Setup mistake #125

Closed
mschipperheyn opened this issue Sep 20, 2017 · 10 comments
@mschipperheyn

mschipperheyn commented Sep 20, 2017

I made a bit of a mistake during setup. I followed the recipe, but the port on my app was set to 5000 instead of 5555, so I ran into issues when I tried to apply 5555. Duplicate entries etc.

I removed those but I cannot restart my app anymore because the tls directory is not there.

Reloading nginx
nginx: [emerg] BIO_new_file("/home/dokku/myapp/tls/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/home/dokku/myapp/tls/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
       validate_nginx failed. contents of /home/dokku/myapp/nginx.conf below...

directory letsencrypt/certs/09434hk24h2k342[some_code] contains a config file and nothing else

--server https://acme-v01.api.letsencrypt.org/directory --email [email protected] --tos_sha256 637some_sha6221  -d myapp.com.br -d *.myapp.com.br

Can you guys give me some suggestions on how to best revert the situation so I can try again?

PORT.web.1 => 5000

nginx.conf

server {
  listen      [::]:80;
  listen      80;
  server_name educadorinspirador.com.br *.educadorinspirador.com.br;
  access_log  /var/log/nginx/myapp-access.log;
  error_log   /var/log/nginx/myapp-error.log;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/sv$
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://myapp-5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Request-Start $msec;
  }
  include /home/dokku/myapp/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 502 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

}

server {
  listen      [::]:443 ssl ;
  listen      443 ssl ;

  server_name educadorinspirador.com.br *.educadorinspirador.com.br;
  access_log  /var/log/nginx/myapp-access.log;
  error_log   /var/log/nginx/myapp-error.log;

  ssl_certificate     /home/dokku/myapp/tls/server.crt;
  ssl_certificate_key /home/dokku/myapp/tls/server.key;
  ssl_protocols       TLSv1.2;
  ssl_prefer_server_ciphers on;

  keepalive_timeout   70;
  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/sv$
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://myapp-5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Request-Start $msec;
  }
  include /home/dokku/myapp/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 502 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream myapp-5000 {

  server 172.1.2.3:5000;
}

nginx.conf.d/letsencrypt.conf

location /.well-known/acme-challenge/ {

  # disable http-auth for /.well-known/acme-challenge
  auth_basic off;

  proxy_pass http://127.0.0.1:23365;
  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_set_header X-Request-Start $msec;
}
@mschipperheyn
Author

mschipperheyn commented Sep 20, 2017

What is the best way to recover from this? I'm stuck. I cannot deploy the website anymore, nor do I seem to have a clear path to undo what the plugin got done before the failure occurred. E.g. how do I remove the 443 nginx website config? If I manually remove it, it just gets reconstituted when I run dokku proxy:ports-remove myapp http:443:5000

@joshmanders
Contributor

I'm not exactly sure what you did or how to fix it. You should have just run 3 commands and been done...

@mschipperheyn
Author

mschipperheyn commented Sep 20, 2017

Ok, what I did was follow the recipe to the letter. My PORT.web.1 was 5000 however, not sure if that's the issue. I also have the wildcard in the domain names. Not sure if Let's Encrypt likes that.

@joshmanders
Contributor

Let's Encrypt does not support wildcards yet. In January they come to the CA, but tools won't adopt them for a while.

I believe web default port is 5000. So I think your wildcard messed up stuff.

@mschipperheyn
Author

The actual obvious issue is that

  ssl_certificate     /home/dokku/myapp/tls/server.crt;
  ssl_certificate_key /home/dokku/myapp/tls/server.key;

were not created. I'm not an expert on Dokku, but perhaps there is a good way to manually create those? I tried the certbot but it fails because nginx won't start because of these issues.

I tried removing the ports so I can at least resume normal operation, but that also failed.

I also tried manually removing the 443 section in the nginx.conf but that just gets reconstituted when I run a dokku command.

I'm fairly sure the solution should be simple. I just don't really know what steps to follow safely without bringing down the live site.

@joshmanders
Contributor

Try using the cert commands of the core dokku project to remove the certs and reset nginx so it restarts. Then try without wildcard.

@mschipperheyn
Author

Ok, yeah. This worked.

dokku proxy:ports-remove myapp 443
dokku domains:set myapp myapp.com.br www.myapp.com.br
dokku letsencrypt myapp

Thanks!

@joshmanders
Contributor

Awesome! No problem.

@mschipperheyn
Author

Some follow-up suggestions, without knowing enough about the inner workings.

  • Perhaps the script should refuse to run if it detects a wildcard (until it's supported)
  • Perhaps the default recipe should eliminate the manual dokku proxy:ports-add myapp http:80:5555 and dokku proxy:ports-add myapp http:433:5555 calls in favor of reading the port from PORT.web.1
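As an added example (not code from the dokku-letsencrypt plugin or from anyone in this thread), the script below turns two points from the discussion into preflight checks: the wildcard-domain refusal suggested above, and a check that every ssl_certificate / ssl_certificate_key path in an nginx config exists, which is the condition behind the "BIO_new_file(...) failed" reload error reported at the top. It assumes POSIX sh with awk and mktemp; the function names and the demo config are the example's own.

```shell
#!/bin/sh
# Added example, not code from the dokku-letsencrypt plugin. Assumes POSIX sh,
# awk and mktemp; function and variable names are the example's own.

# Returns 0 (true) if any name in the space-separated list is a wildcard; Let's
# Encrypt had no wildcard issuance when this thread was written.
has_wildcard_domain() {
  for d in $1; do
    case "$d" in
      \*.*) return 0 ;;
    esac
  done
  return 1
}

# Returns 0 if every ssl_certificate / ssl_certificate_key path referenced in
# an nginx config exists; otherwise prints the missing paths and returns 1.
# This is the condition behind the thread's "BIO_new_file(...) failed" reload.
check_nginx_cert_files() {
  missing=0
  for f in $(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                    sub(/;$/, "", $2); print $2 }' "$1"); do
    [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
  done
  return $missing
}

# Combined gate: nonzero means "do not issue a cert / do not reload nginx yet".
preflight() {
  rc=0
  if has_wildcard_domain "$1"; then
    echo "wildcard in domain list: $1" >&2
    rc=1
  fi
  check_nginx_cert_files "$2" || rc=1
  return $rc
}

# Constructed demo: a 443 block like the thread's, whose cert files do not exist.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<EOF
server {
  listen 443 ssl;
  ssl_certificate     $demo_dir/tls/server.crt;
  ssl_certificate_key $demo_dir/tls/server.key;
}
EOF
preflight "myapp.com.br *.myapp.com.br" "$demo_dir/nginx.conf" \
  && echo "preflight passed" || echo "preflight failed; fix the above first"
rm -rf "$demo_dir"
```

Running the same gate before "dokku letsencrypt myapp" would have reported both problems in this thread before nginx was touched.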

@joshmanders
Contributor

PRs welcome.
