I'm trying to setup a self-hosted Retool instance and it's failing at to sign the SSL certificate. First of all, my server lives at IP address 54.186.85.141. I have a Route53 DNS A-record pointing retool.furx-stg.net at that IP address. On the initial launch of the
retool-onpremise_https-portal_1 container, this snippet appears in the logs:
Signing certificates from https://acme-v02.api.letsencrypt.org/directory ...
Parsing account key...
Parsing CSR...
Found domains: retool.furx-stg.net
Getting directory...
Directory found!
Registering account...
Registered!
Creating new order...
Order created!
Verifying retool.furx-stg.net...
Traceback (most recent call last):
File "/bin/acme_tiny", line 197, in
main(sys.argv[1:])
File "/bin/acme_tiny", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/bin/acme_tiny", line 149, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for retool.furx-stg.net: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'54.186.85.141'], u'url': u'http://retool.furx-stg.net/.well-known/acme-challenge/a83RT7qeZfs1RKxiNSVGCYb-nGd_NQzMo-TaeW8mih0', u'hostname': u'retool.furx-stg.net', u'resolverAddrs': [u'A:10.0
.12.83:26820', u'AAAA:10.0.12.84:27221'], u'addressUsed': u'54.186.85.141', u'port': u'80'}], u'url': u'https://acme-v02.
api.letsencrypt.org/acme/chall-v3/327837512927/mH2nGw', u'token': u'a83RT7qeZfs1RKxiNSVGCYb-nGd_NQzMo-TaeW8mih0', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'54.186.85.141: Fetching http://retool.furx-stg.net/.well-known/acme-challenge/a83RT7qeZfs1RKxiNSVGCYb-nGd_NQzMo-TaeW8mih0: Timeout during connect (likely firewall problem)'}, u'validated': u'2024-03-18T18:46:56Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value':u'retool.furx-stg.net'}, u'expires': u'2024-03-25T18:46:55Z'}
================================================================================
Failed to sign retool.furx-stg.net, is DNS set up properly?
================================================================================
Failed to obtain certs for retool.furx-stg.net
I can reproduce that error by exec'ing into the container, opening irb and running these commands:
require '/opt/certs_manager/certs_manager'
CertsManager.new.setup
In the container, I can successfully curl http://retool.furx-stg.net/.well-known/acme-challenge/a83RT7qeZfs1RKxiNSVGCYb-nGd_NQzMo-TaeW8mih0, as well as from the server and from my desktop, so the validation record is there and being served, it's just failing to validate.
Any idea what's going on? Without a signed and validated cert, Nginx is refusing all connection requests. Relevant settings:
- docker-compose.yml STAGE is 'production' in http-portal's environment.
- docker.env has COOKIE_INSECURE=true and a valid LICENSE_KEY.
Thanks!
-Chas