SSL error production

[ArmandArthur]

Hello,

I have this error with the SSL auto installed by the repository dunglas.

{"level":"error","ts":1757932084.0908844,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"URL.COM","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 46.202.175.72: Invalid response from https://URL.COM/.well-known/acme-challenge/hw89QKK_jtVZA8IbeeVWuxkMB1xcHCc-n_vazIfe4GY: 504"}
{"level":"error","ts":1757932084.0909264,"logger":"tls.obtain","msg":"will retry","error":"[URL.COM] Obtain: [URL.COM] solving challenge: URL.COM: [URL.COM] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 46.202.175.72: Invalid response from https://URL.COM/.well-known/acme-challenge/hw89QKK_jtVZA8IbeeVWuxkMB1xcHCc-n_vazIfe4GY: 504 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":252.787800769,"max_duration":2592000}

Do you know why? Thank you

[tcoch]

Let's encrypt is trying to generate an SSL certificate for your website, but can't do it.

I'd say you set SERVER_NAME=URL.COM?
Which you probably be wrong.

Can you share you docker compose files ?

[ArmandArthur]

URL.COM is the url to my website, i changed it.

services:
  traefik:
    image: "traefik:v3.4"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-servicenet
    command:
      - "--configfile= ./traefik/traefik.yaml"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./config-traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro  # static traefik configuration
      - ./config-traefik/dynamic.yaml:/etc/traefik/dynamic.yaml:ro  # dynamic traefik configuration
      - ./config-traefik/acme.json:/etc/traefik/acme.json
      - ./apache-php/certs_auto:/certs 
    labels:
      - "traefik.enable=true"

      # define basic auth middleware for dashboard
      - "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=***:***" # CHANGE PASSWORD!! 
      # how to set a real password:
      # sudo apt-get install apache2-utils
      # htpasswd -Bnb username password | sed -e s/\\$/\\$\\$/g

      # define traefik dashboard router and service
      - "traefik.http.routers.traefik.rule=Host(`traefik.***`)" # change hostname!
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=tlschallenge"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.middlewares=traefik-auth, secHeaders@file, autodetectContenttype@file"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
                                                                    
  php:
    image: ${IMAGES_PREFIX:-}app-php
    restart: unless-stopped
    container_name: symfony
    environment:
      SERVER_NAME: ${SERVER_NAME:-localhost}, php:80   
      MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      MERCURE_SUBSCRIBER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      # Run "composer require symfony/orm-pack" to install and configure Doctrine ORM
      DATABASE_URL: mysql://${MYSQL_USER:-***}:${MYSQL_PASSWORD:-***}@database:3306/${MYSQL_DATABASE:-***}?serverVersion=${MYSQL_VERSION:-9.4.0}&charset=${MYSQL_CHARSET:-utf8mb4}
      # Run "composer require symfony/mercure-bundle" to install and configure the Mercure integration
      MERCURE_URL: ${CADDY_MERCURE_URL:-http://php/.well-known/mercure}
      MERCURE_PUBLIC_URL: ${CADDY_MERCURE_PUBLIC_URL:-https://${SERVER_NAME:-localhost}:${HTTPS_PORT:-443}/.well-known/mercure}
      MERCURE_JWT_SECRET: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      # The two next lines can be removed after initial installation
      SYMFONY_VERSION: ${SYMFONY_VERSION:-6.4}
      STABILITY: ${STABILITY:-stable}
    volumes:
      - caddy_data:/data
      - caddy_config:/config
    ports:
      # HTTP
      - target: 80
        published: ${HTTP_PORT:-82}
        protocol: tcp
      #HTTPS:
      - target: 443
        published: ${HTTPS_PORT:-442}
        protocol: tcp
      # HTTP/3
      - target: 443
        published: ${HTTP3_PORT:-442}
        protocol: udp  
    # labels:
    #   - "traefik.enable=true"
    #   - "traefik.http.routers.symfony.entrypoints=web-secure"
    #   - "traefik.http.routers.symfony.rule=Host(`adherents.***`)" # change hostname!
    #   - "traefik.http.routers.symfony.tls=true"
    #   - "traefik.http.routers.symfony.tls.certresolver=tlschallenge"
    #   - "traefik.http.routers.symfony.middlewares=secHeaders@file"
    #   - "traefik.http.services.symfony.loadbalancer.server.port=80" # set port the container listenes to

  apache:
    image: php:8.3-apache
    container_name: front
    build:
      context: ./apache-php
    ports:
    - '81:80'
    - '444:443'
    volumes:
    - /var/www/html/adherents/front/build:/var/www/html/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.front.entrypoints=web-secure"
      - "traefik.http.routers.front.rule=Host(`adherents-front.***`)" # change hostname!
      - "traefik.http.routers.front.tls=true"
      - "traefik.http.routers.front.tls.certresolver=tlschallenge"
      - "traefik.http.routers.front.middlewares=secHeaders@file"
      - "traefik.http.services.front.loadbalancer.server.port=80" # set port the container listenes to    
    networks:
      - traefik-servicenet

###> doctrine/doctrine-bundle ###
  database:
    image: mysql:latest
    container_name: database-adherents
    environment:
      # You should definitely change the password in production
      MYSQL_DATABASE: ***
      MYSQL_ROOT_PASSWORD: root
      MYSQL_USER: ***
      MYSQL_PASSWORD: ***
    # healthcheck:
    #   test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
    #   timeout: 5s
    #   retries: 5
    #   start_period: 60s
    volumes:
      - database_data:/var/lib/mysql:rw
    ports:
      - 3307:3306


  phpmyadmin:
    image: phpmyadmin
    restart: always
    ports:
      - 8181:80
    environment:
      - PMA_ARBITRARY=1
    networks:
      - traefik-servicenet

volumes:
  caddy_data:
  caddy_config:
###> symfony/mercure-bundle ###
###< symfony/mercure-bundle ###

###> doctrine/doctrine-bundle ###
  database_data:

networks:
  traefik-servicenet:
    external: true
    name: traefik-servicenet 
###< doctrine/doctrine-bundle ###
```

[ArmandArthur]

I have apachephp 8.3 for hosting my front app.

I changed: - "--configfile= ./traefik/traefik.yaml" into - "--configfile= /etc/traefik/traefik.yaml" but same.

traefik.yaml

log:
  level: DEBUG  # ERROR, DEBUG, PANIC, FATAL, ERROR, WARN, INFO
providers:
  docker:
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
    network: traefik-servicenet
  file:
    filename: /etc/traefik/dynamic.yaml
    watch: true
api:
  dashboard: true # if you don't need the dashboard disable it
entryPoints:
  web:
    address: ':80' # http
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https      
  web-secure:
    address: ':443' # https
certificatesResolvers:
  tlschallenge:
    acme:
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # IMPORTANT: comment out this line to get production ready certificates. After this, clear acme.json file.
      email: ***@gmail.com
      storage: /etc/traefik/acme.json # chmod 600 this file on the host system
      tlsChallenge: {}
global:
  checkNewVersion: true
  sendAnonymousUsage: true # disable this if you don't want to send anonymous usage data to traefik

dynamic.yaml

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/***.crt
        keyFile: /certs/***.key
  certificates:
    - certFile: /certs/***.crt
      keyFile: /certs/***.key
      stores:
        - default

http:
  # define middlewares
  middlewares:

    # define some security header options,
    # see https://doc.traefik.io/traefik/v2.5/middlewares/http/headers/
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:
          # prevent some applications to expose too much information by removing thise headers:
          server: ""
          x-powered-by: ""
    autodetectContenttype: # needed for traefik v3 - see https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/
      contentType: {}

Dockerfile for apache php8.3

FROM php:8.3-apache
# Copy SSL certificate and key

RUN apt-get update && \
    apt-get install -y vim && \
    rm -rf /var/lib/apt/lists/*

# Copy SSL certificate and key
COPY certs_auto/ninja-code.crt /etc/ssl/certs/***.crt
COPY certs_auto/ninja-code.key /etc/ssl/private/***.key

# Copy the custom Apache virtual host config
COPY ./adherents-front-httpd-vhosts.conf /etc/apache2/sites-available/adherents-front-ssl.conf

# Enable SSL module, configure Apache for PHP support, and enable our SSL site configuration
RUN a2enmod ssl && \
    a2enmod rewrite && \
    a2dissite 000-default default-ssl && \
    a2ensite adherents-front-ssl

SSLSessionCache "shmcb:logs/ssl_scache(512000)"

<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName adherents-front.***
    ServerAlias ***
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    <Directory "/var/www/html">
        AllowOverride all
        ErrorDocument 404 /index.html
        Require all granted
  </Directory>
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/***.crt"
    SSLCertificateKeyFile "/etc/ssl/private/***.key"
</VirtualHost>

[maxhelias]

@ArmandArthur You have recently created several support or "how to" questions in the issue tracker. Please use Discussions instead: https://github.com/dunglas/symfony-docker/discussions

This helps keep the issue tracker clean and focused on bugs and feature requests.

[ArmandArthur]

It's OK. I didn't see this tab.

[ArmandArthur]

I used image apache-php for hosting the front app but i have the port 81 in url. I don't think i can remove the port in url with a Vhost.
But, if you used SERVER_NAME, image app-php from Dunglas create a Vhost, there is a way to create a Vhost which used apache from dunglas image?