Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

503 Error under Installation #227

Open
ObitoSigma opened this issue Nov 6, 2020 · 2 comments
Open

503 Error under Installation #227

ObitoSigma opened this issue Nov 6, 2020 · 2 comments

Comments

@ObitoSigma
Copy link

ObitoSigma commented Nov 6, 2020

Hello RADAR team. I've been having a bit of trouble with installation. I use an SSL certificate from ACM. Here is the following error I receive at the end of installation:

==> Requesting Let's Encrypt SSL certificate for digitalphenotypingmit.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for digitalphenotypingmit.com
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. digitalphenotypingmit.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://digitalphenotypingmit.com/.well-known/acme-challenge/Cc8Cd4XD_xhPRwOMCp3l7oM2_SG7gInHHh1YV0DZav4 [54.159.14.8]: 503
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: digitalphenotypingmit.com
   Type:   unauthorized
   Detail: Invalid response from
   http://digitalphenotypingmit.com/.well-known/acme-challenge/Cc8Cd4XD_xhPRwOMCp3l7oM2_SG7gInHHh1YV0DZav4
   [54.159.14.8]: 503

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Here is what I've learned from the letsencrypt forums:

  1. First of all, the 503 error is due to the webserver not being up. So something is going wrong in the installation that is not properly setting up the webserver.
  2. This may be due to failing health checks in my ELB. This is because my ELB marks my instance as unhealthy when there is no webserver, and since installation sets up both the webserver and certificate immediately after each other, my ELB is not fast enough to check its health, resulting in a 503 error by the time letsencrypt tries creating the certificate. My attempted solution: I temporarily set up an httpd web server so my ELB will think my instance is healthy. I then increased the health check to every 10 minutes (so it won't immediately go unhealthy). I then shut down the httpd server and start the installation. Unfortunately, instead of a 503 error, this gave me a 408 error.
  3. Someone recommended me to not use letsencrypt and instead use AWS certificate manager. Now, I do have an Amazon certificate, but I don't see a config option for me to use it. Does anyone know if it's possible for me to use an Amazon certificate instead of letsencrypt, and how I would be able to do that?
@blootsvoets
Copy link
Member

First of all, if the radar-docker stack is running behind a reverse proxy (httpd), then the lets encrypt of the radar-docker stack should not be used, instead httpd should be configured to have a valid certificate. You can use lets encrypt or AWS for that, whatever you prefer. To have this behaviour, set ENABLE_HTTPS=no in .env and forward to port 80 of the radar-docker stack. You will need to update etc/webserver/nginx.conf to match the etc/webserver/nginx.nossl.conf.template. If possible, you don't need to have httpd running but you can directly expose radar-docker nginx server to the internet.

If nginx is already directly connected to the internet, indeed the webserver needs to be running for the letsencrypt step. Since you're already at a long way through the installation, what you can do is set SELF_SIGNED_CERT=yes in .env, then run sudo bin/radar-cert-renew. Now change it back to SELF_SIGNED_CERT=no, run sudo bin/radar-docker up -d webserver and then run sudo bin/radar-cert-renew again.

@yatharthranjan
Copy link
Member

The webserver not up maybe related to #230

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants