🐛 Bug Report: worker-certificates generate SSL certificate failed

[wilhantian]

👟 Reproduction steps

Preconditions:

1. The appwrite has been installed correctly
2. Properly configure the domain name my.domain.com

Run: docker compose exec appwrite ssl

worker-certificates logs:

Cannot renew domain (my.domain.com) on attempt no. 4 certificate: Failed to issue a certificate with message: Saving debug log to /var/log/letsencrypt/letsencrypt.lo

/var/log/letsencrypt/letsencrypt.lo:

2023-05-31 13:43:13,758:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-05-31 13:43:13,758:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-05-31 13:43:13,758:DEBUG:certbot._internal.main:Arguments: ['--webroot', '--noninteractive', '--agree-tos', '--email', 'certs@appwrite.io', '--cert-name', '64774eef75c9e479c247', '-w', '/storage/certificates', '-d', 'my.domain.com']
2023-05-31 13:43:13,759:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-05-31 13:43:13,784:DEBUG:certbot._internal.log:Root logging level set at 30
2023-05-31 13:43:13,789:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-05-31 13:43:13,795:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fb84d006910>
Prep: True
2023-05-31 13:43:13,795:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fb84d006910> and installer None
2023-05-31 13:43:13,795:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-05-31 13:43:13,886:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-05-31 13:43:13,893:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-05-31 13:43:16,397:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-05-31 13:43:16,397:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 31 May 2023 13:43:15 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "EJf8o9ZOweo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-05-31 13:43:16,398:DEBUG:acme.client:Requesting fresh nonce
2023-05-31 13:43:16,398:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-05-31 13:43:16,673:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-05-31 13:43:16,674:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 31 May 2023 13:43:16 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 15C9wfTOGUJlnlUDahe1L11bJf2ArdE6JzosJl6pzhs_qC4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-05-31 13:43:16,675:DEBUG:acme.client:Storing nonce: 15C9wfTOGUJlnlUDahe1L11bJf2ArdE6JzosJl6pzhs_qC4
2023-05-31 13:43:16,675:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:certs@appwrite.io"\n  ],\n  "termsOfServiceAgreed": true\n}'
2023-05-31 13:43:16,679:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogInd6eFVhOG52UlNOb0lsN2ZQcUhmbHU2cEJxd09PcmYwQWtiOXhPbEk0RnNYUURWckhWMVdIQS1sQVNYeV82UnRWMjh4MFBsR1pBR0Q1bE9lUXJ2NGgtdUVsSjdYYWtEeGhtMUR1VmtNVUFWbVNEWUtaMTlpZFg2WmppOVY1TkJtY1IzRkFLMXFsaFZubFlzREFCc3FPS1FZeHk3M3VidW10cjlaR0xybzJfUEx4bGhmamRzRXVuMmx0UDFrcUJUcFRHRzI0Nk5MUXdNaDhkSDZrM0wxTWQ5dVFEQlpYM0RaOHlUcU5LMFFYMU9NcUlMVllXOTRwOHBzU19PZVRYUHd3QmF6alZTNmZZcVJzSUZDNE5VM0JNZU5rZHR3WnRMWHAyWG0zTllCUEZhb3hIMFdVWVY5Uk1qbEZBSHdBNVA4YThBZTk1bF9TSTRLT096ZTFMVmdDdyIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiMTVDOXdmVE9HVUpsbmxVRGFoZTFMMTFiSmYyQXJkRTZKem9zSmw2cHpoc19xQzQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0In0",
  "signature": "Mpt8uPVWrvxS1wLeF3jYGid3a1Tn3vjqFGUug8JdFE652EVDQvWI-SKUH1f2Ro9cvVq9cJzilGDkwlVh6jqJ35fA7zxtRv_mDEOrA5lVeQoxagN-W54xiay4txB236Rcjw2WuPPMN9Po-_UdVxkcWGEJadlYV2vkqrIuDM6cVBLF3y5eLJ-8Sh7nH6nl2LsoOKuy4CAGS4XoTc5mt1ullHf9xVj9q8rB00KUX_JX0C91YdQFFBelj52H6AfEJhO1MLJADjqd3F_YsjUhcNCaTw7Gw9BaZN8j4H7BAPpSTmkAf1rHnJRSeuILCt28xCLPVjb9Up7IhHvCgYeN5-EtHA",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpjZXJ0c0BhcHB3cml0ZS5pbyIKICBdLAogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUKfQ"
}
2023-05-31 13:43:16,992:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 561
2023-05-31 13:43:16,993:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 31 May 2023 13:43:16 GMT
Content-Type: application/json
Content-Length: 561
Connection: keep-alive
Boulder-Requester: 1136520607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/1136520607
Replay-Nonce: 15C9myFgzoGZr9hVHiMYdSXpDZgmRAodL-5TsmmT5FmR22Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "wzxUa8nvRSNoIl7fPqHflu6pBqwOOrf0Akb9xOlI4FsXQDVrHV1WHA-lASXy_6RtV28x0PlGZAGD5lOeQrv4h-uElJ7XakDxhm1DuVkMUAVmSDYKZ19idX6Zji9V5NBmcR3FAK1qlhVnlYsDABsqOKQYxy73ubumtr9ZGLro2_PLxlhfjdsEun2ltP1kqBTpTGG246NLQwMh8dH6k3L1Md9uQDBZX3DZ8yTqNK0QX1OMqILVYW94p8psS_OeTXPwwBazjVS6fYqRsIFC4NU3BMeNkdtwZtLXp2Xm3NYBPFaoxH0WUYV9RMjlFAHwA5P8a8Ae95l_SI4KOOze1LVgCw",
    "e": "AQAB"
  },
  "contact": [
    "mailto:certs@appwrite.io"
  ],
  "initialIp": "182.92.176.221",
  "createdAt": "2023-05-31T13:43:16.825377872Z",
  "status": "valid"
}
2023-05-31 13:43:16,993:DEBUG:acme.client:Storing nonce: 15C9myFgzoGZr9hVHiMYdSXpDZgmRAodL-5TsmmT5FmR22Y
2023-05-31 13:43:16,997:DEBUG:certbot._internal.display.obj:Notifying user: Account registered.
2023-05-31 13:43:16,997:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fb84d0034c0>)>), contact=('mailto:certs@appwrite.io',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1136520607', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'), 5c0ec3a18fcb3cbb994534dc787dd082, Meta(creation_dt=datetime.datetime(2023, 5, 31, 13, 43, 16, tzinfo=<UTC>), creation_host='318b73835b42', register_to_eff=None))>
2023-05-31 13:43:16,998:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for my.domain.com
2023-05-31 13:43:17,105:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2023-05-31 13:43:17,129:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2023-05-31 13:43:17,131:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "my.domain.com"\n    }\n  ]\n}'
2023-05-31 13:43:17,134:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzNjUyMDYwNyIsICJub25jZSI6ICIxNUM5bXlGZ3pvR1pyOWhWSGlNWWRTWHBEWmdtUkFvZEwtNVRzbW1UNUZtUjIyWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "TLiEL0z75Keid-9VTTDCd-Zk_2WpBnqCOJAVQHTY7-lEf98bEq4hJ83klApJBzSlPh2zLO4SuDvWkgwiebitEB2qi5tutnSrycL6bqr9gyE-2qu1qwi8KcZdWtBzP2bbwH-qC-YhJMeLFUN_4Po4QJ2EN9IiQ_xXHu7SMKr6FOoTSigUj-fYW5Q9iodFGtM_lyGk7scxva8vo4ZafO9858UW4HTdC6u6nE5mtehwmpKZbKfWtl36t-doVCrCyk4jpoA_UyHsC9xGPh7ptBhikD2CaeamKkA6gQzsrTkR8AEI7Wexy7hp-Dm1LIHyfHg92v9Y11I_J4BE6qg9a4E00g",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFwcC5pb3Jlc3QuY29tIgogICAgfQogIF0KfQ"
}
2023-05-31 13:43:17,980:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 340
2023-05-31 13:43:17,982:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 31 May 2023 13:43:17 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 1136520607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1136520607/185676526967
Replay-Nonce: 15C9-PdEgtw6hNiw-cyxJwBKqQK2E5INDhjFAKN-PY-uf2g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-06-07T13:43:17Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "my.domain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/232702648627"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1136520607/185676526967"
}
2023-05-31 13:43:17,982:DEBUG:acme.client:Storing nonce: 15C9-PdEgtw6hNiw-cyxJwBKqQK2E5INDhjFAKN-PY-uf2g
2023-05-31 13:43:17,983:DEBUG:acme.client:JWS payload:
b''
2023-05-31 13:43:17,985:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/232702648627:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzNjUyMDYwNyIsICJub25jZSI6ICIxNUM5LVBkRWd0dzZoTml3LWN5eEp3QktxUUsyRTVJTkRoakZBS04tUFktdWYyZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjMyNzAyNjQ4NjI3In0",
  "signature": "hNSNmTS8mCdQnfOx_UZYuRY1T28Rqaa6bnpMILafs2d2NmcbaK9HKhGqBBFUHcBEc44zvu0_jWeL34PZCU4T7OnTjGKOF-Zc_1CxcSpDQfPhmyj8T5Goo4VbDIpGIpdFHLfA581FT3KOta1iyzDh5g3jUTBU7eCI41_MWjFk7iKxXKhsVUXqkp48xEglUibWLMP1ZpHbGJbnPxOnNRDG6YSsUijGn28SeH1agtjKCdO-ap7gjSMBmrRQF1vQWgPHF740yTalEqMcC_Wk24dlmjJuFm9fvYSQ9A-u-kvyOCx5Iji1wyCgArdLiGM_DYYPil5GH9WNBJ58Mup8qOYACQ",
  "payload": ""
}
2023-05-31 13:43:18,265:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/232702648627 HTTP/1.1" 200 798
2023-05-31 13:43:18,267:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 31 May 2023 13:43:18 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1136520607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1AADRDlZ7p6V6MH_FKe11yujAUp9DJx5P2I6lvgqXkPy5zM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.com"
  },
  "status": "pending",
  "expires": "2023-06-07T13:43:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/_xtK8A",
      "token": "Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/uvRTRQ",
      "token": "Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/gpWVKg",
      "token": "Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc"
    }
  ]
}
2023-05-31 13:43:18,267:DEBUG:acme.client:Storing nonce: 1AADRDlZ7p6V6MH_FKe11yujAUp9DJx5P2I6lvgqXkPy5zM
2023-05-31 13:43:18,268:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-05-31 13:43:18,269:INFO:certbot._internal.auth_handler:http-01 challenge for my.domain.com
2023-05-31 13:43:18,269:INFO:certbot._internal.plugins.webroot:Using the webroot path /storage/certificates for all unmatched domains.
2023-05-31 13:43:18,269:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /storage/certificates/.well-known/acme-challenge
2023-05-31 13:43:18,272:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /storage/certificates/.well-known/acme-challenge/Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc
2023-05-31 13:43:18,273:DEBUG:acme.client:JWS payload:
b'{}'
2023-05-31 13:43:18,277:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/_xtK8A:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzNjUyMDYwNyIsICJub25jZSI6ICIxQUFEUkRsWjdwNlY2TUhfRktlMTF5dWpBVXA5REp4NVAySTZsdmdxWGtQeTV6TSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMjMyNzAyNjQ4NjI3L194dEs4QSJ9",
  "signature": "STjuVPL9UNjp9uPVx7Vv3-5eEU_3Aew__g5iPYfR6LX5sJnEMtiyU9BIaix6w6q6fZ-VxXBf5w_2TMabM25WiyhDCMzcUdfxt1yF9IrKqtDdFPxhL18g9w_eSiFT4k5g535hcIA-QbUST67rI_6gJOhw2FFQa2x1HGVOZCjeBHNO2nnJWPHoCcBt5dkpu3gZvs7kOD-GLHS6auM7brvjFgr0GdnCoocdaxqsgTXOJT8nMEJI4ShzlfKT-VicKpsG_4f7Dtut1nWd6sGeRqtV9wdYuMHdBXcKVJl-olr7ktOdbMajRM9KHamzUmZBJOP_oWDK93bQTK7M8QShIoP69A",
  "payload": "e30"
}
2023-05-31 13:43:18,561:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/232702648627/_xtK8A HTTP/1.1" 200 187
2023-05-31 13:43:18,562:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 31 May 2023 13:43:18 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1136520607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/232702648627>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/_xtK8A
Replay-Nonce: 1AADUGuPAuRO6tbET0D2dr6GvdFXHQHiOJVpqqZ_bPSkEO4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/_xtK8A",
  "token": "Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc"
}
2023-05-31 13:43:18,563:DEBUG:acme.client:Storing nonce: 1AADUGuPAuRO6tbET0D2dr6GvdFXHQHiOJVpqqZ_bPSkEO4
2023-05-31 13:43:18,563:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-05-31 13:43:19,565:DEBUG:acme.client:JWS payload:
b''
2023-05-31 13:43:19,567:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/232702648627:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzNjUyMDYwNyIsICJub25jZSI6ICIxQUFEVUd1UEF1Uk82dGJFVDBEMmRyNkd2ZEZYSFFIaU9KVnBxcVpfYlBTa0VPNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjMyNzAyNjQ4NjI3In0",
  "signature": "DuCwzvbExHIeD52hXvbKGot3_AyDy9PPhMrCn3f2E9e2eYgLHBKZ3iMK3jKWOsGtgN3xjp_RXdWY8pEMqrUGgNU52awf1Vdd22bn_c5uhSWNsbjR5q96o5Ube0IXglVRge44tQsdSNisw7LPUdpnIhnXbMIpCYrtedVehRsxv4bSCO3vgAsg8HgRbbtbaakY3DYmTYa_-oWkUhStUX8-cN_z0ZSFKtD1-fys1O5GTP7z6hbP6k_mhNF0yuhWbdJ2dgJ6FrR6MuTXy42F7MEkmW_hs93LBSveATsaCpkKSJISECa6t7nTkgKM6q3VM1QVEVJBXBSEVUqUax0e81Xlvw",
  "payload": ""
}
2023-05-31 13:43:19,847:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/232702648627 HTTP/1.1" 200 1027
2023-05-31 13:43:19,848:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 31 May 2023 13:43:19 GMT
Content-Type: application/json
Content-Length: 1027
Connection: keep-alive
Boulder-Requester: 1136520607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1AADqu236d9F6Uw5N2U_W3AvXGg2DE6YAK22_J4WZEEAY4g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.com"
  },
  "status": "invalid",
  "expires": "2023-06-07T13:43:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "182.92.176.221: Invalid response from http://my.domain.com/.well-known/acme-challenge/Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/232702648627/_xtK8A",
      "token": "Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc",
      "validationRecord": [
        {
          "url": "http://my.domain.com/.well-known/acme-challenge/Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc",
          "hostname": "my.domain.com",
          "port": "80",
          "addressesResolved": [
            "182.92.176.221"
          ],
          "addressUsed": "182.92.176.221"
        }
      ],
      "validated": "2023-05-31T13:43:18Z"
    }
  ]
}
2023-05-31 13:43:19,848:DEBUG:acme.client:Storing nonce: 1AADqu236d9F6Uw5N2U_W3AvXGg2DE6YAK22_J4WZEEAY4g
2023-05-31 13:43:19,849:INFO:certbot._internal.auth_handler:Challenge failed for domain my.domain.com
2023-05-31 13:43:19,849:INFO:certbot._internal.auth_handler:http-01 challenge for my.domain.com
2023-05-31 13:43:19,849:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: my.domain.com
  Type:   unauthorized
  Detail: 182.92.176.221: Invalid response from http://my.domain.com/.well-known/acme-challenge/Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-05-31 13:43:19,850:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-05-31 13:43:19,850:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-05-31 13:43:19,850:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-05-31 13:43:19,850:DEBUG:certbot._internal.plugins.webroot:Removing /storage/certificates/.well-known/acme-challenge/Rhso2S7e9D9JhGRxfAmVr9887-83K6z5XkmJflJVpMc
2023-05-31 13:43:19,851:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-05-31 13:43:19,851:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1434, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-05-31 13:43:19,853:ERROR:certbot._internal.log:Some challenges have failed.

👍 Expected behavior

Generate SSL certificate correctly

👎 Actual Behavior

SSL certificate not generated correctly

🎲 Appwrite version

Version 1.3.x

💻 Operating system

Linux

🧱 Your Environment

No response

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[wilhantian]

I entered the appwrite worker certificates docker container and created the /storage/certificates/.well-know/acme-challenge/test file

then accessed http://my.domain.com/.well-known/acme-challenge/test

The browser displays {"message": "Not Found", "code": 404, "type": "general_route_not_found", "version": "1.3.5"}

[wilhantian]

I seem to have found the problem.

Two days ago, the routing matching function of the Utopia framework was modified,
causing App::get('/.well-known/acme-challenge'), unable to process routing request for 'http://my.domain.com/.well-known/acme-challenge/test',

Change App::get('/.well-known/acme-challenge') to App::get('/.well-known/acme-challenge/:token') and it will work

[joeyouss]

Hi
Thank you for opening this. Glad you found out the reason. Can you please close the issue if no more help is needed here?

[istornz]

I seem to have found the problem.

Two days ago, the routing matching function of the Utopia framework was modified, causing App::get('/.well-known/acme-challenge'), unable to process routing request for 'http://my.domain.com/.well-known/acme-challenge/test',

Change App::get('/.well-known/acme-challenge') to App::get('/.well-known/acme-challenge/:token') and it will work

I think I had the same issue, where did you change that line ? Appwrite need an update with this ?

Thanks :)

[wilhantian]

upgrade latest version