Certificate Not Valid

yakito · January 20, 2022, 3:03am

Hi!
I’ve been trying to solve this by myself for the past 2 days, but can’t seem to find a solution.
Basically the issue I am having is that after following the steps here Server Setup | Docs on a Lightsail instance and a Vultr instance, everything works fine except that I am getting an error of "certificate is not valid" when visiting with chrome

I am able to access N8N but some services I need to run require https which isn’t working.

When I try to install Letsencrypt on my own I am able to get a valid certificate using the following command

sudo certbot --apache --agree-tos --preferred-challenges http -d domain-name.com

The thing is that works for apache server, but as soon as I run the docker container I get the "bad certificate" back.

Any help will be appreciated,
Thanks!

mcnaveen · January 20, 2022, 4:28am

Hi @yakito

I’m using n8n with NGINX reverse proxy, It works very well for me.

Are you running n8n on the main domain or subdomain?

Because according to this thread, If you’re running on the main domain, You have to get a certificate for both the www and non-www versions.

Jon · January 20, 2022, 6:16am

If you look at the certificate warning in Chrome it normally tells you what the issue is, it could be what @mcnaveen has suggested and the certificate being used is for the wrong domain.

yakito · January 20, 2022, 11:29am

Thanks a lot @mcnaveen @Jon

I am using N8N on a subdomain. When I stop the container and run the command above, I do get a valid certificate, but as soon as I start the container again the valid certificate changes to the invalid one from the installation.

Basically either I have apache running with a valid certificate or I have n8n with an invalid certificate.
The only error I see from chrome is that the certificate was not approved by third parties.

How can I tell the container to use the certificate I installed with the following command (which seems to work?)

Thanks a lot again!

Jon · January 20, 2022, 11:38am

That looks like Traefik was not able to generate the certificate, I think you can tell traefik which certificates to use but it should ideally be managing it for you.

Have you looked at the logs for Traefik to see if it shows any errors?

yakito · January 20, 2022, 11:47am

You are THE BEST! Think I have it! Here are the logs

**ubuntu@ip-1**:**~**$ sudo docker logs ubuntu_traefik_1

time="2022-01-19T20:57:17Z" level=info msg="Configuration loaded from flags."

time="2022-01-19T20:57:27Z" level=error msg="Unable to obtain ACME certificate for domains \"my-domain.com\": cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden" providerName=mytlschallenge.acme routerName=n8n@docker rule="Host(`my-domain.com`)"

time="2022-01-20T11:38:03Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure

time="2022-01-20T11:38:03Z" level=error msg="Error while starting server: accept tcp [::]:443: use of closed network connection" entryPointName=websecure

time="2022-01-20T11:38:03Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik

time="2022-01-20T11:38:03Z" level=error msg="Error while starting server: accept tcp [::]:8080: use of closed network connection" entryPointName=traefik

time="2022-01-20T11:38:03Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web

time="2022-01-20T11:38:03Z" level=error msg="Error while starting server: accept tcp [::]:80: use of closed network connection" entryPointName=web

2022/01/20 11:38:03 reverseproxy.go:490: httputil: ReverseProxy read error during body copy: unexpected EOF

time="2022-01-20T11:42:49Z" level=info msg="Configuration loaded from flags."

time="2022-01-20T11:42:55Z" level=error msg="Unable to obtain ACME certificate for domains \"my-domain.com\": cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden" routerName=n8n@docker providerName=mytlschallenge.acme rule="Host(`my-domain.com`)"

So I guess I should change my email somewhere and reinstall the certificate and it should work!

Jon · January 20, 2022, 11:49am

You got it, So in your .env file you probably still have:

[email protected]

It will be at the bottom if you just did a copy / paste, Update that, restart the container and you should be good to go after a minute or so.

yakito · January 20, 2022, 11:49am

Thank you sooo much! have a wonderful day!

mcnaveen · January 20, 2022, 12:08pm

Glad it works!