After enabling of tls in our TYK server it runs out of filehandles and stop working - api-gateway
We have enabled tls in our on premise TYK dashboard and gateway after that it runs out of filehandles and stop working
Redirecting to /bin/systemctl status tyk-dashboard.service
tyk-dashboard.service - Tyk API Dashboard Loaded: loaded
(/usr/lib/systemd/system/tyk-dashboard.service; enabled; vendor
preset: disabled) Active: active (running) since Thu 2018-10-18
11:24:32 CEST; 3h 57min ago Main PID: 13062 (tyk-analytics) CGroup:
/system.slice/tyk-dashboard.service └─13062
/opt/tyk-dashboard/tyk-analytics --conf
/opt/tyk-dashboard/tyk_analytics.conf
Oct 18 15:22:00 sktudv01tyk01.ccta.dk tyk-analytics[13062]: 2018/10/18
15:22:00 http: Accept error: accept tcp [::]:3000: accept4: too many
open files; retrying in 1s Oct 18 15:22:01 sktudv01tyk01.ccta.dk
tyk-analytics[13062]: 2018/10/18 15:22:01 http: Accept error: accept
tcp [::]:3000: accept4: too many open files; retrying in 1s
our conf files looks like this
tyk.conf
{
"listen_port": 8443,
"node_secret": "secret",
"secret": "secret",
"template_path": "/opt/tyk-gateway/templates",
"use_db_app_configs": true,
"db_app_conf_options": {
"connection_string": "https://localhost:3000",
"node_is_segmented": false,
"tags": []
},
"disable_dashboard_zeroconf": false,
"app_path": "/opt/tyk-gateway/apps",
"middleware_path": "/opt/tyk-gateway/middleware",
"storage": {
"type": "redis",
"host": "localhost",
"port": 6379,
"username": "",
"password": "",
"database": 0,
"optimisation_max_idle": 2000,
"optimisation_max_active": 4000
},
"enable_analytics": true,
"analytics_config": {
"type": "",
"ignored_ips": [],
"enable_detailed_recording": true,
"enable_geo_ip": false,
"geo_ip_db_path": "",
"normalise_urls": {
"enabled": true,
"normalise_uuids": true,
"normalise_numbers": true,
"custom_patterns": []
}
},
"health_check": {
"enable_health_checks": false,
"health_check_value_timeouts": 60
},
"optimisations_use_async_session_write": true,
"allow_master_keys": false,
"policies": {
"policy_source": "service",
"policy_connection_string": "",
"policy_record_name": "tyk_policies",
"allow_explicit_policy_id": true
},
"hash_keys": true,
"suppress_redis_signal_reload": false,
"use_redis_log": true,
"close_connections": true,
"enable_non_transactional_rate_limiter": true,
"enable_sentinel_rate_limiter": false,
"experimental_process_org_off_thread": false,
"local_session_cache": {
"disable_cached_session_state": false
},
"http_server_options": {
"enable_websockets": true,
"use_ssl": true,
"server_name": "localhost",
"certificates": [
{
"domain_name": "*.ccta.dk",
"cert_file": "/etc/pki/tls/certs/localhost.crt",
"key_file": "/etc/pki/tls/private/localhost.key"
}
],
"ssl_insecure_skip_verify": false
},
"uptime_tests": {
"disable": false,
"config": {
"enable_uptime_analytics": true,
"failure_trigger_sample_size": 2,
"time_wait": 10,
"checker_pool_size": 50
}
},
"hostname": "",
"enable_custom_domains": true,
"enable_jsvm": true,
"oauth_redirect_uri_separator": ";",
"coprocess_options": {
"enable_coprocess": false,
"coprocess_grpc_server": ""
},
"pid_file_location": "./tyk-gateway.pid",
"allow_insecure_configs": true,
"public_key_path": "",
"close_idle_connections": false,
"allow_remote_config": false,
"enable_bundle_downloader": true,
"bundle_base_url": "",
"global_session_lifetime": 100,
"force_global_session_lifetime": false,
"max_idle_connections_per_host": 500
}
our tyk_analytics.conf
{
"listen_port": 3000,
"tyk_api_config": {
"Host": "https://localhost",
"Port": "8443",
"Secret": "secret"
},
"mongo_url": "mongodb://127.0.0.1/tyk_analytics",
"mongo_use_ssl": false,
"mongo_ssl_insecure_skip_verify": false,
"page_size": 10,
"admin_secret": "secret",
"shared_node_secret": "secret",
"redis_port": 6379,
"redis_host": "localhost",
"redis_password": "",
"enable_cluster": false,
"redis_use_ssl": false,
"redis_ssl_insecure_skip_verify": false,
"force_api_defaults": false,
"notify_on_change": true,
"license_key": "secret",
"redis_database": 0,
"redis_hosts": null,
"hash_keys": true,
"email_backend": {
"enable_email_notifications": false,
"code": "",
"settings": null,
"default_from_email": "",
"default_from_name": "",
"dashboard_hostname": ""
},
"hide_listen_path": false,
"sentry_code": "",
"sentry_js_code": "",
"use_sentry": false,
"enable_master_keys": false,
"enable_duplicate_slugs": true,
"show_org_id": true,
"host_config": {
"enable_host_names": true,
"disable_org_slug_prefix": true,
"hostname": "localhost",
"override_hostname": "localhost",
"portal_domains": {},
"portal_root_path": "/portal",
"generate_secure_paths": false,
"secure_cookies": false,
"use_strict_hostmatch": false
},
"http_server_options": {
"use_ssl": true,
"servername": "localhost",
"certificates": [
{
"domain_name": "*.ccta.dk",
"cert_file": "/etc/pki/tls/certs/dev.api.data.ccta.dk.crt",
"key_file": "/etc/pki/tls/private/dev.api.data.ccta.dk.key"
}
],
"min_version": 0
},
"security": {
"allow_admin_reset_password": false,
"login_failure_username_limit": 0,
"login_failure_ip_limit": 0,
"login_failure_expiration": 0,
"audit_log_path": "/var/log/tyk/tyk-audit.log"
},
"ui": {
"languages": {
"Chinese": "cn",
"English": "en",
"French": "fr",
"Korean": "ko"
},
"hide_help": false,
"default_lang": "en",
"login_page": {},
"nav": {},
"uptime": {},
"portal_section": null,
"designer": {},
"dont_show_admin_sockets": false,
"dont_allow_license_management": false,
"dont_allow_license_management_view": false,
"cloud": false
},
"home_dir": "/opt/tyk-dashboard",
"identity_broker": {
"enabled": false,
"host": {
"connection_string": "http://localhost:3010",
"secret": "secret"
}
},
"tagging_options": {
"tag_all_apis_by_org": false
},
"use_sharded_analytics": false,
"enable_aggregate_lookups": true,
"enable_analytics_cache": false,
"aggregate_lookup_cutoff": "01/07/2016",
"maintenance_mode": false,
"allow_explicit_policy_id": false,
"private_key_path": "",
"node_schema_path": "",
"oauth_redirect_uri_separator": ";",
"statsd_connection_string": "",
"statsd_prefix": "",
"disable_parallel_sessions": false,
"dashboard_session_lifetime": 0,
"alternative_dashboard_url": "",
"sso_permission_defaults": null,
"sso_default_group_id": "",
"sso_custom_login_url": "",
"sso_custom_portal_login_url": "",
"notifications_listen_port": 5000,
"portal_session_lifetime": 0,
"enable_delete_key_by_hash": false
}
cat /proc/981/limits Limit Soft Limit
Hard Limit Units Max cpu time unlimited
unlimited seconds Max file size unlimited
unlimited bytes Max data size unlimited
unlimited bytes Max stack size 8388608
unlimited bytes Max core file size 0
unlimited bytes Max resident set unlimited
unlimited bytes Max processes 31191
31191 processes Max open files 1024
4096 files Max locked memory 65536
65536 bytes Max address space unlimited
unlimited bytes Max file locks unlimited
unlimited locks Max pending signals 31191
31191 signals Max msgqueue size 819200
819200 bytes Max nice priority 0
0 Max realtime priority 0 0 Max realtime
timeout unlimited unlimited us
Number of file handles when it failed again with Oct 23 13:04:34
sktudv01tyk01 tyk-analytics: 2018/10/23 13:04:34 http: Accept error:
accept tcp [::]:3000: accept4: too many open files; retrying in 1s
lsof | wc -l
31677
cat /usr/lib/systemd/system/tyk-gateway.service
[Unit]
Description=Tyk API Gateway
[Service]
Type=simple
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/tyk-gateway
EnvironmentFile=-/etc/sysconfig/tyk-gateway
ExecStart=/opt/tyk-gateway/tyk --conf /opt/tyk-gateway/tyk.conf
Restart=always
WorkingDirectory=/opt/tyk-gateway
RuntimeDirectory=tyk
RuntimeDirectoryMode=0770
LimitNOFILE=80000
[Install]
WantedBy=multi-user.target
OS settings ( centos )
# /etc/security/limits.conf
* hard maxlogins 10
* soft nproc 80000
* hard nproc 80000
* soft nofile 80000
* hard nofile 80000
root soft nproc 80000
root hard nproc 80000
root soft nofile 80000
root hard nofile 80000
and in sysctl.conf i added
fs.file-max=80000
When i restart the tyk-dashboard i can login using https and my api's respond ok on https but after some minuttes it runs out of file handles
What do i need to change here, when starting dashboard alone everything is steady and running well, no errors in my log. But when i start the gateway my numbers of open files increase every second
gateway startup log
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Setting up analytics normaliser"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="PIDFile location set to: ./tyk-gateway.pid"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Initialising Tyk REST API Endpoints"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=warning msg="Default secret `secret` should be changed for production."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=warning msg="Default node_secret `secret` should be changed for production."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Redis connection pools are ready after number of retires" currRetry=0
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Redis connection pools are ready"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="--> Using SSL (https)"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Setting up Server"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Registering node."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=error msg="Response failed with code 404; retrying in 5s"
Oct 24 08:55:37 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:37" level=warning msg="Insecure configuration detected (allowing)!"
Oct 24 08:55:37 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:37" level=info msg="Hostname set with dashboard zeroconf signal"
Oct 24 08:55:41 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:41" level=error msg="Response failed with code 404; retrying in 5s"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Node registered" id=10321add-ffb6-40c5-4692-c2035ee2760d
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Gateway started (v2.7.3)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Initialising distributed rate limiter"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> Listening on address: (open interface)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> Listening on port: 8443"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> PID: 10135"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Starting gateway rate limiter notifications..."
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading policies"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Using Policies from Dashboard Service"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Mutex lock acquired... calling"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Calling dashboard service for policy list"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Processing policy list"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Policies found (0 total):"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Detected 8 APIs"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Preparing new router"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Initialising Tyk REST API Endpoints"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API configurations."
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="Robotics - fast excel API #rpa" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="gulapi_aarsopg #Gul" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="rpaqlik_prod #rpa #prod" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=awsvalues domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="rpaqlik #rpa" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=postman domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=simons domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="eboks #eboks #java #dropwizard" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="eboks #eboks #java #dropwizard"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="Robotics - fast excel API #rpa"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="gulapi_aarsopg #Gul"
lines 7537-7582/7616 100%
If you are using SystemD, ensure that it does not mess with your file handler settings, by checking process limits like this: cat /proc/<pid>/limits. And if you find anomalies follow this guide https://tyk.io/docs/deploy-tyk-premise-production/#file-handles
Additionally your "db_app_conf_options.connection_string" is empty, instead it should point to the dashboard.
Also, you configured Gateway to use TLS, but in Dashboard config it still points to "http", and same for Gateway port.
Hope it helps.
Related
Custom app in Microsoft Teams can't connect to it's own API from desktop app
I am trying to embed our app into Teams. We have it working from the web version of MS Teams. However when we try it from the MS Teams desktop app, our app's tab is unable to communicate with our API saying net::ERR_BLOCKED_BY_RESPONSE for all XHR requests the app tries to make to the API. The OPTIONS request seems to get some response headers back but is still listed as failed (see header below) What is blocking the requests in the Desktop app? We have tried various security header changes and disabling our apps service worker among other things but to no avail. The application loads fine (we have the iframe enabling headers set in the CSP - see below). It's just the communication with the API that is blocked. Application details that we are embedding in the MS Teams APP as a custom app Progressive web app Angular v13 with Angular routing strategy (useHash = false) API is REST based NB: The app tab works in the mobile app version of teams on iOS as well as on the web version Response headers that are returned by the API we are trying to talk to on the OPTIONS request access-control-allow-headers: Content-Type, Authorization, V, D access-control-allow-methods: OPTIONS, GET, POST, DELETE, PUT access-control-allow-origin: https://**redacted** access-control-max-age: 86400 cache-control: no-cache content-length: 0 date: Wed, 12 Jan 2022 00:14:44 GMT permissions-policy: geolocation=() referrer-policy: no-referrer server: CloudFront status: 200 strict-transport-security: max-age=31536000; includeSubDomains vary: Origin via: 1.1 **redacted**.cloudfront.net (CloudFront) x-amz-cf-id: **redacted** x-amz-cf-pop: SYD62-P1 x-cache: Miss from cloudfront x-content-type-options: nosniff x-xss-protection: 1; mode=block Headers and CSP on the application (SPA) age: 6 cache-control: no-cache content-encoding: br content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.**redacted**.com https://**redacted**.app https://*.**redacted**.app; connect-src https://*.**redacted**.com https://**redacted**.app https://*.**redacted**.app; object-src 'none'; frame-ancestors teams.microsoft.com *.office.com outlook.office.com outlook.office365.com content-type: text/html cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin date: Wed, 12 Jan 2022 00:22:58 GMT etag: **redacted** expect-ct: max-age=0, report-uri="https://**redacted**.report-uri.com/r/d/ct/reportOnly" last-modified: Tue, 11 Jan 2022 23:27:02 GMT permissions-policy: geolocation=() referrer-policy: no-referrer-when-downgrade server: CloudFront status: 304 strict-transport-security: max-age=31536000; includeSubDomains vary: Accept-Encoding via: 1.1 **redacted**.cloudfront.net (CloudFront) x-amz-cf-id: **redacted** x-amz-cf-pop: SYD62-P1 x-cache: Hit from cloudfront x-content-type-options: nosniff x-xss-protection: 1; mode=block The manifest, currently setup with a configure page that adds a tab after choosing our customer account name which generates the url for the tab. { "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json", "manifestVersion": "1.11", "version": "4.1.8", "id": "***", "packageName": "app.***", "developer": { "name": "*** Pty Limited", "websiteUrl": "https://www.***.com", "privacyUrl": "https://www.***.com/privacy", "termsOfUseUrl": "https://***.com/resources/20201019+***+Terms+and+Conditions.pdf" }, "icons": { "color": "color.png", "outline": "outline.png" }, "name": { "short": "***", "full": "*** For Microsoft Teams" }, "description": { "short": "***", "full": "***" }, "accentColor": "#F9F9FA", "configurableTabs": [ { "configurationUrl": "https://dev.***.app/ms-teams/teams-configure.html", "canUpdateConfiguration": true, "scopes": [ "team" ], "context": [ "channelTab" ], "supportedSharePointHosts": [ "sharePointFullPage" ] } ], "permissions": [ "identity", "messageTeamMembers" ], "validDomains": [ "dev.***.app", "*.dev.***.app", "*.teams.***.app", "api.test.***.com", "api.***.com", "*.test.***.app", "*.***.app" ] }
Multiple Set-Cookie headers ignored by API Gateway in combination with Lambda integration and CloudFront
My setup looks like this: |––––––––––––| |–––––––––––––| |–––––––––––––––––| | | <- origin 1 -> | API Gateway | <-> | Lambda function | | | |–––––––––––––| |–––––––––––––––––| | CloudFront | | | |–––––––––––––| | | <- origin 2 -> | S3 bucket | |––––––––––––| |–––––––––––––| I need CloudFront in front of the API Gateway to get automatic http->https redirection. I'm using a custom login.example.com subdomain w/ CloudFront. API Gateway's generated URL is the origin 1 for CloudFront distribution. This all works as expected. I can even return one Set-Cookie header from the lambda function and it will get passed on until it reaches the browser. { "statusCode": 302, "body": "", "headers": { "location": "/test", "surrogate-control": "no-store", "cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate", "pragma": "no-cache", "expires": "0", "content-length": "0", "date": "Fri, 19 Feb 2021 17:25:56 GMT", "connection": "keep-alive", "set-cookie": "cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict" }, "isBase64Encoded": false } Adding another one isn't working - as expected when you look at the docs: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#apigateway-multivalue-headers-and-parameters https://aws.amazon.com/blogs/compute/support-for-multi-value-parameters-in-amazon-api-gateway/ { "statusCode": 302, "headers": { "location": "/test", "set-cookie": [ "cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict", "cookie2-login=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure" ], "surrogate-control": "no-store", "cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate", "pragma": "no-cache", "expires": "0", "content-length": "0" } } Both of these will be ignored/removed. But even when I'm using the multiValueHeaders object to return more than one of the same kind like this: { "statusCode": 302, "body": "", "headers": { "location": "/test", "surrogate-control": "no-store", "cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate", "pragma": "no-cache", "expires": "0", "content-length": "0", "date": "Fri, 19 Feb 2021 17:25:56 GMT", "connection": "keep-alive" }, "isBase64Encoded": false, "multiValueHeaders": { "Set-Cookie": [ "cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict", "cookie2-login=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure" ] } } the API Gateway removes/ignores them from the response it passes on to CloudFront. What am I doing wrong? Do I have to map something in the API Gateway when using the multiValueHeaders? Normal headers['set-cookie'] is passed on automatically but multiValueHeaders not? Are the additional attributes a problem? Is it a problem that I'm trying to set the cookie for the root-domain and not the login.example.com domain?
Not sure how Philipp missed this, as it was on the same page he cited: To customize the response, your Lambda function should return a response with the following format. { "cookies" : ["cookie1", "cookie2"], "isBase64Encoded": true|false, "statusCode": httpStatusCode, "headers": { "headername": "headervalue", ... }, "body": "Hello from Lambda!" } So just return cookies: ['name=value', 'name=value'] Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html#http-api-develop-integrations-lambda.v2
Finally found the answer myself: The new payload format (2.0) does not support multiValueHeaders. Working with AWS Lambda proxy integrations for HTTP APIs [...] Format 2.0 doesn't have multiValueHeaders or multiValueQueryStringParameters fields. Duplicate headers are combined with commas and included in the headers field. Duplicate query strings are combined with commas and included in the queryStringParameters field. [...] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html So I'm rewriting the set-cookie headers to different spellings: Set-cookie sEt-cookie seT-cookie That was the way you had to do it before there were multiValueHeaders - but it seems it is still the only when you're using the new payload format :(
Hubot - Botframework - MS Teams - Not responding
I have created a localhost-based Hubot and used Botframework as adapter. I created a MS bot account. I also created a new app using app studio in MS Teams. I then side loaded it. I started ngrok and I started everything up. I can see the bot is online in Teams. But when I sent a command to bot, it accepts the message but does not respond. In the log it looks like it's responding but I don't see the response in the Teams channel or #mention. Please see the log below [Mon Jun 24 2019 17:39:51 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:39:51 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: TextMiddleware toReceivable [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toReceivable [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toReceivable [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... [Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable App manifest: { "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.5/MicrosoftTeams.schema.json", "manifestVersion": "1.5", "version": "1.0.0", "id": "xxxxxxxx", "packageName": "com.tech.bot", "developer": { "name": "user", "websiteUrl": "https://mm.com", "privacyUrl": "https://mm.com/privacy", "termsOfUseUrl": "https://mm.com/terms" }, "icons": { "color": "color.png", "outline": "outline.png" }, "name": { "short": "techbot", "full": "" }, "description": { "short": "bot for techbot", "full": "bot for techbot" }, "accentColor": "#FFFFFF", "bots": [ { "botId": "xxxxxxxxd", "scopes": [ "personal", "team", "groupchat" ], "commandLists": [ { "scopes": [ "personal" ], "commands": [ { "title": "hi", "description": "How are u!!!" } ] }, { "scopes": [ "team" ], "commands": [ { "title": "hi", "description": "Greet!!!" }, { "title": "hi", "description": "How are u!!!" } ] }, { "scopes": [ "groupchat" ], "commands": [ { "title": "hi", "description": "Greet!!!" }, { "title": "hi", "description": "How are u!!!" } ] } ], "supportsFiles": false, "isNotificationOnly": false } ], "permissions": [ "identity", "messageTeamMembers" ], "validDomains": [] } The debug log shows below express:router dispatching POST /api/messages +44s express:router query : /api/messages +0ms express:router expressInit : /api/messages +0ms express:router <anonymous> : /api/messages +1ms express:router query : /api/messages +0ms express:router jsonParser : /api/messages +0ms body-parser:json content-type "application/json; charset=utf-8" +0ms body-parser:json content-encoding "identity" +1ms body-parser:json read body +0ms body-parser:json parse body +0ms body-parser:json parse json +0ms express:router urlencodedParser : /api/messages +0ms body-parser:urlencoded body already parsed +0ms express:router multipart : /api/messages +0ms [Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents [Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message [Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware... finalhandler cannot 404 after headers sent +6ms
Kernel.php doesn't exist Laravel 5
I'm following one tutorial while learning laravel but currently I've got this error Fatal error: Uncaught ReflectionException: Class App\Http\Kernel does not exist in /var/www/html/cms/vendor/laravel/framework/src/Illuminate/Container/Container.php:734 The class does exist in app/Http/Kernel.php. Those are permissions of the file -rw-rw-r-- 1 ivan www-data 1537 nov 26 2016 Kernel.php Those are permission on whole directory files -rw-rw-r-- 1 ivan www-data 567 nov 26 2016 server.php -rw-rw-r-- 1 ivan www-data 1918 nov 26 2016 readme.md -rw-rw-r-- 1 ivan www-data 1026 nov 26 2016 phpunit.xml -rw-rw-r-- 1 ivan www-data 212 nov 26 2016 package.json -rw-rw-r-- 1 ivan www-data 503 nov 26 2016 gulpfile.js -rw-rw-r-- 1 ivan www-data 1395 nov 26 2016 composer.json -rw-rw-r-- 1 ivan www-data 1646 nov 26 2016 artisan drwxr-x--- 2 ivan www-data 4096 jan 19 20:06 tests drwxrwxrwx 5 ivan www-data 4096 jan 19 20:06 storage drwxr-x--- 5 ivan www-data 4096 jan 19 20:06 resources drwxr-x--- 7 ivan www-data 4096 jan 19 20:06 public drwxr-x--- 5 ivan www-data 4096 jan 19 20:06 database drwxr-x--- 11 ivan www-data 4096 jan 19 20:06 app -rw-rw-r-- 1 ivan www-data 127324 jun 2 15:27 composer.lock drwxr-x--- 2 ivan www-data 4096 jun 2 15:29 config drwxr-x--- 3 ivan www-data 4096 jun 2 15:44 bootstrap drwxr-xr-x 33 ivan www-data 4096 jun 2 15:48 vendor When I run in my terminal php artisan serve and tried to load the site on http://localhost:8000 site is running. What can be the problem here? Kernel.php <?php namespace App\Http; use Illuminate\Foundation\Http\Kernel as HttpKernel; class Kernel extends HttpKernel { .... Update: Kernel.php from console/ <?php namespace App\Console; use Illuminate\Console\Scheduling\Schedule; use Illuminate\Foundation\Console\Kernel as ConsoleKernel; class Kernel extends ConsoleKernel { Update: composer.json { "name": "laravel/laravel", "description": "The Laravel Framework.", "keywords": ["framework", "laravel"], "license": "MIT", "type": "project", "require": { "php": ">=5.5.9", "laravel/framework": "5.2.*", "graham-campbell/markdown": "^6.1", "laravelcollective/html": "5.2", "intervention/image": "^2.3" }, "require-dev": { "fzaninotto/faker": "~1.4", "mockery/mockery": "0.9.*", "phpunit/phpunit": "~4.0", "symfony/css-selector": "2.8.*|3.0.*", "symfony/dom-crawler": "2.8.*|3.0.*" }, "autoload": { "classmap": [ "database" ], "psr-4": { "App\\": "app/" } }, "autoload-dev": { "classmap": [ "tests/TestCase.php" ] }, "scripts": { "post-root-package-install": [ "php -r \"copy('.env.example', '.env');\"" ], "post-create-project-cmd": [ "php artisan key:generate" ], "post-install-cmd": [ "Illuminate\\Foundation\\ComposerScripts::postInstall", "php artisan optimize" ], "post-update-cmd": [ "Illuminate\\Foundation\\ComposerScripts::postUpdate", "php artisan optimize" ] }, "config": { "preferred-install": "dist" } } Update: >>> new App\Http\Kernel() TypeError: Argument 1 passed to Illuminate\Foundation\Http\Kernel::__construct() must implement interface Illuminate\Contracts\Foundation\Application, none given on line 1 >>> App\Http\Kernel() PHP Fatal error: Call to undefined function App\Http\Kernel() in eval()'d code on line 1
certbot SERVFAIL looking up A fordomain
I used certbot to generate a certificate for a domain, it worked great the first time. After that I changed my amazon ec2 instance (amazon linux) for an other region. So I changed the A record for the subdomain and now i can't generate a certificate on the new instance because of DNS issue certbot-auto certonly --debug --standalone -d dev.******.com 2016-07-19 17:03:29,603:DEBUG:certbot.main:Root logging level set at 30 2016-07-19 17:03:29,604:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2016-07-19 17:03:29,604:DEBUG:certbot.main:certbot version: 0.8.1 2016-07-19 17:03:29,604:DEBUG:certbot.main:Arguments: ['--debug', '--standalone', '-d', 'dev.********.com'] 2016-07-19 17:03:29,605:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone) 2016-07-19 17:03:29,609:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None 2016-07-19 17:03:29,804:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone Description: Automatically use a temporary webserver Interfaces: IAuthenticator, IPlugin Entry point: standalone = certbot.plugins.standalone:Authenticator Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f0133b10d10> Prep: True 2016-07-19 17:03:29,806:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f0133b10d10> and installer None 2016-07-19 17:03:29,942:DEBUG:certbot.main:Picked account: <Account(388bf562a96cea8013b7660447da660e)> 2016-07-19 17:03:29,943:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {} 2016-07-19 17:03:29,946:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org 2016-07-19 17:03:30,132:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280 2016-07-19 17:03:30,133:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'A4t6LE9szTZDv0FuCE7bQnICx2zyVtRVeQacSWenKUE', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'VLinxcmE9YznBxpdisr5YqFQqf9KFT3grGMLfwvD3Jg'}. Content: '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}' 2016-07-19 17:03:30,133:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'A4t6LE9szTZDv0FuCE7bQnICx2zyVtRVeQacSWenKUE', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'VLinxcmE9YznBxpdisr5YqFQqf9KFT3grGMLfwvD3Jg'}): '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}' 2016-07-19 17:03:30,134:DEBUG:root:Requesting fresh nonce 2016-07-19 17:03:30,134:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {} 2016-07-19 17:03:30,327:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0 2016-07-19 17:03:30,328:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'zZzFamjI7WOmh85keAw4lLd8laZfe74W1TYq3HNR7mk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'CgmdRQWWj5_PPfveAA7c1o50xkOk3entsaA27xlBwmA'}. Content: '' 2016-07-19 17:03:30,328:DEBUG:acme.client:Storing nonce: '\n\t\x9dE\x05\x96\x8f\x9f\xcf=\xfb\xde\x00\x0e\xdc\xd6\x8et\xc6C\xa4\xdd\xe9\xed\xb1\xa06\xef\x19A\xc2`' 2016-07-19 17:03:30,328:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, challenges=None, expires=None, status=None 2016-07-19 17:03:30,329:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "xxxxxxxxxxxxx.com"}, "resource": "new-authz"} 2016-07-19 17:03:30,330:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), jwk=None, typ=None, jku=None, cty=None, x5tS256=None, x5u=None, alg=None, x5t=None 2016-07-19 17:03:30,332:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonce=None 2016-07-19 17:03:30,332:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "rKDIxM9XKqEZ69kyTl7L6l1OZuEaJRJdSje2z4VC8pJt0sxRJXu32BVy5zC7uKLDmj-pUxcR2N5zAZTD4hJC-CwavEp9IT4zsQacQK1E9aGQOewmAF54_qUJQrZal167BOmMIENKcQ-sbVz1OLAhz85oByCAXwW6T8v5qoXCPYIX7pmgp4IuI4WNBcWeBqFv3Joj78oSReZXCuJId8RqsP5DeYRNpetvqUHijj3JGiQnclnUW2iTRUuiilAkqswDqk4J4uAraLylprTt2iQYA4wLZDaC2Con_u3c62aLpYpK5J2D5ZVoGJANjAzzNfkQAhsun3h3LsXLgfZ0Z2n2aw"}}, "protected": "eyJub25jZSI6ICJDZ21kUlFXV2o1X1BQZnZlQUE3YzFvNTB4a09rM2VudHNhQTI3eGxCd21BIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJkZXYuZGlhZ25ldHdvcmsuY29tIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "lQjyTE1QljLHo1CxV6T94yrPb76ruaGDNd5ZthPI-9-rUDULu8VnCVHqO0v2ZYlfKlZUza80U6-ZFRmw4lGFaB1gK0w_jV7ONIg0dzjkTu8NEdKZ6PcMUuRdZuCbwsln9coIjy_7f5tQ7ukzSbQJXEbz6MTQ-5UALr5ft_JkSLTifwJFGtejzveY3KrpeP4WaI-hGzwLLOxjnFh_tn3Z2NdOqrTWJzGn_rqvlwX0OlG-GvcV6k9a9eK9aSK4T13Vs0N5ZYqX1IbVNHcqbgvoJ50LVUYlWWTDsihrZ4ttQl_onpmy5jRDKuQSeS8B3hVRKhgdmOh4fI9OYLjpd13Ddg"}'} 2016-07-19 17:03:30,629:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1004 2016-07-19 17:03:30,629:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1004', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'PknRp_fwf5o0vaHUpy_53-SwSKCN0Qwk0kBnm15EexI', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'B_6L7ZtDh3CzsQtRO_e8vceSEcbZGihWBGntNZ6h_G0'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxx.com"\n },\n "status": "pending",\n "expires": "2016-07-26T17:03:30.455575285Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}' 2016-07-19 17:03:30,629:DEBUG:acme.client:Storing nonce: '\x07\xfe\x8b\xed\x9bC\x87p\xb3\xb1\x0bQ;\xf7\xbc\xbd\xc7\x92\x11\xc6\xd9\x1a(V\x04i\xed5\x9e\xa1\xfcm' 2016-07-19 17:03:30,630:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1004', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'PknRp_fwf5o0vaHUpy_53-SwSKCN0Qwk0kBnm15EexI', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'B_6L7ZtDh3CzsQtRO_e8vceSEcbZGihWBGntNZ6h_G0'}): '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "pending",\n "expires": "2016-07-26T17:03:30.455575285Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}' 2016-07-19 17:03:30,630:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859'} 2016-07-19 17:03:30,630:INFO:certbot.auth_handler:Performing the following challenges: 2016-07-19 17:03:30,631:INFO:certbot.auth_handler:tls-sni-01 challenge for xxxxxxxxxxxxxxxxxxxx.com 2016-07-19 17:03:30,643:INFO:certbot.auth_handler:Waiting for verification... 2016-07-19 17:03:30,643:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0", "type": "tls-sni-01", "resource": "challenge"} 2016-07-19 17:03:30,644:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), jwk=None, typ=None, jku=None, cty=None, x5tS256=None, x5u=None, alg=None, x5t=None 2016-07-19 17:03:30,646:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonce=None 2016-07-19 17:03:30,646:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "rKDIxM9XKqEZ69kyTl7L6l1OZuEaJRJdSje2z4VC8pJt0sxRJXu32BVy5zC7uKLDmj-pUxcR2N5zAZTD4hJC-CwavEp9IT4zsQacQK1E9aGQOewmAF54_qUJQrZal167BOmMIENKcQ-sbVz1OLAhz85oByCAXwW6T8v5qoXCPYIX7pmgp4IuI4WNBcWeBqFv3Joj78oSReZXCuJId8RqsP5DeYRNpetvqUHijj3JGiQnclnUW2iTRUuiilAkqswDqk4J4uAraLylprTt2iQYA4wLZDaC2Con_u3c62aLpYpK5J2D5ZVoGJANjAzzNfkQAhsun3h3LsXLgfZ0Z2n2aw"}}, "protected": "eyJub25jZSI6ICJCXzZMN1p0RGgzQ3pzUXRST19lOHZjZVNFY2JaR2loV0JHbnROWjZoX0cwIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogImJaanllcTM0LWZfVDRiVWN5MURWaFBibnZfQ2FuU3UxYzVQVWV6cmhqcUkuQjd6dVU0djZVbWcwVEdzOGpPSGxfaWhwdHlMdzlwUHNFMWRSelVab091MCIsICJ0eXBlIjogInRscy1zbmktMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "kZkv-CFLZH31z3kZ1naF7g41XcslUbVBPH42wptZzlov3_rWom-N8appf_eaLQ2P7lMVE89-gyM7fHmoWHl0Gpmkk4Xgmer9L4QdQyVixn60mm-1q6QMsWXT35e7Z7zokfUsOYkXQiEImIwZ0sxBc59dzxGIX7LhDFePZfyeZvH4_P0nUgpCgRqqXTni-O32stAM0i00GxLdg0kikc3UVD09iCU6sUpKpXc3kQHNLlkIkfiNN6zAngBnWDAgSMhquYKas2kk0hxnJw1UguyY9Ieu8Kd6vExi3U-yjGVOL2hVP3LkU46GS8eqvphC1mlndILGM-3VD1UYtwNAIsQt_A"}'} 2016-07-19 17:03:30,902:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860 HTTP/1.1" 202 338 2016-07-19 17:03:30,902:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '338', 'Boulder-Request-Id': 'qq5g3DMMDllSKoWuHRIRSY5oy9RNvpHZ9uF_zzYEeuk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'VHPW9aR8jmuShp8pFrFuxFiQapbdip6SYQNzBaC-b7Y'}. Content: '{\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0"\n}' 2016-07-19 17:03:30,903:DEBUG:acme.client:Storing nonce: 'Ts\xd6\xf5\xa4|\x8ek\x92\x86\x9f)\x16\xb1n\xc4X\x90j\x96\xdd\x8a\x9e\x92a\x03s\x05\xa0\xbeo\xb6' 2016-07-19 17:03:30,903:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '338', 'Boulder-Request-Id': 'qq5g3DMMDllSKoWuHRIRSY5oy9RNvpHZ9uF_zzYEeuk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'VHPW9aR8jmuShp8pFrFuxFiQapbdip6SYQNzBaC-b7Y'}): '{\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0"\n}' 2016-07-19 17:03:33,906:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0. args: (), kwargs: {} 2016-07-19 17:03:34,184:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0 HTTP/1.1" 200 1473 2016-07-19 17:03:34,185:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1473', 'Expires': 'Tue, 19 Jul 2016 17:03:34 GMT', 'Boulder-Request-Id': 'kbximz8gXN1-tbWUpkkxA5s9PyXQMnZ3DM2mztNnv00', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:34 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9rCskcPn_HaHylVaCH-VViSBt78YdDh-I10sX5UlXak'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "invalid",\n "expires": "2016-07-26T17:03:30Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com",\n "status": 400\n },\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0",\n "validationRecord": [\n {\n "hostname": "xxxxxxxxxxxxxxxxxxxx.com",\n "port": "",\n "addressesResolved": null,\n "addressUsed": ""\n }\n ]\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}' 2016-07-19 17:03:34,185:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1473', 'Expires': 'Tue, 19 Jul 2016 17:03:34 GMT', 'Boulder-Request-Id': 'kbximz8gXN1-tbWUpkkxA5s9PyXQMnZ3DM2mztNnv00', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:34 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9rCskcPn_HaHylVaCH-VViSBt78YdDh-I10sX5UlXak'}): '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "invalid",\n "expires": "2016-07-26T17:03:30Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com",\n "status": 400\n },\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0",\n "validationRecord": [\n {\n "hostname": "xxxxxxxxxxxxxxxxxxxx.com",\n "port": "",\n "addressesResolved": null,\n "addressUsed": ""\n }\n ]\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}' 2016-07-19 17:03:34,186:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859'} 2016-07-19 17:03:34,186:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server: Domain: xxxxxxxxxxxxxxxxxxxx.com Type: connection Detail: DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 2016-07-19 17:03:34,186:INFO:certbot.auth_handler:Cleaning up challenges 2016-07-19 17:03:34,187:DEBUG:certbot.plugins.standalone:Stopping server at 0.0.0.0:443... 2016-07-19 17:03:34,646:DEBUG:certbot.main:Exiting abnormally: Traceback (most recent call last): File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module> sys.exit(main()) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 744, in main return config.func(config, plugins) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 555, in obtain_cert _, action = _auth_from_domains(le_client, config, domains, lineage) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 94, in _auth_from_domains lineage = le_client.obtain_and_enroll_certificate(domains) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate certr, chain, key, _ = self.obtain_certificate(domains) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/client.py", line 247, in obtain_certificate self.config.allow_subset_of_names) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 74, in get_authorizations self._respond(resp, best_effort) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 131, in _respond self._poll_challenges(chall_update, best_effort) File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 195, in _poll_challenges raise errors.FailedChallenges(all_failed_achalls) FailedChallenges: Failed authorization procedure. xxxxxxxxxxxxxxxxxxxx.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com If you have an idea.... I'm completly lost
The issue was due to DNSSEC. DNSSEC was activated on the domain because my first registrar could support this option. When I change my registrar for Amazon Route 53, DNSSEC was still activated but Amazon Route 53 don't support this option. Instead of remove the option or a clear warning, Amazon put this information in a tooltip of a lost page... "DNSSEC is activated but not yet supported by Route 53" UI is not their best skill. Thanks for your help anyway !
Two things can happened to result in such error: - You domain DNS records are too new and not listed on all DNS servers yet. If the problem is this, it would be soled by itself if you give it some time such as 2days. - DS record stops your domain from being validated. This was my case and one of my .eu domains couldn't go through Let's Encrypt certbot. I wasn't aware that there is a DS record among my DNS records for this domain. As soon as I removed it, my domain get verified ad installed SSL Certs using certbot. To check for this problem login to your domain panel. Go to DNS Zone File. Look for DS record. Remove and save your Zone File if there is any record there. If this is difficult for you, try to register your domain at cloudflare.com. If your domain has DS record Cloudflare will email you about it. I hope it helps you.