After enabling of tls in our TYK server it runs out of filehandles and stop working - api-gateway
We have enabled tls in our on premise TYK dashboard and gateway after that it runs out of filehandles and stop working
Redirecting to /bin/systemctl status tyk-dashboard.service
tyk-dashboard.service - Tyk API Dashboard Loaded: loaded
(/usr/lib/systemd/system/tyk-dashboard.service; enabled; vendor
preset: disabled) Active: active (running) since Thu 2018-10-18
11:24:32 CEST; 3h 57min ago Main PID: 13062 (tyk-analytics) CGroup:
/system.slice/tyk-dashboard.service └─13062
/opt/tyk-dashboard/tyk-analytics --conf
/opt/tyk-dashboard/tyk_analytics.conf
Oct 18 15:22:00 sktudv01tyk01.ccta.dk tyk-analytics[13062]: 2018/10/18
15:22:00 http: Accept error: accept tcp [::]:3000: accept4: too many
open files; retrying in 1s Oct 18 15:22:01 sktudv01tyk01.ccta.dk
tyk-analytics[13062]: 2018/10/18 15:22:01 http: Accept error: accept
tcp [::]:3000: accept4: too many open files; retrying in 1s
our conf files looks like this
tyk.conf
{
"listen_port": 8443,
"node_secret": "secret",
"secret": "secret",
"template_path": "/opt/tyk-gateway/templates",
"use_db_app_configs": true,
"db_app_conf_options": {
"connection_string": "https://localhost:3000",
"node_is_segmented": false,
"tags": []
},
"disable_dashboard_zeroconf": false,
"app_path": "/opt/tyk-gateway/apps",
"middleware_path": "/opt/tyk-gateway/middleware",
"storage": {
"type": "redis",
"host": "localhost",
"port": 6379,
"username": "",
"password": "",
"database": 0,
"optimisation_max_idle": 2000,
"optimisation_max_active": 4000
},
"enable_analytics": true,
"analytics_config": {
"type": "",
"ignored_ips": [],
"enable_detailed_recording": true,
"enable_geo_ip": false,
"geo_ip_db_path": "",
"normalise_urls": {
"enabled": true,
"normalise_uuids": true,
"normalise_numbers": true,
"custom_patterns": []
}
},
"health_check": {
"enable_health_checks": false,
"health_check_value_timeouts": 60
},
"optimisations_use_async_session_write": true,
"allow_master_keys": false,
"policies": {
"policy_source": "service",
"policy_connection_string": "",
"policy_record_name": "tyk_policies",
"allow_explicit_policy_id": true
},
"hash_keys": true,
"suppress_redis_signal_reload": false,
"use_redis_log": true,
"close_connections": true,
"enable_non_transactional_rate_limiter": true,
"enable_sentinel_rate_limiter": false,
"experimental_process_org_off_thread": false,
"local_session_cache": {
"disable_cached_session_state": false
},
"http_server_options": {
"enable_websockets": true,
"use_ssl": true,
"server_name": "localhost",
"certificates": [
{
"domain_name": "*.ccta.dk",
"cert_file": "/etc/pki/tls/certs/localhost.crt",
"key_file": "/etc/pki/tls/private/localhost.key"
}
],
"ssl_insecure_skip_verify": false
},
"uptime_tests": {
"disable": false,
"config": {
"enable_uptime_analytics": true,
"failure_trigger_sample_size": 2,
"time_wait": 10,
"checker_pool_size": 50
}
},
"hostname": "",
"enable_custom_domains": true,
"enable_jsvm": true,
"oauth_redirect_uri_separator": ";",
"coprocess_options": {
"enable_coprocess": false,
"coprocess_grpc_server": ""
},
"pid_file_location": "./tyk-gateway.pid",
"allow_insecure_configs": true,
"public_key_path": "",
"close_idle_connections": false,
"allow_remote_config": false,
"enable_bundle_downloader": true,
"bundle_base_url": "",
"global_session_lifetime": 100,
"force_global_session_lifetime": false,
"max_idle_connections_per_host": 500
}
our tyk_analytics.conf
{
"listen_port": 3000,
"tyk_api_config": {
"Host": "https://localhost",
"Port": "8443",
"Secret": "secret"
},
"mongo_url": "mongodb://127.0.0.1/tyk_analytics",
"mongo_use_ssl": false,
"mongo_ssl_insecure_skip_verify": false,
"page_size": 10,
"admin_secret": "secret",
"shared_node_secret": "secret",
"redis_port": 6379,
"redis_host": "localhost",
"redis_password": "",
"enable_cluster": false,
"redis_use_ssl": false,
"redis_ssl_insecure_skip_verify": false,
"force_api_defaults": false,
"notify_on_change": true,
"license_key": "secret",
"redis_database": 0,
"redis_hosts": null,
"hash_keys": true,
"email_backend": {
"enable_email_notifications": false,
"code": "",
"settings": null,
"default_from_email": "",
"default_from_name": "",
"dashboard_hostname": ""
},
"hide_listen_path": false,
"sentry_code": "",
"sentry_js_code": "",
"use_sentry": false,
"enable_master_keys": false,
"enable_duplicate_slugs": true,
"show_org_id": true,
"host_config": {
"enable_host_names": true,
"disable_org_slug_prefix": true,
"hostname": "localhost",
"override_hostname": "localhost",
"portal_domains": {},
"portal_root_path": "/portal",
"generate_secure_paths": false,
"secure_cookies": false,
"use_strict_hostmatch": false
},
"http_server_options": {
"use_ssl": true,
"servername": "localhost",
"certificates": [
{
"domain_name": "*.ccta.dk",
"cert_file": "/etc/pki/tls/certs/dev.api.data.ccta.dk.crt",
"key_file": "/etc/pki/tls/private/dev.api.data.ccta.dk.key"
}
],
"min_version": 0
},
"security": {
"allow_admin_reset_password": false,
"login_failure_username_limit": 0,
"login_failure_ip_limit": 0,
"login_failure_expiration": 0,
"audit_log_path": "/var/log/tyk/tyk-audit.log"
},
"ui": {
"languages": {
"Chinese": "cn",
"English": "en",
"French": "fr",
"Korean": "ko"
},
"hide_help": false,
"default_lang": "en",
"login_page": {},
"nav": {},
"uptime": {},
"portal_section": null,
"designer": {},
"dont_show_admin_sockets": false,
"dont_allow_license_management": false,
"dont_allow_license_management_view": false,
"cloud": false
},
"home_dir": "/opt/tyk-dashboard",
"identity_broker": {
"enabled": false,
"host": {
"connection_string": "http://localhost:3010",
"secret": "secret"
}
},
"tagging_options": {
"tag_all_apis_by_org": false
},
"use_sharded_analytics": false,
"enable_aggregate_lookups": true,
"enable_analytics_cache": false,
"aggregate_lookup_cutoff": "01/07/2016",
"maintenance_mode": false,
"allow_explicit_policy_id": false,
"private_key_path": "",
"node_schema_path": "",
"oauth_redirect_uri_separator": ";",
"statsd_connection_string": "",
"statsd_prefix": "",
"disable_parallel_sessions": false,
"dashboard_session_lifetime": 0,
"alternative_dashboard_url": "",
"sso_permission_defaults": null,
"sso_default_group_id": "",
"sso_custom_login_url": "",
"sso_custom_portal_login_url": "",
"notifications_listen_port": 5000,
"portal_session_lifetime": 0,
"enable_delete_key_by_hash": false
}
cat /proc/981/limits Limit Soft Limit
Hard Limit Units Max cpu time unlimited
unlimited seconds Max file size unlimited
unlimited bytes Max data size unlimited
unlimited bytes Max stack size 8388608
unlimited bytes Max core file size 0
unlimited bytes Max resident set unlimited
unlimited bytes Max processes 31191
31191 processes Max open files 1024
4096 files Max locked memory 65536
65536 bytes Max address space unlimited
unlimited bytes Max file locks unlimited
unlimited locks Max pending signals 31191
31191 signals Max msgqueue size 819200
819200 bytes Max nice priority 0
0 Max realtime priority 0 0 Max realtime
timeout unlimited unlimited us
Number of file handles when it failed again with Oct 23 13:04:34
sktudv01tyk01 tyk-analytics: 2018/10/23 13:04:34 http: Accept error:
accept tcp [::]:3000: accept4: too many open files; retrying in 1s
lsof | wc -l
31677
cat /usr/lib/systemd/system/tyk-gateway.service
[Unit]
Description=Tyk API Gateway
[Service]
Type=simple
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/tyk-gateway
EnvironmentFile=-/etc/sysconfig/tyk-gateway
ExecStart=/opt/tyk-gateway/tyk --conf /opt/tyk-gateway/tyk.conf
Restart=always
WorkingDirectory=/opt/tyk-gateway
RuntimeDirectory=tyk
RuntimeDirectoryMode=0770
LimitNOFILE=80000
[Install]
WantedBy=multi-user.target
OS settings ( centos )
# /etc/security/limits.conf
* hard maxlogins 10
* soft nproc 80000
* hard nproc 80000
* soft nofile 80000
* hard nofile 80000
root soft nproc 80000
root hard nproc 80000
root soft nofile 80000
root hard nofile 80000
and in sysctl.conf i added
fs.file-max=80000
When i restart the tyk-dashboard i can login using https and my api's respond ok on https but after some minuttes it runs out of file handles
What do i need to change here, when starting dashboard alone everything is steady and running well, no errors in my log. But when i start the gateway my numbers of open files increase every second
gateway startup log
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Setting up analytics normaliser"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="PIDFile location set to: ./tyk-gateway.pid"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Initialising Tyk REST API Endpoints"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=warning msg="Default secret `secret` should be changed for production."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=warning msg="Default node_secret `secret` should be changed for production."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Redis connection pools are ready after number of retires" currRetry=0
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Redis connection pools are ready"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="--> Using SSL (https)"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Setting up Server"
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=info msg="Registering node."
Oct 24 08:55:36 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:36" level=error msg="Response failed with code 404; retrying in 5s"
Oct 24 08:55:37 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:37" level=warning msg="Insecure configuration detected (allowing)!"
Oct 24 08:55:37 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:37" level=info msg="Hostname set with dashboard zeroconf signal"
Oct 24 08:55:41 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:41" level=error msg="Response failed with code 404; retrying in 5s"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Node registered" id=10321add-ffb6-40c5-4692-c2035ee2760d
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Gateway started (v2.7.3)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Initialising distributed rate limiter"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> Listening on address: (open interface)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> Listening on port: 8443"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="--> PID: 10135"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Starting gateway rate limiter notifications..."
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading policies"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Using Policies from Dashboard Service"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Mutex lock acquired... calling"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Calling dashboard service for policy list"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Processing policy list"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Policies found (0 total):"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Detected 8 APIs"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Preparing new router"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Initialising Tyk REST API Endpoints"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API configurations."
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="Robotics - fast excel API #rpa" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="gulapi_aarsopg #Gul" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="rpaqlik_prod #rpa #prod" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=awsvalues domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="rpaqlik #rpa" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=postman domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name=simons domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Tracking hostname" api_name="eboks #eboks #java #dropwizard" domain="(no host)"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="eboks #eboks #java #dropwizard"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="Robotics - fast excel API #rpa"
Oct 24 08:55:46 sktudv01tyk01.ccta.dk tyk[10135]: time="Oct 24 08:55:46" level=info msg="Loading API" api_name="gulapi_aarsopg #Gul"
lines 7537-7582/7616 100%
If you are using SystemD, ensure that it does not mess with your file handler settings, by checking process limits like this: cat /proc/<pid>/limits. And if you find anomalies follow this guide https://tyk.io/docs/deploy-tyk-premise-production/#file-handles
Additionally your "db_app_conf_options.connection_string" is empty, instead it should point to the dashboard.
Also, you configured Gateway to use TLS, but in Dashboard config it still points to "http", and same for Gateway port.
Hope it helps.
Related
Custom app in Microsoft Teams can't connect to it's own API from desktop app
I am trying to embed our app into Teams. We have it working from the web version of MS Teams. However when we try it from the MS Teams desktop app, our app's tab is unable to communicate with our API saying net::ERR_BLOCKED_BY_RESPONSE for all XHR requests the app tries to make to the API. The OPTIONS request seems to get some response headers back but is still listed as failed (see header below)
What is blocking the requests in the Desktop app? We have tried various security header changes and disabling our apps service worker among other things but to no avail. The application loads fine (we have the iframe enabling headers set in the CSP - see below). It's just the communication with the API that is blocked.
Application details that we are embedding in the MS Teams APP as a custom app
Progressive web app
Angular v13 with
Angular routing strategy (useHash = false)
API is REST based
NB: The app tab works in the mobile app version of teams on iOS as well as on the web version
Response headers that are returned by the API we are trying to talk to on the OPTIONS request
access-control-allow-headers: Content-Type, Authorization, V, D
access-control-allow-methods: OPTIONS, GET, POST, DELETE, PUT
access-control-allow-origin: https://**redacted**
access-control-max-age: 86400
cache-control: no-cache
content-length: 0
date: Wed, 12 Jan 2022 00:14:44 GMT
permissions-policy: geolocation=()
referrer-policy: no-referrer
server: CloudFront
status: 200
strict-transport-security: max-age=31536000; includeSubDomains
vary: Origin
via: 1.1 **redacted**.cloudfront.net (CloudFront)
x-amz-cf-id: **redacted**
x-amz-cf-pop: SYD62-P1
x-cache: Miss from cloudfront
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Headers and CSP on the application (SPA)
age: 6
cache-control: no-cache
content-encoding: br
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.**redacted**.com https://**redacted**.app https://*.**redacted**.app; connect-src https://*.**redacted**.com https://**redacted**.app https://*.**redacted**.app; object-src 'none'; frame-ancestors teams.microsoft.com *.office.com outlook.office.com outlook.office365.com
content-type: text/html
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
date: Wed, 12 Jan 2022 00:22:58 GMT
etag: **redacted**
expect-ct: max-age=0, report-uri="https://**redacted**.report-uri.com/r/d/ct/reportOnly"
last-modified: Tue, 11 Jan 2022 23:27:02 GMT
permissions-policy: geolocation=()
referrer-policy: no-referrer-when-downgrade
server: CloudFront
status: 304
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding
via: 1.1 **redacted**.cloudfront.net (CloudFront)
x-amz-cf-id: **redacted**
x-amz-cf-pop: SYD62-P1
x-cache: Hit from cloudfront
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
The manifest, currently setup with a configure page that adds a tab after choosing our customer account name which generates the url for the tab.
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
"manifestVersion": "1.11",
"version": "4.1.8",
"id": "***",
"packageName": "app.***",
"developer": {
"name": "*** Pty Limited",
"websiteUrl": "https://www.***.com",
"privacyUrl": "https://www.***.com/privacy",
"termsOfUseUrl": "https://***.com/resources/20201019+***+Terms+and+Conditions.pdf"
},
"icons": {
"color": "color.png",
"outline": "outline.png"
},
"name": {
"short": "***",
"full": "*** For Microsoft Teams"
},
"description": {
"short": "***",
"full": "***"
},
"accentColor": "#F9F9FA",
"configurableTabs": [
{
"configurationUrl": "https://dev.***.app/ms-teams/teams-configure.html",
"canUpdateConfiguration": true,
"scopes": [
"team"
],
"context": [
"channelTab"
],
"supportedSharePointHosts": [
"sharePointFullPage"
]
}
],
"permissions": [
"identity",
"messageTeamMembers"
],
"validDomains": [
"dev.***.app",
"*.dev.***.app",
"*.teams.***.app",
"api.test.***.com",
"api.***.com",
"*.test.***.app",
"*.***.app"
]
}
Multiple Set-Cookie headers ignored by API Gateway in combination with Lambda integration and CloudFront
My setup looks like this:
|––––––––––––| |–––––––––––––| |–––––––––––––––––|
| | <- origin 1 -> | API Gateway | <-> | Lambda function |
| | |–––––––––––––| |–––––––––––––––––|
| CloudFront |
| | |–––––––––––––|
| | <- origin 2 -> | S3 bucket |
|––––––––––––| |–––––––––––––|
I need CloudFront in front of the API Gateway to get automatic http->https redirection.
I'm using a custom login.example.com subdomain w/ CloudFront.
API Gateway's generated URL is the origin 1 for CloudFront distribution.
This all works as expected.
I can even return one Set-Cookie header from the lambda function and it will get passed on until it reaches the browser.
{
"statusCode": 302,
"body": "",
"headers": {
"location": "/test",
"surrogate-control": "no-store",
"cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate",
"pragma": "no-cache",
"expires": "0",
"content-length": "0",
"date": "Fri, 19 Feb 2021 17:25:56 GMT",
"connection": "keep-alive",
"set-cookie": "cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict"
},
"isBase64Encoded": false
}
Adding another one isn't working - as expected when you look at the docs:
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#apigateway-multivalue-headers-and-parameters
https://aws.amazon.com/blogs/compute/support-for-multi-value-parameters-in-amazon-api-gateway/
{
"statusCode": 302,
"headers": {
"location": "/test",
"set-cookie": [
"cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict",
"cookie2-login=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure"
],
"surrogate-control": "no-store",
"cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate",
"pragma": "no-cache",
"expires": "0",
"content-length": "0"
}
}
Both of these will be ignored/removed.
But even when I'm using the multiValueHeaders object to return more than one of the same kind like this:
{
"statusCode": 302,
"body": "",
"headers": {
"location": "/test",
"surrogate-control": "no-store",
"cache-control": "no-store, no-cache, must-revalidate, proxy-revalidate",
"pragma": "no-cache",
"expires": "0",
"content-length": "0",
"date": "Fri, 19 Feb 2021 17:25:56 GMT",
"connection": "keep-alive"
},
"isBase64Encoded": false,
"multiValueHeaders": {
"Set-Cookie": [
"cookie1=68abcdbefbef7d84c26e68; Max-Age=2592000; Domain=example.com; Path=/; HttpOnly; Secure; SameSite=Strict",
"cookie2-login=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure"
]
}
}
the API Gateway removes/ignores them from the response it passes on to CloudFront.
What am I doing wrong?
Do I have to map something in the API Gateway when using the multiValueHeaders?
Normal headers['set-cookie'] is passed on automatically but multiValueHeaders not?
Are the additional attributes a problem?
Is it a problem that I'm trying to set the cookie for the root-domain and not the login.example.com domain?
Not sure how Philipp missed this, as it was on the same page he cited:
To customize the response, your Lambda function should return a response with the following format.
{
"cookies" : ["cookie1", "cookie2"],
"isBase64Encoded": true|false,
"statusCode": httpStatusCode,
"headers": { "headername": "headervalue", ... },
"body": "Hello from Lambda!"
}
So just return cookies: ['name=value', 'name=value']
Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html#http-api-develop-integrations-lambda.v2
Finally found the answer myself: The new payload format (2.0) does not support multiValueHeaders. Working with AWS Lambda proxy integrations for HTTP APIs [...] Format 2.0 doesn't have multiValueHeaders or multiValueQueryStringParameters fields. Duplicate headers are combined with commas and included in the headers field. Duplicate query strings are combined with commas and included in the queryStringParameters field. [...] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html So I'm rewriting the set-cookie headers to different spellings: Set-cookie sEt-cookie seT-cookie That was the way you had to do it before there were multiValueHeaders - but it seems it is still the only when you're using the new payload format :(
Hubot - Botframework - MS Teams - Not responding
I have created a localhost-based Hubot and used Botframework as adapter. I created a MS bot account. I also created a new app using app studio in MS Teams. I then side loaded it. I started ngrok and I started everything up. I can see the bot is online in Teams. But when I sent a command to bot, it accepts the message but does not respond. In the log it looks like it's responding but I don't see the response in the Teams channel or #mention. Please see the log below
[Mon Jun 24 2019 17:39:51 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:39:51 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: TextMiddleware toReceivable
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toReceivable
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:39:57 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toReceivable
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: send
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: reply
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
[Mon Jun 24 2019 17:40:36 GMT-0400 (Eastern Daylight Time)] INFO hubot-msteams: toSendable
App manifest:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.5/MicrosoftTeams.schema.json",
"manifestVersion": "1.5",
"version": "1.0.0",
"id": "xxxxxxxx",
"packageName": "com.tech.bot",
"developer": {
"name": "user",
"websiteUrl": "https://mm.com",
"privacyUrl": "https://mm.com/privacy",
"termsOfUseUrl": "https://mm.com/terms"
},
"icons": {
"color": "color.png",
"outline": "outline.png"
},
"name": {
"short": "techbot",
"full": ""
},
"description": {
"short": "bot for techbot",
"full": "bot for techbot"
},
"accentColor": "#FFFFFF",
"bots": [
{
"botId": "xxxxxxxxd",
"scopes": [
"personal",
"team",
"groupchat"
],
"commandLists": [
{
"scopes": [
"personal"
],
"commands": [
{
"title": "hi",
"description": "How are u!!!"
}
]
},
{
"scopes": [
"team"
],
"commands": [
{
"title": "hi",
"description": "Greet!!!"
},
{
"title": "hi",
"description": "How are u!!!"
}
]
},
{
"scopes": [
"groupchat"
],
"commands": [
{
"title": "hi",
"description": "Greet!!!"
},
{
"title": "hi",
"description": "How are u!!!"
}
]
}
],
"supportsFiles": false,
"isNotificationOnly": false
}
],
"permissions": [
"identity",
"messageTeamMembers"
],
"validDomains": []
}
The debug log shows below
express:router dispatching POST /api/messages +44s
express:router query : /api/messages +0ms
express:router expressInit : /api/messages +0ms
express:router <anonymous> : /api/messages +1ms
express:router query : /api/messages +0ms
express:router jsonParser : /api/messages +0ms
body-parser:json content-type "application/json; charset=utf-8" +0ms
body-parser:json content-encoding "identity" +1ms
body-parser:json read body +0ms
body-parser:json parse body +0ms
body-parser:json parse json +0ms
express:router urlencodedParser : /api/messages +0ms
body-parser:urlencoded body already parsed +0ms
express:router multipart : /api/messages +0ms
[Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: onBotEvents
[Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-adapter: Handling activity Channel: msteams; type: message
[Wed Jun 26 2019 08:33:32 GMT-0400 (Eastern Daylight Time)] INFO hubot-botframework-middleware: creating middleware...
finalhandler cannot 404 after headers sent +6ms
Kernel.php doesn't exist Laravel 5
I'm following one tutorial while learning laravel but currently I've got this error
Fatal error: Uncaught ReflectionException: Class App\Http\Kernel does not exist in /var/www/html/cms/vendor/laravel/framework/src/Illuminate/Container/Container.php:734
The class does exist in app/Http/Kernel.php.
Those are permissions of the file
-rw-rw-r-- 1 ivan www-data 1537 nov 26 2016 Kernel.php
Those are permission on whole directory files
-rw-rw-r-- 1 ivan www-data 567 nov 26 2016 server.php
-rw-rw-r-- 1 ivan www-data 1918 nov 26 2016 readme.md
-rw-rw-r-- 1 ivan www-data 1026 nov 26 2016 phpunit.xml
-rw-rw-r-- 1 ivan www-data 212 nov 26 2016 package.json
-rw-rw-r-- 1 ivan www-data 503 nov 26 2016 gulpfile.js
-rw-rw-r-- 1 ivan www-data 1395 nov 26 2016 composer.json
-rw-rw-r-- 1 ivan www-data 1646 nov 26 2016 artisan
drwxr-x--- 2 ivan www-data 4096 jan 19 20:06 tests
drwxrwxrwx 5 ivan www-data 4096 jan 19 20:06 storage
drwxr-x--- 5 ivan www-data 4096 jan 19 20:06 resources
drwxr-x--- 7 ivan www-data 4096 jan 19 20:06 public
drwxr-x--- 5 ivan www-data 4096 jan 19 20:06 database
drwxr-x--- 11 ivan www-data 4096 jan 19 20:06 app
-rw-rw-r-- 1 ivan www-data 127324 jun 2 15:27 composer.lock
drwxr-x--- 2 ivan www-data 4096 jun 2 15:29 config
drwxr-x--- 3 ivan www-data 4096 jun 2 15:44 bootstrap
drwxr-xr-x 33 ivan www-data 4096 jun 2 15:48 vendor
When I run in my terminal php artisan serve and tried to load the site on http://localhost:8000 site is running.
What can be the problem here?
Kernel.php
<?php
namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
{
....
Update: Kernel.php from console/
<?php
namespace App\Console;
use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;
class Kernel extends ConsoleKernel
{
Update: composer.json
{
"name": "laravel/laravel",
"description": "The Laravel Framework.",
"keywords": ["framework", "laravel"],
"license": "MIT",
"type": "project",
"require": {
"php": ">=5.5.9",
"laravel/framework": "5.2.*",
"graham-campbell/markdown": "^6.1",
"laravelcollective/html": "5.2",
"intervention/image": "^2.3"
},
"require-dev": {
"fzaninotto/faker": "~1.4",
"mockery/mockery": "0.9.*",
"phpunit/phpunit": "~4.0",
"symfony/css-selector": "2.8.*|3.0.*",
"symfony/dom-crawler": "2.8.*|3.0.*"
},
"autoload": {
"classmap": [
"database"
],
"psr-4": {
"App\\": "app/"
}
},
"autoload-dev": {
"classmap": [
"tests/TestCase.php"
]
},
"scripts": {
"post-root-package-install": [
"php -r \"copy('.env.example', '.env');\""
],
"post-create-project-cmd": [
"php artisan key:generate"
],
"post-install-cmd": [
"Illuminate\\Foundation\\ComposerScripts::postInstall",
"php artisan optimize"
],
"post-update-cmd": [
"Illuminate\\Foundation\\ComposerScripts::postUpdate",
"php artisan optimize"
]
},
"config": {
"preferred-install": "dist"
}
}
Update:
>>> new App\Http\Kernel()
TypeError: Argument 1 passed to Illuminate\Foundation\Http\Kernel::__construct() must implement interface Illuminate\Contracts\Foundation\Application, none given on line 1
>>> App\Http\Kernel()
PHP Fatal error: Call to undefined function App\Http\Kernel() in eval()'d code on line 1
certbot SERVFAIL looking up A fordomain
I used certbot to generate a certificate for a domain, it worked great the first time.
After that I changed my amazon ec2 instance (amazon linux) for an other region. So I changed the A record for the subdomain and now i can't generate a certificate on the new instance because of DNS issue
certbot-auto certonly --debug --standalone -d dev.******.com
2016-07-19 17:03:29,603:DEBUG:certbot.main:Root logging level set at 30
2016-07-19 17:03:29,604:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-07-19 17:03:29,604:DEBUG:certbot.main:certbot version: 0.8.1
2016-07-19 17:03:29,604:DEBUG:certbot.main:Arguments: ['--debug', '--standalone', '-d', 'dev.********.com']
2016-07-19 17:03:29,605:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-07-19 17:03:29,609:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2016-07-19 17:03:29,804:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f0133b10d10>
Prep: True
2016-07-19 17:03:29,806:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f0133b10d10> and installer None
2016-07-19 17:03:29,942:DEBUG:certbot.main:Picked account: <Account(388bf562a96cea8013b7660447da660e)>
2016-07-19 17:03:29,943:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-07-19 17:03:29,946:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-07-19 17:03:30,132:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
2016-07-19 17:03:30,133:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'A4t6LE9szTZDv0FuCE7bQnICx2zyVtRVeQacSWenKUE', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'VLinxcmE9YznBxpdisr5YqFQqf9KFT3grGMLfwvD3Jg'}. Content: '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-07-19 17:03:30,133:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'A4t6LE9szTZDv0FuCE7bQnICx2zyVtRVeQacSWenKUE', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'VLinxcmE9YznBxpdisr5YqFQqf9KFT3grGMLfwvD3Jg'}): '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-07-19 17:03:30,134:DEBUG:root:Requesting fresh nonce
2016-07-19 17:03:30,134:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-07-19 17:03:30,327:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-07-19 17:03:30,328:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'zZzFamjI7WOmh85keAw4lLd8laZfe74W1TYq3HNR7mk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'CgmdRQWWj5_PPfveAA7c1o50xkOk3entsaA27xlBwmA'}. Content: ''
2016-07-19 17:03:30,328:DEBUG:acme.client:Storing nonce: '\n\t\x9dE\x05\x96\x8f\x9f\xcf=\xfb\xde\x00\x0e\xdc\xd6\x8et\xc6C\xa4\xdd\xe9\xed\xb1\xa06\xef\x19A\xc2`'
2016-07-19 17:03:30,328:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, challenges=None, expires=None, status=None
2016-07-19 17:03:30,329:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "xxxxxxxxxxxxx.com"}, "resource": "new-authz"}
2016-07-19 17:03:30,330:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), jwk=None, typ=None, jku=None, cty=None, x5tS256=None, x5u=None, alg=None, x5t=None
2016-07-19 17:03:30,332:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonce=None
2016-07-19 17:03:30,332:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "rKDIxM9XKqEZ69kyTl7L6l1OZuEaJRJdSje2z4VC8pJt0sxRJXu32BVy5zC7uKLDmj-pUxcR2N5zAZTD4hJC-CwavEp9IT4zsQacQK1E9aGQOewmAF54_qUJQrZal167BOmMIENKcQ-sbVz1OLAhz85oByCAXwW6T8v5qoXCPYIX7pmgp4IuI4WNBcWeBqFv3Joj78oSReZXCuJId8RqsP5DeYRNpetvqUHijj3JGiQnclnUW2iTRUuiilAkqswDqk4J4uAraLylprTt2iQYA4wLZDaC2Con_u3c62aLpYpK5J2D5ZVoGJANjAzzNfkQAhsun3h3LsXLgfZ0Z2n2aw"}}, "protected": "eyJub25jZSI6ICJDZ21kUlFXV2o1X1BQZnZlQUE3YzFvNTB4a09rM2VudHNhQTI3eGxCd21BIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJkZXYuZGlhZ25ldHdvcmsuY29tIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "lQjyTE1QljLHo1CxV6T94yrPb76ruaGDNd5ZthPI-9-rUDULu8VnCVHqO0v2ZYlfKlZUza80U6-ZFRmw4lGFaB1gK0w_jV7ONIg0dzjkTu8NEdKZ6PcMUuRdZuCbwsln9coIjy_7f5tQ7ukzSbQJXEbz6MTQ-5UALr5ft_JkSLTifwJFGtejzveY3KrpeP4WaI-hGzwLLOxjnFh_tn3Z2NdOqrTWJzGn_rqvlwX0OlG-GvcV6k9a9eK9aSK4T13Vs0N5ZYqX1IbVNHcqbgvoJ50LVUYlWWTDsihrZ4ttQl_onpmy5jRDKuQSeS8B3hVRKhgdmOh4fI9OYLjpd13Ddg"}'}
2016-07-19 17:03:30,629:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1004
2016-07-19 17:03:30,629:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1004', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'PknRp_fwf5o0vaHUpy_53-SwSKCN0Qwk0kBnm15EexI', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'B_6L7ZtDh3CzsQtRO_e8vceSEcbZGihWBGntNZ6h_G0'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxx.com"\n },\n "status": "pending",\n "expires": "2016-07-26T17:03:30.455575285Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}'
2016-07-19 17:03:30,629:DEBUG:acme.client:Storing nonce: '\x07\xfe\x8b\xed\x9bC\x87p\xb3\xb1\x0bQ;\xf7\xbc\xbd\xc7\x92\x11\xc6\xd9\x1a(V\x04i\xed5\x9e\xa1\xfcm'
2016-07-19 17:03:30,630:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1004', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Boulder-Request-Id': 'PknRp_fwf5o0vaHUpy_53-SwSKCN0Qwk0kBnm15EexI', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'B_6L7ZtDh3CzsQtRO_e8vceSEcbZGihWBGntNZ6h_G0'}): '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "pending",\n "expires": "2016-07-26T17:03:30.455575285Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}'
2016-07-19 17:03:30,630:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859'}
2016-07-19 17:03:30,630:INFO:certbot.auth_handler:Performing the following challenges:
2016-07-19 17:03:30,631:INFO:certbot.auth_handler:tls-sni-01 challenge for xxxxxxxxxxxxxxxxxxxx.com
2016-07-19 17:03:30,643:INFO:certbot.auth_handler:Waiting for verification...
2016-07-19 17:03:30,643:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0", "type": "tls-sni-01", "resource": "challenge"}
2016-07-19 17:03:30,644:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), jwk=None, typ=None, jku=None, cty=None, x5tS256=None, x5u=None, alg=None, x5t=None
2016-07-19 17:03:30,646:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonce=None
2016-07-19 17:03:30,646:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "rKDIxM9XKqEZ69kyTl7L6l1OZuEaJRJdSje2z4VC8pJt0sxRJXu32BVy5zC7uKLDmj-pUxcR2N5zAZTD4hJC-CwavEp9IT4zsQacQK1E9aGQOewmAF54_qUJQrZal167BOmMIENKcQ-sbVz1OLAhz85oByCAXwW6T8v5qoXCPYIX7pmgp4IuI4WNBcWeBqFv3Joj78oSReZXCuJId8RqsP5DeYRNpetvqUHijj3JGiQnclnUW2iTRUuiilAkqswDqk4J4uAraLylprTt2iQYA4wLZDaC2Con_u3c62aLpYpK5J2D5ZVoGJANjAzzNfkQAhsun3h3LsXLgfZ0Z2n2aw"}}, "protected": "eyJub25jZSI6ICJCXzZMN1p0RGgzQ3pzUXRST19lOHZjZVNFY2JaR2loV0JHbnROWjZoX0cwIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogImJaanllcTM0LWZfVDRiVWN5MURWaFBibnZfQ2FuU3UxYzVQVWV6cmhqcUkuQjd6dVU0djZVbWcwVEdzOGpPSGxfaWhwdHlMdzlwUHNFMWRSelVab091MCIsICJ0eXBlIjogInRscy1zbmktMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "kZkv-CFLZH31z3kZ1naF7g41XcslUbVBPH42wptZzlov3_rWom-N8appf_eaLQ2P7lMVE89-gyM7fHmoWHl0Gpmkk4Xgmer9L4QdQyVixn60mm-1q6QMsWXT35e7Z7zokfUsOYkXQiEImIwZ0sxBc59dzxGIX7LhDFePZfyeZvH4_P0nUgpCgRqqXTni-O32stAM0i00GxLdg0kikc3UVD09iCU6sUpKpXc3kQHNLlkIkfiNN6zAngBnWDAgSMhquYKas2kk0hxnJw1UguyY9Ieu8Kd6vExi3U-yjGVOL2hVP3LkU46GS8eqvphC1mlndILGM-3VD1UYtwNAIsQt_A"}'}
2016-07-19 17:03:30,902:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860 HTTP/1.1" 202 338
2016-07-19 17:03:30,902:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '338', 'Boulder-Request-Id': 'qq5g3DMMDllSKoWuHRIRSY5oy9RNvpHZ9uF_zzYEeuk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'VHPW9aR8jmuShp8pFrFuxFiQapbdip6SYQNzBaC-b7Y'}. Content: '{\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0"\n}'
2016-07-19 17:03:30,903:DEBUG:acme.client:Storing nonce: 'Ts\xd6\xf5\xa4|\x8ek\x92\x86\x9f)\x16\xb1n\xc4X\x90j\x96\xdd\x8a\x9e\x92a\x03s\x05\xa0\xbeo\xb6'
2016-07-19 17:03:30,903:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '338', 'Boulder-Request-Id': 'qq5g3DMMDllSKoWuHRIRSY5oy9RNvpHZ9uF_zzYEeuk', 'Expires': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860', 'Pragma': 'no-cache', 'Boulder-Requester': '2692481', 'Date': 'Tue, 19 Jul 2016 17:03:30 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'VHPW9aR8jmuShp8pFrFuxFiQapbdip6SYQNzBaC-b7Y'}): '{\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0"\n}'
2016-07-19 17:03:33,906:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0. args: (), kwargs: {}
2016-07-19 17:03:34,184:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0 HTTP/1.1" 200 1473
2016-07-19 17:03:34,185:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1473', 'Expires': 'Tue, 19 Jul 2016 17:03:34 GMT', 'Boulder-Request-Id': 'kbximz8gXN1-tbWUpkkxA5s9PyXQMnZ3DM2mztNnv00', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:34 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9rCskcPn_HaHylVaCH-VViSBt78YdDh-I10sX5UlXak'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "invalid",\n "expires": "2016-07-26T17:03:30Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com",\n "status": 400\n },\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0",\n "validationRecord": [\n {\n "hostname": "xxxxxxxxxxxxxxxxxxxx.com",\n "port": "",\n "addressesResolved": null,\n "addressUsed": ""\n }\n ]\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}'
2016-07-19 17:03:34,185:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1473', 'Expires': 'Tue, 19 Jul 2016 17:03:34 GMT', 'Boulder-Request-Id': 'kbximz8gXN1-tbWUpkkxA5s9PyXQMnZ3DM2mztNnv00', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 19 Jul 2016 17:03:34 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9rCskcPn_HaHylVaCH-VViSBt78YdDh-I10sX5UlXak'}): '{\n "identifier": {\n "type": "dns",\n "value": "xxxxxxxxxxxxxxxxxxxx.com"\n },\n "status": "invalid",\n "expires": "2016-07-26T17:03:30Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859",\n "token": "6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI"\n },\n {\n "type": "tls-sni-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com",\n "status": 400\n },\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466860",\n "token": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI",\n "keyAuthorization": "bZjyeq34-f_T4bUcy1DVhPbnv_CanSu1c5PUezrhjqI.B7zuU4v6Umg0TGs8jOHl_ihptyLw9pPsE1dRzUZoOu0",\n "validationRecord": [\n {\n "hostname": "xxxxxxxxxxxxxxxxxxxx.com",\n "port": "",\n "addressesResolved": null,\n "addressUsed": ""\n }\n ]\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466861",\n "token": "G581_pOSgF203q69BWk8tmHt1YH8lMLAidtBBQ90vnQ"\n }\n ],\n "combinations": [\n [\n 0\n ],\n [\n 2\n ],\n [\n 1\n ]\n ]\n}'
2016-07-19 17:03:34,186:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'6Z6vCV4zSvxn5U6WxpUcf2imTMT5kLj7rbRN5fmF9GI', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/C8A3Age_Z-MjpcLCotd2af-iWSl02mOqRcBgpacQSw0/184466859'}
2016-07-19 17:03:34,186:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: xxxxxxxxxxxxxxxxxxxx.com
Type: connection
Detail: DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-07-19 17:03:34,186:INFO:certbot.auth_handler:Cleaning up challenges
2016-07-19 17:03:34,187:DEBUG:certbot.plugins.standalone:Stopping server at 0.0.0.0:443...
2016-07-19 17:03:34,646:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 744, in main
return config.func(config, plugins)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 555, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 94, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/client.py", line 247, in obtain_certificate
self.config.allow_subset_of_names)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 74, in get_authorizations
self._respond(resp, best_effort)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 131, in _respond
self._poll_challenges(chall_update, best_effort)
File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 195, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. xxxxxxxxxxxxxxxxxxxx.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for xxxxxxxxxxxxxxxxxxxx.com
If you have an idea.... I'm completly lost
The issue was due to DNSSEC. DNSSEC was activated on the domain because my first registrar could support this option. When I change my registrar for Amazon Route 53, DNSSEC was still activated but Amazon Route 53 don't support this option. Instead of remove the option or a clear warning, Amazon put this information in a tooltip of a lost page... "DNSSEC is activated but not yet supported by Route 53" UI is not their best skill. Thanks for your help anyway !
Two things can happened to result in such error: - You domain DNS records are too new and not listed on all DNS servers yet. If the problem is this, it would be soled by itself if you give it some time such as 2days. - DS record stops your domain from being validated. This was my case and one of my .eu domains couldn't go through Let's Encrypt certbot. I wasn't aware that there is a DS record among my DNS records for this domain. As soon as I removed it, my domain get verified ad installed SSL Certs using certbot. To check for this problem login to your domain panel. Go to DNS Zone File. Look for DS record. Remove and save your Zone File if there is any record there. If this is difficult for you, try to register your domain at cloudflare.com. If your domain has DS record Cloudflare will email you about it. I hope it helps you.