I just installed boringproxy on a fresh server, but after giving DNS and email I get the following error: “no solvers available for remaining challenges”
What I was trying:
Install boringproxy on a fresh Ubuntu 20.04 LTS Server with a dedicated DNS.
What I expected:
→ Successfully acquired admin certificate
Here are my last commands:
wget https://github.com/boringproxy/boringproxy/releases/download/v0.8.2/boringproxy-linux-x86_64
chmod +x boringproxy-linux-x86_64
mv boringproxy-linux-x86_64 boringproxy
sudo setcap cap_net_bind_service=+ep boringproxy
sudo ufw allow 80 443
sudo ufw status
sudo nano /etc/ssh/sshd_config (changed GatewayPorts to clientspecified)
sudo service sshd restart
sudo service sshd status
./boringproxy server
Here is the result obtained:
Additional error message that I get now after 4 attempts:
creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/ (ca=https://acme-v02.api.letsencrypt.org/directory)
Hey @matbgn, thanks for the detailed report. I see a couple things.
Based on the warnings printed, your IPv6 address isn’t accessible from the internet on ports 80/443. boringproxy is probably trying to get the certs over IPv6. I don’t use ufw, but maybe it only opens IPv4 by default?
Also, you’re sure the DNS records are pointing to your IP? You’ll need AAAA records for IPv6 in addition to the A records for IPv4.
Unfortunately since you hit the LetsEncrypt rate limit, you’ll need to wait a while before attempting again. I really need to add a CLI argument to allow switching to the LetsEncrypt staging server, so people can debug these issues without getting rate limited. I’ll try to get that in the next release.
Oh one other common issue is even though you’re opening the ports on the VPS, your VPS provider may be blocking the ports. AWS for example blocks by default, and you need to add a security group to open ports. I think DigitalOcean has everything open.
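The three checks this reply asks for (AAAA plus A records pointing at the host, ports 80/443 reachable over both IPv4 and IPv6 through ufw and the provider firewall) can be scripted as a pre-flight run before `boringproxy server` contacts the CA again. The script below is an added example for this thread, not code from boringproxy or its author. It assumes `dig` (dnsutils), `curl` and `nc` (netcat) are installed, uses ifconfig.co as one possible public-address lookup service, and the domain passed on the command line is a placeholder for your own.

```shell
#!/usr/bin/env bash
# Pre-flight check to run before `boringproxy server` asks Let's Encrypt for
# a certificate. Added example for this thread; not part of boringproxy.
# Assumes `dig` (dnsutils), `curl` and `nc` (netcat) are installed and uses
# ifconfig.co to learn the host's public addresses (any such service works).

# Compare the DNS answers with this host's public addresses.
# Arguments: A records, AAAA records, own public IPv4, own public IPv6
# (newline-separated lists; any may be empty). Prints one finding per line and
# returns 1 if something must be fixed before the ACME challenge can succeed.
assess_dns() {
  local a="$1" aaaa="$2" my4="$3" my6="$4" rc=0
  if [ -z "$a" ] && [ -z "$aaaa" ]; then
    echo "FAIL: no A or AAAA records, the CA cannot locate this host"
    return 1
  fi
  if [ -n "$my6" ]; then
    # The CA validates over IPv6 when an AAAA record exists, so it must point here.
    if [ -z "$aaaa" ]; then
      echo "FAIL: host has public IPv6 $my6 but no AAAA record (add one)"; rc=1
    elif ! printf '%s\n' "$aaaa" | grep -qxF "$my6"; then
      echo "FAIL: AAAA record(s) do not include this host's IPv6 $my6"; rc=1
    fi
  elif [ -n "$aaaa" ]; then
    echo "FAIL: AAAA record set but host has no public IPv6 (remove it or fix IPv6)"; rc=1
  fi
  if [ -n "$a" ]; then
    if [ -z "$my4" ] || ! printf '%s\n' "$a" | grep -qxF "$my4"; then
      echo "FAIL: A record(s) do not include this host's IPv4 ${my4:-<none>}"; rc=1
    fi
  elif [ -n "$my4" ]; then
    echo "WARN: host has public IPv4 $my4 but no A record (IPv6-only validation)"
  fi
  return "$rc"
}

# Can ports 80 and 443 be opened on a given address? `nc -z` completes only
# the TCP handshake. Run this from a machine on another network: a provider
# security group filters traffic entering the VPS, so a probe from the VPS
# itself proves nothing about it.
probe_ports() {
  local addr="$1" port rc=0
  for port in 80 443; do
    if nc -z -w 3 "$addr" "$port" 2>/dev/null; then
      echo "OK:   $addr port $port accepts connections"
    else
      echo "FAIL: $addr port $port unreachable (check ufw and the provider firewall)"; rc=1
    fi
  done
  return "$rc"
}

# Live run: resolve the domain, learn our public addresses, then check both.
run_preflight() {
  local domain="$1" a aaaa my4 my6 addr
  a=$(dig +short A "$domain")
  aaaa=$(dig +short AAAA "$domain")
  my4=$(curl -4 -s --max-time 5 https://ifconfig.co || true)
  my6=$(curl -6 -s --max-time 5 https://ifconfig.co || true)
  assess_dns "$a" "$aaaa" "$my4" "$my6"
  for addr in $a $aaaa; do probe_ports "$addr"; done
}

# Usage: ./preflight.sh example.com   (the domain is a placeholder)
if [ -n "${1:-}" ]; then run_preflight "$1"; fi
```

Any `FAIL` line is a reason not to retry the certificate request yet; retrying while a record or port is still wrong only burns more of the Let's Encrypt failed-authorization budget mentioned in the error above. The port probe is only meaningful from outside the provider's network, because a security group such as the AWS or OpenStack one never sees a connection the VPS makes to itself.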
First of all, an amazing thank you for your quick and advised support!
You were right on many points; just for documentation purposes, let me answer them here:
- ufw was correctly setup with both IPv4 & IPv6
- My AAAA records were not set up → needed to be fixed
- My OpenStack Security Groups were also not permissive enough, great catch! → needed to be fixed
I created a new instance on a provider that is more permissive from a security group perspective. Everything went like a charm after that.
As you said, I also think that a LetsEncrypt staging server mode would be highly appreciated.
Finally, would you please set up a Patreon link to give you a bit of financial support?
Great, glad you got it working. I’ve created an issue for adding the LetsEncrypt staging flag:
I’ve been meaning to set up a GitHub sponsor/Patreon but haven’t gotten around to it yet. I’d prefer to have an actual product to sell, which is my focus with TakingNames.io, but I recognize that some people will prefer a purely self-hosted solution and still want to support the project.
I am curious though. I’m currently working on adding a tunneling service to TakingNames.io which would be very similar to boringproxy (they will implement the same protocol). The goal is to make it very easy to connect your domains to services through tunnels, all from a single web UI. Is this something you would pay a $5/mo subscription for, or do you prefer self-hosting the server component? What are the various considerations for you? Any feedback you can give is very helpful.
Hey @matbgn just a heads up that the master branch now has a flag for using the Let’s Encrypt staging servers (-acme-use-staging) and it will be included in the next release.
Thanks a lot for the staging flag, I have appreciated it a lot since then!
I mostly try to host all my stuff myself, but for instance the service provided by SimpleLogin.io is so right for me in regards to costs and effort that I decided to give them my money, and the whole project is open source so I still have the guarantee that I can blindly invest in them (because I will be able, with sufficient effort, to reproduce it by myself).