Nginx reverse proxy app has constant dnsConfigured false for certs.

Hello!
I’m using the Minimal Nginx Reverse Proxy setup to proxy a Heroku app. To verify that my domains are set up correctly, I’m using the checkCertificate mutation from GraphQL, but dnsConfigured there is constantly false, and acmeDnsConfigured is sometimes true but sometimes false.

The strange part here is that the domain is actually working with either http/https, but dnsConfigured is false.

Previously I used to deploy my Heroku app with Turboku to Fly and everything worked fine, but after the switch to Nginx it never returns true anymore, so I assume it’s somehow connected to the Nginx configuration.

Can anybody help me? What did I miss?

Are you using the dnsConfigured that comes from the check field?

This is terribly confusing, but check.dnsConfigured means the hostname is pointed to your app’s IP. acmeDnsConfigured means there’s an _acme-challenge record pointing where it’s supposed to be.

If those are intermittent it could mean that there are multiple DNS entries for the domain.

What’s your app name? I’ll have a look and see what’s going on.

Are you using the dnsConfigured that comes from the check field?

Yep.

What’s your app name? I’ll have a look and see what’s going on.

avala-review-reverse-proxy

Also, is the checkCertificate mutation the correct request for verifying that all CNAMEs are set up properly?

The checkCertificate mutation is correct! It’ll verify a certificate is “good” and then go through the issuance process with Let’s Encrypt.

I think that dnsConfigured field is being flakey. Actually I know it is. We should be able to clean that up. Try it again in about an hour and see if it’s more consistent?

For what you’re doing, you should probably look at the certificate.configured field that comes back from the mutation. The check field is a bit lower level with flags that we use to determine why certificate.configured might be false. If that mutation returns certificate.configured == true you are good to go.
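
An added example (not part of the original thread and not Fly's own code): one way to apply the advice above in Ruby, treating certificate.configured as the verdict and the check flags as diagnostics, and reporting flags that flip between repeated calls. The names assess_certificate and sample_response and the sample responses are constructed for illustration; only the field names come from this thread.

```ruby
# Added example: interpret repeated checkCertificate responses.
# Field names come from the thread; assess_certificate and the
# sample responses below are constructed for illustration.

# What each low-level check flag means, per the explanation above.
CHECK_MEANING = {
  "dnsConfigured"     => "hostname points to the app's IP",
  "acmeDnsConfigured" => "_acme-challenge record points where it should"
}.freeze

# responses: array of parsed GraphQL response hashes, oldest first.
def assess_certificate(responses)
  payloads = responses.map { |r| r.dig("data", "checkCertificate") }
  raise ArgumentError, "no checkCertificate payload" if payloads.empty? || payloads.any?(&:nil?)

  latest = payloads.last
  # certificate.configured is the verdict to rely on.
  ready = latest.dig("certificate", "configured") == true

  # A flag that flips between calls is intermittent; the thread
  # notes this can mean multiple DNS entries for the domain.
  intermittent = CHECK_MEANING.keys.select do |flag|
    payloads.map { |p| p.dig("check", flag) }.uniq.size > 1
  end

  # Flags that are false in the latest response, kept as diagnostics.
  failing = CHECK_MEANING.keys.select { |flag| latest.dig("check", flag) == false }

  { ready: ready, intermittent: intermittent,
    failing: failing.to_h { |f| [f, CHECK_MEANING[f]] } }
end

# Constructed sample: builds one response with the given flag values.
def sample_response(configured, acme, dns)
  { "data" => { "checkCertificate" => {
    "certificate" => { "configured" => configured },
    "check" => { "acmeDnsConfigured" => acme, "dnsConfigured" => dns }
  } } }
end

SAMPLES = [
  sample_response(false, true, false),
  sample_response(false, false, false),
  sample_response(true, true, false)
].freeze

p assess_certificate(SAMPLES)
```
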

Hm, I don’t know what happened, but I just tested check with a few domains and it works like a charm :upside_down_face:
So it seems my issue is resolved, thanks :grinning:

But I see something strange with certificate in comparison with check:

{
    "data" => {
        "checkCertificate" => {
            "certificate" => {
                "isAcmeAlpnConfigured" => false,
                "isAcmeDnsConfigured" => true,
                "isConfigured" => true,
                "configured" => true
            },
            "check" => {
                "acmeDnsConfigured" => true,
                "dnsConfigured" => false
            }
        }
    }
}

dnsConfigured is legitimately false, but configured is true at the same time. Am I correct that configured should be true only when both acmeDnsConfigured and dnsConfigured are true?