Cannot Install SSL Cert Using Certbot on Google Compute Engine

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
devopsbroker.org www.devopsbroker.org

I ran this command:
sudo certbot certonly --apache --email edwardsmith@devopsbroker.org -d devopsbroker.org -d www.devopsbroker.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 141, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File “/usr/lib/python3/dist-packages/urllib3/util/connection.py”, line 60, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File “/usr/lib/python3.6/socket.py”, line 745, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 601, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 346, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 852, in _validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 284, in connect
conn = self._new_conn()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 150, in _new_conn
self, “Failed to establish a new connection: %s” % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 440, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File “/usr/lib/python3/dist-packages/urllib3/util/retry.py”, line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(’<urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution’,))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(’<urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution’,))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache version is 2.4.29

The operating system my web server runs on is (include version):
Ubuntu Server 18.04.2 LTS

My hosting provider, if applicable, is:
Google Compute Engine

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Ok so for some reason I am unable to resolve anything from letsencrypt.org from my GCE server instance. If I do:

dig acme-v02.api.letsencrypt.org

It just hangs on the server. If I do the same command from my local machine (Ubuntu Desktop 18.04.2 LTS with same DNS configuration) it succeeds. If I dig any other site besides letsencrypt.org from my GCE server it works fine.

Any ideas?

2

Hi @edwardsmith

there is no ip address defined ( https://check-your-website.server-daten.de/?q=devopsbroker.org ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
devopsbroker.org A yes 1 0
AAAA yes
www.devopsbroker.org Name Error yes 1 0

You need (minimal) a DNS

  • A entry yourdomain -> your ipv4 address (or / and)
  • AAAA entry yourdomain -> your ipv6 address

The ipv4 / ipv6 must be the ipv4/ipv6 of your webserver.

3

Thanks Juergen for the check your website link!

Unfortunately this is not a DNS issue accessing my site. Instead it is a DNS issue accessing anything from letsencrypt.org from within a virtual machine I have running on Google Compute Engine.

This is preventing Certbot from accessing the letsencrypt.org servers to issue SSL certs.

  • Edward

BTW, I fixed my DNS entries so that www.devopsbroker.org works now. And I am still unable to access the DNS entries for letsencrypt.org from within my GCE server.

4

Nevermind. Official response from Google Cloud Platform:

I am taking my business elsewhere.

5

Yep, that's required. You must be able to connect Letsencrypt.

Perhaps it's a DNS problem, so add

104.87.230.129 acme-v02.api.letsencrypt.org

in your hosts file.

6

is dig +tcp hanging as well ?

7

Interesting that dig +tcp worked

But the query time took 4185 msec

Now the normal dig command over UDP is succeeding as well but query time is 5254 msec

Definitely DNS issues somewhere

1 Like
8

Sounds like a typical not answering dns server.

First dns server -> 2 seconds
Second dns server -> 2 seconds

9

how about dig @8.8.8.8 +tcp ?
if it works better, you can always tweak systemd-resolve to get certbot to behave (I think without hard proof that python use default resolver)

1 Like
10

Yes this works.

However, I am using unbound as the local DNS cache server and its backend are the Google Public DNS nameservers.

I am in the process of switching over to DigitalOcean. As of right now, the dig query takes 5278 msec on Google Compute Engine and just takes 88 msec on DigitalOcean.

Same exact configurations. Go figure.

11

I just love it when people reveal after several exchanges that they are running a fully custom configuration...I don't know unbound, but it's a full blown dns server, not a mere cache like dnsmasq. It may require opened ports to work correctly.

12

I don’t care what you love

What part of it is the exact same configuration, different results, do you not understand?

And I can tell you don’t know either unbound nor dnsmasq. I had to switch off dnsmasq because Ubuntu wouldn’t update the trust-anchors dnsmasq uses for DNSSEC validation.

Just to be clear so that you can be more informed in the future:

  • My “fully custom configuration” works exactly like dnsmasq
  • I run it locally on Ubuntu 18.04 Desktop
  • I run it on both cloud servers in the exact same configuration AS A DNS CACHE just like I do on the desktop
  • GCE is having issues with letsencrypt.org while DigitalOcean and my local Ubuntu 18.04 Desktop do not

Anything else I can do for you to relieve you of your ignorance? I came here to get help not condescending backtalk.

13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.