Cannot Install SSL Cert Using Certbot on Google Compute Engine


My domain is:
devopsbroker.org www.devopsbroker.org

I ran this command:
sudo certbot certonly --apache --email edwardsmith@devopsbroker.org -d devopsbroker.org -d www.devopsbroker.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 141, in _new_conn
    (self.host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 60, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.6/socket.py", line 745, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 284, in connect
    conn = self._new_conn()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 150, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fd1808e3b00>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache version is 2.4.29

The operating system my web server runs on is (include version):
Ubuntu Server 18.04.2 LTS

My hosting provider, if applicable, is:
Google Compute Engine

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

OK, so for some reason I am unable to resolve anything from letsencrypt.org from my GCE server instance. If I do:

dig acme-v02.api.letsencrypt.org

It just hangs on the server. If I do the same command from my local machine (Ubuntu Desktop 18.04.2 LTS with same DNS configuration) it succeeds. If I dig any other site besides letsencrypt.org from my GCE server it works fine.

Any ideas?

Hi @edwardsmith

there is no IP address defined ( https://check-your-website.server-daten.de/?q=devopsbroker.org ):

Host                   Type   IP-Address   is auth.   ∑ Queries   ∑ Timeout
devopsbroker.org       A                   yes        1           0
                       AAAA                yes
www.devopsbroker.org   Name Error          yes        1           0

You need (at a minimum) a DNS

  • A entry: yourdomain -> your IPv4 address (or / and)
  • AAAA entry: yourdomain -> your IPv6 address

The IPv4 / IPv6 address must be the IPv4 / IPv6 address of your webserver.

Thanks Juergen for the check your website link!

Unfortunately this is not a DNS issue accessing my site. Instead it is a DNS issue accessing anything from letsencrypt.org from within a virtual machine I have running on Google Compute Engine.

This is preventing Certbot from accessing the letsencrypt.org servers to issue SSL certs.

Edward

BTW, I fixed my DNS entries so that www.devopsbroker.org works now. And I am still unable to access the DNS entries for letsencrypt.org from within my GCE server.

Nevermind. Official response from Google Cloud Platform:

I am taking my business elsewhere.

Yep, that's required. You must be able to connect to Let's Encrypt.

Perhaps it's a DNS problem, so add

104.87.230.129 acme-v02.api.letsencrypt.org

in your hosts file.

Is dig +tcp hanging as well?

Interesting, dig +tcp worked.

But the query time took 4185 msec.

Now the normal dig command over UDP is succeeding as well, but the query time is 5254 msec.

Definitely DNS issues somewhere.


Sounds like a typical non-answering DNS server.

First DNS server -> 2 seconds
Second DNS server -> 2 seconds

How about dig @8.8.8.8 +tcp ?
If it works better, you can always tweak systemd-resolve to get certbot to behave (I think, without hard proof, that Python uses the default resolver).

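The diagnosis in the thread so far is two observations: the UDP query to acme-v02.api.letsencrypt.org hangs or takes 4-5 seconds while the same query over TCP (dig +tcp) answers, and the total looks like one or two resolvers timing out before one replies. The probe below, added here as an example and not code from the thread, from Certbot or from Let's Encrypt, reproduces that comparison without dig: it sends a hand-built DNS query for the ACME host to each configured resolver over both UDP and TCP with a hard timeout, verifies the reply ID, and reports latency and the returned A records. It uses only the Python standard library; the resolver list is read from /etc/resolv.conf (assumed to be in the glibc "nameserver <ip>" format) and 8.8.8.8 is appended, so a local cache such as unbound on 127.0.0.1 can be measured side by side with its upstream. The sample response used for the offline check is constructed, not captured.

```python
"""Probe DNS resolution of the ACME endpoint over UDP and TCP, per resolver.
Added example for this thread (standard library only, no third-party code)."""
import secrets
import socket
import struct
import time

ACME_HOST = "acme-v02.api.letsencrypt.org"
TIMEOUT_S = 2.0  # hard per-query timeout; a hang surfaces as a timeout error


def build_query(name, qid, qtype=1):
    """Standard DNS query: 12-byte header (RD set), QNAME, QTYPE (A), QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, qid):
    """Parse header and A records; reject replies whose ID does not match ours."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response ID mismatch (not an answer to our query)")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "addresses": addresses}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before full reply")
        buf += chunk
    return buf


def probe(server, name=ACME_HOST, tcp=False, timeout=TIMEOUT_S):
    """Send one query to `server`; return the parsed result or error plus latency in ms."""
    qid = secrets.randbits(16)  # unpredictable ID, as a real stub resolver uses
    query = build_query(name, qid)
    start = time.monotonic()
    try:
        if tcp:
            # DNS over TCP prefixes each message with a 2-byte big-endian length.
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                result = parse_response(_recv_exact(s, length), qid)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _peer = s.recvfrom(4096)
                result = parse_response(data, qid)
    except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
        result = {"error": type(exc).__name__ + ": " + str(exc)}
    result["ms"] = round((time.monotonic() - start) * 1000)
    return result


def parse_resolv_conf(text):
    """Extract nameserver IPs from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def _sample_response(qid=0x1234, truncated=False):
    """Constructed reply (not captured): one A record, 192.0.2.1 (TEST-NET-1)."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optional TC
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    question = build_query(ACME_HOST, qid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as f:
            servers = parse_resolv_conf(f.read())
    except OSError:
        servers = []
    for server in servers + ["8.8.8.8"]:
        for tcp in (False, True):
            r = probe(server, tcp=tcp)
            print(f"{server:>16} {'TCP' if tcp else 'UDP'} {r['ms']:>6} ms  "
                  f"{r.get('error') or r['addresses'] or 'rcode=' + str(r['rcode'])}")
```

Run it on the affected host and on a host where certbot works. A resolver that answers over TCP in tens of milliseconds but times out over UDP points at a UDP path problem (filtering, fragmentation of a large answer, or a cache that is itself waiting on its upstream); a local cache on 127.0.0.1 that is slow while 8.8.8.8 queried directly is fast separates the cache from the provider's network. Whatever the cause, Certbot's Python client goes through the system resolver, so it inherits exactly these delays when it contacts the ACME directory.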

Yes this works.

However, I am using unbound as the local DNS cache server and its backend are the Google Public DNS nameservers.

I am in the process of switching over to DigitalOcean. As of right now, the dig query takes 5278 msec on Google Compute Engine and just takes 88 msec on DigitalOcean.

Same exact configurations. Go figure.

I just love it when people reveal after several exchanges that they are running a fully custom configuration... I don't know unbound, but it's a full-blown DNS server, not a mere cache like dnsmasq. It may require opened ports to work correctly.

I don’t care what you love

What part of it is the exact same configuration, different results, do you not understand?

And I can tell you don't know either unbound or dnsmasq. I had to switch off dnsmasq because Ubuntu wouldn't update the trust anchors dnsmasq uses for DNSSEC validation.

Just to be clear so that you can be more informed in the future:

  • My “fully custom configuration” works exactly like dnsmasq
  • I run it locally on Ubuntu 18.04 Desktop
  • I run it on both cloud servers in the exact same configuration AS A DNS CACHE just like I do on the desktop
  • GCE is having issues with letsencrypt.org while DigitalOcean and my local Ubuntu 18.04 Desktop do not

Anything else I can do for you to relieve you of your ignorance? I came here to get help not condescending backtalk.
