Can't obtain new certs


#1

My domain is: jfoell.de

I ran this command: docker logs -f letsencrypt

It produced this output:

http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your
settings and recreate the container

My web server is (include version): OpenMediaVault 4

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, OMV

Hey,

my letsencrypt broke after a restart. I read a few topics and I am not sure if this is my fault or an error on the letsencrypt side.
What can I do?

Thx for your help


#2

This seems like the system is unable to reach out to https://acme-v02.api.letsencrypt.org/
Is there any way to test/confirm that it can?


#3

You could try running curl -v https://acme-v02.api.letsencrypt.org/directory inside of the same container to see if outbound network access is a problem.


#4

The command "docker exec -it curl -v https://acme-v02.api.letsencrypt.org/directory" returns:

* Trying 104.104.178.56...
* TCP_NODELAY set
* Trying 2a02:26f0:11c:194::3a8e...
* TCP_NODELAY set
* Immediate connect fail for 2a02:26f0:11c:194::3a8e: Address not available
* Trying 2a02:26f0:11c:183::3a8e...
* TCP_NODELAY set
* Immediate connect fail for 2a02:26f0:11c:183::3a8e: Address not available
* Connected to acme-v02.api.letsencrypt.org (104.104.178.56) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
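Reading the stages of a curl -v log by hand is error-prone, so here is an added helper (my own code, not from this thread, certbot or the letsencrypt container) that reports which stage of the check above failed: name resolution, the TCP connect, the TLS handshake, or the HTTP response. The sample log is constructed from the output posted above, abridged.

```python
import re

HINTS = {
    "dns":  "name resolution failed: check the container's DNS (/etc/resolv.conf)",
    "tcp":  "no TCP connection to port 443: check routing and firewalling from the container",
    "tls":  "TCP connected but the TLS handshake failed: something on the path rewrites "
            "or drops the traffic (a proxy, or a VPN route as in this thread)",
    "http": "TLS completed but no HTTP response arrived: look for a read timeout",
    "ok":   "the ACME directory is reachable from this container",
}

def classify_curl_verbose(output: str) -> dict:
    """Work out how far a `curl -v https://host/path` attempt got from its -v log."""
    result = {"stage": "tcp", "connected_ip": None, "unreachable": [], "curl_exit": None}
    for raw in output.splitlines():
        line = raw.strip().lstrip("*•").strip()   # tolerate copy-pasted forum bullets
        m = re.match(r"Immediate connect fail for (\S+):", line)
        if m:                                      # e.g. IPv6 addresses with no route
            result["unreachable"].append(m.group(1))
        m = re.match(r"Connected to \S+ \(([^)]+)\) port \d+", line)
        if m:                                      # TCP done, TLS is next
            result["connected_ip"], result["stage"] = m.group(1), "tls"
        if line.startswith("SSL connection using"):
            result["stage"] = "http"               # handshake done, awaiting a response
        if re.match(r"< HTTP/[\d.]+ \d{3}", line):
            result["stage"] = "ok"
        m = re.match(r"curl: \((\d+)\)", line)
        if m:
            result["curl_exit"] = int(m.group(1))
            if result["curl_exit"] == 6:           # CURLE_COULDNT_RESOLVE_HOST
                result["stage"] = "dns"
    result["hint"] = HINTS[result["stage"]]
    return result

# Constructed sample, abridged from the curl output posted earlier in this thread.
SAMPLE_TLS_FAIL = """\
* Trying 104.104.178.56...
* Trying 2a02:26f0:11c:194::3a8e...
* Immediate connect fail for 2a02:26f0:11c:194::3a8e: Address not available
* Connected to acme-v02.api.letsencrypt.org (104.104.178.56) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443
"""

if __name__ == "__main__":
    for key, value in classify_curl_verbose(SAMPLE_TLS_FAIL).items():
        print(f"{key}: {value}")
```

Pipe a real run through it with `docker exec <container> curl -v https://acme-v02.api.letsencrypt.org/directory 2>&1 | python3 -c 'import sys, curlcheck; print(curlcheck.classify_curl_verbose(sys.stdin.read()))'` if you save the block as curlcheck.py.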

#5

Could you try running an interactive shell and running the command from that shell? (Maybe the output will be exactly the same; I’m just curious.)

This makes me think that there's some way in which your Docker environment is too restrictive, though I don't know exactly what way.


#6

The output is:

* Trying 2.16.201.212...
* TCP_NODELAY set
* Trying 2a02:26f0:11c:194::3a8e...
* TCP_NODELAY set
* Immediate connect fail for 2a02:26f0:11c:194::3a8e: Das Netzwerk ist nicht erreichbar
* Trying 2a02:26f0:11c:183::3a8e...
* TCP_NODELAY set
* Immediate connect fail for 2a02:26f0:11c:183::3a8e: Das Netzwerk ist nicht erreichbar
* Connected to acme-v02.api.letsencrypt.org (2.16.201.212) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443

So, nearly the same.

UPDATE!
I found the error: another docker container with an openvpn connection seems to have limited my access. Stopping it fixed everything.
Thank you!