Certbot error when using Pi-Hole as DNS server

I have Pi-Hole running as a docker container on my Raspberry Pi running Ubuntu 20.04.
Now I want to generate/get a certificate via LetsEncrypt.
I'm using the certbot/certbot:arm64v8-latest docker container on the same Pi.

This works very well if I don't enter Pi-Hole as the DNS server on my Fritzbox.
But if I enter Pi-Hole as the DNS server there, I get this error message:

An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffff899f6400>: Failed to establish a new connection: [Errno -3] Try again'))

I do not see a blocked entry in the Pi-Hole.
The behaviour is even the same if I disable Pi-Hole.

When I reconfigure my Fritzbox to be the local DNS server and reboot my Pi (not sure how to manually change the DNS server setting and flush caches), certbot does NOT throw an error.
That's the command I'm running; I followed this tutorial.

docker run -it --rm -v /home/hajo/docker/letsencrypt/etc/letsencrypt:/etc/letsencrypt -v /home/hajo/docker/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt -v /home/hajo/docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt -v "/home/hajo/docker/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt" certbot/certbot:arm64v8-latest certonly --webroot --register-unsafely-without-email --agree-tos --webroot-path=/data/letsencrypt --staging -d <my domain>

Hi @hajo62

That says: it's not a Certbot problem (so your Certbot command isn't relevant), it's a problem with your Pi-Hole DNS server. That DNS server doesn't work.

Why? No idea.

There is the confirmation. Your FritzBox DNS server works, your Pi-Hole DNS server does not.

Hopefully someone else has an idea. Because I first started in the Pi-Hole forum and checked a lot of stuff. I was hoping to get some hints WHERE to look for the root cause. Maybe the letsencrypt log might help?!

letsencrypt.log:
2020-11-12 12:01:45,553:DEBUG:certbot._internal.main:certbot version: 1.9.0
2020-11-12 12:01:45,554:DEBUG:certbot._internal.main:Arguments: ['--webroot', '--register-unsafely-without-email', '--agree-tos', '--webroot-path=/data/letsencrypt', '--staging', '-d', '<myDomain>', '--dry-run']
2020-11-12 12:01:45,555:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-11-12 12:01:45,613:DEBUG:certbot._internal.log:Root logging level set at 20
2020-11-12 12:01:45,614:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-11-12 12:01:45,617:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-11-12 12:01:45,628:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0xffff8b39bd60>
Prep: True
2020-11-12 12:01:45,630:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0xffff8b39bd60> and installer None
2020-11-12 12:01:45,630:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-11-12 12:01:45,640:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/16562209', new_authzr_uri=None, terms_of_service=None), 2d714bb4994b1f3e72a4b7bfb47c7068, Meta(creation_dt=datetime.datetime(2020, 11, 11, 10, 34, 10, tzinfo=<UTC>), creation_host='8dec9dc12e75', register_to_eff=None))>
2020-11-12 12:01:45,642:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2020-11-12 12:01:45,647:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2020-11-12 12:01:50,657:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/local/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 308, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xffff8b392370>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffff8b392370>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1362, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1226, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 256, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 43, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/certbot/src/acme/acme/client.py", line 831, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/certbot/src/acme/acme/client.py", line 1168, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/src/acme/acme/client.py", line 1118, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffff8b392370>: Failed to establish a new connection: [Errno -3] Try again'))
2020-11-12 12:01:50,670:ERROR:certbot._internal.log:An unexpected error occurred:
2020-11-12 12:01:50,672:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffff8b392370>: Failed to establish a new connection: [Errno -3] Try again'))

Certbot works with your other DNS configuration.

So your current DNS configuration is buggy.

So the Letsencrypt log is irrelevant. That's only the log of one DNS user, nothing else.

You have to check your Pi-Hole DNS server, there is something wrong.

1 Like

Thanks for your reply.

But I am not giving up hope to get more constructive hints in this forum.

Maybe someone knows what exactly certbot is trying?

Max retries exceeded with url...

Wrong url, IPv4 vs. IPv6, blocked ports, no reply, ...

1 Like

Certbot tries to connect to acme-v02.api.letsencrypt.org to create a new order.

But that doesn't work if the DNS query acme-v02.api.letsencrypt.org -> IP address doesn't work.

Non-working DNS -> Certbot can't connect to acme-v02.api.letsencrypt.org -> every order request fails.

1 Like

I think you may be missing the obvious:
DNS has to work (first) before anything on the Internet can work.
If the DNS on the pi-hole is NOT functional everything else is expected to fail.
So...
Step #1 Use only tested/known working DNS servers.
[Ensure the DNS on the pi-hole is working (if you intend on using it for DNS)]

DNS on the Pi-Hole works well.
But it seems not to work for the certbot container. And maybe also not for other containers.

As a workaround I used --dns <Router IP> in the docker run command.
See here.
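Two things in this thread can be checked directly from inside a container: what certbot does first (it asks the system resolver for the ACME host via socket.getaddrinfo, which is exactly the frame at the top of the traceback), and whether a particular nameserver, the Pi-Hole address or the router address passed with --dns, actually answers for that name. The script below is an added example written for this thread, not code from certbot or Pi-Hole. It assumes the resolver addresses are given on the command line, and the DNS answer it contains for offline testing is constructed (192.0.2.1, from the reserved TEST-NET-1 range). Note that [Errno -3] in the log is EAI_AGAIN, which getaddrinfo raises when no resolver answers in time; a name that is filtered or does not exist produces a different error (EAI_NONAME) or a 0.0.0.0 answer, which is consistent with no blocked entry appearing in the Pi-Hole query log.

```python
import random
import socket
import struct
import sys

ACME_HOST = "acme-v02.api.letsencrypt.org"  # staging uses acme-staging-v02.api.letsencrypt.org
EAI_AGAIN = socket.EAI_AGAIN    # [Errno -3] "Try again": resolver unreachable or timed out
EAI_NONAME = socket.EAI_NONAME  # name does not exist (NXDOMAIN)


# --- 1. The call certbot/urllib3 makes: the system resolver from /etc/resolv.conf ---------

def classify_resolver_errno(errno):
    """Translate a getaddrinfo() errno into what it says about the resolver."""
    if errno == EAI_AGAIN:
        return "resolver-unreachable"
    if errno == EAI_NONAME:
        return "name-not-found"
    return "other"


def resolve_via_system(host, port=443):
    """Returns ('ok', [addresses]) or ('<reason>', [])."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as err:
        return classify_resolver_errno(err.errno), []
    return "ok", sorted({info[4][0] for info in infos})


# --- 2. Ask one specific nameserver directly (bypasses /etc/resolv.conf) ------------------

def build_query(name, txid=None, qtype=1):
    """Minimal DNS query: one question, QTYPE 1 (A), class IN, recursion desired."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(txid, msg):
    """Return (rcode, [A-record addresses]) from a raw DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def interpret(rcode, addrs):
    """Map a parsed answer to the outcome a client would experience."""
    if rcode == 3:
        return "nxdomain", addrs
    if rcode != 0:
        return "error", addrs
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "blocked", addrs  # null answer a filtering resolver gives for a listed name
    return "ok", addrs


def query_server(server, name, timeout=3.0):
    """UDP query to one nameserver; 'timeout' is what surfaces as EAI_AGAIN in getaddrinfo."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", []
        except OSError:
            return "error", []
    return interpret(*parse_response(txid, data))


def constructed_response(txid=0x1234):
    """Hand-built answer for offline testing (constructed, not captured): rcode 0, A 192.0.2.1."""
    _, q = build_query(ACME_HOST, txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + q[12:] + answer


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> [<resolver-ip> ...]  (e.g. Pi-Hole IP, then router IP)
    print("system resolver:", resolve_via_system(ACME_HOST))
    for server in sys.argv[1:]:
        print(server + ":", query_server(server, ACME_HOST))
```

Run it with the Pi-Hole address and the router address as arguments. A timeout from the Pi-Hole address while the router address returns ok reproduces the asymmetry described in the thread and points at reachability of the Pi-Hole from the container network (port 53 UDP) rather than at certbot or at a blocked name; nxdomain or blocked from the Pi-Hole would instead show up in its query log.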