Connection issue from Docker Image (requests.exceptions.ConnectionError)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
idm.ipoac.ch

I ran this command:
certonly --dry-run -d idm.ipoac.ch --agree-tos -m email@example.com --authenticator dns-infomaniak -v -n

It produced this output:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x70f58be393d0>: Failed to establish a new connection: [Errno -3] Try again'))

My web server is (include version):
none

The operating system my web server runs on is (include version):
Proxmox 8.2.2 running an Alpine Linux 3.19 LXC Container which in turn runs a modified Docker Image running Alpine Linux 3.18 which is based on the official Docker Image

My hosting provider, if applicable, is:
myself

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.11.0

Issue while running container

Hi,
my setup might be a bit convoluted and the issue may not be directly related to LetsEncrypt / Certbot, but I am still hoping someone can offer some ideas for solving my problem.
When I run the container on my server (I do that via rootless podman kube play), I get the following error:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x70f58be393d0>: Failed to establish a new connection: [Errno -3] Try again'))

BUT

  • When running the exact same image with the same parameters on WSL openSUSE Tumbleweed the certificate is issued without problem.
  • When running the exact same image on the exact same host, but interactively, executing the certbot certonly command by hand, the certificate is issued without any issues as well.
    podman command:
    lxc: ~$ podman run --rm -it --entrypoint ash  ghcr.io/fipoac/certbot-dns-infomaniak:latest
    /opt/certbot # certbot certonly --dry-run -d idm.ipoac.ch --agree-tos -m email@example.com --authenticator dns-infomaniak -v -n
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator dns-infomaniak, Installer None
    Simulating a certificate request for idm.ipoac.ch
    Performing the following challenges:
    dns-01 challenge for idm.ipoac.ch
    Waiting 120 seconds for DNS changes to propagate
    Waiting for verification...
    Cleaning up challenges
    The dry run was successful.

I'm thankful for any suggestions on how to approach a solution.

That is usually a problem with the DNS Resolver running in that system. In fact, instead of "Try again" it usually says something about the name not resolving.

See if dig works in that same container for any domain name. Or if curl works to any other destination (like https://google.com). These probably don't work either.

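As an added example (not from the thread, Certbot or podman), a small Python diagnostic that separates the two stages the reply above points at: name resolution versus the TCP connection. "[Errno -3] Try again" in the traceback is EAI_AGAIN, a temporary resolver failure, so checking the container's resolver is the first step. The injectable `resolve`/`connect` parameters and the stub resolvers in `demo()` are my own constructions (the address comes from the dig output later in the thread); the third case, DNS working but TCP refused, goes beyond the thread to show the other failure stage.

```python
import errno
import socket

# "[Errno -3] Try again" in the traceback is EAI_AGAIN: the resolver returned a
# temporary failure, so the name was never resolved and no TCP connection was tried.
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)


def diagnose(host, port=443, resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Report which stage fails for host:port: 'dns', 'tcp' or 'ok'.
    resolve/connect are injectable (hypothetical parameters) so the logic runs offline."""
    try:
        infos = resolve(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == EAI_AGAIN:
            return {"stage": "dns", "detail": "temporary resolver failure (EAI_AGAIN, 'Try again'): "
                                              "check /etc/resolv.conf and that its nameserver is reachable"}
        return {"stage": "dns", "detail": f"resolver error {exc.errno}: {exc.strerror}"}
    addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        try:
            sock = connect((addr, port), timeout=5)
        except OSError as exc:
            return {"stage": "tcp", "detail": f"{addr}:{port} -> {exc.strerror or exc}"}
        sock.close()
    return {"stage": "ok", "detail": f"resolved to {addrs} and connected on port {port}"}


def demo():
    """Replay the thread's situations with constructed stub resolvers/connectors (no network)."""
    host = "acme-v02.api.letsencrypt.org"
    def resolver_try_again(*_):  # what the kube-play container saw
        raise socket.gaierror(EAI_AGAIN, "Try again")
    def resolver_ok(_host, port, *_):  # address taken from the dig output in the thread
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("172.65.32.248", port))]
    class _Sock:  # stand-in for a connected socket
        def close(self):
            pass
    def connect_ok(_addr, timeout=None):
        return _Sock()
    def connect_refused(_addr, timeout=None):  # constructed extra case: DNS fine, TCP blocked
        raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")
    return {
        "kube_play": diagnose(host, resolve=resolver_try_again, connect=connect_ok),
        "interactive": diagnose(host, resolve=resolver_ok, connect=connect_ok),
        "tcp_blocked": diagnose(host, resolve=resolver_ok, connect=connect_refused),
    }
```

Running `diagnose("acme-v02.api.letsencrypt.org")` with the defaults inside the container performs the real lookup and connection and tells you which stage to look at.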

Thank you for your answer.
Dig from the container resolves correctly:

/opt/certbot # dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.18.24 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9839
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.  IN      A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 4942 IN   CNAME   prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 117   IN      CNAME   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 113 IN A 172.65.32.248

;; Query time: 201 msec
;; SERVER: 10.0.2.3#53(10.0.2.3) (UDP)
;; WHEN: Fri Jun 07 14:21:32 UTC 2024
;; MSG SIZE  rcvd: 155

wget is available via busybox and this does work too:

lxc:~$ podman run --rm --entrypoint ""  ghcr.io/fipoac/certbot-dns-infomaniak:latest wget https://acme-v02.api.letsencrypt.org/directory
Connecting to acme-v02.api.letsencrypt.org (172.65.32.248:443)
saving to 'directory'
directory            100% |********************************|   746  0:00:00 ETA

But if I put the same command alone in entrypoint.sh, it does not work.
So it seems it is not a problem with LetsEncrypt or Certbot, but with podman on Alpine Linux LXC handling entrypoints differently than commands.

Thanks for pointing me in the right direction.

