ConnectionError when using Ubuntu 18.04 LTS + Docker


#1

My domain is: anuyart.forest.go.th

I ran this command:

docker run -it --rm \
    --mount type=bind,source=/docker/www,target=/docker/www \
    --mount type=volume,source=docker_certdata,target=/etc/letsencrypt \
    certbot/certbot certonly --webroot -w /docker/www -d anuyart.forest.go.th

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): my@email.com
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f6811a01310>: Failed to establish a new connection: [Errno -3] Try again',))
Please see the logfiles in /var/log/letsencrypt for more details.

letsencrypt.log:

2018-06-01 05:22:24,770:DEBUG:certbot.main:certbot version: 0.24.0
2018-06-01 05:22:24,771:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/docker/www', '-d', 'anuyart.forest.go.th']
2018-06-01 05:22:24,771:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-01 05:22:24,803:DEBUG:certbot.log:Root logging level set at 20
2018-06-01 05:22:24,804:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-01 05:22:24,805:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-06-01 05:22:24,811:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fa28ee4cf10>
Prep: True
2018-06-01 05:22:24,812:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fa28ee4cf10> and installer None
2018-06-01 05:22:24,812:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-06-01 05:22:30,573:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-06-01 05:22:30,576:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-06-01 05:22:35,584:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1315, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1190, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/main.py", line 637, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/certbot/src/certbot/main.py", line 516, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/certbot/src/certbot/client.py", line 164, in register
    acme = acme_from_config_key(config, key)
  File "/opt/certbot/src/certbot/client.py", line 46, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/certbot/src/acme/acme/client.py", line 718, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/certbot/src/acme/acme/client.py", line 1041, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/src/acme/acme/client.py", line 990, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 508, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa28ee57310>: Failed to establish a new connection: [Errno -3] Try again',))
2018-06-01 05:22:35,587:ERROR:certbot.log:An unexpected error occurred:

My web server is (include version): nginx 1.13.12-alpine (docker)

The operating system my web server runs on is (include version):

  • Ubuntu 18.04 LTS
  • Docker version 18.05.0-ce, build f150324
  • docker-compose version 1.21.2, build a133471

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I used this command successfully on another host with Ubuntu 16.04 LTS.


#2

I think your nginx configuration is blocking requests that begin with a period (.), e.g. /.htaccess, /.git, /.well-known/acme-challenge.

The error reported by your Docker run indicates that you do not have outbound connectivity to the internet. Can you try:

curl -vvv https://acme-v02.api.letsencrypt.org/directory

You can also try:

docker run --rm -it --entrypoint "/bin/sh" certbot/certbot

and once inside, run

wget -S https://acme-v02.api.letsencrypt.org/directory

#3

Thanks. I’ve added an exception for /.well-known/acme-challenge

From the host I can access Let’s Encrypt normally:

$ curl -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 125.252.246.8...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (125.252.246.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /directory HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 658
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 01 Jun 2018 07:16:34 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 01 Jun 2018 07:16:34 GMT
< Connection: keep-alive
< 
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "ph9llg6Sh_M": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
}

However, inside the container, the wget command failed:

/opt/certbot # wget -S https://acme-v02.api.letsencrypt.org/directory
wget: bad address 'acme-v02.api.letsencrypt.org'

Perhaps Docker doesn’t get along with Ubuntu 18 yet?


#4

Ubuntu 18 is my daily OS and that same test works fine for me.

What repo did you install Docker from? Are the bridge interfaces used by Docker up?

It looks like you don’t have DNS inside the container, but do you have any network at all? e.g.

ip a
ping 8.8.8.8

Maybe try restarting the Docker service on your host as well; maybe some of the network configuration/routes/firewall rules got lost.


#5

I installed it from the test repo. The bridge interface is down.

I think the network inside the container works:

/opt/certbot # wget -S 210.246.245.16
Connecting to 210.246.245.16 (210.246.245.16:80)
  HTTP/1.1 200 OK
  Date: Fri, 01 Jun 2018 08:08:35 GMT
  Server: Apache/2
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Set-Cookie: PHPSESSID=3fuetrfs0rjbo8cmdkhcpmdt66; path=/
  Set-Cookie: logview=1; expires=Fri, 01-Jun-2018 08:28:35 GMT
  Set-Cookie: log-intro-view-0=a%3A2%3A%7Bs%3A2%3A%22IP%22%3Bs%3A15%3A%22110.170.148.217%22%3Bs%3A4%3A%22TIME%22%3Bs%3A19%3A%222018-06-01+15%3A08%3A35%22%3B%7D; expires=Sat, 02-Jun-2018 08:08:35 GMT; path=http://210.246.245.16/
  Upgrade: h2,h2c
  Connection: Upgrade, close
  Vary: Accept-Encoding,User-Agent
  Transfer-Encoding: chunked
  Content-Type: text/html
  
index.html           100% |*****************************************************************************************| 11160   0:00:00 ETA

Restarted the Docker service, but it still doesn't have DNS.

Will try to reinstall Docker.


#6

Huh, looks like just DNS doesn’t work.

You can try running the Docker container with

--dns 1.1.1.1

or another resolver that you know works.
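
As an added example (not code from the thread), a small POSIX sh script that reproduces the split test from #5 (raw IP reachable vs. hostname resolvable) and inspects the container's /etc/resolv.conf, which is the file a `--dns` flag ends up in. A resolv.conf whose only nameservers are loopback addresses (a host-side stub resolver copied into the container) is unreachable from the container's own network namespace, so the script flags that case. The network probe runs only when an IP and a hostname are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (inside the certbot container):
#   sh dnscheck.sh 210.246.245.16 acme-v02.api.letsencrypt.org
# Without arguments it only classifies /etc/resolv.conf.

# classify_resolvconf FILE -> prints: none | loopback-only | ok
# "none": no nameserver lines at all (resolution cannot work).
# "loopback-only": every nameserver is 127.x / ::1, which inside a container
#   points at the container itself, not the host's resolver.
classify_resolvconf() {
    total=0
    loop=0
    while read -r key val _ || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue   # skips comments, search, options
        total=$((total + 1))
        case "$val" in
            127.*|::1) loop=$((loop + 1)) ;;
        esac
    done < "$1"
    if [ "$total" -eq 0 ]; then
        echo none
    elif [ "$loop" -eq "$total" ]; then
        echo loopback-only
    else
        echo ok
    fi
}

# split_test IP HOST -> prints: no-network | dns-failure | ok | other: <msg>
# Mirrors the thread: fetch by raw IP first, then by hostname, and name the
# layer that failed. Error strings are BusyBox and glibc resolver messages.
split_test() {
    ip="$1"; host="$2"
    if ! wget -q -O /dev/null -T 5 "http://$ip/" 2>/dev/null; then
        echo no-network; return 0
    fi
    err=$(wget -q -O /dev/null -T 5 "https://$host/directory" 2>&1) && { echo ok; return 0; }
    case "$err" in
        *"bad address"*|*"Name or service not known"*|*"Temporary failure"*) echo dns-failure ;;
        *) echo "other: $err" ;;
    esac
}

if [ -r /etc/resolv.conf ]; then
    echo "resolv.conf: $(classify_resolvconf /etc/resolv.conf)"
fi
if [ $# -ge 2 ]; then
    echo "probe: $(split_test "$1" "$2")"
fi
```

A `loopback-only` or `none` verdict explains a `wget: bad address` result on its own; an `ok` verdict with `dns-failure` from the probe points at the bridge network or firewall instead, which is where #4 was looking.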


#7

That works!

Thanks for spending so much time with my Docker issue.

