Context deadline exceeded - cannot get certs

I try to install Traefik with Lets Encrypt by using this manual Traefik 2 Basic Configuration
My VPS allow 80 and 443 ports and they are open.
When traefik try to get certs the ssh terminal is waiting and nothing happens. I used letsdebug page and got this message:


[ANotWorking]

ERROR

domain.com has an A (IPv4) record ($IP address) but a request to this address over port 80 did not succeed.

A timeout was experienced while communicating with domain.com/IPadress: Get "http://domain.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://domain.com/.well-known/acme-challenge/letsdebug-test (using initial IP address)
@0ms: Dialing IPadress
@10000ms: Experienced error: context deadline exceeded

[IssueFromLetsEncrypt]

ERROR

A test authorization for domain.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching http://domain.com/.well-known/acme-challenge/ZraNbL53FBajpr6I6R1Crny3gPUrDcs1nLOREqBuQzw: Timeout during connect (likely firewall problem)

IPtables allow input 80 and 443 traffic.

Hi @Getedeke

your domain name is required. And a working port 80 is required if you want to use http validation.

2 Likes

The domain and port 80 are already there. The domain points to the server and port is opened.
That's the problem, I cannot figure what's wrong.

That's the reason your missing domain name is required.

No, it's not.

2 Likes

NSlookup shows the domain points to the server and I checked the port while traefik is active - is opened (listening).

When you opened this thread in the #Help section, you should have been given the questionnaire I've pasted below. Please answer all questions to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like
level=error msg="Unable to obtain ACME certificate for domains \"domain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:50147->127.0.0.11:53: i/o timeout" routerName=traefik-secure@docker providerName=letsencrypt.acme rule="Host(`domain.com`)"

It is with and without iptables on.

I looked up your domain in the Let's Debug database, and the port is definitely not listening.

I get "connection refused" when connecting from my laptop as well.

Maybe check what the bind address is on the Docker host:

sudo ss -tlnp

It should be *:80 or 0.0.0.0:80 or something, not a private address.

Also maybe check whether you have enabled port 80 and 443 (from all source addresses) on the web hosting L3 firewall: Managing firewall - Tutorial - UpCloud.

1 Like

It is something with Embeded DNS 127.0.0.11 of Docker. Not sure what to do to solve the problem. Tried some solutions founded on the net with no luck.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.