EOFError when using dns-cloudflare in docker-compose along with HTTPS-only NGINX webserver

My domain is:
underheaven.net

I ran this command:
docker-compose.yml
cloudflare.ini

It produced this output:

2020-05-26 16:25:28,541:DEBUG:certbot._internal.main:certbot version: 1.4.0
2020-05-26 16:25:28,542:DEBUG:certbot._internal.main:Arguments: ['--dns-cloudflare', '--dns-cloudflare-credentials', '/.secrets/certbot/cloudflare.ini', '-d', '*.underheaven.net']
2020-05-26 16:25:28,542:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-26 16:25:28,564:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-26 16:25:28,564:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-05-26 16:25:28,565:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2020-05-26 16:25:28,571:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare = certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f7897c97f10>
Prep: True
2020-05-26 16:25:28,572:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f7897c97f10> and installer None
2020-05-26 16:25:28,572:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2020-05-26 16:25:28,572:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1217, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 603, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 516, in _determine_account
    config.email = display_ops.get_email()
  File "/opt/certbot/src/certbot/certbot/display/ops.py", line 50, in get_email
    code, email = z_util(interfaces.IDisplay).input(
  File "/opt/certbot/src/certbot/certbot/display/util.py", line 178, in input
    ans = input_with_timeout(message)
  File "/opt/certbot/src/certbot/certbot/display/util.py", line 85, in input_with_timeout
    raise EOFError
EOFError
2020-05-26 16:25:28,574:ERROR:certbot._internal.log:An unexpected error occurred:

My web server is (include version):
nginx version: nginx/1.17.10
Running on nginx:alpine image

The operating system my web server runs on is (include version):
Host: Linux underheaven-3 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Container: Linux aab20eeadb0c 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 Linux

My hosting provider, if applicable, is:
Self-hosted, running on Docker containers, also using CloudFlare for DNS/DDOS prevention services

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Only Namecheap and CloudFlare control panels. Everything else CLI.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I don’t think I can check it since it automatically turns off after executing the “main” command and there is no way to run side commands when the main process isn’t running.
I can assume it’s the newest version 1.4.0 because whenever I make changes I don’t reload the containers, but delete them and create them again with
docker-compose down -v and docker-compose up -d

I disabled proxy for underheaven.net on CloudFlare (www.underheaven.net is proxied) so I’d be able to use my own certificate (I want to use one wildcard certificate for everything) and enabled Full mode.
Also I’m using dns-cloudflare because my website will be HTTPS-only and it could cause issues using other methods AFAIK, like the “chicken or the egg?” problem some article mentioned.
When going to the site, NET::ERR_CERT_AUTHORITY_INVALID is caused by me using origin certificates from CloudFlare, which I then learned are only trusted by CloudFlare and not by browsers.

EDIT:
Forgot to mention, certbot’s directory for SSL is different for testing, but none were generated nonetheless.

Hi,

The two files you linked to are not accessible to me.
What I’m suspecting is that certbot inside that container is trying to ask for your email to register for an ACME account, and the container certainly doesn’t allow you to input that, which is why it failed.

P.S. You might want to consider using Certbot or another ACME client on your host machine, obtaining the certificate (with DNS-01) and sharing the certificate directory with your Docker container once the certificates are issued. That way, when you delete or rebuild a container it will not request another certificate from Let’s Encrypt, and hence will not impact your rate limit.
(If you delete and rebuild your container more than 5 times a week, you will not be able to obtain a certificate until 7 days after the first certificate was issued; it’s the duplicate certificate limit.)

If you run Certbot with the -n option, Certbot should show an error message explaining what it wants to ask you about.

Given the traceback, I’m guessing it was prompting for your email address, which can be supplied with the -m option.

Or can you run it interactively?

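
A docker-compose layout that applies both suggestions above, running Certbot non-interactively with the email and ToS flags it was prompting for, and keeping the issued certificate in a volume nginx reads so that rebuilding containers does not request a new certificate. This is an added example, not the poster’s docker-compose.yml (which is not reachable from the thread); the image names, the host-side paths, the nginx.conf mount and the placeholder email are assumptions.

```yaml
# Added example; assumes the certbot/dns-cloudflare image (entrypoint is certbot),
# the nginx:alpine image the poster mentions, and a Cloudflare API token stored
# on the host in ./secrets/cloudflare.ini as:
#   dns_cloudflare_api_token = <token>
# Keep that file owner-readable only (chmod 600); the plugin warns if it is wider.
version: "3.8"

services:
  certbot:
    image: certbot/dns-cloudflare
    volumes:
      - letsencrypt:/etc/letsencrypt
      # credentials mounted read-only at the path used in the poster's log
      - ./secrets/cloudflare.ini:/.secrets/certbot/cloudflare.ini:ro
    # -n turns a missing value into a clear MissingCommandlineFlag error instead
    # of the EOFError seen when Certbot tries to prompt inside a container.
    # --agree-tos and --email supply the two values that prompt was asking for
    # (the email is a placeholder). A wildcard does not cover the apex name,
    # so the bare domain is listed as a second -d.
    command: >
      certonly -n --agree-tos --email admin@example.invalid
      --dns-cloudflare --dns-cloudflare-credentials /.secrets/certbot/cloudflare.ini
      -d "*.underheaven.net" -d underheaven.net

  nginx:
    image: nginx:alpine
    ports:
      - "443:443"
    volumes:
      # nginx only needs to read /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem
      - letsencrypt:/etc/letsencrypt:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - certbot

volumes:
  # A named volume survives `docker-compose down` (without -v), so recreating the
  # containers reuses the existing certificate instead of issuing a duplicate and
  # counting against the duplicate-certificate rate limit described above.
  letsencrypt:
```

Note that `docker-compose down -v`, as used in the original post, deletes this named volume and therefore the certificate with it; drop `-v` when the intent is only to recreate the containers.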

Sorry for not responding for almost a month.

Here are the files that were missing
cloudflare.ini
docker-compose.yml

Here’s the error when executing with the -n option

2020-06-20 18:14:33,646:DEBUG:certbot._internal.main:certbot version: 1.4.0
2020-06-20 18:14:33,647:DEBUG:certbot._internal.main:Arguments: ['-n', '--dns-cloudflare', '--dns-cloudflare-credentials', '/.secrets/certbot/cloudflare.ini', '-d', '*.underheaven.net']
2020-06-20 18:14:33,647:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-20 18:14:33,675:DEBUG:certbot._internal.log:Root logging level set at 20
2020-06-20 18:14:33,676:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-20 18:14:33,681:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2020-06-20 18:14:33,688:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare = certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7fbbc66df910>
Prep: True
2020-06-20 18:14:33,688:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7fbbc66df910> and installer None
2020-06-20 18:14:33,688:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2020-06-20 18:14:33,689:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/display/ops.py", line 50, in get_email
    code, email = z_util(interfaces.IDisplay).input(
  File "/opt/certbot/src/certbot/certbot/display/util.py", line 516, in input
    self._interaction_fail(message, cli_flag)
  File "/opt/certbot/src/certbot/certbot/display/util.py", line 462, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Enter email address (used for urgent renewal and security notices)


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1217, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 603, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 516, in _determine_account
    config.email = display_ops.get_email()
  File "/opt/certbot/src/certbot/certbot/display/ops.py", line 56, in get_email
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

This is the log after I added what Certbot was asking for
https://pastebin.com/nLTZvK5j

Anyway, it seems to work? The certificate is still CloudFlare’s and it still warns me about the site being insecure, but I guess I just need to fiddle around with it. I won’t close it just yet in case anyone has something to say.