tldr; Migrating setup over to Rpi for long-term/24-7 use. Letsencrypt reporting connection errors to the acme api, but all my (limited) manual tests, seem to show that there are no communication problems.
My domain is: http://www.scruffies.co.uk
My web server is (include version): docker lsioarmhf/letsencrypt:latest
The operating system my web server runs on is (include version):Rpi3 B Stretch:Lite
As a proof of concept/trial ((for my own sanity not the toolsets! ) I have been successfully running a number of docker packages on unRAID, reverse-proxied via the lsio/letsencrypt container package or Ngnix & Letsencrypt etc.
I am now attempting to migrate a number of these services over to a Raspberry Pi 3B for 24/7 operation in my home setup.
Whilst the Letsencrypt container on unRAID ((they are all now in a ‘stopped’ state)) successfully generated certificates and attempted renewals for a number of subdomains, I am encountering connection issues with what I’d thought was a replica of the install on my Rpi 3.
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7529ea10>: Failed to establish a new connection: [Errno -3] Try again',)) Please see the logfiles in /var/log/letsencrypt for more details. ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
Thus far I have a standard debian:Stretch-Lite image installed, along with 3 containers; 'Portainer’, ‘Pi-Hole’ and ‘Letsencrypt’.
Using docker-compose I am:
- Only requesting subdomain certs
- Certs for a single subdomain pihole (pihole.scruffies.co.uk)
- Validating requests via DNS
- Using Cloudflare plugin and providing the corresponding login/api keys entered into dns-conf/cloudflare.ini file
Default ports of 80:80 and 443:443 assigned to the container
Created new port-forwarding profiles (TCP&UDP) in my router for HTTP 80/ HTTPS 443 mappings to the Rpi 3’s fixed ip address
Disabled the existing 80/443 rules to my unRAID test machine
Confirmed that my external ip is successfully updating/resolving against the name(s) being requested.
Following the error message it looks like the request is being bounced/lost somewhere along the way (my skills are good enough to determine where ) but a search of similar threads seemed to suggest that perhaps a firewall or some other system was blocking the outbound connection?
So as per a similar thread I tested a few sample requests from my Rpi 3 CLI
Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
This appears to show that the Rpi can actually connect out to the acme api? so now I am well and truly stumped! :