Error: Acme-v02.api Connection Failed


#1

tldr; Migrating setup over to Rpi for long-term/24-7 use. Letsencrypt reporting connection errors to the acme api, but all my (limited) manual tests, seem to show that there are no communication problems.

My domain is: http://www.scruffies.co.uk

My web server is (include version): docker lsioarmhf/letsencrypt:latest

The operating system my web server runs on is (include version):Rpi3 B Stretch:Lite

Challenge:


As a proof of concept/trial ((for my own sanity not the toolsets! :smile:) I have been successfully running a number of docker packages on unRAID, reverse-proxied via the lsio/letsencrypt container package or Ngnix & Letsencrypt etc.
I am now attempting to migrate a number of these services over to a Raspberry Pi 3B for 24/7 operation in my home setup.

Whilst the Letsencrypt container on unRAID ((they are all now in a ‘stopped’ state)) successfully generated certificates and attempted renewals for a number of subdomains, I am encountering connection issues with what I’d thought was a replica of the install on my Rpi 3.

Error Message:


An unexpected error occurred:

ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7529ea10>: Failed to establish a new connection: [Errno -3] Try again',))


Please see the logfiles in /var/log/letsencrypt for more details.


ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Current Configuration:


Thus far I have a standard debian:Stretch-Lite image installed, along with 3 containers; 'Portainer’, ‘Pi-Hole’ and ‘Letsencrypt’.

Using docker-compose I am:

  • Only requesting subdomain certs
  • Certs for a single subdomain pihole (pihole.scruffies.co.uk)
  • Validating requests via DNS
  • Using Cloudflare plugin and providing the corresponding login/api keys entered into dns-conf/cloudflare.ini file
    Default ports of 80:80 and 443:443 assigned to the container
    Created new port-forwarding profiles (TCP&UDP) in my router for HTTP 80/ HTTPS 443 mappings to the Rpi 3’s fixed ip address
    Disabled the existing 80/443 rules to my unRAID test machine
    Confirmed that my external ip is successfully updating/resolving against the name(s) being requested.

Investigations:


Following the error message it looks like the request is being bounced/lost somewhere along the way (my skills are good enough to determine where :tired_face:) but a search of similar threads seemed to suggest that perhaps a firewall or some other system was blocking the outbound connection?

So as per a similar thread I tested a few sample requests from my Rpi 3 CLI

Python 2.7.13 (default, Nov 24 2017, 17:33:09)
[GCC 6.3.0 20170516] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.

import requests
requests.get(“https://www.google.com/”)
<Response [200]>

requests.get(“https://acme-staging.api.letsencrypt.org/directory”)
<Response [200]>

requests.get(“https://acme-v02.api.letsencrypt.org/”)
<Response [200]>

This appears to show that the Rpi can actually connect out to the acme api? so now I am well and truly stumped! :


#2

Hi @Richyread,

I don’t have the right expertise to debug this, but I assume the trouble is that the container doesn’t have the right permissions (or files) necessary to make outbound connections, while the host system does. The error message that you’re seeing related entirely to outbound HTTPS connections, and not at all to inbound ones.


#3

Hi @schoen,

Thanks for taking a look -at the very least you’ve managed to narrow down the issue by 50% :wink:

It’s quite possibly a permissions issue…especially as this is a freshly flattened and rebuilt pi from my failed attempts last weekend when I screwed up many a permission and nothing would run.

Shall go back over my notes and see if I can spot where I might have missed a step or two.

Much appreciated.

Richy.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.