Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

I have the following problem. I installed "Nginx Proxy Manager" in a Docker container. When I do this on my Synology NAS everything works fine; I can request certificates for domains.
When I do exactly the same on my Raspberry Pi with Debian and Docker, I get the following problem; please see the log.

Log from Raspberry/Debian combination:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_perms.sh: executing... 
Changing ownership of /data/logs to 0:0
[cont-init.d] 01_perms.sh: exited 0.
[cont-init.d] 01_s6-secret-init.sh: executing... 
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
  ❯ /data/nginx/default_host/site.conf
  ❯ /data/nginx/dead_host/1.conf
  ❯ /data/nginx/proxy_host/10.conf
  ❯ /data/nginx/proxy_host/6.conf
  ❯ /data/nginx/proxy_host/11.conf
  ❯ /data/nginx/proxy_host/21.conf
  ❯ /data/nginx/proxy_host/7.conf
  ❯ /data/nginx/proxy_host/1.conf
  ❯ /data/nginx/proxy_host/13.conf
  ❯ /data/nginx/proxy_host/19.conf
  ❯ /data/nginx/proxy_host/9.conf
  ❯ /data/nginx/proxy_host/2.conf
[1/26/2022] [7:10:09 PM] [Global   ] › ℹ  info      No valid environment variables for database provided, using default SQLite file '/data/database.sqlite'
[1/26/2022] [7:10:11 PM] [Migrate  ] › ℹ  info      Current database version: none
[1/26/2022] [7:10:12 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[1/26/2022] [7:10:12 PM] [Setup    ] › ℹ  info      Logrotate completed.
[1/26/2022] [7:10:12 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[1/26/2022] [7:10:12 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[1/26/2022] [7:10:32 PM] [IP Ranges] › ✖  error     getaddrinfo EAI_AGAIN ip-ranges.amazonaws.com
[1/26/2022] [7:10:32 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[1/26/2022] [7:10:32 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/26/2022] [7:10:32 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[1/26/2022] [7:10:32 PM] [Global   ] › ℹ  info      Backend PID 245 listening on port 3000 ...
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[1/26/2022] [7:12:35 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/26/2022] [7:12:35 PM] [SSL      ] › ℹ  info      Renew Complete
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[1/26/2022] [7:14:53 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/26/2022] [7:14:58 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #26: DOMAIN-URL
[1/26/2022] [7:14:58 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --authenticator webroot --email "MAILADRESSE" --preferred-challenges "dns,http" --domains "DOMAIN-URL" 
[1/26/2022] [7:15:21 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/26/2022] [7:15:21 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --authenticator webroot --email "MAILADRESSE" --preferred-challenges "dns,http" --domains "DOMAIN-URL" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffffaf32d898>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Here is the log from my NAS/Docker combination, only the start procedure, because the certificate request works here.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_perms.sh: executing... 
Changing ownership of /data/logs to 0:0
[cont-init.d] 01_perms.sh: exited 0.
[cont-init.d] 01_s6-secret-init.sh: executing... 
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
  ❯ /data/nginx/default_host/site.conf
  ❯ /data/nginx/proxy_host/7.conf
  ❯ /data/nginx/proxy_host/9.conf
  ❯ /data/nginx/proxy_host/13.conf
  ❯ /data/nginx/proxy_host/2.conf
  ❯ /data/nginx/proxy_host/6.conf
  ❯ /data/nginx/proxy_host/10.conf
  ❯ /data/nginx/proxy_host/11.conf
  ❯ /data/nginx/proxy_host/1.conf
  ❯ /data/nginx/proxy_host/21.conf
  ❯ /data/nginx/proxy_host/19.conf
  ❯ /data/nginx/dead_host/1.conf
[1/26/2022] [7:02:48 PM] [Global   ] › ℹ  info      No valid environment variables for database provided, using default SQLite file '/data/database.sqlite'
[1/26/2022] [7:02:49 PM] [Migrate  ] › ℹ  info      Current database version: none
[1/26/2022] [7:02:50 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[1/26/2022] [7:02:50 PM] [Setup    ] › ℹ  info      Logrotate completed.
[1/26/2022] [7:02:50 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[1/26/2022] [7:02:50 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[1/26/2022] [7:02:52 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[1/26/2022] [7:02:52 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[1/26/2022] [7:02:53 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[1/26/2022] [7:02:53 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/26/2022] [7:02:53 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[1/26/2022] [7:02:53 PM] [Global   ] › ℹ  info      Backend PID 248 listening on port 3000 ...
[1/26/2022] [7:02:54 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/26/2022] [7:02:54 PM] [SSL      ] › ℹ  info      Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[1/26/2022] [8:02:53 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/26/2022] [8:02:55 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/26/2022] [8:02:55 PM] [SSL      ] › ℹ  info      Renew Complete

I don't think the problem can be in the Docker container, as it is the same on both systems.

On the Raspberry Docker I first get the error

"error getaddrinfo EAI_AGAIN ip-ranges.amazonaws.com"

and then at the end

"An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xffaf32d898>: Failed to establish a new connection: [Errno -3] Temporary name resolution error')).
Ask for help or search for solutions at https://community.letsencrypt.org. For more information, see the log file /var/log/letsencrypt/letsencrypt.log or run Certbot again with -v.".

I think it could be a DNS problem on my Raspberry, but commands like dig acme-v02.api.letsencrypt.org work fine.
Here is the output:

root@pi:/docker/nginx-proxy# dig acme-v02.api.letsencrypt.org
; <<>> DiG 9.16.22-Debian <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27887
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A
;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 3959 IN CNAME prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 300 IN CNAME ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 300 IN A 172.65.32.248
;; Query time: 87 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 26 20:36:11 CET 2022
;; MSG SIZE rcvd: 155

I would like to mention that my Raspberry also runs a Pi-hole/Unbound combination. However, the Pi-hole admin GUI listens on port 8080 and Nginx Proxy Manager listens on ports 80, 81 and 443. I know it's not optimal to run both on one machine, but I think it should still work. Both systems listen on different ports.

It would be great if anyone has an idea and a tip on what I can change to fix this.
I would be very grateful.

EDIT:
I noticed that Debian is running AppArmor. Could it be something like that?

In the past, Docker's embedded DNS resolver has stopped working for me randomly. To fix it, I had to restart the Docker daemon/service.

It sounds to me like that might be the case here.

If you've got the Pi set up to use the Unbound container for its own DNS, that might be an issue as well. You could try setting it to use some normal public resolvers and see if it makes any difference.

3 Likes

Unfortunately it did not help. The first thing I did was restart the Docker service, without success. Then I changed the DNS server on my Pi-hole to the one from OpenDNS. According to a DNS leak test, the OpenDNS servers are now used.
But the error message remains exactly the same. When starting the Docker container, the getaddrinfo error occurs first, and when trying to request a certificate, the error described above occurs.

Maybe another idea?

EDIT:
What I also want to mention: the Pi-hole is not running in a Docker container but directly on the Pi.

Check DNS settings in all containers.
/etc/resolv.conf

3 Likes
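One way to carry out this check from inside a container, as an added example that is not code from the thread or from Nginx Proxy Manager: the script parses the resolv.conf text (a constructed copy of what was posted for the Debian container), sends a raw DNS A query to each listed nameserver on UDP port 53, and reports whether that resolver answered, refused, or stayed silent, mapped to the getaddrinfo() outcome each case produces. It assumes Python 3 is available in the container and that the resolver is a plain UDP/53 service.

```python
import random
import socket
import struct
# Constructed copy of the resolv.conf the thread posted for the Debian container.
SAMPLE_RESOLV_CONF = "domain fritz.box\nsearch fritz.box\nnameserver 192.168.1.2\n"

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    return [p[1] for p in (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def build_a_query(name, txid):
    """Encode a minimal DNS A query (recursion desired) for name."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(txid, data):
    """Map a raw DNS reply to the outcome getaddrinfo() would report for it."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        return "txid-mismatch"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if ancount else "nodata (EAI_NONAME)"
    if rcode == 3:
        return "nxdomain (EAI_NONAME)"
    # glibc turns SERVFAIL (2) and REFUSED (5) into EAI_AGAIN, the errno -3 from the thread
    return "rcode %d (EAI_AGAIN)" % rcode

def probe(server, name, timeout=2.0):
    """Send one A query to server:53/udp and classify what comes back."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_a_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (EAI_AGAIN: resolver did not reply)"
        except OSError as e:
            return "unreachable (%s)" % e.strerror
    return classify_response(txid, data)

if __name__ == "__main__":  # run inside the container: checks the resolv.conf it actually sees
    for ns in parse_nameservers(open("/etc/resolv.conf").read()):
        print(ns, probe(ns, "acme-v02.api.letsencrypt.org"))
```

Running it from the host and from inside the container against the same nameserver shows whether the resolver treats the container's bridge address differently from the host's own address, which a successful dig on the host alone cannot tell you.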

On the Synology Docker installation:
domain fritz.box
nameserver 192.168.1.2
On the host there is additionally an IPv6 nameserver entry.

On the Debian Docker installation:
domain fritz.box
search fritz.box
nameserver 192.168.1.2
On the host the entries are exactly the same as in the Docker container. In Pi-hole I don't have IPv6 active....

I think this is OK? The IP address is the IP of the Pi.

Try using a public DNS server.

4 Likes

@rg305
You are great, thank you very much. It works if I set the nameserver to my router or directly to a public DNS server.
On startup the getaddrinfo error is now gone and certificates can be created.

[1/27/2022] [10:02:55 AM] [Global   ] › ℹ  info      No valid environment variables for database provided, using default SQLite file '/data/database.sqlite'
[1/27/2022] [10:02:57 AM] [Migrate  ] › ℹ  info      Current database version: none
[1/27/2022] [10:02:57 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[1/27/2022] [10:02:57 AM] [Setup    ] › ℹ  info      Logrotate completed.
[1/27/2022] [10:02:57 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[1/27/2022] [10:02:57 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[1/27/2022] [10:02:59 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[1/27/2022] [10:02:59 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[1/27/2022] [10:02:59 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[1/27/2022] [10:02:59 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[1/27/2022] [10:02:59 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[1/27/2022] [10:02:59 AM] [Global   ] › ℹ  info      Backend PID 246 listening on port 3000 ...
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[1/27/2022] [10:03:03 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/27/2022] [10:03:03 AM] [SSL      ] › ℹ  info      Renew Complete

This is really great; now I can move the proxy server from the NAS to the Raspberry.

But I still don't understand the issue.
Why does it work on the NAS, which also has "only" 192.168.1.2 (Pi-hole/Unbound) as DNS server, but not directly on the Pi (192.168.1.2)? This is not clear to me yet. Does this make sense?

1 Like
