Failure to Connect to acme-staging-v02.api.letsencrypt.org

Hey everyone. I've been trying to debug the following problem for awhile now to no avail.
Any help would be appreciated. For context, this is running within a docker container.

My domain is: unittest.cleandesign.network

I ran this command:

  certbot certonly --test-cert --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal

It produced this output:

An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4890ecaf40>: Failed to establish a new connection: [Errno -3] Try again'))

My web server is (include version):

The operating system my web server runs on is (include version): Occurs on both Debian 10 and Manjaro

My hosting provider, if applicable, is: Azure and Local

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Occurs on v1.27 and v1.26


@lestaff this is the third one I see. Any opinions?

@mkingsley can you show me the output of this?

curl -vvv https://acme-v02.api.letsencrypt.org/directory


It seems that from within the container I can't resolve the DNS address:

Output of: curl -vvv https://acme-v02.api.letsencrypt.org/directory

* Could not resolve host: acme-v02.api.letsencrypt.org
* Closing connection 0
curl: (6) Could not resolve host: acme-v02.api.letsencrypt.org

Staging did just switch over to only allowing TLS 1.2, but "Could not resolve host" seems more like a DNS or IP routing problem.


Agreed. I think the timing with server maintenance is fishy, but probably not the cause.

I've since tried adding 1.1.1.1 to my container's DNS options and it is still unable to resolve. The Docker host is having no issues resolving.

Outbound DNS being blocked by firewall rules?
[check both systems]

Try something simpler like:
ping 1.1.1.1
curl -I 172.65.32.248
[that's the IP for acme-v02.api.letsencrypt.org]


Ping on 1.1.1.1 is successful, and I can also curl -I 1.1.1.1 successfully.

However when I try to reach acme-v02.api.letsencrypt.org via curl -I 172.65.32.248 I am getting:

curl -I 172.65.32.248
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (56) Recv failure: Connection reset by peer

I am able to successfully ping 172.65.32.248.

Okay. I think I have resolved the issue.
In Docker it seems that my container was not binding properly to my host network stack.

It is safe to say that this isn't a Let's Encrypt problem.

Thanks for all the help!


Glad you found the problem.

Just noting that the "reset by peer" is expected for that request. The ACME endpoint requires HTTPS://

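The layered check this thread worked through (does the name resolve, does TCP/443 reach the address, does a TLS 1.2+ handshake succeed) as one script, added here as an example; it is not from the thread or from Certbot. It assumes Python 3.7+ and uses only the staging directory URL and the 172.65.32.248 address already quoted above; the probe functions are parameters so each failure mode can be reproduced without network access.

```python
import socket
import ssl
import urllib.parse

# Endpoint from the thread; the same ladder works for the production directory URL.
ACME_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"


def resolve(host):
    """DNS step: return one address for host, or raise socket.gaierror (an OSError)."""
    return socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)[0][4][0]


def tcp_connect(addr, port=443, timeout=5.0):
    """Routing/firewall step: open and immediately close a TCP connection."""
    socket.create_connection((addr, port), timeout=timeout).close()


def tls_handshake(host, addr, port=443, timeout=5.0):
    """TLS step: handshake with SNI set to host, refusing anything below TLS 1.2
    (the thread notes staging now requires TLS 1.2). Returns the negotiated version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def diagnose(url=ACME_DIRECTORY, resolver=resolve, connector=tcp_connect,
             handshake=tls_handshake):
    """Probe the layers in the order the thread did (DNS, TCP, TLS) and stop at
    the first failure. Returns (layer, detail) with layer in dns/tcp/tls/ok.
    The probe callables are injectable so each failure can be simulated offline."""
    host = urllib.parse.urlsplit(url).hostname
    try:
        addr = resolver(host)
    except OSError as exc:           # socket.gaierror, e.g. "[Errno -3] Try again"
        return "dns", f"cannot resolve {host}: {exc}"
    try:
        connector(addr)
    except OSError as exc:           # ECONNREFUSED, ECONNRESET, timeout, no route
        return "tcp", f"{host} resolves to {addr} but TCP/443 failed: {exc}"
    try:
        version = handshake(host, addr)
    except OSError as exc:           # ssl.SSLError is an OSError subclass
        return "tls", f"TCP/443 to {addr} works but TLS handshake failed: {exc}"
    return "ok", f"{host} -> {addr}, negotiated {version}"


if __name__ == "__main__":
    print(*diagnose())
```

Run it inside the container and again on the Docker host: a "dns" result on the container alone points at the container's resolver or network namespace rather than at the ACME service.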
