Network error ordering certificate from local Boulder

Hello. I’m afraid this question is a little vague, but any advice on how to debug will help.

The goal is to test my Java ACME client with Boulder.

I have an org.shredzone.acme4j.Order that I build using an Account created on Boulder.
I perform the authorization on the Order which is an http-01 challenge. This returns status valid.
Next I create a CSRBuilder and sign it.
Finally, I order the certificate using Order.execute using the CSR. This is where I hit a wall. I get the following:

Caused by: org.shredzone.acme4j.exception.AcmeNetworkException: Network error
at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:421)
at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:346)
at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:153)
at org.shredzone.acme4j.Order.execute(Order.java:169)
… 40 more
Caused by: java.net.SocketTimeoutException: Read timed out
… 44 more
Caused by: java.net.SocketTimeoutException: Read timed out
at java.base/java.net.SocketInputStream.socketRead0(Native Method)
at java.base/java.net.SocketInputStream.socketRead(SocketInputStream.java:115)
at java.base/java.net.SocketInputStream.read(SocketInputStream.java:168)
at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:746)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:689)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1610)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3094)
at org.shredzone.acme4j.connector.DefaultConnection.getNonce(DefaultConnection.java:229)
at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:413)
… 44 more

Here is the order prior to the execute call:

{"status":"pending","expires":"2020-03-12T20:42:14.2851915Z","identifiers":[{"type":"dns","value":"domain.com"}],"authorizations":["http://localhost:33415/acme/authz-v3/1"],"finalize":"http://localhost:33415/acme/finalize/1/1"}

It looks like the authz and finalize URLs were supposed to be populated with values replacing the 1’s but I’m not sure when that happens. Any ideas?

I see a bunch of messages from Boulder like this before the error:

Request failed, backing-off on http://boulder:4510 for 1s: Post http://boulder:4510/ct/v1/add-pre-chain: dial tcp: lookup boulder on 127.0.0.11:53: server misbehaving

It looks like you are working on developing a client, so I have updated your topic title and location to reflect that.

The 1s are normal. It just means it's the first account, order and authz in the local Boulder database.

Did you make any DNS-related changes to the Docker environment or to Boulder in order to do the actual HTTP validation? Such as to use 1.1.1.1 or 8.8.8.8 or another DNS server? If so, how did you do it?

Yes, I'm using the Pebble challenge test server, and I added an A record to redirect domain.com to my test machine (I think it uses 172.17.0.3, which is the Docker bridge IP). I can see this part work because the http-01 challenge is successful.

As in, you made a call to the challtestsrv embedded in Boulder's docker-compose environment? (http://localhost:8055/add-a)

Hmm. That should work fine. No idea why Docker DNS would start failing like that.

Yes, I used 8055/add-a.

It works when I use Pebble. I see some additional trace from the Pebble server that seems relevant:

authz Dz0-z1orLj0Oicrq_syTHch1KiU1zEHN_vJrh4HHL5A set VALID by completed challenge j20d6d-TUshfFM8YIIf6DY5Yxjn2Sr59lO9pyTfyGrU
POST /chalZ/ -> calling handler()

And the order:

{"status":"pending","expires":"2020-03-06T20:45:09Z","identifiers":[{"type":"dns","value":"domain.com"}],"finalize":"https://localhost:33433/finalize-order/dKYwUyjZV7s3X3i00PazIoPBO_Hhl67bLbhlxg0yGS8","authorizations":["https://localhost:33433/authZ/Dz0-z1orLj0Oicrq_syTHch1KiU1zEHN_vJrh4HHL5A"]}

So I guess this doesn't work either (with Boulder running)?

docker exec boulder_boulder_1 ping -c 1 boulder

Maybe stop Boulder and restart the entire Docker daemon too, to try to reset the networking.

I am using Testcontainers, which means I get random container names and hostnames. I needed to explicitly set my hostname to "boulder".
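As an added example (not code from this thread, acme4j or Boulder), here is a Testcontainers setup that applies the fix from the last reply: the Boulder container is given both the hostname and the network alias "boulder", so Boulder's own components can still resolve URLs such as http://boulder:4510, and the challtestsrv A record from the earlier reply is registered through the add-a endpoint on port 8055. The image name, the ACME directory port 4001 and the /directory path are assumptions.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.Network;
import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.utility.DockerImageName;

public class BoulderTestSetup {
    // Placeholder image tag (assumption): replace with the Boulder dev image you actually build.
    static final String BOULDER_IMAGE = "boulder-dev:local";
    static final int ACME_PORT = 4001;         // Boulder dev ACMEv2 port (assumption)
    static final int CHALLTESTSRV_PORT = 8055; // challtestsrv management port used in the thread

    public static GenericContainer<?> startBoulder(Network network) {
        GenericContainer<?> boulder = new GenericContainer<>(DockerImageName.parse(BOULDER_IMAGE))
            .withNetwork(network)
            // Testcontainers randomises container names; Boulder's internal services dial
            // "boulder" by name (e.g. http://boulder:4510), so the alias AND the hostname must
            // both be pinned, otherwise Docker's embedded DNS (127.0.0.11) cannot resolve it.
            .withNetworkAliases("boulder")
            .withCreateContainerCmdModifier(cmd -> cmd.withHostName("boulder"))
            .withExposedPorts(ACME_PORT, CHALLTESTSRV_PORT)
            .waitingFor(Wait.forListeningPort());
        boulder.start();
        return boulder;
    }

    /** Register the fake A record that challtestsrv answers during http-01 validation. */
    public static int addARecord(GenericContainer<?> boulder, String host, String address)
            throws Exception {
        String body = String.format("{\"host\":\"%s\",\"addresses\":[\"%s\"]}", host, address);
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://localhost:"
                + boulder.getMappedPort(CHALLTESTSRV_PORT) + "/add-a"))
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        // challtestsrv answers 200 on success; anything else means the record was not stored.
        return HttpClient.newHttpClient()
            .send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    /** Directory URL to hand to acme4j's Session; the mapped port replaces the random 334xx port. */
    public static String directoryUrl(GenericContainer<?> boulder) {
        return "http://localhost:" + boulder.getMappedPort(ACME_PORT) + "/directory";
    }
}
```

The address passed to addARecord must be reachable from inside the Boulder container (the Docker bridge IP mentioned above, not 127.0.0.1), or the http-01 validation will still fail.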
