Nginx Proxy Manager GUI / Setting up new SSL cert

I am running the newest stable version of Nginx Proxy Manager, in Docker on Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-110-generic x86_64).

The strangest thing is that I have successfully enabled SSL certificates on 3 proxy hosts without any concerns so far. I am doing the exact same thing this fourth time, and I run into the same error log every single time. I've been trying with and without an enabled vHost in Nginx.

How come I suddenly am not able to set up a new SSL certificate?

This is the error message I am getting while trying. Since I am not using the CLI (the job is fully automated by Nginx through the GUI), I cannot state what CLI parameters I am using. I have, though, pasted the error log underneath.
And since Nginx has very limited ways/options when doing this, there isn't much I can do differently.

Ports open are 80 and 443, both NATed to the Nginx Proxy Manager. The other SSL-enabled proxy hosts are working perfectly over port 443 and HTTPS.

I have, just to try, opened ALL ports to the VM running the container just to make sure it is not a network issue. This didn't change anything, of course. The subdomain is pointing to the Nginx public IP, just to have mentioned that as well.

I have also checked that I reach the world from inside the container, and it resolves DNS queries. I can see from the error log that something times out. I tried to ping, and it answers:

[root@docker-b0f8a23e65bf:/app]# ping letsencrypt.org
PING letsencrypt.org (18.192.76.182) 56(84) bytes of data.
64 bytes from ec2-18-192-76-182.eu-central-1.compute.amazonaws.com (18.192.76.182): icmp_seq=1 ttl=50 time=6.46 ms
64 bytes from ec2-18-192-76-182.eu-central-1.compute.amazonaws.com (18.192.76.182): icmp_seq=2 ttl=50 time=6.50 ms
64 bytes from ec2-18-192-76-182.eu-central-1.compute.amazonaws.com (18.192.76.182): icmp_seq=3 ttl=50 time=6.93 ms
^C
--- letsencrypt.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 6.462/6.631/6.929/0.221 ms
[root@docker-b0f8a23e65bf:/app]# 

Error log:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --authenticator webroot --email "anders@buksa.org" --preferred-challenges "dns,http" --domains "emby.buksa.org" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:399:12)
    at ChildProcess.emit (node:events:526:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Have scratched my head over this for 2 weeks without having a single idea of what is going on here.
I did a lot of googling, and I came by another post with the same errors, and there it was said that it was too many failed attempts within the hour. But I cannot see that this is the same problem.

Thanks for any help here.


Try with

curl -vvv https://acme-v02.api.letsencrypt.org/directory

Both from the host and from inside the container.


Hi @buksa, and welcome to the LE community forum

The command line doesn't indicate which webroot (directory) location should be used.
Perhaps it is using a default which doesn't match the webroot for this FQDN.


@rg305 I'm pretty sure that's all automated by the horrible piece of software called "NPM". Could be correct, could be incorrect, I don't know. It shouldn't have any influence on the time out currently presented though.


Then the statement:

Must be incorrect and something is being done differently.
OR
Something else has changed so that now all requests would actually fail [not just this one].


@9peppe thanks for helping me out. The first one is from the Docker host, the second is from within the Nginx container:

Docker host:

:~$ curl -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* TCP_NODELAY set
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set

^C

From within container:

 _   _       _            ____                      __  __                                   
| \ | | __ _(_)_ __ __  _|  _ \ _ __ _____  ___   _|  \/  | __ _ _ __   __ _  __ _  ___ _ __ 
|  \| |/ _` | | '_ \\ \/ / |_) | '__/ _ \ \/ / | | | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '__|
| |\  | (_| | | | | |>  <|  __/| | | (_) >  <| |_| | |  | | (_| | | | | (_| | (_| |  __/ |   
|_| \_|\__, |_|_| |_/_/\_\_|   |_|  \___/_/\_\\__, |_|  |_|\__,_|_| |_|\__,_|\__, |\___|_|   
       |___/                                  |___/                          |___/           
Version 2.9.18 (cce73be) 2022-03-31 05:46:34 UTC, OpenResty 1.19.9.1, debian 10 (buster), Certbot certbot 1.26.0
Base: debian:buster-slim, linux/amd64
Certbot: nginxproxymanager/nginx-full:latest, linux/amd64
Node: nginxproxymanager/nginx-full:certbot, linux/amd64

[root@docker-b0f8a23e65bf:/app]# curl -vvv https://acme-v02.api.letsencrypt.org/directory
* Expire in 0 ms for 6 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 0 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 1 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 2 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 3 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 3 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 3 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 3 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 4 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 8 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 6 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 6 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 8 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 7 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 7 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 8 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 8 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 8 ms for 1 (transfer 0x56080a3a8d40)
* Expire in 10 ms for 1 (transfer 0x56080a3a8d40)
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Expire in 200 ms for 4 (transfer 0x56080a3a8d40)
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* TCP_NODELAY set
* Expire in 149984 ms for 3 (transfer 0x56080a3a8d40)
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Cannot assign requested address
^C

Is this a network problem after all?
I can look up other domains; I have assigned Google DNS servers.

[root@docker-b0f8a23e65bf:/app]# ping vg.no
PING vg.no (195.88.54.16) 56(84) bytes of data.
64 bytes from www.vg.no (195.88.54.16): icmp_seq=1 ttl=241 time=23.8 ms
64 bytes from www.vg.no (195.88.54.16): icmp_seq=2 ttl=241 time=24.1 ms
64 bytes from www.vg.no (195.88.54.16): icmp_seq=3 ttl=241 time=24.1 ms
64 bytes from www.vg.no (195.88.54.16): icmp_seq=4 ttl=241 time=24.2 ms
64 bytes from www.vg.no (195.88.54.16): icmp_seq=5 ttl=241 time=24.0 ms
^C
--- vg.no ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 23.847/24.066/24.221/0.212 ms
[root@docker-b0f8a23e65bf:/app]# ping youtube.com
PING youtube.com (142.250.185.110) 56(84) bytes of data.
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=1 ttl=116 time=5.47 ms
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=2 ttl=116 time=5.53 ms
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=3 ttl=116 time=5.43 ms
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=4 ttl=116 time=5.64 ms
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=5 ttl=116 time=5.45 ms
64 bytes from fra16s49-in-f14.1e100.net (142.250.185.110): icmp_seq=6 ttl=116 time=5.52 ms
^C
--- youtube.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 13ms
rtt min/avg/max/mdev = 5.426/5.504/5.641/0.119 ms

And:

[root@docker-b0f8a23e65bf:/app]# ufw status
bash: ufw: command not found
buksa@docker:~$ sudo ufw status
sudo: unable to resolve host docker: Name or service not known
[sudo] password for buksa: 
Status: inactive

Ports NATed into the Nginx container:

0.0.0.0:80-81->80-81/tcp, :::80-81->80-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp  

Hi, I am still having the same issue.
Tried to reboot the Docker VM.

I wonder if making a 1:1 copy of the Nginx container with a new name would be worth a try, in a new directory so that any config created isn't following. And then try setting up the same certificates again. But maybe it will be a problem since the certificates actually already exist/have been handed out?

Thanks for any advice on this.


I think you should focus on why your host cannot connect to the Let's Encrypt acme URL. Is that the host your container runs on? I don't quite follow your explanation of your setup but if the host can't connect the container won't either.


@MikeMcQ , thanks.

Yes.
I tried to curl the same URL from the hypervisor host, and it reached it.
I also tried it from a random other Ubuntu VM, and didn't reach it. The Docker host is running on a VM in Proxmox, by the way, and is behind a pfSense firewall. Well, at least I thought I had control over the firewall rules here, but maybe something is lurking. I have opened 80 and 443 between the public IP which the subdomain is pointing towards and the VM running Docker. Further, Docker is, as mentioned, NATing the 80 and 443 traffic into the Nginx container.

Let me just ask you this: is it incoming traffic or outgoing which times out? Is it waiting for a reply, or is it trying to reach the server? Just so I know where to look.

And the strange thing is that I have had issues with the firewall before, and therefore I tend to open up all ports just for a short while when trying to create a certificate with Let's Encrypt. Like this time...


So, if I understand right, the controlling hypervisor host can connect fine. But any VM cannot. So, it must be something wrong between the VM and the hypervisor host.

When you do a curl to the LE acme URL that is an outbound request. When requesting a cert the LE server will also make a request to your server so that is inbound to you. I am able to make requests to your server and get a reasonable response. I don't know if it is the right response given your complex configuration.

The LE server request is similar to the one shown below for http challenges. The value Test1 will be different, and the 404 Not Found is expected since Test1 does not exist.

curl -I emby.buksa.org/.well-known/acme-challenge/Test1

HTTP/1.1 404 Not Found
Server: openresty
Date: Sat, 21 May 2022 15:31:56 GMT
Content-Type: text/html
Content-Length: 34
Connection: keep-alive
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Token, X-Emby-Client, X-Emby-Client-Version, X-Emby-Device-Id, X-Emby-Device-Name, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Private-Network: true
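The inbound check Mike describes above, carried one step further as an added example that is not part of this thread or of NPM/certbot: a small Python script that computes the key authorization an ACME client has to publish for an HTTP-01 challenge (RFC 8555 section 8.1: token, a dot, and the RFC 7638 JWK thumbprint of the account key) and classifies what an outside fetch of http://<domain>/.well-known/acme-challenge/<token> comes back with. The account key, the token and the sample responses are constructed for illustration; `fetch_challenge` is an assumed helper that reproduces the validator's plain-HTTP GET with the standard library and is not what Let's Encrypt itself runs.

```python
import base64
import hashlib
import json
import socket
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexicographically sorted keys, no whitespace).
    Extra members such as "alg" or "kid" are deliberately left out."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the challenge URL must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def interpret(status, body, expected, error=None) -> str:
    """Classify what the validator would see at the challenge URL."""
    if error is not None:
        if isinstance(error, (socket.timeout, TimeoutError)):
            return "timeout: inbound port 80 to this host is filtered or not NATed"
        return f"unreachable: {error}"
    if status == 200 and body.strip() == expected:
        return "ok: key authorization served"
    if status == 200:
        return ("wrong-server: port 80 answered, but not with this challenge "
                "(another vhost or backend is in front of the ACME path)")
    if status == 404:
        return ("reached-but-missing: the proxy answered but the token is not "
                "there (expected for a test token)")
    return f"unexpected status {status}"


def fetch_challenge(domain: str, token: str, expected: str, timeout: float = 10.0) -> str:
    """Assumed helper: issue the same plain-HTTP GET the validator does."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as e:
        return interpret(e.code, "", expected)
    except (urllib.error.URLError, OSError) as e:
        return interpret(None, "", expected, error=getattr(e, "reason", e))


# Constructed account key (NOT a real key): only the public JWK members feed
# the thumbprint, and these values are illustrative.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed-modulus-not-a-real-key")}
TOKEN = "Test1"  # the placeholder token used in the curl above

if __name__ == "__main__":
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    print("expected body:", expected)
    # The three responses below are constructed, not captured.
    print(interpret(404, "", expected))                       # what the openresty 404 above means
    print(interpret(200, "<html>some other app</html>", expected))  # another server answered
    print(interpret(200, expected, expected))                 # what a passing challenge looks like
```

The 404 from openresty in Mike's output is the good case for a test token: the request reached Nginx Proxy Manager. A 200 with some other body is the symptom Site24x7 reports later in the thread (a web server answers, but it is not NPM), and a timeout means the inbound side is the problem rather than the outbound one.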

Thank you for giving this time, @MikeMcQ

Yes. The hypervisor itself has its own IP. But I have routed in a /28 subnet, all of which have been added as VIPs on my pfSense firewall. It all plays well, and has for years, actually. I have a 1:1 NAT between one of the public IPs in that subnet and the VM running Docker. So that VM has its own public IP address.
In addition, I have, of course, opened port 80 and 443. I have verified that both are listened on, from the outside. All traffic out from the VM works completely fine. As pasted in above, I can ping different domains and get replies. Hmm. I feel like this might be SOME kind of DNS problem.... But how. Or is it?


IDK. DNS lookup seems fine. Have you figured out why the curl to the acme-v02 URL fails yet? You can see the IP addresses it tries came from the public DNS for that domain name. But the curl fails on both IPv4 and IPv6. Or I assume it failed and that the ^C meant you cancelled the request before letting it time out. Try adding -m10 to shorten the timeout.

One of the first steps in getting a cert is for the ACME client on your server to make a request like this. It is important that this curl succeeds.

And, what does this show (in host and failing VM):

curl -I https://google.com

Hi @MikeMcQ :slight_smile:

curl -I https://google.com in Docker VM:

buksa@docker:~$ curl -I https://google.com
HTTP/2 301 
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Sat, 21 May 2022 18:50:58 GMT
expires: Sat, 21 May 2022 18:50:58 GMT
cache-control: private, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
set-cookie: CONSENT=PENDING+766; expires=Mon, 20-May-2024 18:50:58 GMT; path=/; domain=.google.com; Secure
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

From host/hypervisor:

:~$ curl -I https://google.com
HTTP/2 301 
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Sat, 21 May 2022 18:53:00 GMT
expires: Sat, 21 May 2022 18:53:00 GMT
cache-control: private, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
set-cookie: CONSENT=PENDING+833; expires=Mon, 20-May-2024 18:53:00 GMT; path=/; domain=.google.com; Secure
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

Sorry if I am completely off track. I have no experience at all with how curl or certbot works, or with the process of establishing a certificate. From what it seems, it looks the same from both when trying it with Google. Which means ..?

Thanks,


One more thing.
I have tried both before and after creating the vhost itself (proxy host in Nginx).

Because when the proxy host is active, the traffic on port 80 is forwarded to the server it is redirecting to. Which I first thought would be the whole problem. But even if I delete the proxy host, I'm getting the same error.

There is something else:
When the proxy host is active and I am in the dialogue for creating the certificate, I can initiate a test for verifying that the web server is reachable from Site24x7 via the supplied domain name lookup.

If the proxy host on port 80 is set up by the time I run the test, it fails, saying it found a web server running on the IP address but it isn't Nginx Proxy Manager, and suggesting some typical scenarios etc.

Turning the proxy host off/removing it first, it has no further redirects, and it detects everything as normal and says it's good to go. That is why I first thought it would be best to create the certificate before adding the proxy host...

And what does this do from the same spots as you checked google?

curl -I https://acme-v02.api.letsencrypt.org/directory

On the host:

:~$ curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200 
server: nginx
date: Sat, 21 May 2022 19:07:23 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0001IAuCBD04S5xvgaZtI4Bin486fuvklWCu1gv9VSYNV2s
x-frame-options: DENY
strict-transport-security: max-age=604800

In the Docker VM it times out. Nothing comes out of it. WHY!?

What does this do in the Docker VM:

curl -4 ifconfig.co
curl -6 ifconfig.co

also:
traceroute -I4 acme-v02.api.letsencrypt.org
traceroute -I6 acme-v02.api.letsencrypt.org


The -4 shows my public IP.
-6 shows nothing because no IPv6 is assigned.


That statement conflicts with the attempts:

[where we see it trying via IPv6]

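The -4/-6 checks Mike and rg305 asked for, carried a step further as an added example that is not part of this thread or of certbot: a Python probe that resolves the ACME host with the system resolver (which is what certbot's requests library uses), tries every returned address on its own socket with a short timeout, and keeps the three outcomes the curl output above mixes together apart from each other: a silent IPv4 timeout, an immediate IPv6 "Cannot assign requested address" (EADDRNOTAVAIL, the kernel has no IPv6 source address on this VM), and an active refusal. `diagnose` then states the conclusion one would draw for this thread. The errno mapping and the host name are assumptions; the sample results fed to `diagnose` in the demo are constructed, not captured.

```python
import errno
import socket

TIMEOUT = "timeout"
NO_ROUTE = "no-route"
REFUSED = "refused"
OK = "ok"

# errno -> outcome class (assumed mapping). EADDRNOTAVAIL is what curl printed
# above as "Cannot assign requested address": no usable source address for that
# family, i.e. no IPv6 on this host. ENETUNREACH/EHOSTUNREACH/EAFNOSUPPORT are
# the other ways a missing IPv6 stack shows up.
ERRNO_CLASS = {
    errno.EADDRNOTAVAIL: NO_ROUTE,
    errno.ENETUNREACH: NO_ROUTE,
    errno.EHOSTUNREACH: NO_ROUTE,
    errno.EAFNOSUPPORT: NO_ROUTE,
    errno.ECONNREFUSED: REFUSED,
}


def classify_error(exc: BaseException) -> str:
    """Map a connect() failure to one of the outcome classes."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return TIMEOUT
    code = getattr(exc, "errno", None)
    return ERRNO_CLASS.get(code, f"error({code})")


def probe(addr: str, port: int = 443, timeout: float = 5.0) -> str:
    """TCP connect to one literal address on its own socket, like curl -4/-6
    but without one family's result hiding the other's."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return OK
    except OSError as exc:
        return classify_error(exc)


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve A and AAAA records and probe every address returned."""
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    return {a: probe(a, port, timeout) for a in addrs}


def diagnose(results: dict) -> str:
    """Turn per-address outcomes into the conclusion this thread needs."""
    v4 = [r for a, r in results.items() if ":" not in a]
    v6 = [r for a, r in results.items() if ":" in a]
    if OK in v4 or OK in v6:
        return "reachable: the ACME directory answers on TCP/443"
    parts = []
    if v4 and all(r == TIMEOUT for r in v4):
        parts.append("IPv4 SYNs to this host get no answer at all (silently dropped on the path; "
                     "since other HTTPS hosts work, check the pfSense/VM egress rules for this destination)")
    if v6 and all(r == NO_ROUTE for r in v6):
        parts.append("IPv6 is attempted because DNS returns AAAA records, but this host has no IPv6, "
                     "so that fallback can never succeed; force IPv4 (curl -4) and fix the IPv4 path")
    if REFUSED in v4 + v6:
        parts.append("a TCP RST came back: something on the path actively rejects the connection")
    return "; ".join(parts) or f"mixed results: {results}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    res = probe_host(host)
    for a, r in res.items():
        print(f"{a:45} {r}")
    print(diagnose(res))
```

Run it once on the Docker host and once inside the container (python3 probe.py acme-v02.api.letsencrypt.org). The pair of results the thread shows, IPv4 timing out while IPv6 fails instantly, points at an IPv4 path problem for that one destination, not at DNS and not at the container, since the same host reaches google.com.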