SSL for LXD Container websites


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly --standalone -d --non-interactive --agree-tos --email --http-01-port=8888
It produced this output:

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

I have multiple LXD containers with websites. I also have a container running haproxy. I port forward (iptables) ports 80, 443 and 8888 from the host to the haproxy container. lpc1 is a container I can ping from the external internet.

Running the following command:
root@HAPROXY:/etc/ssl# sudo certbot certonly --standalone -d --non-interactive --agree-tos --email --http-01-port=8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Connection refused


  • The following errors were reported by the server:

    Type: connection
    Detail: Fetching
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


On the face of it, the error seems to indicate that your public IP address does not actually have port 80 forwarded to your HAProxy container…


I have this port forwarding active to the haproxy container:

sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d --dport 443 -j DNAT --to-destination
sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d --dport 80 -j DNAT --to-destination
sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d --dport 8888 -j DNAT --to-destination


Unfortunately it doesn’t work:

$ curl -X GET -I
curl: (7) Failed to connect to port 80: Connection refused

If you run this from your LXD host, does it work?

curl -X GET -I


So I think I have everything fixed as far as configuration goes. I can access the website in the container using https. However, I have an iFrame within the index.html page that will not connect.
The iFrame src is:

See the image for network headers:


Hi @rayj00

I see your http and https. But your http + /.well-known/acme-challenge has a http status 503 (checked with ):

Domainname   Http-Status   redirect   Sec.    G
             200                      0.280   H
             200                      2.700   B
             503                      3.293   S   Service Unavailable

Why is there a 503?
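For readers landing on this thread with the same setup, here is an added example (not posted by anyone in the thread and not rayj00's actual config) of an haproxy configuration inside the HAPROXY container that makes certbot's standalone authenticator on port 8888 work. The key point is that Let's Encrypt always fetches the HTTP-01 challenge on port 80 of the domain, regardless of --http-01-port; that flag only changes where certbot listens. So haproxy must receive port 80 and hand the /.well-known/acme-challenge/ path to 127.0.0.1:8888, while everything else goes to the website container. Forwarding port 8888 from the Internet to the container is therefore unnecessary. The backend name "acme", the certificate directory /etc/haproxy/certs/ and the lpc1 address 10.0.3.10 are assumptions for the example.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80
    # The CA connects to port 80 for HTTP-01. certbot --standalone --http-01-port=8888
    # listens on 8888 inside this container only while a challenge is in progress.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    # Everything that is not a challenge goes to HTTPS.
    redirect scheme https code 301 if !is_acme

frontend https-in
    # Directory of PEM files, each containing fullchain.pem followed by privkey.pem
    # (assumed path; built from certbot's /etc/letsencrypt/live/<domain>/).
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend web-lpc1

backend acme
    # No health check on purpose: this server is only up while certbot runs.
    # When certbot is idle, haproxy answers 503 Service Unavailable on the
    # challenge path, which is what an external check sees between renewals.
    server certbot 127.0.0.1:8888

backend web-lpc1
    # lpc1 website container; address is an assumption for this example.
    server lpc1 10.0.3.10:80 check
```

With this in place, the certbot command from the first post needs only ports 80 and 443 forwarded from the LXD host to the HAPROXY container. After issuance, concatenate fullchain.pem and privkey.pem into one file under the crt directory and reload haproxy; a 503 on the challenge path while certbot is not running is expected and harmless, but a 503 during validation means the request never reached a listening certbot (wrong port in the backend, or certbot started in a different container than haproxy).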


Looks like you have fixed the problem. There is a recheck of your domain
expires in 90 days - 1 entry

and the Letsencrypt certificate is new.
