SSL for LXD Container websites


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: streamingworld.us

I ran this command:
sudo certbot certonly --standalone -d lpc1.streamingworld.us --non-interactive --agree-tos --email rayjender@gmail.com --http-01-port=8888
It produced this output:

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

I have multiple LXD containers with websites. I also have a container running haproxy (10.106.37.15). I port forward (iptables) ports 80, 443 and 8888 from the host to the haproxy container. lpc1 is a container 10.106.37.94. I can ping lpc1.streamingworld.us
from external internet.

Running the following command:
root@HAPROXY:/etc/ssl# sudo certbot certonly --standalone -d lpc1.streamingworld.us --non-interactive --agree-tos --email rayjender@gmail.com --http-01-port=8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lpc1.streamingworld.us
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. lpc1.streamingworld.us (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://lpc1.streamingworld.us/.well-known/acme-challenge/Clc71dZDKioynV4OC5oWgEKxSfXkCngbgMyRs5Eo-bw: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lpc1.streamingworld.us
    Type: connection
    Detail: Fetching
    http://lpc1.streamingworld.us/.well-known/acme-challenge/Clc71dZDKioynV4OC5oWgEKxSfXkCngbgMyRs5Eo-bw:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#2

On the face of it, the error seems to indicate that your public IP address (23.239.31.177) does not actually have port 80 forwarded to your HAProxy container…


#3

I have this port forwarding active 10.106.37.15 is the haproxy container:

sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 23.239.31.177/32 --dport 443 -j DNAT --to-destination 10.106.37.15:443
sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 23.239.31.177/32 --dport 80 -j DNAT --to-destination 10.106.37.15:80
sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 23.239.31.177/32 --dport 8888 -j DNAT --to-destination 10.106.37.15:8888


#4

Unfortunately it doesn’t work:

$ curl -X GET -I 23.239.31.177
curl: (7) Failed to connect to 23.239.31.177 port 80: Connection refused

If you run this from your LXD host, does it work?

curl -X GET -I 10.106.37.15:80

#5

So I think I have everything fixed as far as configuration goes. I can access the website in the container using https. However, I have an iFrame within the index.html page that will not connects.
The iFrame src is:

See the image for network headers:


#6

Hi @rayj00

I see your http and https. But your http + /.well-known/acme-challenge has a http status 503 (checked with https://check-your-website.server-daten.de/?q=lpc1.streamingworld.us ):

Domainname Http-Status redirect Sec. G
http://lpc1.streamingworld.us/
23.239.31.177 200 0.280 H
https://lpc1.streamingworld.us/
23.239.31.177 200 2.700 B
http://lpc1.streamingworld.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
23.239.31.177 503 3.293 S
Service Unavailable

Why is there a 503?


#7

Looks like you have fixed the problem. There is a recheck of your domain

CN=lpc1.streamingworld.us
	27.02.2019
	28.05.2019
expires in 90 days	lpc1.streamingworld.us - 1 entry

and the Letsencrypt certificate is new.


closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.