Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: cgi.dev-rs.cicc.com
I ran this command: certonly --manual --preferred-challenges http -d cgi.dev-rs.cicc.com
It produced this output:
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f410a830580>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Try using another DNS server [not 10.96.0.10]
Like:
nslookup acme-v02.api.letsencrypt.org 114.114.114.114
nslookup acme-v02.api.letsencrypt.org 8.8.8.8
nslookup acme-v02.api.letsencrypt.org 9.9.9.9
nslookup acme-v02.api.letsencrypt.org 1.1.1.1
Does this server have outgoing Internet connectivity in general? (Can it reach Internet services outside of the LAN or data center?)
Apparently in Chinese it is normally called 防火长城 and refers to systems that implement government policies to restrict connections between the Chinese Internet and the rest of the world's Internet. This can sometimes cause unpredictable errors for Internet users in China.
In the past, users in China have been able to get Let's Encrypt certificates successfully, so I don't think this is a very likely explanation for this problem. (The government policy that caused the most trouble is the ICP license, where the Chinese government also requires people to have a license in order to operate public Internet services, and hosting companies may prevent incoming connections to servers that have not demonstrated that they are in possession of this license. However, that would cause a very different error if it were the problem in this case.)
I agree with the diagnosis that perhaps the k8s instance does not have any outgoing Internet connectivity, which would need to be configured before it can use the Let's Encrypt API.
As @rg305 said, we are mostly not experts on k8s here since this forum is more specialized for Let's Encrypt questions. Some people may know about it but most questions relate much more to other environments (usually people running on a VPS or even a bare-metal server instead of k8s).
You might also want to look at the host command (for performing DNS queries from the command line) and ping for testing IP connectivity on the command line. Good luck!
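The two checks suggested in the replies above (try a different DNS server, and test whether the machine has any outbound connectivity) can be combined into one script that tells a broken resolver apart from a missing route out. This is an added example, not part of any post in the thread; the verdict names and the use of TCP port 53 as a DNS-free reachability probe are choices made for this example.

```python
import socket

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host from the error message above
# Public resolvers listed in the reply above; probed by IP, so no DNS is needed.
PUBLIC_RESOLVERS = ["114.114.114.114", "8.8.8.8", "9.9.9.9", "1.1.1.1"]


def system_lookup(host):
    """Resolve host via the system resolver; return (ips, error)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos}), None
    except socket.gaierror as exc:
        # errno -3 is EAI_AGAIN: the resolver gave no answer at all.
        return [], exc


def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes (no DNS lookup involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host=ACME_HOST, lookup=system_lookup, reachable=tcp_reachable):
    """Return (verdict, detail). lookup/reachable can be swapped for offline tests."""
    ips, err = lookup(host)
    if ips:
        if any(reachable(ip, 443) for ip in ips):
            return "ok", f"{host} resolves and accepts TCP/443"
        return "egress-blocked", f"{host} resolves to {ips} but TCP/443 fails"
    # Lookup failed: see whether any public resolver is reachable by IP.
    # Assumption: these resolvers also answer on TCP/53, as DNS servers normally do.
    up = [r for r in PUBLIC_RESOLVERS if reachable(r, 53)]
    if up:
        return "resolver-broken", f"lookup failed ({err}); reachable resolvers: {up}"
    return "no-egress", f"lookup failed ({err}); no public resolver reachable"


if __name__ == "__main__":
    verdict, detail = diagnose()
    print(verdict, "-", detail)
```

A `resolver-broken` verdict points at the configured DNS server, while `no-egress` points at missing outbound connectivity for the pod or host.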