Communication error with letsencrypt server

Hi everyone,
Currently, I am trying to deploy linuxserver/letsencrypt for my personal NAS. I followed the procedure written in this blog: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/
The first time I started my new container I had an error about a connection timeout. After adding the --add-host argument on creation of the container, a new error occurred with the SSL handshake.
I will attach the command and the log. Now I don't have any idea what to try, but I would appreciate any support.
Thanks.

Command:
# -p 80:80 is optional
docker create \
  --name=letsencrypt \
  --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=America/Montreal \
  -e URL=ydra.duckdns.org \
  -e SUBDOMAINS=wildcard \
  -e VALIDATION=duckdns \
  -e DUCKDNSTOKEN=d1eb6f41b3a8425a879b7dd4b3b88588 \
  -p 443:443 \
  -p 80:80 \
  -v /media/USB_NTFS/letsencrypt/appdata/letsencrypt:/config \
  --restart unless-stopped \
  --add-host acme-v01.api.letsencrypt.org:104.107.50.145 \
  linuxserver/letsencrypt

Why are you manually setting DNS records?

Post a docker log so we can see what's going on.

Also, if the drive is formatted to NTFS, that could also cause issues.

Good question,

The first time I started without the add-host command, I received an HttpsConnectionTimeout. After much research on the internet, I understood that my container was not able to connect to the ACME server of letsencrypt. I validated it with a curl command directly in the container.

After this modification, I had the second error. So currently I cannot publish the log because the log has more than 2 URL links.

So I'm interested to know why NTFS can cause an issue, because I'm able to map the volume of the container to another drive if necessary.

The added FUSE layer adds complications to docker itself. Switch the drive to EXT4 and you shouldn’t have any problems.

For the log I added **** to some URLs.

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.14.165-172 armv7l)

Last login: Fri Mar 13 00:37:49 2020 from 192.168.2.15
fcharron@odroid:~$ sudo docker logs letsencrypt -f
[sudo] password for fcharron:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver.****io
We gratefully accept donations at:
https*****://www.linuxserver.io/donate/

GID/UID

User uid: 1000
User gid: 1000

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
...+++++
...+++++
writing new private key to '/config/keys/cert.key'

[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=1000
PGID=1000
TZ=America/Montreal
URL=ydra******.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=duckdns
DNSPLUGIN=
EMAIL=
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…++++++++
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Wildcard cert for ydra****.duckdns.org will be requested
No e-mail address entered or address invalid
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www*****.subdomain.duckdns.org
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Registering without email!
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1646, in _raise_ssl_error
    raise WantReadError()
OpenSSL.SSL.WantReadError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 352, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    raise timeout("select timed out")
socket.timeout: select timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 400, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/lib/python3.8/site-packages/urllib3/packages/six.py", line 735, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 379, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 330, in _raise_timeout
    raise ReadTimeoutError(
urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='******acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

During handling of the above exception, another exception occurred:

requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct.

It looks like you’re having networking issues that you need to fix.
Also ntfs (may or may not be related) is likely to cause issues. I’d recommend using a local folder or a disk formatted to ext4

OK, now I use a local folder: /docker/letsencript/ and I removed the --add-host argument. The behavior changed, but it doesn't work.
Now it is an HTTPSConnectionPool max retry error.
And when I define an MTU of 1300 in /etc/docker/daemon.json, I have a VerifiedHTTPSConnection error.
I will attach the two logs.

[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes


      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver****.io
We gratefully accept donations at:
https****://www.linuxserver.io/donate/

GID/UID

User uid: 1000
User gid: 1000

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
...+++++
...+++++
writing new private key to '/config/keys/cert.key'

[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=1000
PGID=1000
TZ=America/Montreal
URL=ydra*.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=duckdns
DNSPLUGIN=
EMAIL=
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…++++++++
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Wildcard cert for ydra*.duckdns.org will be requested
No e-mail address entered or address invalid
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.*org
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Registering without email!
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 156, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 300, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 168, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0xb5011af0>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.*org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0xb5011af0>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.*org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0xb5011af0>: Failed to establish a new connection: [Errno -3] Try again'))
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct.

[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes


      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver.*io
We gratefully accept donations at:
https://www.linuxserver.*io/donate/

GID/UID

User uid: 1000
User gid: 1000

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
...+++++
...+++++
writing new private key to '/config/keys/cert.key'

[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=1000
PGID=1000
TZ=America/Montreal
URL=ydra.duckdns.*org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=duckdns
DNSPLUGIN=
EMAIL=
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…+…+…+…+…+…

!!! A LOT OF LINES REMOVED HERE FOR THE POST !!!

…+…+…+…+…+…+…+…+…+…+…+…+…+…+…++++++++
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Wildcard cert for ydra.duckdns.*org will be requested
No e-mail address entered or address invalid
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.*org
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Registering without email!
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 156, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 300, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 168, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0xb511b3e8>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.*org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0xb511b3e8>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.*org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0xb511b3e8>: Failed to establish a new connection: [Errno -3] Try again'))
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct.

Should I retry with the --add-host arg?

Does someone have an idea? The container should be autonomous. Should I open a specific port on my device?
Can it be because I use a DuckDNS domain?

Like we said before, you’re having networking issues on your host/docker service. Nothing to do with the container. You gotta fix those issues before you can run this container.

On my host I can reach the server. Maybe it is in the docker service, but I don't know what to check.

When I ping acme-v01.api.letsencrypt.org from my host, the IP is 104.99.248.78. When I do the same thing from the container, the result is 172.65.32.248.
From my computer, the result is 172.65.32.248.
Could this be the problem?

**** was put in some URLs due to restrictions for new users on this forum.

So now I have resolved why my host had a bad IP address for a ping request. This IP was defined for this address in the hosts file.
After that I executed a test. I did this request on my host and in the container: curl -v https://acme-v02.api.letsencrypt.org/directory
On my host everything was correct. But in my container the result was different.

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme****-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme****-v02.api.letsencrypt.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme****-v02.api.letsencrypt.org:443

The problem seems to be the network configuration of my docker/container, but I don't have any idea what the problem is.

OK, after putting a daemon.json file in the /etc/docker directory, the certificate generation works fine.
{
  "mtu": 1300
}

Now it is the name resolution that has the problem.
For example, the Heimdall container isn't resolved by the letsencrypt container. Both share the same bridge. But when I put the IP of this container in the heimdall.subfolder.conf file, it works fine. But this solution doesn't work for jellyfin. The first question is how to resolve the container name.
I don't know if it is the same case or if it isn't better to close this case and open another one.

Container names have to be all lowercase, otherwise nginx can't resolve them.
Also, they need to be in the same user-defined bridge network, not the default bridge.
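Added example, not code from the poster or the linuxserver project: a small Python audit that reads `docker network inspect` output and flags the three things this thread turned on, a bridge MTU above the path MTU the host can actually use (the handshake stalling right after the Client Hello, fixed above with mtu 1300), containers left on the default bridge, and container names that are not all lowercase. The two inspect documents are constructed samples; the `com.docker.network.*` option keys are the ones Docker really emits, and the path MTU is assumed to have been measured beforehand on the host.

```python
"""Audit `docker network inspect` output for the pitfalls in this thread:
a bridge MTU larger than the usable path MTU (TLS handshake stalls after
the Client Hello) and container names nginx cannot resolve (containers on
the default bridge, or names that are not all lowercase). Constructed
example; not the linuxserver project's code."""
import json
import sys

# Real option keys Docker emits under "Options" in `docker network inspect`.
DEFAULT_BRIDGE_OPT = "com.docker.network.bridge.default_bridge"
MTU_OPT = "com.docker.network.driver.mtu"


def make_inspect(name, default_bridge, mtu, containers):
    """Build a minimal inspect document with Docker's real field names
    (Name, Driver, Options, Containers); used only to construct samples."""
    return json.dumps([{
        "Name": name, "Driver": "bridge",
        "Options": {DEFAULT_BRIDGE_OPT: str(default_bridge).lower(),
                    MTU_OPT: str(mtu)},
        "Containers": {f"id{i}": {"Name": c} for i, c in enumerate(containers)},
    }])


# Constructed samples: the setup the thread starts from, and a corrected one.
SAMPLE_BAD = make_inspect("bridge", True, 1500,
                          ["letsencrypt", "Heimdall", "jellyfin"])
SAMPLE_GOOD = make_inspect("lsio", False, 1300,
                           ["letsencrypt", "heimdall", "jellyfin"])


def bridge_mtu(net, default=1500):
    """MTU of the bridge; a missing option means Docker's 1500 default
    (assumes no daemon-level override)."""
    return int(net.get("Options", {}).get(MTU_OPT, default))


def audit(inspect_json, path_mtu):
    """Return (network, code, advice) tuples; an empty list means all clear.
    path_mtu is the largest frame the host can send unfragmented, measured
    beforehand with `ping -M do -s <size>` against the ACME host."""
    findings = []
    for net in json.loads(inspect_json):
        name = net.get("Name", "?")
        if net.get("Options", {}).get(DEFAULT_BRIDGE_OPT) == "true":
            findings.append((name, "default-bridge",
                             "container names only resolve on a user-defined "
                             "network; create one and attach the containers"))
        for c in net.get("Containers", {}).values():
            if c["Name"] != c["Name"].lower():
                findings.append((name, "name-case",
                                 f"rename {c['Name']!r} to {c['Name'].lower()!r}"))
        mtu = bridge_mtu(net)
        if mtu > path_mtu:
            findings.append((name, "mtu",
                             f"bridge MTU {mtu} exceeds path MTU {path_mtu}; set "
                             f'{{"mtu": {path_mtu}}} in /etc/docker/daemon.json or '
                             f"create the network with -o {MTU_OPT}={path_mtu}"))
    return findings


if __name__ == "__main__":
    # Usage: docker network inspect <net> | python3 audit.py - 1300
    doc = sys.stdin.read() if sys.argv[1:2] == ["-"] else SAMPLE_BAD
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 1300
    for net, code, advice in audit(doc, limit) or [("-", "ok", "no findings")]:
        print(f"[{code}] {net}: {advice}")
```

Run without arguments it audits the constructed sample; with `-` and a measured path MTU it audits whatever inspect document is piped in.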

Good, now it works for heimdall, but for jellyfin I have this message: Unable to find the specified file

context?
I don’t have a crystal ball, you know