Letsencrypt times out with ports open on router

Good day,

I followed a tutorial on YouTube (Techno Dad Life) to get SSL certificates so I can connect to my server more securely. However, when I check the docker logs I see that the certificates don’t exist. Here is some info:

  • OS: OpenMediaVault 4.1.32-1 (OMV Arrakis)
  • Router: TC7200 Technicolor with OpenVPN for DNS service
  • The container is being pulled from “linuxserver/letsencrypt:latest”
  • Domain name mp-nas.duckdns.org
  • The A record is assigned to my IP address, and the A record has been tested with dnschecker.org
  • The router has port forwarding configured for public port 80 and 443 to the server.
  • When I change the OMV web UI to port 80 or 443, it does NOT externally access my domain at mp-nas.duckdns.org
Summary
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    REDACTED
User gid:    REDACTED
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=REDACTED
PGID=REDACTED
TZ=REDACTED
URL=mp-nas.duckdns.org
SUBDOMAINS=
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=REDACTED
STAGING=

2048 bit DH parameters present
No subdomains defined
E-mail address entered: REDACTED
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
  elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if original_result is 0:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mp-nas.duckdns.org
Waiting for verification...
Challenge failed for domain mp-nas.duckdns.org
http-01 challenge for mp-nas.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mp-nas.duckdns.org
   Type:   connection
   Detail: Fetching
   http://mp-nas.duckdns.org/.well-known/acme-challenge/KueUUtUr-YiVp9JCkUYmtzRJnRGQo6yw25DtNIrKco0:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container.

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Hi Aptalca,

You’ve linked an article that essentially describes how to forward your ports. I’ve checked and tested the ports I would like to use dozens of times and it doesn’t seem to be working. I cannot connect to my domain on those “open” ports. The settings are checked (both Let’s Encrypt and my router settings) and I ran it through dnschecker.org, which did show the domain as being able to be reached.

The article tells you how to “test” and “confirm” whether your domain is reachable by substituting our nginx container for letsencrypt: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/#troubleshootingports

Did you do that?

Hey Aptalca,

Right now I am able to reach the nginx page on HTTP (port 81). However, HTTPS (port 443) still refuses the connection. On this request I should be seeing a warning in my browser that the certificate is invalid because it’s self-signed, but that page I still have issues with. The port settings are the same and the nginx image is loaded, updated and running.

Using this command:

netstat -tulpen | grep 443

Output:

tcp6 0 0 :::9443 :::* LISTEN 0 23363 1637/docker-proxy
udp6 0 0 :::443 :::* 0 104121 26599/docker-proxy

Does that mean the port is open but can’t be accessed? It seems the docker-proxy (nginx image) is seen, or am I wrong?

your port 443 is only listening on UDP; http(s) is tcp traffic. share your docker compose (or a screenshot of your setup if you used the gui)

actually now I’m confused: you have your router forwarding 443 to 450, you also talk about port 81 working but you only show a forward of 80 to 90… you’re just leaving out a lot of information here.
you’re showing 443 as the proxy port in netstat; I’m going to guess you didn’t map 450 to 443 on your letsencrypt container, but I need more info.

Hi Driz,

In my last post I tried to follow these troubleshooting instructions as mentioned by aptalca: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/#troubleshootingports

I also forwarded a range of ports 80 to 90 and 443 to 450. I hope that clears up any confusion for you.

I can see what you forwarded (I mentioned it in my reply). As I mentioned though, your router takes 443 and sends it to 450

but you only show us

tcp6 0 0 :::9443 :::* LISTEN 0 23363 1637/docker-proxy
udp6 0 0 :::443 :::* 0 104121 26599/docker-proxy

show us 450; the 443 above is only listening on UDP which will not work (http(s) uses tcp)

please share your docker run command or your compose.

@driz

In which way would you get the proper information? Currently I use Shell with ‘docker logs -f letsencrypt’ to check if the certs have been generated and saved properly but I get what you see in summary. Which commands would I need to use to give you the information you require regarding my docker compose?

I want the data IN your docker-compose.yml or the command you entered to start the container if you used docker run

apparently OMV has some weird GUI to do this… I guess a screenshot of how you set it up?

@driz
Here are the options I used: https://i.imgur.com/9yzXsE7.png
As for port forwarding under Network I used:

HostIP: 0.0.0.0 HostPort: 450 ExposedPort: 443/tcp Protocol: TCP
HostIP: 0.0.0.0 HostPort: 90 ExposedPort: 80/tcp Protocol: TCP

These are the logs:

I am able to reach my server on port 90 but it gets timed out/connection refused when I try to use https

I’m guessing here because I’m not familiar with OMV, but

you have 443 come into your router and then forward as 450 to your docker host
but looking at your network section, it looks like you mapped 443 to 450 instead of 450 to 443 (same with the 90 to 80 bit)

can you show a docker ps?

@driz here is the docker ps output:

linuxserver/letsencrypt:latest "/init --cap-add=NET…" About an hour ago Up 9 minutes 0.0.0.0:90->80/tcp, 0.0.0.0:450->443/tcp letsencrypt
linuxserver/duckdns:latest “/init” 2 weeks ago Up 3 days duckdns

I also have Pi-hole and OpenVPN running but haven’t included them in the paste to keep it somewhat tidy.

I can’t seem to post links anymore, but the ports are set up the same for 80 and 443.

Input 450:

netstat -tulpen | grep 450

Output:

tcp6 0 0 :::450 :::* LISTEN 0 2598583 17230/docker-proxy

Input 443:

netstat -tulpen | grep 443

Output:

tcp6 0 0 :::9443 :::* LISTEN 0 26927 1412/docker-proxy

ok this all looks right then; router takes 443, port forwards to port 450 on the docker host IP (I’m assuming you have the right IP in your port forward); it should hit your exposed port 450 on the host and NAT into the letsencrypt container.

in the location where you created your /config, you should have a log directory which has an nginx directory in it. you’ll see an access.log and an error.log; do a tail -f access.log error.log and then try to access the site, you should see traffic on the log, hopefully you will just see the issue and resolve it. If not, redact any personal info and share the log on pastebin

it also might save you some time if you just come on discord, it’s a bit quicker getting support there 🙂
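The checks Driz walks through by hand above (is the host port a TCP listener, not just UDP, and does docker map it into the container's 80/443) can be done offline against copied `netstat -tulpen` and `docker ps` output. This is an added example, not code from the thread or from the linuxserver.io image; the sample lines are constructed from the ones posted, and the router rule (public 443 to host 450) is an assumption passed in as parameters because it cannot be observed from the docker host.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the lines posted in the thread.
NETSTAT_SAMPLE = """\
tcp6 0 0 :::9443 :::* LISTEN 0 23363 1637/docker-proxy
udp6 0 0 :::443 :::* 0 104121 26599/docker-proxy
tcp6 0 0 :::450 :::* LISTEN 0 2598583 17230/docker-proxy
tcp6 0 0 :::90 :::* LISTEN 0 2598580 17220/docker-proxy
"""

DOCKER_PS_SAMPLE = """\
linuxserver/letsencrypt:latest "/init" About an hour ago Up 9 minutes 0.0.0.0:90->80/tcp, 0.0.0.0:450->443/tcp letsencrypt
linuxserver/duckdns:latest "/init" 2 weeks ago Up 3 days duckdns
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    port: int


def parse_netstat(text):
    """Return the set of (proto, port) sockets from `netstat -tulpen` output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a tcp/udp socket line.
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]                      # tcp6 -> tcp, udp6 -> udp
        port = int(fields[3].rsplit(":", 1)[1])    # ":::450" -> 450
        listeners.add(Listener(proto, port))
    return listeners


# Matches "0.0.0.0:450->443/tcp" and ":::450->443/tcp" as printed by docker ps.
PORTMAP_RE = re.compile(r"(?:[\d.]+|::):(\d+)->(\d+)/(tcp|udp)")


def parse_docker_ports(text):
    """Return {(proto, host_port): container_port} for every mapping in docker ps output."""
    mappings = {}
    for match in PORTMAP_RE.finditer(text):
        host_port, container_port, proto = match.groups()
        mappings[(proto, int(host_port))] = int(container_port)
    return mappings


def check_chain(router_public, host_port, container_port, listeners, mappings):
    """Check router public port -> host_port (TCP listener) -> container_port.

    router_public is the port the router accepts (assumed; only recorded in messages).
    Returns a list of problems; an empty list means the docker-host side is consistent.
    """
    problems = []
    if Listener("tcp", host_port) not in listeners:
        if Listener("udp", host_port) in listeners:
            problems.append(f"host port {host_port} (from router {router_public}) is only "
                            f"listening on UDP; HTTP(S) needs TCP")
        else:
            problems.append(f"no TCP listener on host port {host_port} (from router {router_public})")
    mapped = mappings.get(("tcp", host_port))
    if mapped is None:
        problems.append(f"docker has no TCP mapping from host port {host_port}")
    elif mapped != container_port:
        problems.append(f"host port {host_port} maps to container port {mapped}, expected {container_port}")
    return problems


if __name__ == "__main__":
    listeners = parse_netstat(NETSTAT_SAMPLE)
    mappings = parse_docker_ports(DOCKER_PS_SAMPLE)
    for chain in ((443, 450, 443), (80, 90, 80), (443, 443, 443)):
        print(chain, check_chain(*chain, listeners, mappings) or "OK")
```

The third chain reproduces the earlier mistake in the thread: with router 443 expected to land directly on host 443, the only socket there is UDP and docker has no TCP mapping for it.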