LetsEncrypt failure in Single bench containerized installation

Hello team,

I am facing an issue with setting up HTTPS via LetsEncrypt. I am using the containerized installation for a Single Bench setup. I am using env-production as the base for my .env file (yes, I do have a publicly accessible IP and a DNS record pointing to it).

When I check logs on my traefik container, I am getting the following error:

time="2022-02-07T12:51:59Z" level=info msg="Configuration loaded from flags."
time="2022-02-07T12:52:10Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority" providerName=myresolver.acme routerName=erpnext-nginx@docker rule="Host(`my.domain.com`)"
time="2022-02-07T15:04:47Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2022-02-07T15:04:47Z" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2022-02-07T15:04:47Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
time="2022-02-07T15:04:47Z" level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=web
time="2022-02-07T15:04:47Z" level=error msg="Cannot connect to docker server context canceled" providerName=docker

This is my .env file:

LETSENCRYPT_EMAIL=me@myemail.co,
ERPNEXT_VERSION=edge
FRAPPE_VERSION=edge
MARIADB_HOST=mariadb
MYSQL_ROOT_PASSWORD=mypassword
SITE_NAME=my.domain.com
SITES=`my.domain.com`
DB_ROOT_USER=root
ADMIN_PASSWORD=mypassword
INSTALL_APPS=erpnext
ENTRYPOINT_LABEL=traefik.http.routers.erpnext-nginx.entrypoints=websecure
CERT_RESOLVER_LABEL=traefik.http.routers.erpnext-nginx.tls.certresolver=myresolver
HTTPS_REDIRECT_RULE_LABEL=traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
HTTPS_REDIRECT_ENTRYPOINT_LABEL=traefik.http.routers.http-catchall.entrypoints=web
HTTPS_REDIRECT_MIDDLEWARE_LABEL=traefik.http.routers.http-catchall.middlewares=redirect-to-https
HTTPS_USE_REDIRECT_MIDDLEWARE_LABEL=traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
SKIP_NGINX_TEMPLATE_GENERATION=0
WORKER_CLASS=gthread

I have not made any changes to my docker-compose yaml file. Posting the relevant part (let me know if anything else is needed too):

 traefik:
    image: "traefik:v2.2"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      # enable traefik
      - "traefik.enable=true"
      # global redirect to https for production only
      - "${HTTPS_REDIRECT_RULE_LABEL}"
      - "${HTTPS_REDIRECT_ENTRYPOINT_LABEL}"
      - "${HTTPS_REDIRECT_MIDDLEWARE_LABEL}"
      # middleware redirect for production only
      - "${HTTPS_USE_REDIRECT_MIDDLEWARE_LABEL}"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - cert-vol:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    userns_mode: "host"
 erpnext-nginx:
    image: frappe/erpnext-nginx:${ERPNEXT_VERSION}
    restart: on-failure
    environment:
      - FRAPPE_PY=erpnext-python
      - FRAPPE_PY_PORT=8000
      - FRAPPE_SOCKETIO=frappe-socketio
      - SOCKETIO_PORT=9000
      - SKIP_NGINX_TEMPLATE_GENERATION=${SKIP_NGINX_TEMPLATE_GENERATION}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.erpnext-nginx.rule=Host(${SITES})"
      - "${ENTRYPOINT_LABEL}"
      - "${CERT_RESOLVER_LABEL}"
      - "traefik.http.services.erpnext-nginx.loadbalancer.server.port=8080"
    volumes:
      - sites-vol:/var/www/html/sites:rw
      - assets-vol:/assets:rw

TIA!

Try recreating traefik after removing the traefik volume.

Try searching for the error response from LetsEncrypt.

Let me try that. On the LetsEncrypt side, so far I haven't got anything useful. A couple of pages suggested updating ca-certificates, so I tried that on the container too, but no luck. I will report back with this in 5 odd minutes.

Hi @revant_one,

Identical result. I did more or less a complete hard reset with
$ docker-compose --project-name DemoProd down

followed by
$ sudo docker volume rm $(sudo docker volume ls -q)

and finally
$ docker-compose --project-name DemoProd up -d

No change in LetsEncrypt status.

Another thing I wanted to try was to run certbot on my VM and then copy the certificates to the nginx container, but that container is completely locked down - as in no root access and no packages installed (I would need vi or vim).

Hello team,
Realized after speaking with the IT team that the firewall was apparently interfering with LetsEncrypt. After a change to the hardware firewall configuration and a machine reboot, I am now able to apply certificates successfully.
Thanks!
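The "x509: certificate signed by unknown authority" line in the first post, which the thread eventually traces to a firewall interfering with the ACME connection, is the kind of failure worth flagging automatically rather than discovering days later. The following is an added example, not code from Frappe, Traefik or any of the posters: it parses Traefik's logfmt output, picks out ACME errors and maps them to a likely cause and the check a defender should make first. The sample log is constructed from the excerpt in the thread, and the categories for rate-limit, connection and DNS errors go beyond what this thread shows (they are the RFC 8555 ACME error types).

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the Traefik log excerpt in the thread (not a live capture).
SAMPLE_LOG = r'''time="2022-02-07T12:51:59Z" level=info msg="Configuration loaded from flags."
time="2022-02-07T12:52:10Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": x509: certificate signed by unknown authority" providerName=myresolver.acme routerName=erpnext-nginx@docker rule="Host(`my.domain.com`)"
time="2022-02-07T15:04:47Z" level=error msg="Cannot connect to docker server context canceled" providerName=docker
'''

# logfmt as Traefik emits it: key=bare or key="quoted with \" escapes"
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Substring of the ACME error -> (category, what to check first)
_HINTS = [
    ("x509: certificate signed by unknown authority", "untrusted_acme_chain",
     "TLS to the ACME directory presented a chain the container's CA bundle does not trust: "
     "check for an outbound proxy/firewall doing TLS inspection, or a stale ca-certificates in the image"),
    ("urn:ietf:params:acme:error:rateLimited", "rate_limited",
     "Let's Encrypt rate limit hit; stop recreating the resolver volume and wait, or test against the staging CA"),
    ("urn:ietf:params:acme:error:connection", "challenge_unreachable",
     "Let's Encrypt could not reach the challenge URL: confirm port 80 is open to the Internet and routed to Traefik"),
    ("urn:ietf:params:acme:error:dns", "dns_problem",
     "DNS lookup for the requested name failed from Let's Encrypt's side: check the public record"),
]

def parse_logfmt(line: str) -> Dict[str, str]:
    """Split one Traefik log line into key/value pairs, unescaping quoted values."""
    out = {}
    for key, raw in _PAIR.findall(line):
        out[key] = re.sub(r'\\(.)', r'\1', raw[1:-1]) if raw.startswith('"') else raw
    return out

def classify_acme_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per ACME-related error line, with the likely cause category."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("level") != "error" or "ACME" not in rec.get("msg", ""):
            continue  # info lines and non-ACME errors (e.g. the docker provider) are skipped
        msg = rec["msg"]
        category, hint = "unclassified", "inspect the message manually"
        for needle, cat, h in _HINTS:
            if needle in msg:
                category, hint = cat, h
                break
        url = re.search(r"https://\S+?/directory", msg)  # which ACME directory was contacted
        findings.append({"time": rec.get("time", ""), "router": rec.get("routerName", ""),
                         "category": category, "acme_url": url.group(0) if url else "", "hint": hint})
    return findings

if __name__ == "__main__":
    for f in classify_acme_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['router']}: {f['category']} -> {f['hint']}")
```

Pipe `docker logs <traefik container>` into `classify_acme_failures` to get the same triage on a live deployment; an "untrusted_acme_chain" finding is the signal to ask the network team about TLS inspection before touching the compose file.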