From 936bc981e5dfeb430b95069a50f7f5084bd93319 Mon Sep 17 00:00:00 2001
From: Patrick Bellasi
Date: Sun, 7 Feb 2021 17:01:19 +0100
Subject: [PATCH] Ensure ACME Server is valid

Starting this container can fail at certbot initialization with this error (reported at the end of /var/log/letsencrypt/letsencrypt.log):

HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory "[Errno -3] Try again"

which does not tell much about the real problem and just sounds like a possible DNS resolution issue.

However, by logging into the container after the error above, a simple:

wget https://acme-v02.api.letsencrypt.org/directory

usually works. The exact same certbot command logged in /var/log/letsencrypt/letsencrypt.log also works.

This has been verified to happen, for example, while installing the container on a QNAP NAS with a bridged network setup.

Turns out that on some systems a small delay is required before running network access operations (e.g. running certbot).

Add a tight loop to check for a valid resolution of ACMESERVER. Report a clearer error in case we cannot resolve the server within 1 min. Otherwise, continue with the init script as soon as nslookup is happy.

No overhead for generic systems: just a local nslookup will be performed, whose response caching will benefit the following certbot connection anyway.

Signed-off-by: Patrick Bellasi
---
 root/etc/cont-init.d/50-config | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 42cdd77..ed9ee7f 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -139,6 +139,15 @@ else ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi +# check for the ACME server to be valid +ACMEHOST=$(echo $ACMESERVER | awk -F/ '{print $3}') +echo "Waiting (up to 1min) for [$ACMEHOST] to be reachable..." +timeout 1m bash -c "until nslookup $ACMEHOST >/dev/null; do sleep 1; done" +if [ $? -ne 0 ]; then + echo "ERROR: Cannot resolv $ACMEHOST" + sleep infinity +fi + # figuring out url only vs url & subdomains vs subdomains only if [ -n "$SUBDOMAINS" ]; then echo "SUBDOMAINS entered, processing"
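Review bot: In `timeout 1m bash -c "until nslookup $ACMEHOST >/dev/null; do sleep 1; done"` the host is expanded into the command string before the inner shell parses it, so any shell metacharacters in `$ACMEHOST` (and, one line up, in the unquoted `$ACMESERVER` fed to `awk`) are interpreted as code rather than data; if `ACMESERVER` can come from outside the default in the `else` branch shown here, pass the value as an argument instead, e.g. `timeout 1m sh -c 'until nslookup "$1" >/dev/null; do sleep 1; done' _ "$ACMEHOST"`, and quote `"$ACMESERVER"` in the `awk` pipeline. Two smaller points: the message says "to be reachable" but `nslookup` only proves the name resolves (which matches the `[Errno -3] Try again` symptom the commit describes, so "resolvable" is the accurate word), and `echo "ERROR: Cannot resolv $ACMEHOST"` should read "resolve". Finally, `sleep infinity` on failure keeps the container running indefinitely with only a log line to show for it; if that is the intended keep-alive-for-debugging behaviour of this init script, a comment saying so would help, otherwise a non-zero exit is what a restart policy or orchestrator can act on.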