mandatoryprogrammer/xsshunter-express

Certificate issuing troubles

RaduNico opened this issue · 1 comments

On running sudo docker compose up xsshunterexpress I hit the following issue:

[...]
xsshunter-express-xsshunterexpress-1  | changing `configDir` from '/app/greenlock.d' to './greenlock.d'
xsshunter-express-xsshunterexpress-1  | Listening on 0.0.0.0:80 for ACME challenges, and redirecting to HTTPS
xsshunter-express-xsshunterexpress-1  | Listening on 0.0.0.0:443 for secure traffic
xsshunter-express-xsshunterexpress-1  | Ready to Serve:
xsshunter-express-xsshunterexpress-1  |          <domain_name>
xsshunter-express-xsshunterexpress-1  | ACME Directory URL: https://acme-v02.api.letsencrypt.org/directory
xsshunter-express-xsshunterexpress-1  | 
xsshunter-express-xsshunterexpress-1  | By using this software you (<private_email>) are agreeing to the following:
xsshunter-express-xsshunterexpress-1  | ACME Subscriber Agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
xsshunter-express-xsshunterexpress-1  | Greenlock/ACME.js Terms of Use: https://rootprojects.org/legal/#terms
xsshunter-express-xsshunterexpress-1  | 
xsshunter-express-xsshunterexpress-1  | set greenlockOptions.notify to override the default logger
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)

It appears the server is created and is listening on ports 80 and 443, but the certificate issuing process fails. Is there a way to manually generate the Let's Encrypt certificate in order to bypass this issue?

I managed to solve the issue. In the process of generating a certificate greenlock has a sanity check which attempts to access http://<public_ip> from the machine on which we are setting up xsshunter. Depending on the network setup, it is possible that the machine from the internal network cannot access itself via the public IP.

I solved this by adding an entry in /etc/hosts with '127.0.0.1 my.public.domain' and the certificate was issued with no further problems.
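A preflight check for the failure mode described in this thread, added here as an example and not part of xsshunter-express or Greenlock: it probes the public name from the host the way the cert_issue self-check does, tells a hairpin-NAT timeout apart from "nothing listening yet", and prints the /etc/hosts line from the comment above when that is the likely fix. The curl exit codes and the hosts-file matching are assumptions about the environment, not behaviour the project documents.

```shell
#!/bin/sh
# Constructed preflight check (not part of xsshunter-express). Greenlock's
# cert_issue step connects from the host to http://<public name>/ before asking
# Let's Encrypt to validate; behind hairpin NAT that connection hangs and shows
# up as "connect ETIMEDOUT <public_ip>:80". Run this once the container reports
# "Listening on 0.0.0.0:80" so the two failure cases can be told apart.

# Probe the public name the way the self-check does; prints curl's exit code.
# 0 = got an HTTP response, 7 = connection refused, 28 = connect timed out.
probe_public_name() {
    rc=0
    curl -s -o /dev/null --connect-timeout 10 "http://$1/" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# The /etc/hosts line from the comment above, pinning the public name to loopback.
hosts_override_line() {
    printf '127.0.0.1 %s\n' "$1"
}

# Succeeds when the hosts file already maps exactly this domain to a 127.x
# address; hosts lines may carry several names, so match whole names only.
has_override() {
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*127(\.[0-9]+){3}[[:space:]]+(.*[[:space:]])?$escaped([[:space:]]|$)" "$1"
}

preflight() {
    domain="$1"; hosts_file="${2:-/etc/hosts}"
    case "$(probe_public_name "$domain")" in
        0)  echo "OK: this host reaches http://$domain/; the self-check should pass"
            return 0 ;;
        7)  echo "REFUSED: $domain is reachable from here but nothing listens on :80"
            echo "Start the container first, then rerun this check"
            return 2 ;;
        28) echo "TIMEOUT: same symptom as the issue (likely hairpin NAT)"
            if has_override "$hosts_file" "$domain"; then
                echo "$hosts_file already pins $domain to loopback; check the process doing the self-check sees it"
            else
                echo "Add this line to $hosts_file, then restart the container:"
                hosts_override_line "$domain"
            fi
            return 1 ;;
        *)  echo "UNRESOLVED: curl could not reach $domain (DNS or other error)"
            return 3 ;;
    esac
}

if [ -n "${1:-}" ]; then preflight "$@"; fi
```

The loopback entry only satisfies the local self-check; Let's Encrypt's HTTP-01 validators still connect to port 80 from the internet, so the public path to the container must stay open regardless.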