IPv6 only instance cannot obtain certificates
MelHiour opened this issue · 1 comments
MelHiour commented
Hello team,
I played a little bit with Snikket using this guide. I've noticed weird behaviour if I use an IPv6-only instance to run containers. Certbot is not able to reach its endpoint.
With IPv6 only, I can see the following:
ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker-compose up
Starting snikket-portal ... done
Starting snikket-certs ... done
Starting snikket-proxy ... done
Starting snikket ... done
...
snikket | .
snikket | Waiting for certificates...
snikket | .
...
snikket-certs | requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f1ff9c9da60>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
If I go to the container's bash, I don't think it has internet reachability at all:
ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0abeaf31abf4 snikket/snikket-cert-manager:beta "/usr/bin/tini /bin/…" 13 minutes ago Up 2 minutes snikket-certs
...
ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker exec -it 0abeaf31abf4 bash
root@0abeaf31abf4:/# apt-get update
Err:1 http://deb.debian.org/debian bullseye InRelease
Could not connect to deb.debian.org:80 (199.232.26.132), connection timed out
Err:2 http://deb.debian.org/debian bullseye-updates InRelease
Unable to connect to deb.debian.org:80:
Err:3 http://security.debian.org/debian-security bullseye-security InRelease
Could not connect to security.debian.org:80 (151.101.2.132), connection timed out Could not connect to security.debian.org:80 (151.101.66.132), connection timed out Could not connect to security.debian.org:80 (151.101.194.132), connection timed out Could not connect to security.debian.org:80 (151.101.130.132), connection timed out
Reading package lists... Done
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease Could not connect to deb.debian.org:80 (199.232.26.132), connection timed out
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease Could not connect to security.debian.org:80 (151.101.2.132), connection timed out Could not connect to security.debian.org:80 (151.101.66.132), connection timed out Could not connect to security.debian.org:80 (151.101.194.132), connection timed out Could not connect to security.debian.org:80 (151.101.130.132), connection timed out
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease Unable to connect to deb.debian.org:80:
W: Some index files failed to download. They have been ignored, or old ones used instead.
I suppose the networking needs to be fixed somehow.
The instance itself is able to reach acme-v02.api.letsencrypt.org:
ubuntu@ip-10-0-1-186:/etc/snikket$ curl https://acme-v02.api.letsencrypt.org/directory
{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"rd_MKany4Hg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
ubuntu@ip-10-0-1-186:/etc/snikket$ host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c
ubuntu@ip-10-0-1-186:/etc/snikket$ host stengah.labnfun.ru
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc
ubuntu@ip-10-0-1-186:/etc/snikket$ host groups.stengah.labnfun.ru
groups.stengah.labnfun.ru is an alias for stengah.labnfun.ru.
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc
ubuntu@ip-10-0-1-186:/etc/snikket$ host share.stengah.labnfun.ru
share.stengah.labnfun.ru is an alias for stengah.labnfun.ru.
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc
At the same time, an IPv4-only instance works just fine.
mwild1 commented
Hi, thanks for the report!
- Edit your `docker-compose.yml` file, and look for the line that says `snikket_certs:`.
- Under this, add `network_mode: host` (indented to the same level as the lines below).
- Save, exit the editor
- Run `docker-compose up -d`
Does this fix your issue? If so, I'll include the fix in the next release.
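
A check for the condition behind this report, added here as an example and not part of the issue thread or the Snikket project's code: it reads `docker network inspect` JSON and lists containers that have no usable address family when the host has no IPv4. The network name `snikket_default`, the subnet and the addresses in the sample are constructed assumptions; the function name is hypothetical.

```python
import json

# Constructed sample of `docker network inspect` output; the network name,
# subnet and addresses are made up, the container name is from the report.
SAMPLE = """[{
  "Name": "snikket_default", "Driver": "bridge", "EnableIPv6": false,
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
  "Containers": {"0abeaf31abf4": {"Name": "snikket-certs",
      "IPv4Address": "172.18.0.2/16", "IPv6Address": ""}}
}]"""


def unreachable_containers(inspect_json, host_has_ipv4):
    """List (network, container, reason) for containers with no usable
    address family: the host lacks IPv4 and the network lacks IPv6."""
    findings = []
    if host_has_ipv4:
        return findings  # IPv4 NAT through the host still works
    for net in json.loads(inspect_json):
        ipam = (net.get("IPAM") or {}).get("Config") or []
        v6_subnet = any(":" in cfg.get("Subnet", "") for cfg in ipam)
        for info in (net.get("Containers") or {}).values():
            if not net.get("EnableIPv6"):
                reason = "EnableIPv6 is false on the network"
            elif not v6_subnet:
                reason = "network has no IPv6 subnet in IPAM"
            elif not info.get("IPv6Address"):
                reason = "container has no IPv6 address"
            else:
                continue
            findings.append((net.get("Name"), info.get("Name"), reason))
    return findings


if __name__ == "__main__":
    for network, container, reason in unreachable_containers(SAMPLE, False):
        print(f"{container} on {network}: {reason}")
```

A container started with `network_mode: host` shares the host's network namespace, so it does not appear under a bridge network in this output and it loses the network isolation the bridge provided. Enabling IPv6 on the Docker network is the alternative that keeps that isolation.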