Problem with letsencrypt, port 443 and dnsmasq

I have a problem with letsencrypt: When I try to setup the domain in the wizard, I get this error:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(‘<urllib3.connection.VerifiedHTTPSConnection object at 0x76866b70>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution’,))
Please see the logfiles in /var/log/letsencrypt for more details.

I have tried to disable the SPI-firewall in my tp-link router settings and to use different ports in nc-forward-ports, but I always get the same error!

Another problem: When dnsmasq is activated, I can’t update ncp!

Thanks for help :slight_smile:

Something is broken with your DNS resolver. Maybe the firewall blocks it, or maybe some network issue - hard to say. But try first to lookup the host on the commandline, to check if you get the same error:

dig acme-v02.api.letsencrypt.org

Check also if you got a working upstream resolver in /etc/resolv.conf (or /etc/systemd/resolv.conf, if you have a newer distro using systemd for lookups)

Consider to use google or cloudflare as upstream resolver, it often solves such problems. Cloudflare DNS is at 1.1.1.1, easy to remember and works well.

You can test from commandline if they work with your firewall/router without changing resolv.conf - type this to test cloudflare fex:

dig acme-v02.api.letsencrypt.org @1.1.1.1
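Added here as an example, not code from the thread or from NextcloudPi: a small POSIX shell script that applies the checks above. It parses the nameserver lines of a resolv.conf-style file, flags a loopback-only setup (the `nameserver 127.0.0.1` that a local dnsmasq leaves behind), classifies dig output (the "no servers could be reached" timeout versus a NOERROR answer), and probes the system resolver, each listed nameserver and 1.1.1.1 with a short timeout. It assumes dig is installed; the script name and the status words are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: checks the resolver setup discussed above.
# Assumes dig is installed (BIND dnsutils); the parsing helpers need no network.

# Print the nameserver addresses from a resolv.conf-style file.
resolvers_from_conf() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed when every configured nameserver is loopback (127.x or ::1),
# i.e. resolution depends entirely on a local forwarder such as dnsmasq.
loopback_only() {
  total=$(resolvers_from_conf "$1" | wc -l | tr -d ' ')
  external=$(resolvers_from_conf "$1" | grep -Evc '^(127\.|::1$)' || true)
  [ "$total" -gt 0 ] && [ "$external" -eq 0 ]
}

# Read dig output on stdin and print one word: timeout, ok, the RCODE
# (e.g. NXDOMAIN, SERVFAIL) when the answer was not NOERROR, or unknown.
dig_status() {
  out=$(cat)
  case "$out" in
    *"no servers could be reached"*) echo timeout ;;
    *"status: NOERROR"*)             echo ok ;;
    *"status: "*) printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1 ;;
    *)                               echo unknown ;;
  esac
}

# Query NAME via the system resolver (no SERVER) or a specific SERVER,
# with a short timeout so a dead forwarder reports quickly.
probe() {
  name=$1; server=${2:-}
  if [ -n "$server" ]; then
    st=$(dig +time=3 +tries=1 "$name" "@$server" 2>&1 | dig_status)
  else
    st=$(dig +time=3 +tries=1 "$name" 2>&1 | dig_status)
  fi
  printf '%-16s %s\n' "${server:-system}" "$st"
}

# Usage: sh resolver-check.sh acme-v02.api.letsencrypt.org [/etc/resolv.conf]
# Probes the system resolver, each listed nameserver, and 1.1.1.1 as a fallback.
if [ -n "${1:-}" ]; then
  conf=${2:-/etc/resolv.conf}
  loopback_only "$conf" && echo "note: $conf lists only loopback resolvers; a local forwarder must be working"
  probe "$1"
  for ns in $(resolvers_from_conf "$conf") 1.1.1.1; do probe "$1" "$ns"; done
fi
```

A "timeout" for the system resolver next to "ok" for 1.1.1.1 points at the local forwarder or its upstream; "timeout" for every server points at the router or firewall.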

dnsmasq enabled:

; <<>> DiG 9.10.3-P4-Raspbian <<>> acme-v02.api.letsencrypt.og*
;; global options: +cmd
;; connection timed out; no servers could be reached

file content:
# Generated by resolvconf
nameserver 127.0.0.1

; <<>> DiG 9.10.3-P4-Raspbian <<>> acme-v02.api.letsencrypt.og @1.1.1.1*
;; global options: +cmd
;; connection timed out; no servers could be reached

ncp-update with enabled dnsmasq:
fatal: unable to access 'htps://github.cm/nextcloud/nextcloudpi.git/': Could not resolve host: github.cm*
No internet connectivity*

dnsmasq disabled:

; <<>> DiG 9.10.3-P4-Raspbian <<>> acme-v02.api.letsencrypt.og*
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.og. IN A*

;; ANSWER SECTION:
acme-v02.api.letsencrypt.og. 1171 IN CNAME api.letsencrypt.og-ng.edgekey.nt.*
api.letsencrypt.og-ng.edgekey.nt. 1533 IN CNAME e14990.dscx.akamaiedge.nt.*
e14990.dscx.akamaiedge.nt. 20 IN A 104.111.246.175*

;; AUTHORITY SECTION:
dscx.akamaiedge.nt. 665 IN NS n6dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n2dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n4dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n7dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n5dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n1dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n3dscx.akamaiedge.nt.
dscx.akamaiedge.nt. 665 IN NS n0dscx.akamaiedge.nt.

;; ADDITIONAL SECTION:
n0dscx.akamaiedge.nt. 665 IN A 88.221.81.192*
n1dscx.akamaiedge.nt. 665 IN A 2.20.190.217*
n2dscx.akamaiedge.nt. 665 IN A 72.247.179.198*
n4dscx.akamaiedge.nt. 665 IN A 2.16.187.62*
n7dscx.akamaiedge.nt. 665 IN A 2.16.187.47*
n0dscx.akamaiedge.nt. 665 IN AAAA 2600:1480:e800::c0*

;; Query time: 11 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Apr 17 17:25:27 BST 2019
;; MSG SIZE rcvd: 434

; <<>> DiG 9.10.3-P4-Raspbian <<>> acme-v02.api.letsencrypt.o*g @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

How can I change the upstream resolver?

NOTE: I had to replace net, com, http and org with nt, cm, htp and og, because I can’t post more than 4 links…

Thanks for your help! @ztein

I have tried letsencrypt with disabled dnsmasq:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
htp-01 challenge for mo-nc.ddns.nt
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Challenge failed for domain mo-nc.ddns.nt
htp-01 challenge for mo-nc.ddns.n*t
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mo-nc.ddns.nt
Type: connection
Detail: Fetching
htp://mo-nc.ddns.n*t/.well-known/acme-challenge/rVtETS1yB4HnbW-xQLgzvgqZYkytYPBkmi3vXK9_CoE:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I have now a tp-link router and I had no such problems in my old home with the old router!

Yeah looks like a router/firewall problem. Guess you have to dig in the tp router manual/support to figure out how to solve it. On most routers you can assign DMZ IP/ports for your device/server, but this might require the firewall to be running. So I think you have to fix that first.

For the resolver, just replace the ip address in /etc/resolver.conf - change it from 127.0.0.1 to 1.1.1.1

But it sounds like your outgoing routing is okay - but not the incoming.