I’ve been trying for a week to get kobo-install to work. I figured out some initial mistakes, but now I’m stuck at the point where LetsEncrypt certificates are downloaded. Prior to that, downloading components from the internet works fine.
The error messages (in full below) suggest a firewall problem. It might be – I’ve asked the firewall team on campus to open ports 80 and 443 to the server, but I don’t know whether it’s been done and they haven’t answered several status requests (they’re understaffed). I also don’t know Docker or nginx so I’m not sure how to test if the dockerized nginx is visible to the world or even the local network. (It would be good if kobo-install set up an “I’m here” test page to help with this). The error messages suggest looking at log files, but those files don’t exist – maybe they only exist inside the container.
Any help in tracking down and fixing the problem is appreciated.
Setup:
kobo host: Ubuntu 22.04.2 LTS (Jammy Jellyfish) running as a VM
VM host: Proxmox 7
The kobo-install directory is on the kobo host.
Transcript from install session (CryptographyDeprecation warnings after the first one were removed). I’m especially curious about the “ERROR: 1” just before downloading recommended TLS parameters.
Creating network “nginx-certbot_default” with the default driver
Pulling certbot (certbot/certbot:)…
Creating nginx-certbot_certbot_run … done
/snap/docker/2746/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography (40.0) will be the last to support Python 3.6.
from cryptography.hazmat.backends import default_backend
Pulling nginx_ssl_proxy (nginx:1.21-alpine)…
Creating nginx-certbot_nginx_ssl_proxy_1 … done
Creating nginx-certbot_certbot_run … done
Creating nginx-certbot_certbot_run … done
ERROR: 1
Downloading recommended TLS parameters …
Creating dummy certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu …
latest: Pulling from certbot/certbot
Digest: sha256:5562b49a93285e6a63756f1ae7f2d0da76f23d392381c033ef125db40f6e2c5c
Status: Downloaded newer image for certbot/certbot:latest
Generating a RSA private key
…+++++
…+++++
writing new private key to ‘/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/privkey.pem’
Starting nginx …
1.21-alpine: Pulling from library/nginx
Digest: sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Status: Downloaded newer image for nginx:1.21-alpine
Deleting dummy certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu …
Requesting Let’s Encrypt certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu …
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for kf.survey.piar.potsdam.edu and 2 more domains
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ee.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://ee.survey.piar.potsdam.edu/.well-known/acme-challenge/HZ1moP_ZI2x23wGVysxmE_xZfQvHoFoIpm03iicSU4E: Timeout during connect (likely firewall problem)
Domain: kc.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://kc.survey.piar.potsdam.edu/.well-known/acme-challenge/4Pkw-wPucVwWOHUOknQvS2VMf7kgLcISYm94vfce914: Timeout during connect (likely firewall problem)
Domain: kf.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://kf.survey.piar.potsdam.edu/.well-known/acme-challenge/DI40uKtlK2Cd2nY1KuoPHEOnumIICJAEnRVM0IZTNzY: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Reloading nginx …
2023/04/11 18:29:12 [emerg] 11#11: cannot load certificate “/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem”: BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(‘/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate “/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem”: BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(‘/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
An error has occurred
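
An added example, not part of the original post and not kobo-install code: a small TCP probe that separates the "Timeout during connect" case the CA reported from a refused connection, which answers the question of whether anything is visible on ports 80 and 443. The hostnames and ports are taken from the post; the function names `probe` and `report` are made up for this sketch.

```python
import socket
import sys

# Hostnames from the transcript above; ports 80/443 as named in the post.
HOSTS = ["kf.survey.piar.potsdam.edu",
         "kc.survey.piar.potsdam.edu",
         "ee.survey.piar.potsdam.edu"]
PORTS = [80, 443]


def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt.

    open    - handshake completed, something is listening
    refused - host answered with a reset: reachable, but no listener on the port
    timeout - no answer at all: packets are dropped, as a filtering firewall does
    dns     - the name did not resolve
    error   - any other network error (for example, no route to host)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def report(hosts, ports, timeout=5.0):
    """Probe every host/port pair and return {(host, port): state}."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


if __name__ == "__main__":
    # Optional hostnames on the command line override the defaults above.
    results = report(sys.argv[1:] or HOSTS, PORTS)
    for (h, p), state in sorted(results.items()):
        print(f"{h}:{p:<4} {state}")
    sys.exit(0 if all(s == "open" for s in results.values()) else 1)
```

Run from the kobo host itself, it only shows whether the dockerized nginx is listening locally; run from a machine outside the campus network, it shows what the Let's Encrypt validation servers see, where `timeout` on port 80 matches the error in the transcript.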