Cannot get kobo-install to work. Firewall? Docker? OS version? Something else?

I’ve been trying for a week to get kobo-install to work. I figured out some initial mistakes, but now I’m stuck at the point where LetsEncrypt certificates are downloaded. Prior to that, downloading components from the internet works fine.

The error messages (in full below) suggest a firewall problem. It might be – I’ve asked the firewall team on campus to open ports 80 and 443 to the server, but I don’t know whether it’s been done and they haven’t answered several status requests (they’re understaffed). I also don’t know Docker or nginx so I’m not sure how to test if the dockerized nginx is visible to the world or even the local network. (It would be good if kobo-install set up an “I’m here” test page to help with this). The error messages suggest looking at log files, but those files don’t exist – maybe they only exist inside the container.

Any help in tracking down and fixing the problem is appreciated.

Setup:
kobo host: Ubuntu 22.04.2 LTS (Jammy Jellyfish) running as a VM
VM host: Proxmox 7
The kobo-install directory is on the kobo host.

Transcript from install session (CryptographyDeprecation warnings after the first one were removed). I’m especially curious about the “ERROR: 1” just before downloading recommended TLS parameters.

Creating network "nginx-certbot_default" with the default driver
Pulling certbot (certbot/certbot:)...
Creating nginx-certbot_certbot_run ... done
/snap/docker/2746/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography (40.0) will be the last to support Python 3.6.
from cryptography.hazmat.backends import default_backend
Pulling nginx_ssl_proxy (nginx:1.21-alpine)...
Creating nginx-certbot_nginx_ssl_proxy_1 ... done
Creating nginx-certbot_certbot_run ... done
Creating nginx-certbot_certbot_run ... done
ERROR: 1

Downloading recommended TLS parameters ...

Creating dummy certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu ...

latest: Pulling from certbot/certbot
Digest: sha256:5562b49a93285e6a63756f1ae7f2d0da76f23d392381c033ef125db40f6e2c5c
Status: Downloaded newer image for certbot/certbot:latest
Generating a RSA private key
...+++++
...+++++
writing new private key to '/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/privkey.pem'

Starting nginx ...

1.21-alpine: Pulling from library/nginx
Digest: sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Status: Downloaded newer image for nginx:1.21-alpine

Deleting dummy certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu ...

Requesting Let's Encrypt certificate for kf.survey.piar.potsdam.edu,kc.survey.piar.potsdam.edu,ee.survey.piar.potsdam.edu ...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for kf.survey.piar.potsdam.edu and 2 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ee.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://ee.survey.piar.potsdam.edu/.well-known/acme-challenge/HZ1moP_ZI2x23wGVysxmE_xZfQvHoFoIpm03iicSU4E: Timeout during connect (likely firewall problem)

Domain: kc.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://kc.survey.piar.potsdam.edu/.well-known/acme-challenge/4Pkw-wPucVwWOHUOknQvS2VMf7kgLcISYm94vfce914: Timeout during connect (likely firewall problem)

Domain: kf.survey.piar.potsdam.edu
Type: connection
Detail: 137.143.38.222: Fetching http://kf.survey.piar.potsdam.edu/.well-known/acme-challenge/DI40uKtlK2Cd2nY1KuoPHEOnumIICJAEnRVM0IZTNzY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Reloading nginx ...

2023/04/11 18:29:12 [emerg] 11#11: cannot load certificate "/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/kf.survey.piar.potsdam.edu/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
An error has occurred

You can check if something is wrong with your server that prevents the letsencrypt process from running properly by using this letsencrypt debug tool: https://letsdebug.net/.

I have been having a different issue with letsencrypt; it turned out that the firewall was the culprit. The ACME protocol has to be allowed.


Thanks, I’ll give that a try if I have some time. I’ve been running into so many problems with Docker version issues, as well as LetsEncrypt, that my boss requested I abandon the effort for now and turn to other priorities. I have to wonder if installation would be easier without Docker. Instead of Docker, it would be much, much easier if there were a VM utility available (something along the lines of Bitnami or Turnkey Linux).

The http-01 protocol (which I believe is what kobo-install uses) requires the firewall to allow https on 443 outbound from the local machine, and http/80 inbound. As long as the firewall allows these, it should work. Of course, once the local machine goes live for testing or production you’ll want https/443 open for incoming traffic.
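The reply above describes what HTTP-01 needs from the firewall (port 80 inbound so the CA can fetch the challenge file, 443 outbound so the client can talk to the ACME server). The script below is an added example, not code from this thread or from the kobo-install project: it reproduces the mechanics locally so you can see what each failure class looks like from the client side. It stands up Python's own `http.server` on a temporary directory in place of the dockerized nginx and webroot, writes a random probe file under `/.well-known/acme-challenge/` (a constructed stand-in for certbot's key authorization, not a real one), fetches it the way the CA would, and classifies the result. The `demo()` function, the temp webroot, the `127.0.0.1` addresses and the closed-port case are all assumptions of the example.

```python
"""Added example (not from the thread or kobo-install): local self-check of
the HTTP-01 challenge path. Assumptions: temp dir as webroot, Python's
http.server instead of nginx, fetch from this machine instead of the CA."""
import functools
import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Path certbot's webroot authenticator writes into, relative to --webroot-path/-w.
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Drop a throw-away file where certbot would put its challenge file.
    The body only mimics the token.thumbprint shape; it is random, constructed data."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.{secrets.token_urlsafe(32)}"
    target_dir = Path(webroot) / CHALLENGE_DIR
    target_dir.mkdir(parents=True, exist_ok=True)
    (target_dir / token).write_text(body)
    return token, body


def probe_challenge(base_url, token, expected_body, timeout=5.0):
    """Fetch the probe file as the CA would and classify the outcome.

    Returns (status, detail), status being one of:
      "ok"          file served with the expected body
      "http_error"  host answered, but not with the file (wrong vhost/webroot)
      "mismatch"    something else answered on that path (landing page, other server)
      "unreachable" no HTTP response at all: the client-side view of
                    "Timeout during connect (likely firewall problem)"
    """
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return "http_error", err.code
    except OSError as err:  # URLError, socket.timeout, ConnectionRefusedError
        return "unreachable", str(getattr(err, "reason", err))
    if body.strip() != expected_body:
        return "mismatch", body[:80]
    return "ok", body


def tcp_reachable(host, port, timeout=3.0):
    """The outbound half of HTTP-01: can this host open a TCP connection to
    the ACME server's port (443 in production)? Connect only, no TLS handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request access log lines
        pass


def serve_webroot(webroot, host="127.0.0.1", port=0):
    """Serve `webroot` on a background thread; port 0 picks a free port."""
    handler = functools.partial(_QuietHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the probe against a local stand-in for the nginx/webroot pair."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")  # constructed webroot
    server = serve_webroot(webroot)
    host, port = server.server_address
    base_url = f"http://{host}:{port}"
    token, body = write_probe_token(webroot)
    results = {
        "served": probe_challenge(base_url, token, body),
        "wrong_token": probe_challenge(base_url, "no-such-token", body),
        # Port 1 is assumed closed on localhost: stands in for a blocked port 80.
        "closed_port": probe_challenge("http://127.0.0.1:1", token, body, timeout=2.0),
        "outbound_tcp": tcp_reachable(host, port),
    }
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a real deployment the same two functions apply unchanged: write the token into the directory the nginx container actually serves as its webroot, then run `probe_challenge("http://kf.survey.piar.potsdam.edu", token, body)` from a host outside the campus network. "unreachable" matches the CA's "Timeout during connect" report and points at the firewall or DNS; "http_error" means port 80 is open but the vhost or webroot path is not the one certbot writes into; "ok" means the http-01 prerequisites are met and the remaining question is whether `tcp_reachable` succeeds outbound on 443.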

It turns out that at least some of the problems are with our host organization's IT department: not putting some of the domain names in DNS, and not opening the firewall to our server on ports 80 and 443. Hopefully once that's done I'll have some more luck. It would be helpful if such common errors were detected by kobo-install and reported.