Letsencrypt trouble to authenticate (Proxmox 5.1)

Nugraha

Member
Mar 25, 2019
7
0
6
43
Hello all,

I have problems when installing certificate ( Letsencrypt ) from my proxmox, the problems is :

Code:
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

i was open the port 80 to make it sure that can communicate with my public ip :

Code:
root@pve:/var/log# curl -v URL
* Rebuilt URL to: URL
*   Trying 10.10.11.2...
* TCP_NODELAY set
* Connected to URL (10.10.11.2) port 80 (#0)
> GET / HTTP/1.1
> Host: MyUrl.com
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Mon, 25 Mar 2019 06:35:30 GMT
< Content-Type: text/html
< Content-Length: 11125
< Last-Modified: Mon, 18 Mar 2019 10:12:46 GMT
< Connection: keep-alive
< ETag: "5c8f6f1e-2b75"
< Accept-Ranges: bytes

i don't know where the problem is , so here are my netstat status :

Code:
root@pve:/var/log# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:658             0.0.0.0:*
udp6       0      0 :::111                  :::*
udp6       0      0 :::658                  :::*

May somebody here have an same issues ?
 
Hi, stoiko ivanov,

Thanks for answer, but i'm little confused about port 80, i'm already set it free :

Code:
root@pve:~# ss -tlnp
State                    Recv-Q                    Send-Q                                        Local Address:Port                                       Peer Address:Port                   
LISTEN                   0                         128                                                 0.0.0.0:22                                              0.0.0.0:*                        users:(("sshd",pid=1568,fd=3))
LISTEN                   0                         128                                                 0.0.0.0:3128                                            0.0.0.0:*                        users:(("spiceproxy work",pid=2022,fd=6),("spiceproxy",pid=2019,fd=6))
LISTEN                   0                         100                                               127.0.0.1:25                                              0.0.0.0:*                        users:(("master",pid=1787,fd=13))
LISTEN                   0                         128                                                 0.0.0.0:8006                                            0.0.0.0:*                        users:(("pveproxy worker",pid=14542,fd=6),("pveproxy worker",pid=1992,fd=6),("pveproxy worker",pid=1991,fd=6),("pveproxy",pid=1988,fd=6))
LISTEN                   0                         128                                                 0.0.0.0:111                                             0.0.0.0:*                        users:(("rpcbind",pid=937,fd=8))
LISTEN                   0                         128                                               127.0.0.1:85                                              0.0.0.0:*                        users:(("pvedaemon worke",pid=1947,fd=6),("pvedaemon worke",pid=1946,fd=6),("pvedaemon worke",pid=1945,fd=6),("pvedaemon",pid=1942,fd=6))
LISTEN                   0                         128                                                    [::]:22                                                 [::]:*                        users:(("sshd",pid=1568,fd=4))
LISTEN                   0                         100                                                   [::1]:25                                                 [::]:*                        users:(("master",pid=1787,fd=14))
LISTEN                   0                         128                                                    [::]:111                                                [::]:*                        users:(("rpcbind",pid=937,fd=11))

I set the port 80 free, here i check with netstat -tulpn (just make me sure) :

Code:
root@pve:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1568/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      2019/spiceproxy
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1787/master
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      1988/pveproxy
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      937/rpcbind
tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN      1942/pvedaemon
tcp6       0      0 :::22                   :::*                    LISTEN      1568/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1787/master
tcp6       0      0 :::111                  :::*                    LISTEN      937/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           937/rpcbind
udp        0      0 0.0.0.0:689             0.0.0.0:*                           937/rpcbind
udp6       0      0 :::111                  :::*                                937/rpcbind
udp6       0      0 :::689                  :::*                                937/rpcbind

But when i call : pvenode acme cert order
Code:
root@pve:~# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: URL/acme/order/8648084/28304883

Getting authorization details from 'URL/acme/authz/EYk0gS3pTviCGZ8amkTRxap-qHy2orgcA8A4X8TmwVE'
... pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
validating challenge 'URL/acme/authz/EYk0gS3pTviCGZ8amkTRxap-qHy2orgcA8A4X8TmwVE' failed
Task validating challenge 'URL/acme/authz/EYk0gS3pTviCGZ8amkTRxap-qHy2orgcA8A4X8TmwVE' failed

Realiy confusing for me, i have already following the prerequisites to use Let’s Encrypt guides.

Thanks for your kindness.
 
That's a different error from before - before you had:
Problem binding to port 80: Could not bind to IPv4 or IPv6.

* Do you see anything relevant in the task-log (you can check it from the GUI) - for the acme task?
* Do you see anything relevant in the journal for the timeperiod?
 
Hello Stoiko,

Thanks very much for your answer, i will crossing-check the GUI for acme task and do a command (journalctl -r) in console for make me sure.

this is from my latest task log :
Code:
()
Loading ACME account details
Placing ACME order
Order URL: URL/acme/order/8648084/28311314

Getting authorization details from 'URL/acme/authz/za2vVsaj5POPF_9y5aLA4AFOCxR0wStDVo6JVirvX54'
... pending!
Setting up webserver
TASK ERROR: failed setting up webserver - Failed to initialize HTTP daemon

Best regards,
Nugraha
 
TASK ERROR: failed setting up webserver - Failed to initialize HTTP daemon
seems something prevents PVE from opening the server socket on port 80.
You can try to open the socket with netcat to check if that would work: ` nc -vl -p 80`
 
Hi,

Ok i try netcat to open socket but it seems nothing happens :

Code:
root@pve:~# nc -vl -p 80
listening on [any] 80 ...
 
anything in the journal for this issue ?
also any other specifics? (ipv6 only host)?
please also post your `/etc/hosts` and the output of `uname -n`
 
Sorry for late reoly,

Code:
root@pve:~# uname -n
pve

Inside my /etc/hosts
Code:
root@pve:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.7.5 pve.*myurl* pve

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

is there anything wrong ?

Sorry forgot to mention, that i'm using NAT to forward port 80 from my node, one of my node i'm using only for web services, here my NAT setting :

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

iface eth1 inet manual

iface eth2 inet manual

iface eth3 inet manual

auto vmbr0
iface vmbr0 inet static
        address  192.168.7.5
        netmask  255.255.255.0
        gateway  192.168.7.1
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet static
        address  10.10.11.1
        netmask  255.255.255.0
        bridge-ports vmbr0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094


# Adding Custom Configuration

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.11.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.11.0/24' -o vmbr0 -j MASQUERADE

# HTTP
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.11.2:80
        post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.11.2:80

Thanks so much for your help, and attention.
 
Ok - I see 2 issues.
* first the network-setup is a bit odd - why do you put vmbr0 as a bridge-port of vmbr1 - it should work if you just leave bridge-ports none
(check the reference-documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration (3.3.5))
This could be the reason for the not being able to start the HTTP-listener for the Let's Encrypt challenge

The second issue explains this error:
Sleeping for 5 seconds validating challenge 'URL/acme/authz/EYk0gS3pTviCGZ8amkTRxap-qHy2orgcA8A4X8TmwVE' failed Task validating challenge 'URL/acme/authz/EYk0gS3pTviCGZ8amkTRxap-qHy2orgcA8A4X8TmwVE' failed

If you forward all connections to port 80 to '10.10.11.2', then also the connection from let's encrypt for validating the http-challenge ends up on 10.10.11.2
 
Hello stoikov,

I follow your first step solutions, i set the bridge-ports to none, for second issues i comment all the port-forward configuration, and voila its working!.

But another problems appear, when i need to use https from application inside the node but anyway Thanks a ton for your help.

Best regards.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!