bitwarden / self-host

Bitwarden's self-hosted release repository
GNU General Public License v3.0

Certbot Connection Timeout Issue on IPv6-Only Servers during Installation #220

Closed tecChris closed 5 months ago

tecChris commented 7 months ago

Description:

When attempting to set up Bitwarden on an IPv6-only server following the official installation guide, we encounter a connection timeout error during the Certbot operation for obtaining SSL certificates from Let's Encrypt. The issue specifically arises during the step where Certbot tries to connect to acme-v02.api.letsencrypt.org via HTTPS on port 443, leading to a connection timeout error. This issue does not occur on servers with Dual Stack (IPv4 and IPv6) configurations. Additionally, the log file that should be created according to the error message (/etc/letsencrypt/logs/letsencrypt.log) is not found in the specified location, suggesting that the process may not reach the point of log file creation or there might be an issue with the logging path.

Steps to Reproduce:

  1. Set up a server with an IPv6-only network configuration.
  2. Follow the Bitwarden official on-premise Linux installation guide.
  3. Observe the error during the Certbot step for obtaining SSL certificates.

Expected Behavior:

Certbot should successfully connect to Let's Encrypt's API and obtain an SSL certificate, without any connection timeouts, regardless of the server being IPv6-only or Dual Stack.

Actual Behavior:

On an IPv6-only server, Certbot fails to connect to acme-v02.api.letsencrypt.org on port 443 after several retries, resulting in a connection timeout error. The expected log file at /etc/letsencrypt/logs/letsencrypt.log is not created, making further diagnosis challenging.

Additional Information:

The error message received is as follows:

Using default tag: latest
latest: Pulling from certbot/certbot
Digest: sha256:953b5daac63b14e4f8b77aacf4831f916faac836c67cd12fcc6408201554962e
Status: Image is up to date for certbot/certbot:latest
docker.io/certbot/certbot:latest
Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f1b3bf8f230>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /etc/letsencrypt/logs/letsencrypt.log or re-run Certbot with -v for more details.

No reverse proxy is utilized, and both ports 80 and 443 are open in the firewall. This issue has been observed on multiple IPv6-only servers. Dual Stack servers (IPv4 and IPv6) do not exhibit this problem.

notnamed commented 5 months ago

Hello! Docker merged a change in v26 that I believe was causing this issue:

https://github.com/moby/moby/pull/47512

The LetsEncrypt container resolving the LE server to IPv4 and then being unable to communicate with it in an IPv6-only environment should be resolved by upgrading to at least Docker 26.0.0. Other changes were made in this version to improve stability in IPv6-only environments, as described in the release notes:

https://docs.docker.com/engine/release-notes/26.0/#2600
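A quick way to confirm the two conditions notnamed describes on a given host, as an added diagnostic script that is not part of the Bitwarden self-host repository or of Docker: it compares the running Engine version against 26.0.0 and then, inside the same certbot/certbot image the installer pulls, reports which address families the container's resolver returns for the ACME host and whether a single TCP connect to port 443 succeeds. It assumes the docker CLI is on PATH, that the certbot/certbot image can be run, and that the image ships a `python` binary (certbot itself is Python).

```shell
#!/bin/sh
# Added diagnostic for the IPv6-only symptom in this thread (not Bitwarden's or
# Docker's code). Assumes: docker CLI on PATH, certbot/certbot image runnable,
# and a python interpreter inside that image.
ACME_HOST="acme-v02.api.letsencrypt.org"
MIN_DOCKER="26.0.0"   # first Engine release carrying the fix referenced above

# version_ge A B: succeeds when numeric version A >= B, comparing up to three
# dot-separated fields; a -rc/+build suffix is ignored.
version_ge() {
  a=${1%%[-+]*}; b=${2%%[-+]*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Inside the certbot image: list the address families the container's resolver
# returns for the ACME host, then attempt one TCP connect on 443 (10 s timeout
# instead of waiting for certbot's 45 s retries).
probe_container() {
  docker run --rm --entrypoint python certbot/certbot -c "
import socket, sys
fams = {ai[0] for ai in socket.getaddrinfo('$ACME_HOST', 443, proto=socket.IPPROTO_TCP)}
print('resolver families:', sorted(f.name for f in fams))
try:
    socket.create_connection(('$ACME_HOST', 443), timeout=10).close()
    print('tcp/443 connect: ok')
except OSError as e:
    print('tcp/443 connect: FAILED (%s)' % e); sys.exit(1)
"
}

run_checks() {
  ver=$(docker version --format '{{.Server.Version}}') || { echo "docker daemon unreachable"; return 2; }
  if version_ge "$ver" "$MIN_DOCKER"; then
    echo "Docker Engine $ver: at or above $MIN_DOCKER"
  else
    echo "Docker Engine $ver: below $MIN_DOCKER, upgrade before retrying certbot"
  fi
  probe_container
}

# Touch docker only when asked, so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh check-ipv6-acme.sh --run`; an affected host shows an Engine version below 26.0.0 together with a resolver family list that contains only AF_INET and a failed connect.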