snikket-im / snikket-server

Image builder for Snikket server
https://snikket.org/service/
Apache License 2.0

IPv6 only instance cannot obtain certificates #209

Closed MelHiour closed 9 months ago

MelHiour commented 9 months ago

Hello team,

I played a little bit with Snikket using this guide. I've noticed weird behaviour if I use an IPv6-only instance to run the containers: Certbot is not able to reach its endpoint.

With IPv6 only, I can see the following:

ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker-compose up
Starting snikket-portal ... done
Starting snikket-certs  ... done
Starting snikket-proxy  ... done
Starting snikket        ... done
...
snikket           | .
snikket           | Waiting for certificates...
snikket           | .
...
snikket-certs     | requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f1ff9c9da60>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

If I go into the container's bash, I don't think it has internet reachability at all:

ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker ps
CONTAINER ID   IMAGE                               COMMAND                  CREATED          STATUS                     PORTS     NAMES
0abeaf31abf4   snikket/snikket-cert-manager:beta   "/usr/bin/tini /bin/…"   13 minutes ago   Up 2 minutes                         snikket-certs
...
ubuntu@ip-10-0-1-186:/etc/snikket$ sudo docker exec -it 0abeaf31abf4 bash
root@0abeaf31abf4:/# apt-get update 
Err:1 http://deb.debian.org/debian bullseye InRelease                                                   
  Could not connect to deb.debian.org:80 (199.232.26.132), connection timed out
Err:2 http://deb.debian.org/debian bullseye-updates InRelease                                           
  Unable to connect to deb.debian.org:80:
Err:3 http://security.debian.org/debian-security bullseye-security InRelease
  Could not connect to security.debian.org:80 (151.101.2.132), connection timed out Could not connect to security.debian.org:80 (151.101.66.132), connection timed out Could not connect to security.debian.org:80 (151.101.194.132), connection timed out Could not connect to security.debian.org:80 (151.101.130.132), connection timed out
Reading package lists... Done                           
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Could not connect to deb.debian.org:80 (199.232.26.132), connection timed out
W: Failed to fetch http://security.debian.org/debian-security/dists/bullseye-security/InRelease  Could not connect to security.debian.org:80 (151.101.2.132), connection timed out Could not connect to security.debian.org:80 (151.101.66.132), connection timed out Could not connect to security.debian.org:80 (151.101.194.132), connection timed out Could not connect to security.debian.org:80 (151.101.130.132), connection timed out
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease  Unable to connect to deb.debian.org:80:
W: Some index files failed to download. They have been ignored, or old ones used instead.

I suppose the networking needs to be fixed somehow.

The instance itself is able to reach acme-v02.api.letsencrypt.org:

ubuntu@ip-10-0-1-186:/etc/snikket$ curl https://acme-v02.api.letsencrypt.org/directory
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "rd_MKany4Hg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

ubuntu@ip-10-0-1-186:/etc/snikket$ host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c
ubuntu@ip-10-0-1-186:/etc/snikket$ host stengah.labnfun.ru
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc

ubuntu@ip-10-0-1-186:/etc/snikket$ host groups.stengah.labnfun.ru
groups.stengah.labnfun.ru is an alias for stengah.labnfun.ru.
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc

ubuntu@ip-10-0-1-186:/etc/snikket$ host share.stengah.labnfun.ru
share.stengah.labnfun.ru is an alias for stengah.labnfun.ru.
stengah.labnfun.ru has IPv6 address 2a05:d018:13d2:b601:68b0:a17e:e76d:e4bc

At the same time, an IPv4-only instance works just fine.

mwild1 commented 9 months ago

Hi, thanks for the report!

1. Edit your docker-compose.yml file, and look for the line that says snikket_certs:.
2. Under this, add network_mode: host (indented to the same level as the lines below).
3. Save and exit the editor.
4. Run docker-compose up -d

Does this fix your issue? If so, I'll include the fix in the next release.
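As an added example (not a file from this thread or from the Snikket project), here is the docker-compose.yml change from steps 1 and 2 shown as a before/after pair. The shape of the snikket_certs service, the image tag and the volume names are assumptions modelled on the guide's compose layout; only network_mode: host comes from the fix above.

```yaml
# Added example, not the project's compose file. Service shape, image tag
# and volume names are assumptions; the one line that matters is marked.
#
# BEFORE: snikket_certs sits on Docker's default bridge network, which has
# no IPv6 unless the daemon is configured for it. On an IPv6-only host the
# container therefore has no route out at all, which matches the report:
# apt-get cannot reach deb.debian.org and certbot's connection to
# acme-v02.api.letsencrypt.org:443 times out, while curl from the host works.
services:
  snikket_certs:
    container_name: snikket-certs
    image: snikket/snikket-cert-manager:beta
    env_file: snikket.conf
    volumes:
      - snikket_data:/snikket
      - acme_challenges:/var/www/html/.well-known/acme-challenge
    restart: unless-stopped
---
# AFTER: network_mode: host attaches the container directly to the host's
# network stack, so it reuses the host's IPv6 connectivity and DNS resolver,
# the same path the successful host-side curl and host lookups took.
# Trade-off to be aware of: host networking removes the container's network
# namespace isolation, and Compose ignores any ports: mappings on a service
# that uses it, so the service listens exactly where the host lets it.
services:
  snikket_certs:
    container_name: snikket-certs
    image: snikket/snikket-cert-manager:beta
    network_mode: host          # the line added in step 2
    env_file: snikket.conf
    volumes:
      - snikket_data:/snikket
      - acme_challenges:/var/www/html/.well-known/acme-challenge
    restart: unless-stopped
```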