ACME fails to get certificate: Temporary failure in name resolution

I’m trying to set up a self-hosted nextcloud in a container with https.

I loosely followed this guide, except I decided to use a nixos container.

So I have in my host configuration

  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "venet0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };

  networking.firewall.allowedTCPPorts = [ 443 ];

  containers = {
    nextcloud = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.11";
      hostAddress6 = "fc00::1";
      localAddress6 = "fc00::2";
      forwardPorts = [{
        protocol = "tcp";
        hostPort = 443;
        containerPort = 443;
      }];
      config = import ./nextcloud.nix;
    };
  };

And in the imported nextcloud.nix:

{
  ...
  security.acme = {
    acceptTerms = true;
    defaults.email = email; # variable contains email
  };

  services.nginx = {
    enable = true;

    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Only allow PFS-enabled ciphers with AES256
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    # Setup Nextcloud virtual host to listen on ports
    virtualHosts = {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  services.nextcloud = { ... };
  services.postgresql = { ... };

  networking.firewall.allowedTCPPorts = [ 443 ];

  system.stateVersion = "23.05";
}

Unfortunately, I get an error when the server tries to get https certificates:

2023/02/18 18:36:58 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org: Temporary failure in name resolution

Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.

I’ve seen a few similar threads here (example) as well as this issue, but they don’t seem to be causing my problem - and the workaround supplied there (ensure acme services start after others) doesn’t seem to work for me.

Are you able to execute DNS queries from within the container?

I can ping google.com (and other domains) and get a response without any issue.
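Added diagnostic helpers (not from this thread) for checking the symptom above from the host: they separate the "Temporary failure in name resolution" case (no resolver could be reached) from a plain NXDOMAIN, list the resolvers a container's resolv.conf actually points at, and wrap the live `nixos-container run` checks. The container name `nextcloud` comes from the post; the helper names and the resolv.conf sample are assumptions.

```shell
#!/usr/bin/env sh
# Diagnostic helpers for "lego cannot resolve acme-v02.api.letsencrypt.org"
# inside a privateNetwork NixOS container. Added example, not code from the
# thread; only the container name "nextcloud" is taken from the post.

ACME_HOST="acme-v02.api.letsencrypt.org"

# Classify the getaddrinfo() failure text found in a log line.
#   temporary -> EAI_AGAIN: no resolver answered (network not up yet when the
#                unit ran, or no usable nameserver configured in the container)
#   nxdomain  -> EAI_NONAME: a resolver answered and the name does not exist
#   other     -> not a name-resolution failure
classify_resolver_error() {
  case "$1" in
    *"Temporary failure in name resolution"*) echo temporary ;;
    *"Name or service not known"*|*"no such host"*) echo nxdomain ;;
    *) echo other ;;
  esac
}

# Print the nameserver addresses from resolv.conf text given on stdin;
# prints nothing when no resolver is configured at all.
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Live checks, run on the host against a running container. Nothing here is
# executed when this file is merely sourced; call it as
#   container_dns_checks nextcloud
container_dns_checks() {
  name="${1:-nextcloud}"
  echo "== resolvers configured inside $name"
  nixos-container run "$name" -- cat /etc/resolv.conf | resolv_nameservers
  echo "== resolving $ACME_HOST from inside $name"
  nixos-container run "$name" -- getent hosts "$ACME_HOST" || echo "lookup FAILED"
  echo "== state of the ACME units inside $name"
  nixos-container run "$name" -- systemctl list-units 'acme-*'
}
```

If `getent hosts` succeeds interactively while the ACME unit still logs the temporary failure, the lookup failed only at the moment the unit ran, which points at start-up ordering rather than at the resolver configuration.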