
Edit #3:

Fix by disabling FirewallD. It turns out it was because of my lack of understanding of CentOS. I did not have this problem before because Alibaba Cloud decided it is best to just disable firewalld in the first place.

Docker uses iptables, and CentOS has its own version of iptables, which is firewalld, but interestingly firewalld still uses the iptables command to communicate with the netfilter kernel hooks.

$ systemctl stop firewalld
$ systemctl disable firewalld
$ systemctl mask firewalld
$ yum install iptables-services

Edit #2:

Do not follow this quick fix

This broke the NGINX proxy IP address log (instead of the real IP address, NGINX logs 172.21.0.1).

volumes/nginx/proxy.conf

proxy_set_header X-Real-IP $remote_addr;

Edit:

Quick fix, what do you think?

$ firewall-cmd --zone=public --add-masquerade --permanent && firewall-cmd --reload

This problem is related to the UpCloud CentOS 8.0 distribution.

I am new both to UpCloud and Cloudflare. I decided to use Cloudflare instead of Alibaba Cloud DNS (high latency slows the TTFB) and plan to host smaller projects with UpCloud, because UpCloud's egress pricing is 10x cheaper than Alibaba Cloud, so I can reach out to smaller clients.

I am used to using Alibaba Cloud and their DNS product, and I did not have this problem (ACME challenge failed) before, so I used a quick fix to solve Docker's "no route to host" issue.

Expected Behavior

ACME challenge succeeds

Current Behavior

Ping request from the Docker container

$ ping acme-v02.api.letsencrypt.org
ping: bad address 'acme-v02.api.letsencrypt.org'
$ ping google.com
ping: bad address 'google.com'

ACME challenge failed.

letsencrypt       | An unexpected error occurred:
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
letsencrypt       |     conn = connection.create_connection(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
letsencrypt       |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
letsencrypt       |   File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
letsencrypt       |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
letsencrypt       | socket.gaierror: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
letsencrypt       |     httplib_response = self._make_request(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
letsencrypt       |     self._validate_conn(conn)
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
letsencrypt       |     conn.connect()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 308, in connect
letsencrypt       |     conn = self._new_conn()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
letsencrypt       |     raise NewConnectionError(
letsencrypt       | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
letsencrypt       |     resp = conn.urlopen(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
letsencrypt       |     retries = retries.increment(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
letsencrypt       |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
letsencrypt       | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       | Please see the logfiles in /var/log/letsencrypt for more details.
letsencrypt       | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Steps to Reproduce

  1. git clone https://github.com/tempatkerja/docker-odoo
  2. Follow the instructions
  3. Quick fix for the Docker "no route to host" issue ("I use the cloud provider Alibaba Cloud and I never have to do this")

I am not sure why, but UpCloud's CentOS distribution behaves strangely with Docker; what I mean by that is the Docker containers can't communicate with each other, although the port is exposed or the container is linked.

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 4 -i docker0 -j ACCEPT && firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.17.0.0/16 accept' && firewall-cmd --reload
sysctl net.bridge.bridge-nf-call-iptables=0
sysctl net.bridge.bridge-nf-call-arptables=0
sysctl net.bridge.bridge-nf-call-ip6tables=0
systemctl restart docker

Environment

OS: CentOS 8.0

CPU architecture: I am not sure.

How docker service was installed: https://github.com/jasononggo/docs/blob/master/DOCKER.md

Command used to create docker container (run/create/compose/screenshot)

I changed the URL, the DNSPLUGIN, and the EMAIL parameters in docker-compose.yml.

Docker logs

letsencrypt       | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
letsencrypt       | [s6-init] ensuring user provided files have correct perms...exited 0.
letsencrypt       | [fix-attrs.d] applying ownership & permissions fixes...
letsencrypt       | [fix-attrs.d] done.
letsencrypt       | [cont-init.d] executing container initialization scripts...
letsencrypt       | [cont-init.d] 01-envfile: executing...
letsencrypt       | [cont-init.d] 01-envfile: exited 0.
letsencrypt       | [cont-init.d] 10-adduser: executing...
letsencrypt       | usermod: no changes
letsencrypt       |
letsencrypt       | -------------------------------------
letsencrypt       |           _         ()
letsencrypt       |          | |  ___   _    __
letsencrypt       |          | | / __| | |  /  \
letsencrypt       |          | | \__ \ | | | () |
letsencrypt       |          |_| |___/ |_|  \__/
letsencrypt       |
letsencrypt       |
letsencrypt       | Brought to you by linuxserver.io
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | To support the app dev(s) visit:
letsencrypt       | Let's Encrypt: https://letsencrypt.org/donate/
letsencrypt       |
letsencrypt       | To support LSIO projects visit:
letsencrypt       | https://www.linuxserver.io/donate/
letsencrypt       | -------------------------------------
letsencrypt       | GID/UID
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | User uid:    1000
letsencrypt       | User gid:    1000
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | [cont-init.d] 10-adduser: exited 0.
letsencrypt       | [cont-init.d] 20-config: executing...
letsencrypt       | [cont-init.d] 20-config: exited 0.
letsencrypt       | [cont-init.d] 30-keygen: executing...
letsencrypt       | using keys found in /config/keys
letsencrypt       | [cont-init.d] 30-keygen: exited 0.
letsencrypt       | [cont-init.d] 50-config: executing...
letsencrypt       | Variables set:
letsencrypt       | PUID=1000
letsencrypt       | PGID=1000
letsencrypt       | TZ=UTC
letsencrypt       | SUBDOMAINS=www,
letsencrypt       | EXTRA_DOMAINS=
letsencrypt       | ONLY_SUBDOMAINS=false
letsencrypt       | DHLEVEL=4096
letsencrypt       | VALIDATION=dns
letsencrypt       | DNSPLUGIN=cloudflare
letsencrypt       | STAGING=
letsencrypt       |
letsencrypt       | 4096 bit DH parameters present
letsencrypt       | SUBDOMAINS entered, processing
letsencrypt       | SUBDOMAINS entered, processing
letsencrypt       | dns validation via cloudflare plugin is selected
letsencrypt       | Generating new certificate
letsencrypt       | Saving debug log to /var/log/letsencrypt/letsencrypt.log
letsencrypt       | Plugins selected: Authenticator dns-cloudflare, Installer None
letsencrypt       | An unexpected error occurred:
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
letsencrypt       |     conn = connection.create_connection(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
letsencrypt       |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
letsencrypt       |   File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
letsencrypt       |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
letsencrypt       | socket.gaierror: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
letsencrypt       |     httplib_response = self._make_request(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
letsencrypt       |     self._validate_conn(conn)
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
letsencrypt       |     conn.connect()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 308, in connect
letsencrypt       |     conn = self._new_conn()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
letsencrypt       |     raise NewConnectionError(
letsencrypt       | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
letsencrypt       |     resp = conn.urlopen(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
letsencrypt       |     retries = retries.increment(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
letsencrypt       |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
letsencrypt       | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       | Please see the logfiles in /var/log/letsencrypt for more details.
letsencrypt       | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Sincerely, Jason

  • @mforsetti thanks for the reference, I will take a look. I did a quick fix `firewall-cmd --zone=public --add-masquerade --permanent && firewall-cmd --reload` what do you think? – Jason Rich Darmawan May 11 '20 at 04:10
  • can you ping to anywhere? `acme-v02.api.letsencrypt.org` for example? – mforsetti May 11 '20 at 04:34
  • After applying the quick fix, yes, but somehow it broke the NGINX proxy IP address log, although I have set the header to show the real IP address. `64 bytes from 172.65.32.248: seq=0 ttl=57 time=2.315 ms` – Jason Rich Darmawan May 11 '20 at 04:44

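The traceback quoted in the question is a chain of four exceptions, and the line that ends it ("Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file") is a generic hint printed after any failure; the real cause is the first traceback, `socket.gaierror: [Errno -3]`, which is glibc's EAI_AGAIN: the container could not reach any DNS server, so no TLS or ACME traffic and no credential check ever happened, exactly what `ping: bad address` from inside the container shows. The script below is an added example (not code from the question, from certbot or from the linuxserver/letsencrypt image): it strips the docker-compose `service | ` prefix, walks the "During handling of the above exception" chain to the root cause, and maps getaddrinfo errno values to their meaning. Its function names are this example's own, and the sample log is constructed from the lines quoted above.

```python
"""Root-cause triage for a certbot/letsencrypt container log (added example).

Python prints chained exceptions oldest first, separated by "During handling of
the above exception, another exception occurred:". The first traceback is the
real failure; the closing "check your cloudflare.ini credentials" line is a hint
printed after any failure. Function names here are this example's own.
"""
import re

COMPOSE_PREFIX = re.compile(r"^[\w.-]+\s+\|\s?")      # "letsencrypt       | "
CHAIN_SEP = "During handling of the above exception, another exception occurred:"
TB_HEADER = "Traceback (most recent call last):"
EXC_LINE = re.compile(r"^[A-Za-z_][\w.]*(?:Error|Exception|error):")
ERRNO = re.compile(r"\[Errno (-?\d+)\]")

# getaddrinfo() errno values (glibc netdb.h) meaning the name never resolved,
# so nothing was sent to the ACME server and no credentials were ever checked.
GAI_ERRNOS = {
    -2: ("EAI_NONAME", "the name does not resolve (no such host)"),
    -3: ("EAI_AGAIN", "temporary resolver failure: no DNS server could be reached"),
    -4: ("EAI_FAIL", "the resolver returned a permanent failure"),
}


def strip_prefix(line):
    """Drop the 'service | ' prefix docker-compose prepends to every log line."""
    return COMPOSE_PREFIX.sub("", line.rstrip())


def _exception_line(segment):
    """Return the 'ExcType: message' line of one traceback segment, or None."""
    has_tb = any(l.startswith(TB_HEADER) for l in segment)
    after_tb = False
    for line in segment:
        if line.startswith(TB_HEADER):
            after_tb = True
        elif has_tb:
            # the first non-indented line after the header is the exception itself
            if after_tb and line and not line[0].isspace():
                return line
        elif EXC_LINE.match(line):   # the final segment has no header, just the line
            return line
    return None


def exception_chain(log_text):
    """All exception lines in raise order: chain[0] is the root cause."""
    segments, current = [], []
    for raw in log_text.splitlines():
        line = strip_prefix(raw)
        if line.strip() == CHAIN_SEP:
            segments.append(current)
            current = []
        else:
            current.append(line)
    segments.append(current)
    return [e for e in map(_exception_line, segments) if e]


def triage(log_text):
    """Classify the root cause and flag the misleading credentials hint."""
    chain = exception_chain(log_text)
    hint = any("credentials" in strip_prefix(l) for l in log_text.splitlines())
    result = {"chain_depth": len(chain), "credentials_hint_present": hint,
              "root_cause": chain[0] if chain else None, "errno": None, "symbol": None}
    if not chain:
        result["verdict"] = "no Python traceback in log"
        return result
    m = ERRNO.search(chain[0])
    if m:
        result["errno"] = int(m.group(1))
    if chain[0].startswith("socket.gaierror") and result["errno"] in GAI_ERRNOS:
        symbol, meaning = GAI_ERRNOS[result["errno"]]
        result["symbol"] = symbol
        result["verdict"] = (f"DNS: {symbol}, {meaning}; this happened before any TLS or "
                             "ACME traffic, so fix the container's outbound/DNS path, not "
                             "the DNS-plugin credentials")
    else:
        result["verdict"] = f"root cause: {chain[0]}"
    return result


def classify_ping(output):
    """BusyBox ping: 'bad address' means name resolution failed, not routing."""
    low = output.lower()
    if "bad address" in low:
        return "resolution"
    if "unreachable" in low or "no route" in low:
        return "routing"
    return "reachable" if "bytes from" in low else "unknown"


# Constructed sample, abbreviated from the traceback the question quotes.
SAMPLE_LOG = """\
letsencrypt       | Plugins selected: Authenticator dns-cloudflare, Installer None
letsencrypt       | An unexpected error occurred:
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
letsencrypt       |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
letsencrypt       | socket.gaierror: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
letsencrypt       |     raise NewConnectionError(
letsencrypt       | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
letsencrypt       |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
letsencrypt       | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory
letsencrypt       | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("ping:", classify_ping("ping: bad address 'acme-v02.api.letsencrypt.org'"))
```

Run it against `docker-compose logs letsencrypt` output to get the root cause rather than the last line; the chain_depth value makes it obvious how far the real error sits from the hint that blames the Cloudflare credentials.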
0 Answers