Wget fails from webserver to self behind traefik

Hello

I have a dev setup that runs in docker-compose. All the sites are hidden behind a traefik reverse proxy so that I can show the sites to my clients before I move them to the production server.

I now have a site that needs to run a 'cron job': it needs to trigger cron.php. Normally I would do this with wget, but wget gets "Connection refused".

-- IP and site URL have been masked

wget https://sp.website.dk
--2023-02-10 17:06:19--  https://sp.website.dk/
Resolving sp.website.dk (sp.website.dk)... x.x.x.x (Public ip)
Connecting to sp.website.dk (sp.website.dk)|x.x.x.x(Public ip)|:443... connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

This happens for all my docker containers.

When I run the same command from WSL or any other system it works:

wget https://sp.website.dk
--2023-02-10 18:08:18--  https://sp.website.dk/
Resolving sp.website.dk (sp.website.dk)... x.x.x.x(Public ip)
Connecting to sp.website.dk (sp.website.dk)|x.x.x.x(Public ip)|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://sp.website.dk/da/ [following]
--2023-02-10 18:08:19--  https://sp.website.dk/da/
Reusing existing connection to sp.website.dk:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                        [ <=>                                              ]  70.74K  --.-KB/s    in 0.006s

2023-02-10 18:08:19 (11.9 MB/s) - ‘index.html’ saved [72436]

Ping works from all locations.

Traefik config:

version: "3.3"

services:
  traefik:
    image: "traefik:v2.9.1"
    container_name: "traefik"
    restart: always
    command:
      - "--log.level=DEBUG"
#      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.domains[0].main=website.dk"
      - "--entrypoints.websecure.http.tls.domains[1].sans=*.website.dk"
      - "--entrypoints.websecure.http.tls.domains[2].sans=*.db.website.dk"
      - "--entrypoints.websecure.http.tls.domains[3].sans=*.pest.db.website.dk"
      - "--entrypoints.websecure.http.tls.domains[4].sans=*.pest.website.dk"
      - "--entrypoints.websecure.http.tls.domains[5].sans=*.influx.website.dk"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.myresolver.acme.email=website@email.dk"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.db.address=:3306"
    environment:
      - "CF_API_EMAIL=my@email.dk"
      - "CF_API_KEY=someGreatAPIKey"
    ports:
      - "80:80"
      - "443:443"
#      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.http.middlewares.auth-traefik-dashboard.basicauth.users=myUser:someVeryGreatPassword"
      - "traefik.http.routers.traefik-dashboard.middlewares=auth-traefik-dashboard"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`t.website.dk`)"
      - "traefik.http.routers.traefik-dashboard.service=traefik-dashboard"
      - "traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080"
#
#network:
#  traefik_default:


Docker Compose file:

version: '3.8'

services:

  http:
    container_name: $name
    hostname: $name.website.dk
    restart: unless-stopped
    build:
      dockerfile: ./Dockerfile # this line is actually redundant here - you need it only if you want to use some custom name for your Dockerfile
      context: ./xdebug # a path to a directory containing a Dockerfile, or a url to a git repository

#    logging:
#      driver: none

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.$name-secure.entrypoints=websecure"
      - "traefik.http.routers.$name-secure.rule=Host(`$name.website.dk`)"

    depends_on:
      - db

    volumes:
      - './src:/var/www/html'
      - './xdebug/conf.d:/usr/local/etc/php/conf.d'
#      - type: bind
#        source: './xdebug/files-to-copy/usr/local/etc/php/conf.d/xdebug.ini'
#        target: '/usr/local/etc/php/conf.d/xdebug.ini'
#      - ' ${PWD}./xdebug/files-to-copy/usr/local/etc/php/conf.d/xdebug.ini:/usr/local/etc/php/conf.d/xdebug.ini'

    networks:
      - backend-wpd
      - traefik_default
    extra_hosts:
      - "${name}.website.dk:x.x.x.x"

  db:
    #container_name: mysql-wpd
    image: mysql:8.0.20
    command: --default-authentication-plugin=mysql_native_password
    restart: unless-stopped
#    logging:
#      driver: none
    cap_add:
      - SYS_NICE  # CAP_SYS_NICE

    environment:
      #MYSQL_RANDOM_ROOT_PASSWORD: '1' # You can use this instead of the option right above if you do not want to be able login to MySQL under root
      MYSQL_ROOT_PASSWORD: SomeGreatPassword
      MYSQL_DATABASE: $name
      MYSQL_USER: karlog
      MYSQL_PASSWORD: SomeGreatPassword

#    ports:
#      -  "9$port:3306" # I prefer to keep the ports available for external connections in the Development environment to be able to work with the database
      # from programs like e.g. HeidiSQL on Windows or DBeaver on Mac.
    volumes:
      - database:/var/lib/mysql


    networks:
      - backend-wpd

  phpmyadmin:
    depends_on:
      - db
    image: phpmyadmin:5.2.0
    restart: unless-stopped
#    logging:
#      driver: none
    environment:
      PMA_HOST: db
      MYSQL_PASSWORD: SomeGreatPassword
      MYSQL_ROOT_PASSWORD: SomeGreatPassword

    networks:
      - backend-wpd
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.db-$name-secure.entrypoints=websecure"
      - "traefik.http.routers.db-$name-secure.rule=Host(`$name.db.website.dk`)"
volumes:
  database:

networks:
  backend-wpd:
  traefik_default:
    external: true

The webserver just has a few extra modules like git and xdebug.

Dockerfile:

FROM php:7.4-apache
WORKDIR /var/www/html
RUN usermod -u 1000 www-data;


RUN apt-get update && \
    apt-get -y install git
RUN apt-get install -y libzip-dev zip && docker-php-ext-install zip
RUN docker-php-ext-install opcache
RUN apt-get install -y libicu-dev
RUN docker-php-ext-configure intl
RUN docker-php-ext-install intl

RUN apt-get install -y libjpeg-dev
RUN apt-get install -y libfreetype6-dev
RUN apt-get install -y sendmail libpng-dev
RUN docker-php-ext-configure gd --with-jpeg && \
    docker-php-ext-install gd
# Install Xdebug
RUN yes | pecl install xdebug-3.1.6 \
    && echo "zend_extension=$(find $(php-config --extension-dir) -name xdebug.so)" \
         > /usr/local/etc/php/conf.d/xdebug.ini

# Configure apache
RUN a2enmod rewrite
# Copy xdebug.ini to /usr/local/etc/php/conf.d/



# works here, and we can use it to enable xdebug:
RUN docker-php-ext-enable xdebug
RUN echo "--insecure" >| ~/.curlrc #TODO find better way to accept self signed cert


# Setup the OS
RUN apt-get -qq update ; apt-get -y install unzip curl sudo subversion mariadb-client \
        && apt-get autoclean \
        && chsh -s /bin/bash www-data

# Install wp-cli
RUN curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > /usr/local/bin/wp.phar \
        && echo "#!/bin/bash" > /usr/local/bin/wp \
        && echo "su www-data -c \"/usr/local/bin/wp.phar --path=/var/www/html \$*\"" >> /usr/local/bin/wp \
        && chmod 755 /usr/local/bin/wp* \
        && echo "*** wp-cli command installed"



RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
        && php composer-setup.php \
        && php -r "unlink('composer-setup.php');" \
        && mv composer.phar /usr/local/bin/ \
        && echo "#!/bin/bash" > /usr/local/bin/composer \
        && echo "su www-data -c \"/usr/local/bin/composer.phar --working-dir=/var/www/html/ \$*\"" >> /usr/local/bin/composer \
        && chmod ugo+x /usr/local/bin/composer \
        && echo "*** composer command installed"


RUN docker-php-ext-install pdo pdo_mysql

RUN docker-php-ext-enable xdebug
RUN echo "--insecure" >| ~/.curlrc #TODO find better way to accept self signed cert

RUN service apache2 restart

I have spent a few days looking for a solution so any help is very appreciated.

You say “connection refused”, but it says “connected” and shows a TLS problem. Are you always using the same domain address?

You have 4 levels to test:

  1. ping to see if IP works and is correct
  2. telnet with IP and port to test connection
  3. openssl s_client test plain TLS
  4. curl/wget to test http

Thanks for taking the time:

  1. Ping looks fine:
ping sp.website.dk
PING sp.website.dk (x.x.x.x) 56(84) bytes of data.
64 bytes from myIsp.dk (x.x.x.x): icmp_seq=1 ttl=63 time=1.89 ms
64 bytes from myIsp.dk (x.x.x.x): icmp_seq=2 ttl=63 time=4.36 ms
64 bytes from myIsp.dk (x.x.x.x): icmp_seq=3 ttl=63 time=1.09 ms
^C
--- sp.website.dk ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.093/2.448/4.357/1.388 ms

  2. Telnet looks to be working:
telnet sp.website.dk 443
Trying x.x.x.x...
Connected to sp.website.dk.
Escape character is '^]'.

  3. Looks wrong. From inside docker I get:
openssl s_client -connect x.x.x.x:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify return:1
---
Certificate chain
 0 s:CN = TRAEFIK DEFAULT CERT
   i:CN = TRAEFIK DEFAULT CERT
---
Server certificate
subject=CN = TRAEFIK DEFAULT CERT

issuer=CN = TRAEFIK DEFAULT CERT

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1405 bytes and written 347 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 204273587CC4D21C8888AC06CEB76F22019BC204FDDA8203E248139D3F0B593F
    Session-ID-ctx:
    Resumption PSK: 20E1460F576A8EA841100AF254C6108E5C3F392157364556889868F85630D6BA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1676056564
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Requestclosed


While from my computer I get:

openssl s_client -connect sp.website.dk:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = website.dk
verify return:1
---
Certificate chain
 0 s:CN = website.dk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = website.dk

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5082 bytes and written 367 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    TLS session ticket:

    Start Time: 1676056156
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

How do I resolve this?

You seem to do different things: you always need to use the domain name, not only the IP. Otherwise Traefik does not see a domain and can’t find a matching cert and can’t route according to a domain.

PS: I think you can add a domain indicator to openssl s_client when using an IP, if you really need to.
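
The IP-versus-hostname difference discussed above comes down to SNI, and `openssl s_client` can send a server name with `-servername` even when connecting to an IP. The script below is an added example, not part of the thread: it classifies `s_client` output so the "TRAEFIK DEFAULT CERT" case is told apart from a real trust failure. The function names and the abridged sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client` output.
# Reads s_client output on stdin, prints one verdict: default-cert (Traefik's
# fallback cert, nothing matched the SNI), verified, untrusted:N (verify code N),
# or no-certificate (the handshake never produced a server certificate).
classify_s_client() {
    awk '
        /^subject=/ && subj == ""           { subj = substr($0, 9) }
        /Verify return code:/ && code == "" { code = $4 }
        END {
            if (subj == "")                         print "no-certificate"
            else if (subj ~ /TRAEFIK DEFAULT CERT/) print "default-cert"
            else if (code == "0")                   print "verified"
            else                                    print "untrusted:" code
        }'
}

# Constructed samples, abridged from the two s_client runs in the thread.
sample_ip_only() {
    cat <<'EOF'
subject=CN = TRAEFIK DEFAULT CERT
issuer=CN = TRAEFIK DEFAULT CERT
Verify return code: 18 (self signed certificate)
EOF
}
sample_with_name() {
    cat <<'EOF'
subject=CN = website.dk
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 0 (ok)
EOF
}

# probe <ip> <hostname>: same IP, first without SNI, then with SNI + name check.
probe() {
    printf 'no SNI:   '
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null | classify_s_client
    printf 'with SNI: '
    openssl s_client -connect "$1:443" -servername "$2" -verify_hostname "$2" \
        </dev/null 2>/dev/null | classify_s_client
}

if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
else
    echo "ip only:   $(sample_ip_only | classify_s_client)"
    echo "with name: $(sample_with_name | classify_s_client)"
fi
```

Run with an IP and a hostname as arguments from inside the container and from an outside machine; a `default-cert` verdict on the "with SNI" line means Traefik saw the name but had no router or certificate for it.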

Yes, I tested with the IP just to see if that would work.

wget works from other computers but fails from within my docker containers.

Ping also works from all systems

Just to clarify: you are running the same wget https://sp.website.dk and get different results from inside and outside?

That's really strange, especially if ping shows the same IP.

Maybe the wget GNU-TLS library in your container does not like LetsEncrypt?