Hi,
I am setting up a little single-node cluster using k3s.
I disabled the traefik deployment of k3s and installed v2.0
Pretty much like in https://docs.traefik.io/user-guides/crd-acme/
Main differences:
k3s runs natively and not inside Docker, and the ports to Traefik are not exposed via ClusterIP and port forwarding; they have a LoadBalancer Service.
I can reach both the HTTP route to whoami and the HTTPS route.
But https only has the Traefik default certificate. The ACME challenge fails with:
Unable to obtain ACME certificate for domains "mydomain.de": unable to generate a certificate for the domains [mydomain.de]: acme: Error -> One or more domains had a problem:
[mydomain.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url:
" providerName=default.acme routerName=default-ingressroutetls-0a7f92153022684cd3cb rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)"
What could be the reason for this?
My Services:
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: default
spec:
  type: LoadBalancer
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: web
    - protocol: TCP
      name: websecure
      port: 443
      targetPort: websecure
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
  namespace: default
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      name: traefik
      port: 80
      targetPort: traefik
  selector:
    app: traefik
My Deployment:
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.0
          readinessProbe:
            httpGet:
              path: /ping
              port: 8080
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              path: /ping
              port: 8080
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          args:
            - --log.level=DEBUG
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetescrd
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.email=myemail@gmail.com
            - --certificatesresolvers.default.acme.storage=acme.json
            - --ping=true
            - --api.dashboard=true
            - --api.insecure=true
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 4443
            - name: traefik
              containerPort: 8080
The HTTPS Route:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mydomain.de`) && PathPrefix(`/whoami`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: default
    options: {}
Some more logs:
time="2019-11-24T15:04:01Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-11-24T15:04:02Z" level=debug msg="No secret name provided" providerName=kubernetescrd
time="2019-11-24T15:04:02Z" level=debug msg="Configuration received from provider kubernetescrd: {\"http\":{\"routers\":{\"default-ingressroutetls-0a7f92153022684cd3cb\":{\"entryPoints\":[\"websecure\"],\"service\":\"default-ingressroutetls-0a7f92153022684cd3cb\",\"rule\":\"Host(`mydomain.de`) \\u0026\\u0026 PathPrefix(`/whoami`)\",\"tls\":{\"certResolver\":\"default\"}}},\"services\":{\"default-ingressroutetls-0a7f92153022684cd3cb\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.42.0.119:80\"},{\"url\":\"http://10.42.0.121:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2019-11-24T15:04:02Z" level=debug msg="Creating middleware" routerName=default-ingressroutetls-0a7f92153022684cd3cb@kubernetescrd serviceName=default-ingressroutetls-0a7f92153022684cd3cb middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure
time="2019-11-24T15:04:02Z" level=debug msg="Creating load-balancer" serviceName=default-ingressroutetls-0a7f92153022684cd3cb entryPointName=websecure routerName=default-ingressroutetls-0a7f92153022684cd3cb@kubernetescrd
time="2019-11-24T15:04:02Z" level=debug msg="Creating server 0 http://10.42.0.119:80" routerName=default-ingressroutetls-0a7f92153022684cd3cb@kubernetescrd serviceName=default-ingressroutetls-0a7f92153022684cd3cb entryPointName=websecure serverName=0
time="2019-11-24T15:04:02Z" level=debug msg="Creating server 1 http://10.42.0.121:80" serviceName=default-ingressroutetls-0a7f92153022684cd3cb entryPointName=websecure routerName=default-ingressroutetls-0a7f92153022684cd3cb@kubernetescrd serverName=1
time="2019-11-24T15:04:02Z" level=debug msg="Added outgoing tracing middleware default-ingressroutetls-0a7f92153022684cd3cb" routerName=default-ingressroutetls-0a7f92153022684cd3cb@kubernetescrd middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
time="2019-11-24T15:04:02Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
time="2019-11-24T15:04:02Z" level=debug msg="No default certificate, generating one"
time="2019-11-24T15:04:03Z" level=debug msg="Try to challenge certificate for domain [mydomain.de] found in HostSNI rule" routerName=default-ingressroutetls-0a7f92153022684cd3cb rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)" providerName=default.acme
time="2019-11-24T15:04:03Z" level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.de\"]..." routerName=default-ingressroutetls-0a7f92153022684cd3cb rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)" providerName=default.acme
time="2019-11-24T15:04:03Z" level=debug msg="Domains [\"mydomain.de\"] need ACME certificates generation for domains \"mydomain.de\"." providerName=default.acme routerName=default-ingressroutetls-0a7f92153022684cd3cb rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)"
time="2019-11-24T15:04:03Z" level=debug msg="Loading ACME certificates [mydomain.de]..." rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)" providerName=default.acme routerName=default-ingressroutetls-0a7f92153022684cd3cb
time="2019-11-24T15:04:03Z" level=debug msg="legolog: [INFO] [mydomain.de] acme: Obtaining bundled SAN certificate"
time="2019-11-24T15:04:03Z" level=debug msg="legolog: [INFO] [mydomain.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/23043755"
time="2019-11-24T15:04:03Z" level=debug msg="legolog: [INFO] [mydomain.de] acme: use tls-alpn-01 solver"
time="2019-11-24T15:04:03Z" level=debug msg="legolog: [INFO] [mydomain.de] acme: Trying to solve TLS-ALPN-01"
time="2019-11-24T15:04:03Z" level=debug msg="TLS Challenge Present temp certificate for mydomain.de" providerName=acme
time="2019-11-24T15:04:03Z" level=debug msg="No secret name provided" providerName=kubernetescrd
time="2019-11-24T15:04:03Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-11-24T15:04:05Z" level=debug msg="No secret name provided" providerName=kubernetescrd
time="2019-11-24T15:04:05Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-11-24T15:04:07Z" level=debug msg="No secret name provided" providerName=kubernetescrd
time="2019-11-24T15:04:07Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-11-24T15:04:08Z" level=debug msg="TLS Challenge CleanUp temp certificate for mydomain.de" providerName=acme
time="2019-11-24T15:04:08Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/23043755"
time="2019-11-24T15:04:08Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.de\": unable to generate a certificate for the domains [mydomain.de]: acme: Error -> One or more domains had a problem:\n[mydomain.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=default.acme routerName=default-ingressroutetls-0a7f92153022684cd3cb rule="Host(`mydomain.de`) && PathPrefix(`/whoami`)"
time="2019-11-24T15:04:09Z" level=debug msg="No secret name provided" providerName=kubernetescrd
time="2019-11-24T15:04:09Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
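Reading the debug output above mechanically helps pin down where the challenge stalls. The following is an added example, not part of the original post or of Traefik itself: it parses constructed log lines modelled on the ones above, measures how long the temporary TLS-ALPN-01 certificate was served between "Present" and "CleanUp", and maps the ACME error type (urn:ietf:params:acme:error:connection here) to what it means for reachability of the websecure entrypoint on port 443.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Traefik v2.0 debug lines quoted in the post.
SAMPLE_LOG = r'''
time="2019-11-24T15:04:03Z" level=debug msg="legolog: [INFO] [mydomain.de] acme: use tls-alpn-01 solver"
time="2019-11-24T15:04:03Z" level=debug msg="TLS Challenge Present temp certificate for mydomain.de" providerName=acme
time="2019-11-24T15:04:08Z" level=debug msg="TLS Challenge CleanUp temp certificate for mydomain.de" providerName=acme
time="2019-11-24T15:04:08Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.de\": acme: Error -> One or more domains had a problem:\n[mydomain.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=default.acme
'''.strip().splitlines()

# Traefik's logfmt-style line; msg may contain escaped quotes (\") and newlines (\n).
LINE_RE = re.compile(r'time="(?P<ts>[^"]*)" level=(?P<level>\w+) msg="(?P<msg>(?:[^"\\]|\\.)*)"')
SOLVER_RE = re.compile(r"\[(?P<domain>[^\]]+)\] acme: use (?P<solver>[\w-]+) solver")
PRESENT_RE = re.compile(r"TLS Challenge Present temp certificate for (?P<domain>\S+)")
CLEANUP_RE = re.compile(r"TLS Challenge CleanUp temp certificate for (?P<domain>\S+)")
ERROR_RE = re.compile(r'Unable to obtain ACME certificate for domains "(?P<domain>[^"]+)".*?'
                      r"(?P<urn>urn:ietf:params:acme:error:[\w-]+) :: (?P<detail>[^\n]*)", re.S)

# RFC 8555 error type that explains a challenge the CA never completed.
ACME_ERROR_HINTS = {
    "urn:ietf:params:acme:error:connection": "CA could not connect to the validation target; for "
        "tls-alpn-01 that is port 443 of the domain's public address, which must reach websecure",
}

def parse_line(line):
    # Returns {"ts", "level", "msg"} with the msg field unescaped, or None for non-matching lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "level": m["level"], "msg": m["msg"].replace('\\"', '"').replace("\\n", "\n")}

def summarize_acme(lines):
    # Per domain: solver used, seconds the temporary challenge cert was served, and the final error.
    attempts = {}
    for ev in filter(None, map(parse_line, lines)):
        msg = ev["msg"]
        if m := SOLVER_RE.search(msg):
            attempts.setdefault(m["domain"], {})["solver"] = m["solver"]
        elif m := PRESENT_RE.search(msg):
            attempts.setdefault(m["domain"], {})["present_at"] = ev["ts"]
        elif m := CLEANUP_RE.search(msg):
            a = attempts.setdefault(m["domain"], {})
            a["challenge_seconds"] = (ev["ts"] - a.get("present_at", ev["ts"])).total_seconds()
        elif ev["level"] == "error" and (m := ERROR_RE.search(msg)):
            a = attempts.setdefault(m["domain"], {})
            a["error_type"], a["error_detail"] = m["urn"], m["detail"].strip()
            a["hint"] = ACME_ERROR_HINTS.get(m["urn"], "see the RFC 8555 error type list")
    return attempts
```

Feed it `kubectl logs` output of the Traefik pod to get one dict per domain; a "connection" error with a cleanup a few seconds after "Present" means Traefik was serving the challenge certificate but the CA could not reach it.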