I've got Traefik set up as a Docker container, and it has been running just fine for the longest time. I was looking at the logs today because I was notified that one of my certs has expired, and I see the following in the container logs:
```text
time="2024-03-04T02:13:33Z" level=error msg="Error renewing certificate from LE: {sub1.domain.com []}" providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[sub1.domain.com] [sub1.domain.com] acme: error presenting token: cloudflare: could not find zone for domain \"sub1.domain.com\" (_acme-challenge.sub1.domain.com.): unexpected response code 'SERVFAIL' for _acme-challenge.sub1.domain.com.\n"
```
I've looked at all the similar topics and tried many things, but none seem to apply in this situation. The part that makes this weird is that I have about a dozen other certs that Traefik issued for subdomains of domain.com (obviously not the real domain name). As a test case, I deleted a couple of them from acme.json, and it had no issue issuing new ones for those subdomains; it's just this one in particular that it won't renew. Any thoughts?
Here are the pertinent bits from Docker:
```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    restart: unless-stopped
    command:
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--accesslog.filepath=./access.log"
      - "--accesslog.bufferingsize=100"
      - "--serverstransport.insecureskipverify=true"
      - "--providers.docker=true"
      - "--providers.file.filename=/config.yml"
      - "--providers.file.watch=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      #- "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.email=<REDACTED>"
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=<REDACTED>"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      #- "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--entrypoints.websecure.http.tls=true" # websecure entrypoint is always tls
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure" # global http to https redirect to entrypoint websecure
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https" # global http to https redirect schema rewrite
      - "--entrypoints.websecure.http.tls.certresolver=cloudflare" # websecure entrypoint (https) should use CF resolver by default
      - "--entrypoints.websecure.http3" # <== ADD
      - "--experimental.http3=true" # <== ADD
    environment:
      - CF_API_EMAIL=<REDACTED>
      - CF_DNS_API_TOKEN=<REDACTED>
```
Here are the pertinent bits from the config where this subdomain is pulled from:
```yaml
http:
  routers:
    sub1:
      service: sub1
      entrypoints: "websecure"
      rule: "Host(`sub1.domain.com`)"
      middlewares:
        - "secureHeaders"
      tls:
        certResolver: cloudflare
  services:
    sub1:
      loadBalancer:
        servers:
          - url: "http://192.168.2:80"
```
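The error text in the log ("could not find zone for domain ... unexpected response code 'SERVFAIL' for _acme-challenge.sub1.domain.com.") comes from the zone-discovery step that the DNS-01 client runs before it ever talks to the Cloudflare API: it queries SOA for the challenge name and walks up one label at a time until a zone apex answers. The model below is an added example, not Traefik's or lego's own code; its walk is modelled on lego's `FindZoneByFqdn` routine (whose error strings match the log line), the `FAKE_ANSWERS` table is constructed to stand in for the configured resolvers (1.1.1.1), and `dig_lookup` is an optional live variant that needs network access and `dig` installed. It shows why sibling subdomains renew while this one does not: NXDOMAIN and empty answers just move the walk up to `domain.com.`, but a SERVFAIL at the very first name aborts it before the API token or zone configuration is consulted at all.

```python
"""Model of the SOA zone-discovery walk performed by DNS-01 ACME clients.

Added example: modelled on lego's FindZoneByFqdn (used by Traefik's
cloudflare resolver), not Traefik's or lego's own code.  FAKE_ANSWERS is a
constructed stand-in for the resolvers named in the Traefik command line.
"""
import re
import subprocess
from typing import Callable, List, Tuple

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# A lookup answers an SOA query for `name` with (rcode, answer_records);
# each answer record is (owner, rrtype).
Answer = Tuple[str, List[Tuple[str, str]]]
Lookup = Callable[[str], Answer]


def find_zone_by_fqdn(fqdn: str, lookup: Lookup) -> str:
    """Walk from `fqdn` toward the root, querying SOA at each label boundary.

    NXDOMAIN, an empty answer, or a CNAME in the answer all mean "not a zone
    apex, try the parent".  An SOA answer names the zone.  Any other rcode
    (SERVFAIL included) aborts the walk immediately, which is what the
    Traefik log above shows for the first name queried.
    """
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rcode, records = lookup(candidate)
        if rcode == NOERROR:
            if not records or any(rtype == "CNAME" for _, rtype in records):
                continue
            for owner, rtype in records:
                if rtype == "SOA":
                    return owner
        elif rcode != NXDOMAIN:
            raise RuntimeError(f"unexpected response code '{rcode}' for {candidate}")
    raise RuntimeError(f"could not find the start of authority for {name}")


def diagnose(fqdn: str, lookup: Lookup) -> dict:
    """Return {'zone': ...} on success or {'error': ...} with the abort reason."""
    try:
        return {"zone": find_zone_by_fqdn(fqdn, lookup)}
    except RuntimeError as exc:
        return {"error": str(exc)}


# Constructed answers: sub2 stands for one of the subdomains that renews
# fine, sub1 for the one in the error log.
FAKE_ANSWERS = {
    "_acme-challenge.sub2.domain.com.": (NXDOMAIN, []),
    "sub2.domain.com.": (NOERROR, []),  # host record exists, but no SOA here
    "domain.com.": (NOERROR, [("domain.com.", "SOA")]),
    "_acme-challenge.sub1.domain.com.": (SERVFAIL, []),
    "sub1.domain.com.": (NOERROR, []),
}


def fake_lookup(name: str) -> Answer:
    return FAKE_ANSWERS.get(name, (NXDOMAIN, []))


def dig_lookup(name: str, server: str = "1.1.1.1", checking_disabled: bool = False) -> Answer:
    """Live lookup via `dig` (needs network and dig installed).

    With checking_disabled=True the query carries +cdflag; a name that is
    SERVFAIL normally but NOERROR with +cdflag fails DNSSEC validation at
    the resolver rather than being broken at the authoritative servers.
    """
    cmd = ["dig", "@" + server, "+noall", "+comments", "+answer"]
    if checking_disabled:
        cmd.append("+cdflag")
    cmd += ["SOA", name]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    match = re.search(r"status: ([A-Z]+)", out)
    rcode = match.group(1) if match else SERVFAIL
    records = []
    for line in out.splitlines():
        parts = line.split()
        if not line.startswith(";") and len(parts) >= 4 and parts[2] == "IN":
            records.append((parts[0], parts[3]))
    return rcode, records


if __name__ == "__main__":
    for host in ("_acme-challenge.sub2.domain.com", "_acme-challenge.sub1.domain.com"):
        print(host, diagnose(host, fake_lookup))
```

Running `diagnose("_acme-challenge.sub1.domain.com", dig_lookup)` against the real resolvers, and again with `checking_disabled=True`, separates the two usual causes of a SERVFAIL on one specific name: a DNSSEC validation failure at 1.1.1.1 (the +cdflag query succeeds) versus an authoritative server that cannot answer for that name (both fail). Either way the fix is on the DNS side for that name, not in the Cloudflare token or the Traefik resolver settings.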