ACME/lego certificate request never happens

Hello, a little bit lost here.
I tried to configure a new Traefik Docker proxy with certificate resolvers (latest, 2.8.5), but it seems that nothing is happening.

I used ZeroSSL, but the same happens with Let's Encrypt.

CONF

[certificatesResolvers]
  [certificatesResolvers.zerossl]
    [certificatesResolvers.zerossl.acme]
      email = [
        "me@me.com"
      ]
      storage = "/ssl/acme.json"
      caServer = "https://acme.zerossl.com/v2/DV90"

      [certificatesResolvers.zerossl.acme.dnsChallenge]
        provider = "godaddy"
        resolvers = [
          "9.9.9.9:53",
          "8.8.8.8:53"
        ]

      [certificatesResolvers.zerossl.acme.eab]
        kid = "XXXXXXX"
        hmacEncoded = "YYYYYYYYYYY"

 labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.me`)"
        - "traefik.http.routers.traefik.tls=true"
        - "traefik.http.routers.traefik.tls.certresolver=zerossl"
        - "traefik.http.routers.traefik.tls.domains[0].main=$MY_DOMAIN"
        - "traefik.http.routers.traefik.tls.domains[0].sans=traefik.$MY_DOMAIN"
        - "traefik.http.routers.traefik.service=api@internal"

LOGS

traefik    | {"level":"warning","msg":"Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-09-19T07:58:32Z"}
traefik    | {"entryPointName":"traefik","level":"debug","msg":"Starting TCP Server","time":"2022-09-19T07:58:32Z"}
traefik    | {"entryPointName":"http","level":"debug","msg":"Starting TCP Server","time":"2022-09-19T07:58:32Z"}
traefik    | {"entryPointName":"https","level":"debug","msg":"Starting TCP Server","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"info","msg":"Starting provider *file.Provider","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"debug","msg":"*file.Provider provider configuration: {\"directory\":\"/files\",\"watch\":true}","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"debug","msg":"*traefik.Provider provider configuration: {}","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"debug","msg":"*acme.ChallengeTLSALPN provider configuration: {}","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"debug","msg":"No default certificate, generating one","time":"2022-09-19T07:58:32Z","tlsStoreName":"default"}
traefik    | {"level":"info","msg":"Starting provider *acme.Provider","time":"2022-09-19T07:58:32Z"}
traefik    | {"level":"debug","msg":"*acme.Provider provider configuration: {\"email\":\"me@me.com\",\"caServer\":\"https://acme.zerossl.com/v2/DV90\",\"storage\":\"/ssl/acme.json\",\"keyType\":\"RSA4096\",\"eab\":{\"kid\":\"xxxx\",\"hmacEncoded\":\"xxxx\"},\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"godaddy\"},\"ResolverName\":\"zerossl\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}","time":"2022-09-19T07:58:32Z"}
traefik    | {"ACME CA":"https://acme.zerossl.com/v2/DV90","level":"debug","msg":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"","providerName":"zerossl.acme","time":"2022-09-19T07:58:32Z"}
traefik    | {"ACME CA":"https://acme.zerossl.com/v2/DV90","level":"info","msg":"Testing certificate renew...","providerName":"zerossl.acme","time":"2022-09-19T07:58:32Z"}

As you can see, I only get "Attempt to renew certificates" and "Testing certificate renew...".

  • acme.json is created and empty
  • pretty sure the API keys are exported as variables
  • tested the credentials with a Docker lego image: it works both for Let's Encrypt and ZeroSSL and can generate a cert, pretty fast too.

Maybe something is not working at the network level, but I can resolve the CA URL, so I am a bit lost here with no error.

I would like to think the problem is between the chair and the table, but I currently don't see it.

thanks

F.

Hello,

The email is not an array but a string:

[certificatesResolvers]

[certificatesResolvers.zerossl]

[certificatesResolvers.zerossl.acme]
  email = "me@me.com"
  storage = "/ssl/acme.json"
  caServer = "https://acme.zerossl.com/v2/DV90"

[certificatesResolvers.zerossl.acme.dnsChallenge]
  provider = "godaddy"
  resolvers = [
    "9.9.9.9:53",
    "8.8.8.8:53"
  ]

[certificatesResolvers.zerossl.acme.eab]
  kid = "XXXXXXX"
  hmacEncoded = "YYYYYYYYYYY"

Thanks a lot, I did change it but it seems not to change the behaviour:

traefik | {"ACME CA":"https://acme.zerossl.com/v2/DV90","level":"debug","msg":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"","providerName":"zerossl.acme","time":"2022-09-19T08:48:30Z"}
traefik | {"ACME CA":"https://acme.zerossl.com/v2/DV90","level":"info","msg":"Testing certificate renew...","providerName":"zerossl.acme","time":"2022-09-19T08:48:30Z"}

Is there anything I can "trigger" inside the container?
I would try to install Traefik standalone rather than via Docker and see if there is any difference...

No, it's automatic

The logs about the renew are just because at start we check if there is something to renew.
They're not related to your problem.

I think your problem is with your static configuration.
Can you provide your full static configuration?

[global]
  checkNewVersion = true
  sendAnonymousUsage = false
[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.http]
      [entryPoints.http.http.redirections]
        [entryPoints.http.http.redirections.entryPoint]
          to = "https"
          scheme = "https"
  [entryPoints.https]
    address = ":443"
[log]
  level = "DEBUG"
  #filePath = "/logs/traefik.log"
  format = "json"
[accessLog]
  #filePath = "/logs/access.log"
  format = "json"
[api]
  insecure = false
  dashboard = true
[ping]
  entryPoint = "traefik"
[providers]
  [providers.file]
    directory = "/files"
    watch = true
  #[providers.docker]
############
#
############################
 [certificatesResolvers]
    [certificatesResolvers.zerossl]
      [certificatesResolvers.zerossl.acme]
        email = "me@me.com"
        storage = "/ssl/acme.json"
        caServer= "https://acme.zerossl.com/v2/DV90"
        [certificatesResolvers.zerossl.acme.dnsChallenge]
          provider = "godaddy"
          resolvers = [
            "9.9.9.9:53",
            "8.8.8.8:53"
          ]
        [certificatesResolvers.zerossl.acme.eab]
          kid = "BsG7eKvW5QaWQ"
          hmacEncoded = "MZf61cpePTZMkE3vpSl8IbrbUqCd2fqLGKZqVuXL5XRgKjoID3BEIPVMd54Z_gkoA"
########################
#
#########################
[tls]
  [tls.options]
    [tls.options.https]
      sniStrict = true
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      ]
    [tls.options.websecure.mintls13]
      minVersion = "VersionTLS13"

There are several problems:

  • the Docker provider must be enabled
  • the tls section must be moved into the dynamic configuration

[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[entryPoints.http]
  address = ":80"
  [entryPoints.http.http.redirections.entryPoint]
    to = "https"
    scheme = "https"

[entryPoints.https]
  address = ":443"

[log]
  level = "DEBUG"
  format = "json"

[accessLog]
  format = "json"

[api]
  insecure = false
  dashboard = true

[ping]
  entryPoint = "traefik"

[providers]

[providers.file]
  directory = "/files"
  watch = true

[providers.docker]
  exposedByDefault = true

[certificatesResolvers.zerossl.acme]
  email = "me@me.com"
  storage = "/ssl/acme.json"
  caServer = "https://acme.zerossl.com/v2/DV90"

  [certificatesResolvers.zerossl.acme.dnsChallenge]
    provider = "godaddy"
    resolvers = [
      "9.9.9.9:53",
      "8.8.8.8:53"
    ]
  
  [certificatesResolvers.zerossl.acme.eab]
    kid = "BsG7eKvW5QaWQ"
    hmacEncoded = "MZf61cpePTZMkE3vpSl8IbrbUqCd2fqLGKZqVuXL5XRgKjoID3BEIPVMd54Z_gkoA"
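
The tls options moved out of the static file and into the file provider's directory, as an added example that is not part of the thread. It assumes the file is placed under the `/files` directory the static configuration already points at (`providers.file.directory`, with `watch = true` so edits are picked up without a restart); the file name `tls.toml` is arbitrary. In dynamic configuration, each sub-table of `[tls.options]` is a named option set, the `default` set applies to every TLS router that does not pick one, and a router selects another set as `name@file`:

```toml
# /files/tls.toml (added example; any *.toml under providers.file.directory is loaded)

[tls.options]
  # Applied to every TLS router that does not set tls.options explicitly.
  [tls.options.default]
    minVersion = "VersionTLS12"
    # Reject TLS handshakes whose SNI matches no configured certificate
    # instead of answering with the generated default certificate.
    sniStrict = true
    # Only the TLS 1.2 suite list is configurable; Go fixes the TLS 1.3 suites.
    # The resolver above issues RSA4096 keys (see the provider log line), so the
    # ECDSA suites only matter if an ECDSA certificate is also served.
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

  # Stricter profile for the dashboard router, selected per router with
  # traefik.http.routers.traefik.tls.options=mintls13@file
  [tls.options.mintls13]
    minVersion = "VersionTLS13"
    sniStrict = true
```

With this file in place the dashboard container keeps its `tls.certresolver=zerossl` label and adds `traefik.http.routers.traefik.tls.options=mintls13@file`; every other TLS router gets the `default` profile without any label. Leaving the `[tls]` table in the static file is the mistake pointed out above: static configuration has no `tls` section, so the options are silently ignored there.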

Thanks a lot. I stopped the Docker provider (I run with non-privileged users, so I need to use a socket proxy) and removed it in case it was the culprit... but I think it is the tls stuff that blocked it (copied from an old installation).

Thanks again for the courtesy and the rapidity
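
The socket-proxy setup mentioned in the last reply, as an added example rather than configuration from the thread. It assumes a socket-proxy container named `socket-proxy` on a shared Docker network named `proxy` (both names are placeholders) that exposes the Docker API over plain TCP and allows only the read-only endpoints the provider needs (container listing, the event stream, and the version/ping calls made at start), so that the Traefik container never mounts `/var/run/docker.sock` itself:

```toml
# Static configuration fragment (added example): Docker provider via a socket proxy.

[providers.docker]
  # Placeholder service name; the proxy must be reachable on the same network.
  # Traefik only reads the container list and event stream, so the proxy can
  # deny everything else (create, exec, volume and image endpoints).
  endpoint = "tcp://socket-proxy:2375"
  # Opt-in routing: only containers labelled traefik.enable=true are exposed,
  # which matches the labels used on the dashboard container above.
  exposedByDefault = false
  # Placeholder network name on which Traefik reaches the backends.
  network = "proxy"
  watch = true

[certificatesResolvers.zerossl.acme]
  email = "me@me.com"
  storage = "/ssl/acme.json"
  caServer = "https://acme.zerossl.com/v2/DV90"

  [certificatesResolvers.zerossl.acme.dnsChallenge]
    # lego reads the GoDaddy credentials from the GODADDY_API_KEY and
    # GODADDY_API_SECRET environment variables of the Traefik container.
    provider = "godaddy"
    resolvers = ["9.9.9.9:53", "8.8.8.8:53"]

  [certificatesResolvers.zerossl.acme.eab]
    # Placeholders: the real kid/hmacEncoded pair is an account credential
    # and should be kept out of pasted configurations.
    kid = "XXXXXXX"
    hmacEncoded = "YYYYYYYYYYY"
```

`exposedByDefault = false` is the safer default with a socket proxy: a container that starts on the shared network without an explicit `traefik.enable=true` label is not routed, whereas `exposedByDefault = true` publishes every container the proxy lets Traefik see. The `/ssl/acme.json` file is written with mode 0600 by Traefik and holds the account key and private keys, so the volume behind it needs the same protection as the EAB credentials.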
