ACME provider generates empty acme.json

I have the following configuration defined in my helm values file:

deployment:
  initContainers:
    - name: volume-permissions
      image: busybox:latest
      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
      securityContext:
        runAsNonRoot: true
        runAsGroup: 65532
        runAsUser: 65532
      volumeMounts:
        - name: data
          mountPath: /data
additionalArguments:
  - --log.level=DEBUG
  - --metrics.prometheus=true
  - --metrics.prometheus.entryPoint=metrics
  - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
  - --providers.kubernetescrd.ingressclass=traefik-internal
  - --entryPoints.otel-grpc.address=:4317
  - --entryPoints.otel-http.address=:4318
  - --certificatesresolvers.le.acme.email=richardsonb@olympiafinancial.com
  - --certificatesresolvers.le.acme.storage=/data/acme.json
  - --certificatesresolvers.le.acme.dnschallenge.provider=dnsmadeeasy
  - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0
ports:
  web:
    redirectTo:
      port: websecure
service:
  spec:
    loadBalancerIP: a.b.c.d
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9100"
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  nodeSelector:
    agentpool: traefik
env:
- name: POD_NAME
  valueFrom:
    fieldRef:
      fieldPath: metadata.name
- name: POD_NAMESPACE
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace
- name: DNSMADEEASY_API_KEY
  valueFrom:
    secretKeyRef:
      name: dnsmadeeasy-api
      key: apikey
- name: DNSMADEEASY_API_SECRET
  valueFrom:
    secretKeyRef:
      name: dnsmadeeasy-api
      key: apisecret

The ingressroute is defined as follows:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-internal
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik-internal
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`qa-traefik-int-arm64.olympiafinancial.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: le
    domains:
      - main: "*.olympiafinancial.com"
        sans:
          - qa-traefik-int-arm64.olympiafinancial.com

But all I see in the logs are the following:

time="2023-11-28T20:40:08Z" level=info msg="Testing certificate renew..." providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
...
time="2023-11-28T20:40:09Z" level=debug msg="Looking for provided certificate(s) to validate [\"*.olympiafinancial.com\" \"qa-traefik-int-arm64.olympiafinancial.com\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2023-11-28T20:40:09Z" level=debug msg="No ACME certificate generation required for domains [\"*.olympiafinancial.com\" \"qa-traefik-int-arm64.olympiafinancial.com\"]." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme

When I log in to the container, I indeed see an acme.json file in /data, but it is empty. I would expect that it should fetch the certificate for *.olympiafinancial.com and store it in acme.json. If I delete the empty acme.json (which I can), it gets recreated empty when I restart the deployment. I've verified that the environment variables DNSMADEEASY_API_KEY and DNSMADEEASY_API_SECRET are set correctly. What am I missing?

It seems there were some stale ingressroutes that still referred to a different version of the wildcard certificate for the domain. After deleting the ingress routes, ACME began to function as expected.
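An added diagnostic, not part of the original thread: a small Python script that inspects a Traefik acme.json the way a practitioner would when debugging this symptom, reporting whether the file is empty, whether its mode is still owner-only (the 0600 the init container above sets; the file holds the ACME account key and every issued private key), and which domains each resolver has stored. The acme.json contents and the PEM bodies are constructed for the example and follow Traefik's acme.json layout (resolver name at the top level, then Account and Certificates).

```python
import base64, json, os, stat, tempfile

def inspect_acme_json(path):
    """Report on a Traefik acme.json: is it empty, is its mode owner-only, what is stored."""
    # acme.json holds the ACME account key and every issued private key, so any
    # group/other permission bit is a finding (Traefik expects the file to be 0600).
    mode_ok = (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():  # the symptom from the thread: the file exists but holds nothing
        return {"empty": True, "mode_ok": mode_ok, "resolvers": {}}
    resolvers = {}
    for name, body in json.loads(raw).items():  # one entry per certresolver, e.g. "le"
        certs = []
        for entry in body.get("Certificates") or []:
            dom = entry.get("domain", {})
            pem = base64.b64decode(entry.get("certificate", ""))
            certs.append({
                "main": dom.get("main"),
                "sans": dom.get("sans") or [],
                "has_certificate": pem.startswith(b"-----BEGIN CERTIFICATE-----"),
                "has_key": bool(entry.get("key")),
            })
        resolvers[name] = certs
    return {"empty": False, "mode_ok": mode_ok, "resolvers": resolvers}

def write_sample(content, mode):
    # Write constructed bytes to a temp file with the given mode; return its path.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path

# Constructed acme.json in Traefik's layout (resolver -> Account + Certificates).
# Traefik stores certificate and key as base64 of the PEM; these bodies are placeholders.
SAMPLE = json.dumps({"le": {
    "Account": {"Email": "ops@example.invalid", "KeyType": "4096"},
    "Certificates": [{
        "domain": {"main": "*.olympiafinancial.com",
                   "sans": ["qa-traefik-int-arm64.olympiafinancial.com"]},
        "certificate": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n").decode(),
        "key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n").decode(),
        "Store": "default"}]}}).encode()

def demo():
    # An empty 0600 file (the thread's symptom) and a populated but world-readable 0644 one.
    return inspect_acme_json(write_sample(b"", 0o600)), inspect_acme_json(write_sample(SAMPLE, 0o644))
```

Run it against the real /data/acme.json inside the pod (`kubectl exec`) by calling inspect_acme_json on that path; an empty report with no resolvers means Traefik never wrote an account or certificate, which points at the routing side rather than the DNS provider credentials.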
