I'm having a rough go at this. I can successfully get traefik to get a staging cert using the following config. Next I stop the container, delete the acme.json, touch acme.json, chmod 600 acme.json, docker compose force recreate. When the new container comes up it fails to receive a cert. I've been under the impression that if staging works then production should, and that the difference was that staging had a higher rate limit. But for some reason it does not work for me. Also, below are two log files: one from the container when using the staging address and one from the container when using the production address.
traefik.yml
```yaml
# write container logs to a log file
log:
  filePath: "var/log/traefik/log-file.log"
  format: common
  level: DEBUG
  # maxBackups: 10
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@gmail.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        delayBeforeCheck: 3s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
        #resolvers:
        #  - "1.1.1.1:53"
        #  - "1.0.0.1:53"
```
LOG FROM STAGING CONTAINER
2024-07-15T23:57:47Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["mmci.work" "*.mmci.work"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-15T23:57:47Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:897 > Domains need ACME certificates generation for domains "mmci.work,*.mmci.work". ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["mmci.work","*.mmci.work"] providerName=cloudflare.acme
2024-07-15T23:57:47Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:619 > Loading ACME certificates [mmci.work *.mmci.work]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-15T23:57:49Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251 > Building ACME client... providerName=cloudflare.acme
2024-07-15T23:57:49Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257 > https://acme-staging-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-15T23:57:49Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:371 > Register... providerName=cloudflare.acme
2024-07-15T23:57:49Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] acme: Registering account for myemail@gmail.com lib=lego
2024-07-15T23:57:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:293 > Using DNS Challenge provider: cloudflare providerName=cloudflare.acme
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work, *.mmci.work] acme: Obtaining bundled SAN certificate lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13177501423 lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/13177501433 lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: use dns-01 solver lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Could not find solver for: tls-alpn-01 lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Could not find solver for: http-01 lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: use dns-01 solver lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Preparing to solve DNS-01 lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] cloudflare: new record for mmci.work, ID 0b8ef0fde73a9764446a7072af75302a lib=lego
2024-07-15T23:57:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Preparing to solve DNS-01 lib=lego
2024-07-15T23:57:51Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] cloudflare: new record for mmci.work, ID 0e47ce00f29e7e69d5c30ce1c651c2b3 lib=lego
2024-07-15T23:57:51Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-15T23:57:51Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53] lib=lego
2024-07-15T23:57:53Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2024-07-15T23:57:53Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-15T23:58:10Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] The server validated our request lib=lego
2024-07-15T23:58:10Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-15T23:58:10Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53] lib=lego
2024-07-15T23:58:12Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2024-07-15T23:58:12Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-15T23:58:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] The server validated our request lib=lego
2024-07-15T23:58:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Cleaning DNS-01 challenge lib=lego
2024-07-15T23:58:28Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Cleaning DNS-01 challenge lib=lego
2024-07-15T23:58:28Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work, *.mmci.work] acme: Validations succeeded; requesting certificates lib=lego
2024-07-15T23:58:30Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Wait for certificate [timeout: 30s, interval: 500ms] lib=lego
2024-07-15T23:58:31Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] Server responded with a certificate. lib=lego
2024-07-15T23:58:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:643 > Certificates obtained for domains [mmci.work *.mmci.work] ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-15T23:58:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=cloudflare.acme
2024-07-15T23:58:31Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131 > Adding certificate for domain(s) *.mmci.work,mmci.work
LOG FROM CONTAINER WHEN USING PROD
2024-07-16T00:02:21Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["mmci.work" "*.mmci.work"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-16T00:02:21Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:897 > Domains need ACME certificates generation for domains "mmci.work,*.mmci.work". ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mmci.work","*.mmci.work"] providerName=cloudflare.acme
2024-07-16T00:02:21Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:619 > Loading ACME certificates [mmci.work *.mmci.work]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-16T00:02:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251 > Building ACME client... providerName=cloudflare.acme
2024-07-16T00:02:26Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257 > https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-07-16T00:02:27Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:371 > Register... providerName=cloudflare.acme
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] acme: Registering account for myemail@gmail.com lib=lego
2024-07-16T00:02:27Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:293 > Using DNS Challenge provider: cloudflare providerName=cloudflare.acme
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work, *.mmci.work] acme: Obtaining bundled SAN certificate lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/377522346447 lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/377522346457 lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: use dns-01 solver lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Could not find solver for: tls-alpn-01 lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Could not find solver for: http-01 lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: use dns-01 solver lib=lego
2024-07-16T00:02:27Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Preparing to solve DNS-01 lib=lego
2024-07-16T00:02:29Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] cloudflare: new record for mmci.work, ID 266a74ee67d5642d01f0b1b4df594042 lib=lego
2024-07-16T00:02:29Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Preparing to solve DNS-01 lib=lego
2024-07-16T00:02:29Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] cloudflare: new record for mmci.work, ID 7bcad347d26434e10948ff9c9a3577e1 lib=lego
2024-07-16T00:02:29Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-16T00:02:29Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53] lib=lego
2024-07-16T00:02:31Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2024-07-16T00:02:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-16T00:02:37Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-16T00:02:37Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53] lib=lego
2024-07-16T00:02:39Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Wait for propagation [timeout: 2m0s, interval: 2s] lib=lego
2024-07-16T00:02:39Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-16T00:02:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] The server validated our request lib=lego
2024-07-16T00:02:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [*.mmci.work] acme: Cleaning DNS-01 challenge lib=lego
2024-07-16T00:02:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [mmci.work] acme: Cleaning DNS-01 challenge lib=lego
2024-07-16T00:02:47Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/377522346447 lib=lego
2024-07-16T00:02:47Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/377522346457 lib=lego
2024-07-16T00:02:47Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:469 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mmci.work *.mmci.work]: error: one or more domains had a problem:\n[*.mmci.work] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mmci.work - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mmci.work","*.mmci.work"] providerName=cloudflare.acme routerName=traefik-secure@docker rule=Host(`traefik.mmci.work`)
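Added example, not part of the original post: a small Python triage script for Traefik/lego debug logs like the two above. It reports, per domain, whether the DNS-01 challenge reached "The server validated our request", whether Traefik skipped the propagation check, and the ACME error type returned by the CA. The sample lines are abridged from the production log above (source paths shortened), and the function names `triage` and `unvalidated` are hypothetical.

```python
import re

# Abridged from the production log above; source file paths are shortened.
SAMPLE = r"""
2024-07-16T00:02:29Z DBG logger.go:48 > [INFO] [*.mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-16T00:02:31Z DBG provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-16T00:02:37Z DBG logger.go:48 > [INFO] [mmci.work] acme: Trying to solve DNS-01 lib=lego
2024-07-16T00:02:39Z DBG provider.go:305 > Delaying 3000000000 rather than validating DNS propagation now. providerName=cloudflare.acme
2024-07-16T00:02:46Z DBG logger.go:48 > [INFO] [mmci.work] The server validated our request lib=lego
2024-07-16T00:02:47Z ERR provider.go:469 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mmci.work *.mmci.work]: error: one or more domains had a problem:\n[*.mmci.work] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mmci.work - check that a DNS record exists for this domain\n"
"""

TRY = re.compile(r"\[INFO\] \[(?P<d>[^\]]+)\] acme: Trying to solve DNS-01")
OK = re.compile(r"\[INFO\] \[(?P<d>[^\]]+)\] The server validated our request")
SKIP = "rather than validating DNS propagation now"
# The ERR line carries a literal backslash-n between per-domain errors.
ERR = re.compile(r"\[(?P<d>[^\]\s]+)\] acme: error: (?P<status>\d+) :: "
                 r"(?P<type>urn:ietf:params:acme:error:\w+) :: (?P<detail>.*?)(?:\\n|\"|$)")


def triage(log_text):
    """Return per-domain DNS-01 state and whether propagation checks were skipped."""
    domains, skipped = {}, False
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]  # leading RFC 3339 timestamp
        if SKIP in line:
            skipped = True
        if (m := TRY.search(line)):
            domains.setdefault(m["d"], {})["tried"] = ts
        elif (m := OK.search(line)):
            domains.setdefault(m["d"], {})["validated"] = ts
        elif (m := ERR.search(line)):
            domains.setdefault(m["d"], {})["error"] = (m["type"], m["detail"])
    return {"propagation_check_skipped": skipped, "domains": domains}


def unvalidated(report):
    """Domains whose challenge was attempted but never confirmed by the CA."""
    return sorted(d for d, s in report["domains"].items()
                  if "tried" in s and "validated" not in s)


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("propagation check skipped:", report["propagation_check_skipped"])
    print("never validated:", unvalidated(report))
```

Run against the full staging log, the same functions report both names as validated, which makes the difference between the two runs visible at a glance.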