Cannot create/renew ACME certificate: "Cannot get ACME client get directory"

peperunas · October 19, 2019, 9:27am

Hello everyone.

One of my domain's ACME certificates expired and I noticed I wasn't able to connect to my service anymore.

I took a look at the logs and it seems that this is the culprit:

cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 172.65.32.248:443: i/o timeout"

I want to note that I haven't changed my configuration.

This is my traefik.toml:

logLevel= "DEBUG"
# defaultEntryPoints must be at the top because it should not be in any table below
defaultEntryPoints = ["http", "https"]

[web]
# Port for the status page
address = ":8080"

# Entrypoints, http and https
[entryPoints]

# http should be redirected to https
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"

# https is the default
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]

# Enable ACME (Let's Encrypt): automatic SSL
[acme]
# caServer = "https://acme-staging.api.letsencrypt.org/directory"
email = "test@example.com"
storage = "/etc/traefik/acme/acme.json" # or "traefik/acme/account" if using KV store
entryPoint = "https"
OnHostRule = true
onDemand = false

[acme.httpChallenge]
entryPoint = "http"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
exposedbydefault = false

I have also tried to use tlsChallenge to no avail. It seems that traefik's container is not able to connect to the internet for some reason.

Thank you very much!

dduportal · October 20, 2019, 3:19pm

Hi @peperunas, as you guessed, Traefik container is not able to reach the internet. This problem is related to your infrastructure, not to Traefik, as the error message i/o timeout comes from your kernel (Traefik asked to kernel to establish a connection, and the kernel answered i/O timeout).

You need to provide more elements, as trying to analysis partial configuration is not really doable
What is the "container" system you are using? On which kind of machine? With which OS? etc.
What does your network look like? Is there a proxy or a network firewall?

Some clues:

Try to restart the Docker Engine, which will reset any iptables rules (assuming you are using Docker on Linux)
Try to restart your whole machine
Try to disable (temporarly) the firewall of your machine to verify that it fixes the issue

Hope it helps

peperunas · October 28, 2019, 10:50am

I had to reset all the docker networks to solve this problem. I noticed that every container on my system wasn't connected to the internet. I have no idea what could have caused this!

Thank you for your support!

hils · January 26, 2023, 3:19am

Hi @peperunas do you mind to explain what's exact step by step you did to solve this issue

system · January 29, 2023, 3:19am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sudden ACME error Traefik v1 docker , letsencrypt-acme	2	1386	October 2, 2019
Unable to obtain ACME certificate for domains/cannot get ACME client get directory at 'acme-v02.api.letsencrypt.org/directory': Get \"acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on {ip}: server misbehaving" Traefik v2 docker , letsencrypt-acme	8	617	March 23, 2024
Unable to obtain ACME certificate despite setting challenge Traefik v1 docker , letsencrypt-acme	1	4774	July 18, 2019
Dockers Unable to obtain ACME certificate for domains Traefik v2 docker	2	2277	December 4, 2020
Cannot get ACME client ACME challenge not specified Traefik v2 letsencrypt-acme	5	5727	October 21, 2020

Cannot create/renew ACME certificate: "Cannot get ACME client get directory"

Related topics