Cannot get ACME client get directory - dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving

Hey there,

I might be too dumb to configure traefik.

I get the following error:

time="2024-01-03T13:43:10Z" level=error msg="Unable to obtain ACME certificate for domains \"pyload.dyn.example.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving" routerName=pyload@docker providerName=letsencrypt.acme rule="Host(`pyload.dyn.example.com`)"

I guess this is the key here: 127.0.0.11:53: server misbehaving

My setup looks like this:
I am running traefik on a RasPi behind a Fritzbox as router and with a pi-hole on the RasPi as well.
My goal is to run multiple services on the RasPi and use traefik as reverse proxy with SSL.
But so far I am not lucky at all.
This is my config:

docker-compose.yml of traefik:

version: "2.1"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.2
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/etc/traefik/traefik.yml
      - ./config/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.dyn.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
    extra_hosts:
      - host.docker.internal:172.17.0.1

The traefik.yml

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
    network: pi_default

certificatesResolvers:
  letsencrypt:
    acme:
      email: mail@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

docker-compose.yml of pyload:

version: "2.1"
services:
  pyload-ng:
    image: lscr.io/linuxserver/pyload-ng:latest
    container_name: pyload-ng
    network_mode: 'host'
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - ./config:/config
      - /media/terrastore/downloads:/downloads
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pyload.rule=Host(`pyload.dyn.example.com`)"
      - "traefik.http.routers.pyload.entrypoints=websecure"
      - "traefik.http.routers.pyload.tls=true"
      - "traefik.http.routers.pyload.tls.certresolver=letsencrypt"
      - "traefik.http.services.pyload.loadbalancer.server.port=8000"

Any idea what I did wrong here?

Port 53 is DNS so the DNS resolution is probably not working inside Traefik container.

Why do you use a multi-year old Traefik version?

Do you know what you are doing with this?

extra_hosts:
  - host.docker.internal:172.17.0.1

Well, I just copied that from a website without checking the version. My bad.

In my other Docker containers I did not specify a network, so I used network_mode: 'host'.
In order to do so, I needed this extra_hosts line to make everything work. At least that's what I thought.

What might be the cause of the DNS resolution error? Is this really inside of Traefik or might this have something to do with pi-hole?

Maybe check and compare to this simple Traefik example.

I just did and got the same error:

traefik-traefik-1  | 2024-01-03T17:58:29Z ERR Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.dyn.example.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.dyn.example.com`)

I added a DNS Server to the docker-compose of traefik manually.
Now the error has changed:

traefik-traefik-1  | 2024-01-03T18:22:17Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.dyn.example.com]: error: one or more domains had a problem:\n[traefik.dyn.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2a02:810b:0:9:40c7: Error getting validation data\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.dyn.example.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.dyn.example.com`)

Does traefik.dyn.example.com point to the IP of your node with the Traefik instance?

Yes, I have a wildcard for *.dyn.example.com

This is the nslookup

nslookup traefik.dyn.example.com
Server:		10.10.1.27
Address:	10.10.1.27#53

Non-authoritative answer:
traefik.dyn.example.com 	canonical name = xxx.myfritz.net.
Name:	xxx.myfritz.net
Address: 77.xx.xx.xx
Name:	xxx.myfritz.net
Address: 2a02:xxxx:x:x:xxxx:xxxx:xxxx:xxxx

Ports 80, 443 and 8080 get directed to the RasPi.

What do you mean by you "have a wildcard" for *.dyn.example.com? Was it created by Traefik LetsEncrypt and can now be found in acme.json?

Sorry, I was not talking about wildcard certificates. I should have been clearer on that.
I mean that I have a wildcard DNS A record for the domain.
So all subdomains of dyn.example.com will be redirected to my router and with that to my RasPi.

Try the simple Traefik example on your Pi.

I already did that, yesterday with the same results.

This is my current docker-compose.yml


services:
  traefik:
    image: traefik:v3.0
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.dyn.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

    dns:
      - 8.8.8.8
      - 1.1.1.1

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.dyn.example.com`) || Host(`www.whoami.dyn.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

And this is the error I get:

traefik-traefik-1  | 2024-01-03T18:22:17Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.dyn.example.com]: error: one or more domains had a problem:\n[traefik.dyn.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2a02:810b:0:9:40c7: Error getting validation data\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.dyn.example.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.dyn.example.com`)

Seems Traefik LetsEncrypt is trying to validate the token itself via an IPv6 address first.

Does traefik.dyn.example.com have an IPv6 address and is it pointing to Fritzbox/Traefik?

Have you tried to access https://traefik.dyn.example.com with your browser?

OK, so I just found out that I might have to reconfigure the port forwarding of the Fritzbox in order to direct traffic on ports 80 and 443 to the RasPi.

I just made some changes on the Fritzbox as well as on the DNS record of the domain.
I will update as soon as I have results.

Alright, I am able to get access to traefik and whoami through the domains.
However, it only works with the Traefik certificate and not with Let's Encrypt.

I am still getting the following error:

traefik-traefik-1  | 2024-01-04T18:38:12Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.dyn.example.com]: error: one or more domains had a problem:\n[traefik.dyn.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2a02:8106:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: Error getting validation data\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.dyn.example.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.dyn.example.com`)

Traefik is resolving the domain to an IPv6 address and then trying to connect to verify; that doesn't work.
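The two error shapes in this thread (the lookup failure against 127.0.0.11:53 and the 400 `urn:ietf:params:acme:error:connection` against an IPv6 address) can be told apart mechanically. The script below is an added example, not code from the thread or from the Traefik project: it parses both kinds of Traefik ACME log line, says which side of the exchange failed, and, given a hostname, probes every published A/AAAA address on ports 80 and 443 the way the CA would, so an unreachable IPv6 address shows up before the next certificate attempt. The two log samples are constructed copies of the lines quoted above with the repeated fields trimmed; `resolve_addresses`, `tcp_reachable`, `validation_report` and `blocking_addresses` are names chosen here.

```python
import ipaddress
import re
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed copies of the two error lines quoted in this thread (repeated fields trimmed,
# addresses as the thread shows them).
SAMPLE_LOGS = [
    r'''time="2024-01-03T13:43:10Z" level=error msg="Unable to obtain ACME certificate for domains \"pyload.dyn.example.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: server misbehaving" routerName=pyload@docker''',
    r'''2024-01-03T18:22:17Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.dyn.example.com]: error: one or more domains had a problem:\n[traefik.dyn.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2a02:810b:0:9:40c7: Error getting validation data\n" providerName=myresolver.acme''',
]

# "dial tcp: lookup <name> on <resolver>: <reason>": the client could not even resolve the CA.
DNS_RE = re.compile(r'lookup (?P<name>[^\s:]+) on (?P<resolver>\S+?): (?P<reason>[^"\\]+)')
# "[<domain>] acme: error: <status> :: <type> :: <address>: <detail>": the CA could not validate us.
VALIDATION_RE = re.compile(
    r'\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: '
    r'(?P<type>urn:ietf:params:acme:error:[A-Za-z]+) :: (?P<addr>[0-9A-Fa-f:.]+): (?P<detail>[^"\\]+)'
)


@dataclass
class AcmeFailure:
    kind: str                  # "resolver" (client side) or "validation" (CA side)
    domain: Optional[str]
    resolver: Optional[str]
    address: Optional[str]
    family: Optional[str]
    detail: str


def address_family(addr: str) -> str:
    try:
        return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
    except ValueError:
        # The thread's log shows a shortened IPv6 literal, so fall back on the separator.
        return "IPv6" if ":" in addr else "unknown"


def parse_acme_error(line: str) -> Optional[AcmeFailure]:
    m = DNS_RE.search(line)
    if m:
        return AcmeFailure("resolver", None, m["resolver"], None, None,
                           f"lookup of {m['name']} failed: {m['reason'].strip()}")
    m = VALIDATION_RE.search(line)
    if m:
        addr = m["addr"]
        return AcmeFailure("validation", m["domain"], None, addr, address_family(addr), m["detail"].strip())
    return None


def diagnose(f: AcmeFailure) -> str:
    if f.kind == "resolver":
        if f.resolver.startswith("127.0.0.11"):
            return ("Docker's embedded DNS (127.0.0.11) failed; it forwards external names to the host's "
                    "resolvers, so the container cannot reach the ACME directory. Fix the upstream resolver "
                    "or give the service explicit 'dns:' servers.")
        return f"DNS lookup via {f.resolver} failed: {f.detail}"
    if f.family == "IPv6":
        return (f"The CA tried the AAAA address {f.address} of {f.domain} first and could not reach the "
                "challenge port. Forward 80/443 over IPv6 to the host, drop the AAAA record, or use the "
                "DNS challenge, which needs no inbound connection.")
    return f"The CA could not reach {f.address} for {f.domain}: {f.detail}"


def resolve_addresses(host: str) -> list:
    """All A/AAAA answers for host as (family, address) pairs."""
    found = set()
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        found.add(("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0]))
    return sorted(found)


def tcp_reachable(address: str, port: int, timeout: float = 3.0) -> bool:
    fam = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
            return True
    except OSError:
        return False


def validation_report(host: str, ports=(80, 443), resolve: Callable = resolve_addresses,
                      probe: Callable = tcp_reachable) -> dict:
    """Map (family, address, port) -> reachable, for every address the CA could pick."""
    return {(fam, addr, port): probe(addr, port) for fam, addr in resolve(host) for port in ports}


def blocking_addresses(report: dict) -> list:
    """Addresses with at least one closed challenge port; these will make the CA fail validation."""
    return sorted({(fam, addr) for (fam, addr, _), ok in report.items() if not ok})


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        failure = parse_acme_error(line)
        print(failure.kind, "->", diagnose(failure))
    if len(sys.argv) > 1:  # live probe of a real hostname, e.g. traefik.dyn.example.com
        print("blocking:", blocking_addresses(validation_report(sys.argv[1])))
```

Run it with a hostname to probe the live A/AAAA records; `validation_report` takes the resolver and probe as callables so the logic can be unit-tested without network access.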

Alright, I switched from tls-challenge to dns-challenge and now it's working.

You are welcome, always happy to help and spend my time here :smiley:


Thank you so much :smiley:
That was really helpful
