Cannot get certificate with auroradns

I'm having some issues getting the acme certificate with Traefik. I hope someone can help me along.

The traefik.log gives me:

    time="2024-03-03T17:26:50+01:00" level=error msg="Unable to obtain ACME certificate for domains \"home.mydomain.com,*.home.mydomain.com\"" routerName=traefik-secure@docker providerName=auroradns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="unable to generate a certificate for the domains [home.mydomain.com *.home.mydomain.com]: error: one or more domains had a problem:\n[*.home.mydomain.com] [*.home.mydomain.com] acme: error presenting token: aurora: could not create record: Get \"/zones\": unsupported protocol scheme \"\"\n[home.mydomain.com] [home.mydomain.com] acme: error presenting token: aurora: could not create record: Get \"/zones\": unsupported protocol scheme \"\"\n" rule="Host(`traefik-dashboard.home.mydomain.com`)"

So, in particular, the issue seems to be the 'aurora: could not create record: Get "/zones": unsupported protocol scheme ""' part.

I have the following in my docker-compose file (via Portainix):

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.home.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=[USER:PASSWORD]"
      # - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.home.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=auroradns"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=home.mydomain.com"
      # - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

And in the traefik.yml file:

    certificatesResolvers:
      auroradns:
        acme:
          email: me@mydomain.com
          storage: "/etc/traefik/acme.json"
          dnsChallenge:
            provider: auroradns
            disablePropagationCheck: true
            resolvers:
              - "ip.ip.ip.ip"

The resolvers are set to the Aurora name servers that I can find. I also tried 8.8.8.8:53 and 1.1.1.1:53, but I'm not sure that's the issue.

Just to be clear, an acme.json file does get created, with quite a bit of information and a PrivateKey, but with "Certificates": null.

FWIW, my domain provider already has a LE certificate set up for mydomain.com, but I want to have local certificate(s) for home.mydomain.com and *.home.mydomain.com.

I would really appreciate some help in solving this. Thanks!

Did you create domain home.mydomain.com at the DNS provider?

Yes, I created an A record to lead back to my home IP address.

The thing is, I can access my home servers using HTTP, so all of that seems to work. I forwarded ports internally as well (ports 80 and 443 go to other ports on which Traefik is listening for 'external' connections). That seems to work as well (

It also seems to me, judging by the logging, that the DNS challenge 'passes'. I'm guessing that the next stage is the creation/retrieval of the certificate and that is what seems to fail for some strange reason.

Maybe some more logging information can help things to find out where the issue may be. In the traefik logging I see the following (timestamps removed for readability):

    level=debug msg="Looking for provided certificate(s) to validate [\"home.mydomain.com\"]..." providerName=auroradns.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
    time="2024-03-20T11:14:24+01:00" level=debug msg="Domains [\"home.mydomain.com\"] need ACME certificates generation for domains \"home.mydomain.com\"." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=auroradns.acme
    level=debug msg="Loading ACME certificates [home.mydomain.com]..." providerName=auroradns.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
    level=debug msg="Building ACME client..." providerName=auroradns.acme
    level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=auroradns.acme
    level=debug msg="Using DNS Challenge provider: auroradns" providerName=auroradns.acme
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: Obtaining bundled SAN certificate"
    level=debug msg="legolog: [INFO] [home.mydomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11720824594"
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: Could not find solver for: tls-alpn-01"
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: Could not find solver for: http-01"
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: use dns-01 solver"
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: Preparing to solve DNS-01"
    level=debug msg="legolog: [INFO] [home.mydomain.com] acme: Cleaning DNS-01 challenge"
    level=debug msg="legolog: [WARN] [home.mydomain.com] acme: cleaning up failed: aurora: unknown recordID for \"_acme-challenge.home.mydomain.com.\" "
    level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<redacted>"
    level=error msg="Unable to obtain ACME certificate for domains \"home.mydomain.com\"" routerName=traefik-secure@docker rule="Host(`traefik-dashboard.home.mydomain.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=auroradns.acme error="unable to generate a certificate for the domains [home.mydomain.com]: error: one or more domains had a problem:\n[home.mydomain.com] [home.mydomain.com] acme: error presenting token: aurora: could not create record: Get \"/zones\": unsupported protocol scheme \"\"\n"

So, in my noob opinion, it seems that the DNS challenge has succeeded (even though there's a warning about failing to clean up), but that getting the certificate is failing due to an 'unsupported protocol scheme ""'.

What I'd like to know is whether this is an 'error' in the AuroraDNS handling, am I doing something stupid (quite possible, but I'd love to learn what that is), or is there maybe an issue with Traefik, or the AuroraDNS driver, or ...???

In a related question: has anyone managed to use Traefik with AuroraDNS to get a Let's Encrypt certificate?

I've been trying to solve this for weeks but I'm getting nowhere fast (even with the help of my provider).

Please help me to get this set up! Thank you!

There seems to be no issue with auroradns provider (link).

Maybe you can try on the command line (doc).

"zones" in the LetsEncrypt error message usually indicates that a sub-domain hasn’t been created and is not found.

If by 'created' you mean that there's a DNS record pointing to it, then I can assure you that it has been created and is working. I have been able to access it via HTTP and can confirm that digging the address returns an A record to my IP.

But I can try the command line method. I'll report back on that experiment...

Just tried a manual certificate creation and I managed to get a result:

    [INFO] [home.mydomain.com] acme: Obtaining bundled SAN certificate
    [INFO] [home.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<redacted>
    [INFO] [home.mydomain.com] acme: Could not find solver for: tls-alpn-01
    [INFO] [home.mydomain.com] acme: Could not find solver for: http-01
    [INFO] [home.mydomain.com] acme: use dns-01 solver
    [INFO] [home.mydomain.com] acme: Preparing to solve DNS-01
    [INFO] [home.mydomain.com] acme: Trying to solve DNS-01
    [INFO] [home.mydomain.com] acme: Checking DNS record propagation using [<redacted>]
    [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
    [INFO] [home.mydomain.com] The server validated our request
    [INFO] [home.mydomain.com] acme: Cleaning DNS-01 challenge
    [INFO] [home.mydomain.com] acme: Validations succeeded; requesting certificates
    [INFO] [home.mydomain.com] Server responded with a certificate.

That, and a bunch of files in the .lego/certificates folder (.crt, .issuer.crt, .json, and .key files).

So, is Traefik then 'at fault' ???

BTW, I had to resort to using Arch Linux instead of Ubuntu, since apparently there's a 'bug' in the Debian package where a number of DNS resolvers (among which auroradns) have gone missing... And the package is out of date. Something along those lines...

Any ideas where I would go from here???

HOLD ON...

Think I fixed it... I was stupid enough (I think) to add the AURORA_ENDPOINT environment variable in the Traefik 'environment' config, pointing towards the API endpoint. I think the issue was that I was missing the protocol there (so missing the https:// from the URL)... Adding that (or even removing AURORA_ENDPOINT altogether from the environment) looks promising...

The experiments continue...
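The fix described above (a scheme-less AURORA_ENDPOINT) explains the exact log text, and the mechanism is worth seeing in working code. The Go program below is an added example, not code from this thread, from Traefik or from the lego AuroraDNS provider. It assumes a client that resolves a request path such as "/zones" against the configured base URL the way net/url's ResolveReference does; with that assumption, an endpoint like "api.auroradns.eu" parses as a relative path rather than a host, the "/zones" reference replaces it, and net/http rejects the resulting scheme-less request before any network I/O with the message from the log. It also shows the validation an operator or integration would want to run on an endpoint override before trusting it. The hostname "api.auroradns.eu" is used only as an illustrative value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// BuildZonesURL resolves the "/zones" request path against a configured
// endpoint. ASSUMPTION (for illustration): the API client joins base URL
// and path with net/url's ResolveReference; the real provider code is
// not reproduced here.
func BuildZonesURL(endpoint string) (string, error) {
	base, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	// A value without "https://" parses as a relative path, not a host, so
	// an absolute "/zones" reference simply replaces it: the scheme and host
	// stay empty and the client ends up requesting plain "/zones".
	return base.ResolveReference(&url.URL{Path: "/zones"}).String(), nil
}

// CheckEndpoint validates an operator-supplied endpoint override before it
// is used. It requires an https scheme and a non-empty host so that a
// misconfiguration fails at startup with a clear message rather than as
// an opaque transport error during the ACME challenge.
func CheckEndpoint(endpoint string) error {
	if endpoint == "" {
		return fmt.Errorf("empty endpoint: unset the override to use the provider default")
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("endpoint %q: %w", endpoint, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("endpoint %q: scheme %q is not allowed, expected https://", endpoint, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("endpoint %q: missing host", endpoint)
	}
	return nil
}

// RequestError issues a GET for rawURL and returns the error text, or ""
// on success. For a URL with no scheme, net/http's transport rejects the
// request before dialing, so this reproduces the thread's message offline.
func RequestError(rawURL string) string {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(rawURL)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return ""
}

func main() {
	// Constructed sample endpoint values: missing scheme, empty, and correct.
	for _, ep := range []string{"api.auroradns.eu", "", "https://api.auroradns.eu"} {
		u, _ := BuildZonesURL(ep)
		fmt.Printf("endpoint %q -> request URL %q, check: %v\n", ep, u, CheckEndpoint(ep))
	}
	// Only the scheme-less request is actually issued; it fails locally.
	fmt.Println(RequestError("/zones"))
}
```

Running it prints the request URL each endpoint value produces and, for the scheme-less one, `Get "/zones": unsupported protocol scheme ""`, the same text Traefik logged. The practical takeaway for configuration is that provider endpoint overrides should be left unset unless needed and, when set, validated as full https URLs.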