Can't get certificates through DNS-01

Hi!

I'm trying to get a wildcard certificate for my domain (example.com) with no luck so far.

docker-compose.yml:

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.5
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config/traefik.yml:/etc/traefik/traefik.yml
      - ./acme/acme.json:/etc/traefik/acme.json
    environment:
      - NJALLA_TOKEN=[token]
    labels:
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.tls.domains[0].main=example.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik.service=api@internal"
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=pubsec"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"

config/traefik.yml:

api:
  insecure: true

log:
  level: DEBUG

providers:
  docker: {}

certificatesResolvers:
  le:
    acme:
      email: [email]
      storage: /etc/traefik/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: njalla
        resolvers:
          - "8.8.8.8:53"
          - "1.1.1.1:53"

entryPoints:
  pub:
    address: ":80"

  pubsec:
    address: ":443"

relevant logs:

reverse-proxy_1  | time="2022-01-15T10:00:23Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
reverse-proxy_1  | time="2022-01-15T10:00:25Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Cleaning DNS-01 challenge"
reverse-proxy_1  | time="2022-01-15T10:00:26Z" level=debug msg="legolog: [INFO] [example.com] acme: Cleaning DNS-01 challenge"
reverse-proxy_1  | time="2022-01-15T10:00:26Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/[redacted]"
reverse-proxy_1  | time="2022-01-15T10:00:27Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/[redacted]"
reverse-proxy_1  | time="2022-01-15T10:00:27Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]: error: one or more domains had a problem:\n[*.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.example.com - the domain's nameservers may be malfunctioning\n[example.com] time limit exceeded: last error: NS 1-you.njalla.no. did not return the expected TXT record [fqdn: _acme-challenge.example.com., value: [redacted]]: [redacted]\n" providerName=le.acme

Before cleaning I can see the created TXT records, so I'm not sure what the problem is.

Hello,

You have to know that Let's Encrypt performs DNS validations on 2 DNS servers.

During secondary validation, the DNS called by LE seems to have a problem (SERVFAIL).

So maybe you have to wait a bit and try again later.

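The reply above narrows the question down to what each nameserver actually answers: does it return the challenge TXT record, or does it SERVFAIL like the secondary validation did? The following is an added example, not code from this thread, Traefik or lego: a stdlib-only Python checker that sends a raw TXT query to each listed server and reports the RCODE it gets back, so the zone's authoritative servers (1-you.njalla.no. in the log) and the resolvers from traefik.yml can be compared while the record is still in place. The 203.0.113.x addresses are constructed placeholders for the zone's own NS addresses.

```python
import random, socket, struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035 section 4.1.1

def build_query(fqdn, qid=None):  # minimal query for the TXT record (QTYPE 16, IN), RD set
    qid = random.randrange(65536) if qid is None else qid
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 16, 1)

def _skip_name(msg, off):  # advance past a name; a 0xC0 compression pointer ends it in 2 bytes
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt_response(msg):  # returns (rcode_name, [txt strings]) from a raw DNS response
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off, txts = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        pos = off
        while rtype == 16 and pos < off + rdlen:  # TXT rdata is a run of <len><chars> strings
            txts.append(msg[pos + 1:pos + 1 + msg[pos]].decode(errors="replace"))
            pos += 1 + msg[pos]
        off += rdlen
    return rcode, txts

def query_txt(server, fqdn, timeout=3.0):  # ask one nameserver directly over UDP/53 (needs network)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(fqdn), (server, 53))
        response, _ = sock.recvfrom(4096)
    return parse_txt_response(response)

def check_propagation(fqdn, expected, servers, query=query_txt):
    # Per server: "ok" when the expected challenge value is visible, else the RCODE that came back.
    report = {}
    for server in servers:
        try:
            rcode, txts = query(server, fqdn)
            report[server] = "ok" if expected in txts else rcode + ", expected TXT missing"
        except OSError as exc:  # socket.timeout is an OSError subclass
            report[server] = "unreachable: %s" % exc
    return report
```

Call check_propagation("_acme-challenge.example.com", "<value from the lego log>", ["203.0.113.1", "203.0.113.2", "8.8.8.8", "1.1.1.1"]) while the challenge record exists; a SERVFAIL from a server that should be authoritative reproduces exactly what Let's Encrypt saw.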

Sometimes even the first check fails, but I guess I'll try again tomorrow. (It wasn't working 12h ago either, though.)

I solved the issue!
