Can't renew certificate due to 403 on directory/file .well-known

I'm using Traefik 1.7 on a production server. A server upgrade was recently made from Debian 8 to 10 (not 100% sure, but it's not relevant), and now auto-renewal of the certificate isn't working anymore.

This error happens now:

time="2023-12-05T10:25:05Z" level=error msg="Error renewing certificate from LE: {foo.com [www.foo.com foo.fr bar.fr]}, acme: Error -> One or more domains had a problem:\n[www.bar.fr] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - 51.91.60.00: Invalid response from http://www.dumont-securite.fr/.well-known/acme-challenge/X6lNGblGRuvEE41QoDRavdv0zchdWT_frVxQEbbxbUA: 403\n[www.foo.fr] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - 51.91.60.00: Invalid response from http://www.smsp.fr/.well-known/acme-challenge/2kDxVE_fjlzTtUE-O_IC9ae7EFtOzCjgZhfIYmOLDVc: 403\n"

Traefik TOML configuration:

checkNewVersion = false
InsecureSkipVerify = false

defaultEntryPoints = ["https","http"]

[log]
  level = "DEBUG"

[accessLog]
  logLevel = "INFO"

[traefikLog]
  filePath = "/var/log/traefik.log"

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[retry]
  attempts = 3

[docker]
  endpoint = "unix:///var/run/docker.sock"
  watch = true
  exposedbydefault = false

[api]
  entryPoint = "traefik"
  dashboard = true

# You will not need it if you use your custom certs
# This is used when you want to let traefik generate automatically your cert
[acme]
  email = "team@foo.fr"
  storage = "/acme.json"
  entryPoint = "https"
  onHostRule = true
  onDemand = false
  [acme.httpChallenge]
    entryPoint = "http"

And a part of the Docker configuration:

version: '3'
services:
  varnish:
    image: varnish:6
    container_name: varnish
    volumes:
      - "./docker/varnish/default.vcl:/etc/varnish/default.vcl"
    tmpfs:
      - /var/lib/varnish:exec
    environment:
      - VARNISH_SIZE=2G
    command: "-p default_keep=300"
    depends_on:
      - "web"
    links:
      - "web"
    labels:
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true
      - traefik.port=80
      - traefik.frontend.rule=Host:foo.com,www.foo.com,bar.fr

networks:
  default:
    external:
      name: reverseproxy

The project always worked for certificate renewal until this point. I can't find any information about .well-known: is it supposed to be in my application server (Symfony public directory?) or located near Traefik? Any help is welcome.

Hello,

Traefik v1 has been EOL for around 3 years, and it doesn't receive any security fixes. I recommend migrating to Traefik v2.

I'm fine with migrating; it's not normal to be so late, but I have to convince my client.

And upgrading it while it's not working does not seem optimal to me.

While at it, Debian 10 is EOL mid-2024; maybe upgrade that, too :)