I built Traefik for OpenWrt and installed the package on the main router.
I set up some services, but when I enabled HTTPS (with DNS challenge, Cloudflare) I get:
2024-09-08T23:36:18Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:469 > Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["REDACTED","*.REDACTED"] providerName=staging.acme routerName=ds224@file rule=Host(`REDACTED`)
Config for staging resolvers:
certificatesResolvers:
  staging:
    acme:
      email: mariusz@fidano.pl
      storage: /etc/traefik/letsencrypt/staging.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
serversTransport:
  insecureSkipVerify: true
Traefik works as a system service, not in Docker.
However, if I run curl -Iv https://acme-staging-v02.api.letsencrypt.org/directory
then I get 200:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET /directory HTTP/2
> Host: acme-staging-v02.api.letsencrypt.org
> User-Agent: curl/8.7.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200
< server: nginx
< date: Sun, 08 Sep 2024 23:46:59 GMT
< content-type: application/json
< content-length: 820
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
Any ideas?