Certificate won't renew

Hello,
I have an issue with my Traefik.

It worked for a couple of months, but now it is unable to renew any of my certificates.

Here is my config.

compose.yml

services:
  traefik:
    env_file:
      - ./.env
    environment:
      - TZ=Europe/Paris
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_ZONE_API_TOKEN=${CF_ZONE_API_TOKEN}
      - LEGO_CA_CERTIFICATES=/etc/ssl/my_ca.crt
      - LEGO_CA_SERVER_NAME=${LEGO_CA_SERVER_NAME}
    command:
      - --accesslog.fields.names.StartUTC=drop
    build:
      context: .
      dockerfile_inline: |
        FROM traefik:3.1.4
        RUN apk --no-cache add openssh-client
    hostname: ${HOST_NAME}
    container_name: ${CONTAINER_NAME}
    image: ${TRAEFIK_IMAGE}
    ports:
      - 80:80
      - 443:443
      - 9443:9443
      - 8080:8080
    restart: always
    volumes:
      - /home/docker/traefik/ssh:/root/.ssh:ro
      - /home/docker/traefik/etc/traefik.yml:/etc/traefik/traefik.yml
      - /home/docker/traefik/etc/conf.d:/etc/traefik/conf.d
      - /home/docker/traefik/etc/ssl/root_ca.crt:/etc/ssl/my_ca.crt:ro
      - /home/docker/traefik/etc/acme/acme.json:/etc/traefik/acme/acme.json
      - /home/docker/traefik/etc/acme/stepca.json:/etc/traefik/acme/stepca.json
      - /home/docker/traefik/log:/log
    labels:
      - wud.tag.include=^\d+\.\d+\.\d+$$
      - wud.tag.transform=^(\d+\.\d+\.\d+)(?:-.*)*$$ => $$1 

traefik.yml

################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################

################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################

# EntryPoints definition
#
# Optional
#
entryPoints:
  web:
    address: :80
#    http:
#      redirections:
#        entrypoint:
#          to: websecure
#          scheme: https

  websecure:
    address: :443

  management:
    address: :9443

  syncrelay:
    address: :8080

################################################################
# Traefik logs configuration
################################################################

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: WARN

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath: /log/traefik.log

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  format: common

################################################################
# Access logs configuration
################################################################

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
  # Sets the file path for the access log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath: /log/access.txt

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  format: common

################################################################
# API and dashboard configuration
################################################################

# Enable API and dashboard
#
# Optional
#
api:
  # Enable the API in insecure mode
  #
  # Optional
  # Default: false
  #
  insecure: false

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard: true

################################################################
# Ping configuration
################################################################

# Enable ping
#ping:
  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
#  entryPoint: traefik

################################################################
# Docker configuration backend
################################################################

providers:
  # Enable Docker configuration backend
  docker:
    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
    #
    # Required
    # Default: "unix:///var/run/docker.sock"
    #
#    endpoint: unix:///var/run/docker.sock
    endpoint: ssh://remote-docker@192.168.1.41:666

    # Default host rule.
    #
    # Optional
    # Default: "Host(`{{ normalize .Name }}`)"
    #
    defaultRule: Host(`192.168.1.41`)

    # Expose containers by default in traefik
    #
    # Optional
    # Default: true
    #
    exposedByDefault: false
  file:
    directory: /etc/traefik/conf.d
    watch: true

################################################################
# Let's Encrypt configuration
################################################################
certificatesResolvers:
  letsencrypt:
    acme:
      # Staging
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # Production
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: redacted
      storage: /etc/traefik/acme/acme.json
#      httpChallenge:
#        entryPoint: web
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
  localca:
    acme:
      caServer: "https://ca.intranet.myfirstdomain.fr:9010/acme/acme/directory"
      email: "redacted"
      storage: /etc/traefik/acme/stepca.json
      certificatesDuration: 168
      tlsChallenge: true
      httpChallenge:
        entrypoint: web

One of my sites whose certificate won't renew:

http:
  routers:
    gotify:
      rule: Host(`gotify.mydomain.win`)
      entryPoints:
        - websecure
      middlewares:
        - default@file
      tls:
        certResolver: letsencrypt
        options: modern@file
      service: gotify

  services:
    gotify:
      loadbalancer:
        servers:
          - url: "http://192.168.1.41:5858"

I tried to remove the certificate from the acme.json file and restart Traefik.
In the log I have these errors:

2024-10-02T19:54:27+02:00 ERR Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate is valid for acme-v02-1.api.letsencrypt.org, acme-v02-2.api.letsencrypt.org, acme-v02-3.api.letsencrypt.org, acme-v02-4.api.letsencrypt.org, acme-v02-5.api.letsencrypt.org, acme-v02.api.letsencrypt.org, not ca.intranet.myfirstdomain.fr" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["gotify.mydomain.win"] providerName=letsencrypt.acme routerName=gotify@file rule=Host(`gotify.mydomain.win`)
2024-10-02T19:54:29+02:00 ERR Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate is valid for acme-v02-1.api.letsencrypt.org, acme-v02-2.api.letsencrypt.org, acme-v02-3.api.letsencrypt.org, acme-v02-4.api.letsencrypt.org, acme-v02-5.api.letsencrypt.org, acme-v02.api.letsencrypt.org, not ca.intranet.myfirstdomain.fr" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["gotify.mydomain.win"] providerName=letsencrypt.acme routerName=gotify@file rule=Host(`gotify.mydomain.win`)

I also tried to completely remove the step-ca configuration, but nothing works.

Do you have any clue about what I'm missing to solve my issue? My certificate is about to expire.

I think I solved my problem by removing these lines from my compose.yml:

      - LEGO_CA_CERTIFICATES=/etc/ssl/my_ca.crt
      - LEGO_CA_SERVER_NAME=${LEGO_CA_SERVER_NAME}

And, as I have env: in my compose.yml, I removed the same lines from my .env file.

The certificates were generated just after I accessed the site.

I added these lines after following a tutorial to add step-ca to my config. As I was unable to find any information about these two environment variables, I thought this was fine. But it was not. I understood it with the log in DEBUG, and by looking at the code in the GitHub repo, in file pkg/provider/acme/provider.go line 394.
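The error in the log ("certificate is valid for acme-v02.api.letsencrypt.org ..., not ca.intranet.myfirstdomain.fr") is a plain TLS hostname-verification failure: the Let's Encrypt server's certificate was checked against the step-ca hostname. lego takes the `ServerName` of its ACME HTTP client's `tls.Config` from `LEGO_CA_SERVER_NAME` (and the trusted roots from `LEGO_CA_CERTIFICATES`), and both are process-wide, so they apply to every resolver in the same Traefik, not only to the step-ca one. The program below is an added example, not code from the post or from Traefik/lego; it reproduces that failure mode offline with a throwaway self-signed certificate and constructed hostnames (`acme-v02.api.example` standing in for Let's Encrypt, `ca.intranet.example` for the private CA), verifying the same listener once with the ServerName override and once with the correct name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostnames constructed for this demo; they stand in for the real Let's Encrypt
// endpoint and for the poster's step-ca host.
const (
	acmeHost   = "acme-v02.api.example"
	stepCAHost = "ca.intranet.example"
)

// selfSignedCert mints a throwaway self-signed certificate whose only SAN is host.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// probe starts a local TLS listener presenting serverCert, then dials it with a
// client that trusts roots and verifies the certificate against serverName.
// This mirrors what lego's HTTP client does with the ServerName it takes from
// LEGO_CA_SERVER_NAME. It returns the client's handshake error, nil on success.
func probe(serverCert tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		// Drive the server side of the handshake so the client receives the certificate.
		_ = conn.(*tls.Conn).Handshake()
		conn.Close()
	}()
	client := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunProbes verifies the same "Let's Encrypt" listener twice: withOverride checks
// its certificate against the step-ca hostname (what a global LEGO_CA_SERVER_NAME
// does), withoutOverride against the host actually being connected to.
func RunProbes() (withOverride, withoutOverride error) {
	acmeCert, err := selfSignedCert(acmeHost)
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(acmeCert.Leaf)
	withOverride = probe(acmeCert, roots, stepCAHost)
	withoutOverride = probe(acmeCert, roots, acmeHost)
	return withOverride, withoutOverride
}

func main() {
	withOverride, withoutOverride := RunProbes()
	fmt.Printf("ServerName overridden to %s: %v\n", stepCAHost, withOverride)
	fmt.Printf("ServerName left as %s: %v\n", acmeHost, withoutOverride)
}
```

The first probe fails with an `x509.HostnameError` whose message has the same shape as the one in the log, the second succeeds. The practical consequence is the one the thread arrived at: because the override and the custom root pool are set per process, a single Traefik instance that talks to both a public ACME CA and a private one cannot scope them to the private resolver; if the private CA's certificate already carries its real hostname, no ServerName override is needed at all.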
