Certs generated but getting TLS error with docker traefik letsencrypt dnschallenge

I am following this doc, DNS Challenge - Traefik, to set up Docker Traefik using the DNS ACME challenge for Let's Encrypt.

I am able to have the certs generated dynamically by each service that requests them, and the logs show:

time="2021-08-09T21:21:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="Domains [\"redis.example.com\"] need ACME certificates generation for domains \"redis.example.com\"." rule="Host(`redis.example.com`)" routerName=redis@docker providerName=myresolver.acme
time="2021-08-09T21:21:27Z" level=debug msg="Loading ACME certificates [redis.example.com]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Obtaining bundled SAN certificate"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/233260818"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: tls-alpn-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: http-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: use dns-01 solver"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Preparing to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] cloudflare: new record for redis.example.com, ID 8da8eadd16f8e99c8b7ce8412f124ad7"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Trying to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2021-08-09T21:21:29Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2021-08-09T21:21:30Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Waiting for DNS record propagation."
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] The server validated our request"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Cleaning DNS-01 challenge"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Validations succeeded; requesting certificates"
time="2021-08-09T21:21:42Z" level=debug msg="legolog: [INFO] [redis.example.com] Server responded with a certificate."
time="2021-08-09T21:21:42Z" level=debug msg="Certificates obtained for domains [redis.example.com]" providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:42Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) adminer.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) redis.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="No default certificate, generating one"

But I am still getting a TLS error when I visit the service endpoints redis.example.com and adminer.example.com:

time="2021-08-09T21:21:44Z" level=debug msg="Adding route for adminer.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=websecure
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [adminer.example.com] found in HostSNI rule" providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [redis.example.com] found in HostSNI rule" routerName=redis@docker rule="Host(`redis.example.com`)" providerName=myresolver.acme
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"redis.example.com\"]." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"adminer.example.com\"]..." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"adminer.example.com\"]." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57718: remote error: tls: unknown certificate"

Here is the content of ./letsencrypt/acme.json:

{
  "myresolver": {
    "Account": {
      "Email": "user@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:user@email.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/22820398"
      },
      "PrivateKey": "MIIJEjdXXXXX==",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "adminer.example.com"
        },
        "certificate": "LS0tXXXXX==",
        "key": "LS0tLXXXXX==",
        "Store": "default"
      },
      {
        "domain": {
          "main": "redis.example.com"
        },
        "certificate": "LS0tLXXXX",
        "key": "LS0tLXXXX",
        "Store": "default"
      }
    ]
  }
}

So what am I missing or need to fix?

Here is the traefik_docker_compose.yaml file:

version: "3.9"

services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    env_file:
      - ./.env.traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_network

networks:
  traefik_network:
    name: traefik_network

And the adminer_docker_compose.yaml file, for example:

version: '3.9'

services:
  adminer:
    image: adminer:latest
    restart: always
    container_name: adminer
    networks:
      - adminer_network
      - traefik_network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
      - "traefik.http.routers.adminer.entrypoints=web"
      - "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)"
      - "traefik.http.routers.adminer.tls.certresolver=myresolver"

networks:
  adminer_network:
    name: adminer_network
  traefik_network:
    external:
      name: traefik_network

How do I fix the TLS error?

You're still using the staging servers. Clear/Drop the acme.json and switch to the production LE servers.

The staging servers do not work live at all?
Wish I had seen or read this somewhere, or better yet, that the error message told me.

Succeeded, but please switch to prod.

Will switch now and see what happens.

Worked by switching away from the staging servers, so the configuration and setup work fine.
Thanks @cakiwi


They work in so far as they will complete certificate issuance and have looser rate limits, so users can complete/test their configuration without locking themselves out of LE for a week.

But no, they are not trusted.

@cakiwi

What if I want to expose Traefik itself so I can view it in a browser, how do I do that?
Pretty much the same way it routes services; I would like to route to the Traefik dashboard.

Check the documentation/example:

Dashboard - Traefik.

Very much the same as a regular router, except you set the service label to api@internal.
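
Putting the two answers in this thread together (the production caserver plus an acme.json wipe, and a dashboard router whose service is api@internal), here is an added example of the traefik service from the compose file posted above; it is not code from the thread or from the Traefik docs. Assumptions: traefik.example.com is the dashboard hostname the asker suggested, and the basicauth user and hash are placeholders.

```yaml
# Added example (not from the thread): traefik service with the thread's two fixes applied.
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      # Was "--api.insecure=true", which serves the dashboard unauthenticated on :8080;
      # keep the API enabled but publish it only through the authenticated router below.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      # The thread's problem: acme-staging-v02 issues certificates browsers do not trust
      # ("tls: unknown certificate"). Point the resolver at production and delete
      # ./letsencrypt/acme.json first, so the staging account and certificates are not reused.
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      # "8080:8080" dropped: the dashboard is reached through the router below instead.
    env_file:
      - ./.env.traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_network
    labels:
      - "traefik.enable=true"
      # Dashboard router: same shape as the adminer router, but its service is the
      # built-in api@internal and it listens only on the TLS entrypoint.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # Placeholder htpasswd entry (generate a real one with `htpasswd -nB admin`);
      # every "$" in the hash must be doubled to "$$" inside a compose file.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HTPASSWD_HASH"

networks:
  traefik_network:
    name: traefik_network
```

After the switch, a browser reaching https://traefik.example.com should present a certificate issued by Let's Encrypt rather than the staging CA, and prompt for the basicauth credentials before showing the dashboard.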

Mind helping a bit better? Nothing shows using Docker in the documentation.
I posted my full traefik_docker_compose.yaml file already.

Would you be kind enough to just help add what labels I need for, let's say, traefik.example.com?

Thanks

I missed the drop-down at the dynamic configuration part... not sure why that is collapsed by default, but my fault.

Thanks
