i am following this doc DNS Challenge - Traefik to setup docker traefik using the dns acme challenge for letsencrypt
i am able to have the certs generated by each service that request it dynamically and in the logs it shows
time="2021-08-09T21:21:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="Domains [\"redis.example.com\"] need ACME certificates generation for domains \"redis.example.com\"." rule="Host(`redis.example.com`)" routerName=redis@docker providerName=myresolver.acme
time="2021-08-09T21:21:27Z" level=debug msg="Loading ACME certificates [redis.example.com]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Obtaining bundled SAN certificate"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/233260818"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: tls-alpn-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: http-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: use dns-01 solver"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Preparing to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] cloudflare: new record for redis.example.com, ID 8da8eadd16f8e99c8b7ce8412f124ad7"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Trying to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2021-08-09T21:21:29Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2021-08-09T21:21:30Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Waiting for DNS record propagation."
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] The server validated our request"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Cleaning DNS-01 challenge"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Validations succeeded; requesting certificates"
time="2021-08-09T21:21:42Z" level=debug msg="legolog: [INFO] [redis.example.com] Server responded with a certificate."
time="2021-08-09T21:21:42Z" level=debug msg="Certificates obtained for domains [redis.example.com]" providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis@docker
time="2021-08-09T21:21:42Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) adminer.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) redis.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="No default certificate, generating one"
but am still getting TLS error when i visit the services endpoints redis.example.com
and adminer.example.com
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for adminer.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=websecure
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [adminer.example.com] found in HostSNI rule" providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [redis.example.com] found in HostSNI rule" routerName=redis@docker rule="Host(`redis.example.com`)" providerName=myresolver.acme
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"redis.example.com\"]." providerName=myresolver.acme routerName=redis@docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"adminer.example.com\"]..." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"adminer.example.com\"]." providerName=myresolver.acme routerName=adminer@docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57718: remote error: tls: unknown certificate"
here is content of ./letsencrypt/acme.json
{
"myresolver": {
"Account": {
"Email": "user@email.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:user@email.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/22820398"
},
"PrivateKey": "MIIJEjdXXXXX==",
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "adminer.example.com"
},
"certificate": "LS0tXXXXX==",
"key": "LS0tLXXXXX==",
"Store": "default"
},
{
"domain": {
"main": "redis.example.com"
},
"certificate": "LS0tLXXXX",
"key": "LS0tLXXXX",
"Store": "default"
}
]
}
}
so what am i missing or need to fix?
here is traefik_docker_compose.yaml
file
version: "3.9"
services:
traefik:
image: "traefik:v2.4"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=user@email.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
- "8080:8080"
env_file:
- ./.env.traefik
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
- traefik_network
networks:
traefik_network:
name: traefik_network
and adminer_docker_compose.yaml
file for example
version: '3.9'
services:
adminer:
image: adminer:latest
restart: always
container_name: adminer
networks:
- adminer_network
- traefik_network
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_network"
- "traefik.http.services.adminer.loadbalancer.server.port=8080"
- "traefik.http.routers.adminer.entrypoints=web"
- "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)"
- "traefik.http.routers.adminer.tls.certresolver=myresolver"
networks:
adminer_network:
name: adminer_network
traefik_network:
external:
name: traefik_network
how do i fix the TLS error?