Hey,
I'm trying to set up Traefik to create Let's Encrypt wildcard certificates with the DNS-01 challenge. After much testing I'm stuck with the following problem:
time="2023-01-22T10:18:13Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2023-01-22T10:18:13Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2023-01-22T10:18:14Z" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=le.acme
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Obtaining bundled SAN certificate"
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5050920663"
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Could not find solver for: tls-alpn-01"
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Could not find solver for: http-01"
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: use dns-01 solver"
time="2023-01-22T10:18:14Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Preparing to solve DNS-01"
time="2023-01-22T10:18:16Z" level=debug msg="legolog: [INFO] cloudflare: new record for whoami.mydomain.com, ID e9be0d82175d10510d86ddff7c3b11df"
time="2023-01-22T10:18:16Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Trying to solve DNS-01"
time="2023-01-22T10:18:17Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53]"
time="2023-01-22T10:18:27Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 20m0s, interval: 10s]"
time="2023-01-22T10:18:30Z" level=debug msg="legolog: [INFO] [whoami.mydomain.com] acme: Cleaning DNS-01 challenge"
time="2023-01-22T10:18:32Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5050920663"
time="2023-01-22T10:18:32Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami.mydomain.com\": unable to generate a certificate for the domains [whoami.mydomain.com]: error: one or more domains had a problem:\n[whoami.mydomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT record found at _acme-challenge.whoami.mydomain.com\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=whoami@docker rule="Host(`whoami.mydomain.com`)" providerName=le.acme
I can verify that the DNS records are being created on the provider side. The log suggests that the challenge record is deleted before a certificate is obtained. I tried with Cloudflare and DigitalOcean as DNS providers; the behaviour is the same.
My current docker-compose.yml:
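version: '3.7'

networks:
  web:
    external: true

services:
  traefik:
    image: traefik:2.9
    restart: always
    ports:
      # Quoted so no YAML parser can read a host:container pair as a number.
      - "80:80"
      - "443:443"
      # Nothing in this file listens on 8080: the api entrypoint only exists
      # when --api.insecure=true is set, which serves the dashboard without
      # authentication. Remove this mapping unless that is deliberate.
      - "8080:8080"
    networks:
      - web
    environment:
      # Keep the real token out of the committed file (env_file / .env);
      # a DNS API token can rewrite records for the whole zone.
      - CLOUDFLARE_DNS_API_TOKEN=REDACTED
      # lego propagation pre-check: poll every 10 s, give up after 1200 s.
      - CLOUDFLARE_POLLING_INTERVAL=10
      - CLOUDFLARE_PROPAGATION_TIMEOUT=1200
    command:
      # DEBUG output includes ACME account/challenge details; lower it once fixed.
      - --log.level=DEBUG
      - --api=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=le
      # Wildcard for the zone; re-enable once the DNS-01 challenge succeeds.
      # - --entrypoints.websecure.http.tls.domains[0].main=mydomain.com
      # - --entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.com
      - --providers.docker.exposedByDefault=false
      # Flag-name casing is not significant to Traefik; one casing is used
      # throughout for readability.
      - --certificatesResolvers.le.acme.dnsChallenge=true
      - --certificatesResolvers.le.acme.email=REDACTED
      - --certificatesResolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare
      # These resolvers serve only the local pre-check. The CA queries the
      # zone's authoritative nameservers itself, so a passing pre-check does
      # not guarantee the CA will find the _acme-challenge TXT record.
      - --certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      # Staging CA: issued certificates are not browser-trusted. Switch to the
      # production directory only after issuance works, to avoid rate limits.
      - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    volumes:
      # acme.json holds the ACME account key and certificate private keys;
      # it must stay mode 600 and out of version control.
      - ./letsencrypt:/letsencrypt
      # ':ro' only makes the socket file read-only; the Docker API reached
      # through it still gives full control of the host's daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
      - traefik.http.services.whoami.loadbalancer.server.port=80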