DNS challenge (Namecheap) stuck waiting for propagation, propagation looks fine

Pulling my hair out trying to get the dnsChallenge working with Namecheap. Does anyone see what the issue is here?

The TXT record is being created as expected. nslookup shows propagation from within the container, but the Traefik log just repeats "Waiting for propagation" every 15 seconds.

I have substituted traefik.example.com for the actual FQDN I have been testing with below.

Checking propagation

# docker-compose exec traefik nslookup -q=TXT _acme-challenge.traefik.example.com
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
_acme-challenge.traefik.example.com text = "9...4"

traefik.log

time="2020-07-26T05:45:58Z" level=debug msg="Using DNS Challenge provider: namecheap" providerName=letsresolve.acme
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Obtaining bundled SAN certificate"
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82861153"
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Could not find solver for: tls-alpn-01"
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Could not find solver for: http-01"
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: use dns-01 solver"
time="2020-07-26T05:45:59Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Preparing to solve DNS-01"
time="2020-07-26T05:46:01Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Trying to solve DNS-01"
time="2020-07-26T05:46:01Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2020-07-26T05:46:16Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]"
time="2020-07-26T05:46:17Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."
time="2020-07-26T05:46:32Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."
time="2020-07-26T05:46:47Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."
time="2020-07-26T05:47:02Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."
time="2020-07-26T05:47:17Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."
time="2020-07-26T05:47:32Z" level=debug msg="legolog: [INFO] [traefik.example.com] acme: Waiting for DNS record propagation."

traefik.yaml

certificatesResolvers:
  letsresolve:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: namecheap
        delayBeforeCheck: 0

Docker Compose labels

      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=secure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=letsresolve"

As expected, it failed with a timeout. What makes no sense to me is the reference to j.gtld-servers.net; the domain I am using does not contain a j.

time="2020-07-26T06:46:27Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82861153 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"000...MjY\", url: "
time="2020-07-26T06:46:28Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82861153"
time="2020-07-26T06:46:28Z" level=error msg="Unable to obtain ACME certificate for domains \"traefik.example.com\": unable to generate a certificate for the domains [traefik.example.com]: error: one or more domains had a problem:\n[traefik.example.com] time limit exceeded: last error: NS j.gtld-servers.net. did not return the expected TXT record [fqdn: _acme-challenge.traefik.example.com., value: 9...4]: \n" providerName=letsresolve.acme routerName=traefik@docker rule="Host(`traefik.example.com`)"

I discovered the cause of the issue and how to fix it within Traefik. Due to my DNS setup I need to pass --dns.disable-cp to get lego to generate certificates, but I couldn't see how to achieve this with Traefik.

I needed to set "disablePropagationCheck: true" under dnsChallenge. This wasn't clear to me from reading https://docs.traefik.io/v2.2/https/acme/#certificate-resolvers


Where did you configure disablePropagationCheck: true? I cannot find it described as an option in the documentation.

Ah, I found it mentioned here: https://doc.traefik.io/traefik/v2.2/reference/static-configuration/file/ and indeed setting this seems to solve the waiting problem for Namecheap. So as a command-line argument I have set:

--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

I don't know about --dns.disable-cp. That didn't seem to affect me.

Hello,

The use of disablePropagationCheck is a bad idea: if you don't wait for propagation, you have a high risk of the challenge failing.

It is best to configure the resolvers: https://doc.traefik.io/traefik/v2.3/https/acme/#resolvers

Alright, that sounds reasonable although it worked flawlessly for me this time around. (Also with the LE staging servers.)

What do you recommend I set the resolvers to? The Google ones as in the example or the Namecheap ones (dns1.registrar-servers.com and dns2.registrar-servers.com for the BasicDNS plan)?
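The following static configuration is an added example and is not taken from any post in this thread or from the Traefik project. It puts the two settings discussed above side by side: the option the original poster used (disablePropagationCheck, left commented out as the weak choice) and the resolvers option the Traefik maintainer recommends instead. The context for it is visible in the log above: lego ran its pre-check against 127.0.0.11:53, which is Docker's embedded DNS, and the final error names j.gtld-servers.net, one of the authoritative servers for the .com TLD rather than anything in the poster's domain. That suggests the zone discovery that lego performs through the configured resolver went wrong inside the Docker network, so pointing the check at resolvers that see the public zone is the fix that keeps the safety check in place. The resolver name letsresolve and the staging caServer are taken from the thread; the email, storage path and the two public resolver addresses (the ones used in the Traefik documentation example) are assumptions. Namecheap API credentials are not part of this file; lego reads them from the NAMECHEAP_API_USER and NAMECHEAP_API_KEY environment variables, which belong in the container's environment, not in the static configuration.

```yaml
# traefik.yaml (static configuration) - added example, not from the original post.
certificatesResolvers:
  letsresolve:
    acme:
      # Staging CA as used in the thread; switch to the production directory
      # only once the challenge succeeds here, to avoid production rate limits.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: admin@example.com          # assumed
      storage: /letsencrypt/acme.json   # assumed; must be a persisted, writable file
      dnsChallenge:
        provider: namecheap
        delayBeforeCheck: 0
        # Weak option from the thread: lego stops verifying that the TXT record
        # is visible and hands the challenge to the CA immediately. If the CA's
        # own resolvers do not see the record yet, the authorization fails.
        # disablePropagationCheck: true
        #
        # Preferred option: keep the pre-check, but run zone discovery and the
        # TXT lookup through resolvers that see the public zone instead of
        # Docker's embedded DNS (127.0.0.11), which the log shows being used.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

The equivalent command-line form of the resolvers option, in the style of the argument shown earlier in the thread, is --certificatesresolvers.letsresolve.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53. Either public recursive resolvers or the zone's own authoritative servers will work for the check; what matters is that the resolver used can discover the zone's NS records and see the freshly created _acme-challenge TXT record.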
