dnsChallenge not working?

Hello,

I have been trying Traefik for the last couple of days but I can't get the dnsChallenge validation to work. I tried with Cloudflare and Porkbun with no luck :frowning:

The logs keep saying:

{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232","message":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\""}
{"level":"info","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884","message":"Testing certificate renew..."}
{"level":"debug","providerName":"production.acme","config":{"http":{},"tcp":{},"udp":{},"tls":{}},"time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"dockge@docker","rule":"Host(`panel.gs.cloudfabrik.eu`)","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:470","message":"Trying to challenge certificate for domain [panel.gs.cloudfabrik.eu] found in HostSNI rule"}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"dockge@docker","rule":"Host(`panel.gs.cloudfabrik.eu`)","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940","message":"Looking for provided certificate(s) to validate [\"panel.gs.cloudfabrik.eu\"]..."}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"dockge@docker","rule":"Host(`panel.gs.cloudfabrik.eu`)","domains":["panel.gs.cloudfabrik.eu"],"time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:986","message":"Domains need ACME certificates generation for domains \"panel.gs.cloudfabrik.eu\"."}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"dockge@docker","rule":"Host(`panel.gs.cloudfabrik.eu`)","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:706","message":"Loading ACME certificates [panel.gs.cloudfabrik.eu]..."}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940","message":"Looking for provided certificate(s) to validate [\"gs.cloudfabrik.eu\" \"*.gs.cloudfabrik.eu\"]..."}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","domains":["gs.cloudfabrik.eu","*.gs.cloudfabrik.eu"],"time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:986","message":"Domains need ACME certificates generation for domains \"gs.cloudfabrik.eu,*.gs.cloudfabrik.eu\"."}
{"level":"debug","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:706","message":"Loading ACME certificates [gs.cloudfabrik.eu *.gs.cloudfabrik.eu]..."}
{"level":"debug","providerName":"production.acme","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270","message":"Building ACME client..."}
{"level":"debug","providerName":"production.acme","time":"2025-03-19T11:44:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276","message":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"dockge@docker","rule":"Host(`panel.gs.cloudfabrik.eu`)","error":"cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: i/o timeout","domains":["panel.gs.cloudfabrik.eu"],"time":"2025-03-19T11:44:57+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:482","message":"Unable to obtain ACME certificate for domains"}
{"level":"debug","providerName":"production.acme","time":"2025-03-19T11:44:57+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270","message":"Building ACME client..."}
{"level":"debug","providerName":"production.acme","time":"2025-03-19T11:44:57+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276","message":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","providerName":"production.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"production.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"traefik-secure@docker","rule":"Host(`dashboard.gs.cloudfabrik.eu`)","error":"cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: i/o timeout","domains":["gs.cloudfabrik.eu","*.gs.cloudfabrik.eu"],"time":"2025-03-19T11:45:27+01:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553","message":"Unable to obtain ACME certificate for domains"}

I have no idea what to do anymore. I already tried the following:

  • Disable the firewall
  • change from cloudflare to porkbun
  • checked that acme.json has the correct permissions (600, but the file is empty)

Can someone help me shed some light on this? Below are my compose and traefik.yml

compose

services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - TZ=Europe/Amsterdam
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - PORKBUN_SECRET_API_KEY=${PORKBUN_SECRET_API_KEY} 
      - PORKBUN_API_KEY=${PORKBUN_API_KEY}
    networks:
      - proxynet
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/etc/traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.rule=Host(`dashboard.gs.cloudfabrik.eu`)
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host(`dashboard.gs.cloudfabrik.eu`)
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=production
      - traefik.http.routers.traefik-secure.tls.domains[0].main=gs.cloudfabrik.eu
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.gs.cloudfabrik.eu
      - traefik.http.routers.traefik-secure.service=api@internal
networks:
  proxynet:
    external: true

**traefik.yml**

global:
  checkNewVersion: false

# -- (Optional) Change Log Level and Format here...
#     - loglevels [DEBUG, INFO, WARNING, ERROR, CRITICAL]
#     - format [common, json, logfmt]
log:
  level: DEBUG
  format: json
  filePath: /etc/traefik/log/traefik.log

# -- (Optional) Enable Accesslog and change Format here...
#     - format [common, json, logfmt]
accesslog:
  format: json
  filePath: /etc/traefik/log/access.log

serversTransport:
  insecureSkipVerify: true

# -- (Optional) Enable API and Dashboard here, don't do in production
api:
  dashboard: true
  insecure: true

# -- Change EntryPoints here...
entryPoints:
  http:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: websecure
    #       scheme: https
  https:
    address: :443

# -- Configure your CertificateResolver here...
certificatesResolvers:
  staging:
    acme:
      email: redacted 
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
  production:
    acme:
      email: redacted 
      storage: /etc/traefik/certs/acme-prod.json
      dnsChallenge:
        provider: porkbun
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
#  generic:
#    acme:
#      email: redacted 
#      storage: /etc/traefik/certs/acme-generic.json
      # tlsChallenge: {}
#      httpChallenge:
#        entryPoint: http

# Docker configuration backend
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxynet
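The `error` field in the log records above is the part worth reading closely: `dial tcp 172.65.32.248:443: i/o timeout` is reported while fetching the ACME directory, i.e. before any challenge is attempted. As an added example, not code from the post or from Traefik, the following Python script parses Traefik's JSON log lines and maps each error to the layer that failed, so a connectivity problem is not chased as a DNS-provider problem. The first error line in the sample is the one from the post; the other two are constructed to show what a credential/zone failure and a propagation failure look like by contrast.

```python
"""Triage Traefik ACME errors from its JSON log (added example, not from the post).

Each rule maps substrings of the log record's "error" field to the layer that
failed. The first error line in SAMPLE_LOG is copied from the post above; the
other two are constructed to show what DNS-challenge failures look like.
"""
import json

SAMPLE_LOG = r'''
{"level":"info","providerName":"production.acme","message":"Testing certificate renew..."}
{"level":"error","providerName":"production.acme","routerName":"dockge@docker","error":"cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp 172.65.32.248:443: i/o timeout","domains":["panel.gs.cloudfabrik.eu"],"message":"Unable to obtain ACME certificate for domains"}
{"level":"error","providerName":"staging.acme","error":"unable to generate a certificate for the domains [example.test *.example.test]: error: one or more domains had a problem:\n[example.test] [example.test] acme: error presenting token: cloudflare: failed to find zone example.test.: zone could not be found","domains":["example.test","*.example.test"],"message":"Unable to obtain ACME certificate for domains"}
{"level":"error","providerName":"staging.acme","error":"unable to generate a certificate for the domains [example.test]: error: one or more domains had a problem:\n[example.test] time limit exceeded: last error: NS ns1.example.test. did not return the expected TXT record [fqdn: _acme-challenge.example.test., value: abc]","domains":["example.test"],"message":"Unable to obtain ACME certificate for domains"}
'''

# First matching rule wins; every needle in the tuple must appear in the error text.
RULES = [
    (("dial tcp", "i/o timeout"), "egress"),
    (("dial tcp", "connection refused"), "egress"),
    (("dial tcp", "no route to host"), "egress"),
    (("no such host",), "name-resolution"),
    (("acme: error presenting token",), "dns-provider"),
    (("did not return the expected TXT record",), "dns-propagation"),
    (("urn:ietf:params:acme:error:rateLimited",), "rate-limit"),
]

HINTS = {
    "egress": "TCP connect to the CA failed before any challenge ran: check outbound "
              "443 from the container's network (host firewall, Docker network, provider ACLs).",
    "name-resolution": "The CA hostname did not resolve inside the container: check the "
                       "container's /etc/resolv.conf and Docker's DNS.",
    "dns-provider": "lego could not create the _acme-challenge TXT record: check the API "
                    "credentials and that this provider really hosts the zone.",
    "dns-propagation": "The TXT record was created but the configured resolvers never saw it: "
                       "check NS delegation of the zone and allow longer propagation.",
    "rate-limit": "The CA refused the order: switch to the staging caServer while debugging.",
    "unknown": "No rule matched; read the error text itself.",
}


def classify(error_text):
    """Return the failure category for one ACME error string."""
    for needles, category in RULES:
        if all(n in error_text for n in needles):
            return category
    return "unknown"


def triage(log_text):
    """Parse Traefik JSON log lines and return one finding per error record."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line; skip rather than abort
        if rec.get("level") != "error" or "error" not in rec:
            continue
        category = classify(rec["error"])
        findings.append({
            "category": category,
            "resolver": rec.get("providerName"),
            "domains": rec.get("domains", []),
            "hint": HINTS[category],
        })
    return findings


def categories(log_text):
    """Sorted list of distinct failure categories seen, for a quick summary."""
    return sorted({f["category"] for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']}] {f['resolver']} {f['domains']}\n    {f['hint']}")
```

Run it against `/etc/traefik/log/traefik.log` (the `filePath` in the posted traefik.yml) by reading the file into `triage()`; the substrings in `RULES` are the ones Go's net package, lego and RFC 8555 use, so they are stable across Traefik versions, but any provider-specific error text not listed simply lands in `unknown`.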

dnsChallenge only works with the DNS provider hosting the domain DNS. Is that the case? Did you move your domain?

Did you create the gs sub-domain in DNS?

Are you within a corporate network? Are you running PiHole or similar DNS services?

The domain is using Cloudflare; it has Cloudflare's nameservers and has the gs and *.ga subdomains pointing to the VPS.
No PiHole or other DNS ad blocker is active.

Did you create an api token for the domain at cloudflare? https://dash.cloudflare.com/profile/api-tokens
Also, the name of your label in the compose file specifies "production" for certresolver=production, not 'staging'.
When you try production you will also need to add a caServer (caServer: https://acme-v02.api.letsencrypt.org/directory, the production cert URL) under your production certificatesResolver.
Also it is good practice to bind mount your acme.json file to a volume (in your compose) so it does not need to be specified each time you start your container.
Don't forget you will also need to chmod 600 acme.json for the permissions.
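The checks asked for in the two replies above (does the provider named in the resolver have credentials in the environment, does the certresolver named in the compose label actually exist in traefik.yml, is the acme storage file mode 600 and sane) can be done mechanically before the container is started. The following Python script is an added example, not Traefik's code and not from anyone in this thread; it takes the resolvers, labels and volumes from the posted compose/traefik.yml, together with a constructed environment and temporary storage files, and lists what would stop issuance. The credential variable names are the ones lego (Traefik's ACME library) reads for cloudflare and porkbun; whether the zone is really delegated to that provider needs a live NS lookup and is not covered here.

```python
"""Static preflight for a Traefik dnsChallenge setup (added example, not Traefik's code).

Checks, without touching the network: (1) each dnsChallenge resolver has a complete
lego credential set in the environment, (2) every certresolver named in a compose
label is defined, (3) the acme storage file is absent (Traefik creates it) or
present with mode 600 and either empty or valid JSON. Credential names cover
cloudflare and porkbun only; host paths follow compose 'host:container[:opts]' mounts.
"""
import json
import os
import re
import stat
import tempfile

CREDENTIAL_SETS = {
    "cloudflare": [("CF_DNS_API_TOKEN",), ("CLOUDFLARE_DNS_API_TOKEN",),
                   ("CF_API_EMAIL", "CF_API_KEY"), ("CLOUDFLARE_EMAIL", "CLOUDFLARE_API_KEY")],
    "porkbun": [("PORKBUN_API_KEY", "PORKBUN_SECRET_API_KEY")],
}
LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.certresolver=(.+)$")


def credential_problems(resolvers, env):
    """One message per dnsChallenge resolver whose provider credentials are incomplete."""
    problems = []
    for name, res in resolvers.items():
        dns = res.get("acme", {}).get("dnsChallenge")
        if not dns:
            continue
        provider = dns.get("provider")
        sets = CREDENTIAL_SETS.get(provider)
        if sets is None:
            problems.append(f"{name}: provider {provider!r} is not in this checker's table")
        # A variable expanded from an unset ${VAR} arrives as "", which counts as missing.
        elif not any(all(env.get(v) for v in s) for s in sets):
            problems.append(f"{name}: no complete {provider} credential set; need one of {sets}")
    return problems


def certresolver_problems(labels, resolvers):
    """Flag router labels that point at a certresolver traefik.yml does not define."""
    problems = []
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if m and m.group(2) not in resolvers:
            problems.append(f"router {m.group(1)}: certresolver {m.group(2)!r} is not defined")
    return problems


def host_path(container_path, volumes):
    """Map a container path to its host path via the longest matching bind mount."""
    best = None
    for spec in volumes:
        host, target = spec.split(":")[:2]
        if container_path == target or container_path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best[1]):
                best = (host, target)
    if best is None:
        return None  # not on a bind mount: the file lives only inside the container
    return best[0].rstrip("/") + container_path[len(best[1].rstrip("/")):]


def storage_problems(path):
    """Check the acme storage file the way Traefik will see it at startup."""
    if not os.path.exists(path):
        parent = os.path.dirname(path) or "."
        if not os.access(parent, os.W_OK):
            return [f"{path}: absent and {parent} not writable, so Traefik cannot create it"]
        return []  # Traefik creates the file with mode 600 on first use
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        problems.append(f"{path}: mode {mode:o}, Traefik requires 600")
    with open(path, "rb") as fh:
        data = fh.read()
    if data.strip():  # an empty file is normal before the first successful order
        try:
            if not isinstance(json.loads(data), dict):
                problems.append(f"{path}: JSON is not an object keyed by resolver name")
        except json.JSONDecodeError:
            problems.append(f"{path}: not valid JSON; move it aside and let Traefik recreate it")
    return problems


def preflight(resolvers, labels, env, volumes, host_root="."):
    """Run all checks; returns a list of problem strings (empty means go)."""
    problems = credential_problems(resolvers, env) + certresolver_problems(labels, resolvers)
    for res in resolvers.values():
        storage = res.get("acme", {}).get("storage")
        mapped = host_path(storage, volumes) if storage else None
        if mapped:
            problems += storage_problems(os.path.normpath(os.path.join(host_root, mapped)))
    return problems


def demo():
    """The post's resolvers, label and volumes with a constructed env and temp storage."""
    resolvers = {
        "staging": {"acme": {"storage": "/etc/traefik/certs/acme.json",
                             "dnsChallenge": {"provider": "cloudflare"}}},
        "production": {"acme": {"storage": "/etc/traefik/certs/acme-prod.json",
                                "dnsChallenge": {"provider": "porkbun"}}},
    }
    labels = ["traefik.http.routers.traefik-secure.tls.certresolver=production"]
    volumes = ["/var/run/docker.sock:/var/run/docker.sock:ro", "./data:/etc/traefik"]
    env = {"CF_DNS_API_TOKEN": "token", "PORKBUN_API_KEY": "", "PORKBUN_SECRET_API_KEY": ""}
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "data", "certs"))
    prod = os.path.join(root, "data", "certs", "acme-prod.json")
    open(prod, "w").close()
    os.chmod(prod, 0o644)  # the classic mistake; Traefik refuses to start on this
    return preflight(resolvers, labels, env, volumes, host_root=root)


if __name__ == "__main__":
    for p in demo():
        print("-", p)
```

With the post's configuration and an `.env` that defines only the Cloudflare token, the demo reports two findings: the `production` resolver selects porkbun but has no Porkbun credentials, and `acme-prod.json` is mode 644. Feed `preflight()` your real resolver dict, the container's labels and `os.environ` to run it against a live setup.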

It is not necessary to specify a caServer for LetsEncrypt production, all my examples work without.

Are you within a corporate network? Any potential firewalls blocking?

Out of curiosity: If the domain is with CloudFlare, why did you test with PorkBun?

I switched the nameservers to Porkbun before testing it.

I rebuilt the whole machine yesterday and did the Traefik config in traefik.toml, and now it is working fine :slight_smile:

No idea why. Trying basicauth now with Docker secrets, no luck yet.