Dnschallenge provider vultr.com not working

What did you do?

I wanted to create a DNS ACME certificate via Vultr.com.

What did you see instead?

traefik-app  | time="2023-04-29T15:14:35Z" level=error msg="Unable to obtain ACME certificate for domains \"www.XXXYYY.zzz\": unable to generate a certificate for the domains [www.XXXYYY.zzz]: error: one or more domains had a problem:\n[www.XXXYYY.zzz] time limit exceeded: last error: NS ns2.vultr.com. returned NXDOMAIN for _acme-challenge.www.XXXYYY.zzz.\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=whoami@docker rule="Host(`www.XXXYYY.zzz`)" providerName=vultr.acme

What version of Traefik are you using?

Version:      2.10.1
Codename:     saintmarcelin
Go version:   go1.20.3
Built:        2023-04-27T14:52:35Z
OS/Arch:      linux/amd64

What is your environment & configuration?

version: "3.9"

networks:
  traefik:
    external: false

services:
  traefik:
    container_name: traefik-app
    image: traefik:latest
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.vultr.acme.dnschallenge=true"
      - "--certificatesresolvers.vultr.acme.dnschallenge.provider=vultr"
      - "--certificatesresolvers.vultr.acme.dnschallenge.resolvers=173.199.96.96,173.199.96.97" # <- VULTR DNS
      - "--certificatesresolvers.vultr.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.vultr.acme.email=noc@XXXYYY.zzz"
      - "--certificatesresolvers.vultr.acme.storage=/letsencrypt/acme.json"
      - "--log.level=info"
    environment:
      VULTR_API_KEY: "MY-KEY-IS-OK"
    volumes:
      - ./letsencrypt/acme.json:/letsencrypt/acme.json
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik
    ports:
      - "443:443"

  whoami:
    container_name: whoami-app
    image: traefik/whoami
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`www.XXXYYY.zzz`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=vultr"

Wrong! Traefik creates a DNS entry at Vultr.com. I can see the entry with curl:

dig -t txt _acme-challenge.www.XXXYYY.zzz. @173.199.96.97

;; ANSWER SECTION:
_acme-challenge.www.XXXYYY.zzz.	120 IN	TXT	"1Wkjy8a39A2mrVcN1ytKSsWiCjpde6vdKIOfd5nyOwM"

Does anyone have any idea?

If you declare all your domains with Host() or HostSNI(), you can simply use httpChallenge or tlsChallenge for validation. You only need dnsChallenge for wildcard certs.

When dnsChallenge is not working, try setting delayBeforeCheck; there is also a known issue about CNAMEs (docs).

Thanks for your valuable input.

I know that I need dnsChallenge only for wildcard certs. I use it for other domains too (with Lego, without problems). I thought it would be such a uniform solution to use it with Traefik too.

If I set delayBeforeCheck or LEGO_DISABLE_CNAME_SUPPORT=true nothing changed. Again I can see the DNS record but nothing happens...

I think it's a bug: dnschallenge provider vultr.com not working · Issue #9878 · traefik/traefik · GitHub

Thanks

Hello,

last error: NS ns2.vultr.com. returned NXDOMAIN for _acme-challenge.www.XXXYYY.zzz.

This error is a DNS error, not an API or Let's Encrypt error, so it's not a bug but a network issue.

First I recommend not using your provider's DNS as resolvers, because the goal of the resolvers is to check the propagation over the global DNS network. lego checks that before calling LE to avoid failures related to DNS record propagation.

So you have to check your local network (firewall, local DNS, ...), use "generic" DNS (e.g. 1.1.1.1), and check if you have a CNAME.
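To make the maintainer's point concrete, here is an added example (written for this thread, not Traefik or lego code) that models the pre-validation check: it builds a DNS TXT query in wire format, parses constructed wire-format replies offline, and applies the rule that every queried server must return a TXT record equal to the challenge value before the CA is asked to validate. It is a simplification: real lego first locates the zone's authoritative nameservers and queries those, and the server names, the placeholder domain and the replies below are all constructed (only the token is taken from the dig output above).

```python
"""Offline model of the dns-01 propagation check lego runs before ACME validation."""
import struct
from typing import Dict, List, Tuple

RCODE_NXDOMAIN = 3
TYPE_CNAME, TYPE_TXT, CLASS_IN = 5, 16, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursion-desired (flags 0x0100) query for TXT <name>, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, after = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # compression pointer
            after = after if after is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (after if after is not None else off)


def parse_response(msg: bytes) -> dict:
    """Extract rcode, TXT values and CNAME targets from the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question(s)
        off = decode_name(msg, off)[1] + 4
    txt, cname = [], []
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_TXT:                         # sequence of <len><chars>
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
            txt.append("".join(parts))
        elif rtype == TYPE_CNAME:
            cname.append(decode_name(msg, off)[0])
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "txt": txt, "cname": cname}


def propagation_check(expected: str, replies: Dict[str, bytes]) -> Tuple[bool, str]:
    """Simplified lego rule: every server's reply must carry the expected TXT."""
    for server, raw in replies.items():
        r = parse_response(raw)
        if r["rcode"] == RCODE_NXDOMAIN:
            return False, f"NS {server} returned NXDOMAIN"
        if expected in r["txt"]:
            continue
        if r["cname"]:
            return False, (f"{server}: name is a CNAME to {r['cname'][0]}; check the "
                           "TXT at the target (lego follows the CNAME unless "
                           "LEGO_DISABLE_CNAME_SUPPORT=true)")
        return False, f"{server}: TXT not visible yet (retry after delayBeforeCheck)"
    return True, "challenge TXT visible on every server; safe to ask the CA"


def build_reply(query: bytes, rcode: int, rrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed server reply: same id and question, QR|RD|RA flags, 120s TTL."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                         0x8180 | rcode, 1, len(rrs), 0, 0)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", t, CLASS_IN, 120, len(rd)) + rd
                    for t, rd in rrs)                 # 0xC00C points at the question name
    return header + query[12:] + body


def txt_rdata(value: str) -> bytes:
    return bytes([len(value)]) + value.encode("ascii")


# Constructed sample data (hypothetical names); the token is the one from the dig output.
NAME = "_acme-challenge.www.example.com."
TOKEN = "1Wkjy8a39A2mrVcN1ytKSsWiCjpde6vdKIOfd5nyOwM"
QUERY = build_txt_query(NAME)
# One server already serves the record, the other still answers NXDOMAIN:
# this reproduces the "returned NXDOMAIN" failure from the first post.
REPLIES_NXDOMAIN = {
    "ns1.example-dns.net": build_reply(QUERY, 0, [(TYPE_TXT, txt_rdata(TOKEN))]),
    "ns2.example-dns.net": build_reply(QUERY, RCODE_NXDOMAIN, []),
}
REPLIES_OK = {s: build_reply(QUERY, 0, [(TYPE_TXT, txt_rdata(TOKEN))])
              for s in ("ns1.example-dns.net", "ns2.example-dns.net")}
REPLIES_CNAME = {"ns1.example-dns.net": build_reply(
    QUERY, 0, [(TYPE_CNAME, encode_name("_acme-challenge.acme.example.net."))])}

if __name__ == "__main__":
    for label, replies in (("ok", REPLIES_OK), ("nxdomain", REPLIES_NXDOMAIN),
                           ("cname", REPLIES_CNAME)):
        print(label, propagation_check(TOKEN, replies))
```

The nxdomain scenario is the situation in this thread: a dig against one address succeeding proves nothing about the server that actually answered NXDOMAIN, and a check like this fails on the first negative answer it gets. Pointing the resolvers at a public recursive resolver (and, where needed, raising delayBeforeCheck) changes which servers are asked and how long the record has to propagate; disabling the check only skips the guard and lets the CA discover the same NXDOMAIN.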

Thanks for your input!

This error is a DNS error, not an API or Let's Encrypt error, so it's not a bug but a network issue.

Ok, but why can I read the TXT record with "dig" without problems (first post)? I have no CNAME active.

Ok, but why can I read the TXT record with "dig" without problems (first post)? I have no CNAME active.

There are several possibilities and all are related to your network.

You can try to disable the propagation check with --certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck, and you will see that it works.

But disabling the check is not a good idea, the real problem is on your network.

Don't use NS IPs as resolvers.