Dnschallenge stuck waiting for propagation

It's the second day and I can't figure out what's wrong. It's just stuck at "Waiting for DNS record propagation", although I can resolve the TXT DNS records.

time="2021-05-03T12:29:29+03:00" level=debug msg="No default certificate, generating one"
time="2021-05-03T12:29:29+03:00" level=debug msg="No default certificate, generating one"
time="2021-05-03T12:29:29+03:00" level=debug msg="Adding route for heimdall.lo.domain.com with TLS options default" entryPointName=https
time="2021-05-03T12:29:29+03:00" level=debug msg="Adding route for pihole.lo.domain.com with TLS options default" entryPointName=https
time="2021-05-03T12:29:29+03:00" level=debug msg="Adding route for proxmox.lo.domain.com with TLS options default" entryPointName=https
time="2021-05-03T12:29:29+03:00" level=debug msg="Adding route for traefik.lo.domain.com with TLS options default" entryPointName=https
time="2021-05-03T12:29:29+03:00" level=debug msg="Adding route for rancher.lo.domain.com with TLS options default" entryPointName=https
time="2021-05-03T12:29:29+03:00" level=debug msg="Looking for provided certificate(s) to validate [\"lo.domain.com\" \"*.lo.domain.com\"]..." providerName=namecheaper.acme
time="2021-05-03T12:29:29+03:00" level=debug msg="Domains [\"lo.domain.com\" \"*.lo.domain.com\"] need ACME certificates generation for domains \"lo.domain.com,*.lo.domain.com\"." providerName=namecheaper.acme
time="2021-05-03T12:29:29+03:00" level=debug msg="Loading ACME certificates [lo.domain.com *.lo.domain.com]..." providerName=namecheaper.acme
time="2021-05-03T12:29:34+03:00" level=debug msg="Building ACME client..." providerName=namecheaper.acme
time="2021-05-03T12:29:34+03:00" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=namecheaper.acme
time="2021-05-03T12:29:35+03:00" level=info msg=Register... providerName=namecheaper.acme
time="2021-05-03T12:29:35+03:00" level=debug msg="legolog: [INFO] acme: Registering account for domainmaster@gmail.com"
time="2021-05-03T12:29:35+03:00" level=debug msg="Using DNS Challenge provider: namecheap" providerName=namecheaper.acme
time="2021-05-03T12:29:36+03:00" level=debug msg="legolog: [INFO] [lo.domain.com, *.lo.domain.com] acme: Obtaining bundled SAN certificate"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12811576768"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [lo.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12811576769"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: use dns-01 solver"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [lo.domain.com] acme: Could not find solver for: tls-alpn-01"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [lo.domain.com] acme: Could not find solver for: http-01"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [lo.domain.com] acme: use dns-01 solver"
time="2021-05-03T12:29:37+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Preparing to solve DNS-01"
time="2021-05-03T12:29:39+03:00" level=debug msg="legolog: [INFO] [lo.domain.com] acme: Preparing to solve DNS-01"
time="2021-05-03T12:29:40+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Trying to solve DNS-01"
time="2021-05-03T12:29:40+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Checking DNS record propagation using [8.8.8.8:53]"
time="2021-05-03T12:29:55+03:00" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1h0m0s, interval: 15s]"
time="2021-05-03T12:30:00+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Waiting for DNS record propagation."
time="2021-05-03T12:30:20+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Waiting for DNS record propagation."
time="2021-05-03T12:30:41+03:00" level=debug msg="legolog: [INFO] [*.lo.domain.com] acme: Waiting for DNS record propagation."

Waiting for DNS record propagation lasts forever, though I can dig TXT DNS records:

dig TXT _acme-challenge.lo.domain.com @8.8.8.8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.lo.domain.com. IN    TXT

;; ANSWER SECTION:
_acme-challenge.lo.domain.com. 119 IN TXT     "Bdo0nCCcelvpEXr1G5zWxrXIKmBEzvQgjo-16_6FVWk"
_acme-challenge.lo.domain.com. 119 IN TXT     "YafsPVor_m_EpkW8z6CCcM1FcraaFR6HbuaTgF4YTXk"

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 03 09:49:53 UTC 2021
;; MSG SIZE  rcvd: 172

And every time I restart the container I purge those records and it makes new ones, so it seems correct.

docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - NAMECHEAP_API_USER=<USER_HERE>
      - NAMECHEAP_API_KEY=<KEY_HERE>
      - TZ=Europe/Moscow
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/config.yml:/config.yml:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.lo.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=pp:$$apr1$$aA0HwDiS$$LH0rOYpTdCEGBdGg85VYQ0"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.lo.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=namecheaper"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=lo.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.lo.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

traefik.yml

log:
  level: DEBUG
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  namecheaper:
    acme:
      email: domainmaster@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: namecheap
        resolvers:
          - "8.8.8.8:53"
#          - "156.154.133.200:53"
#          - "156.154.132.200:53"
        delayBeforeCheck: 5

Tried different resolvers and delayBeforeCheck; no change.

Hello @immelrikt

Would there be a firewall/router between traefik and the dns servers? If there were a transparent caching dns server in the path that could possibly explain it.

There has been some success reported using the disablepropagationcheck option. But the strong advice is to get the propagation checks working to avoid failure.

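To see what the propagation check actually gets back from the configured resolver (rather than what a `dig` on the host sees, which may go through a different path), the following added script queries the `_acme-challenge` TXT record over raw UDP and compares the returned values with the values the ACME client expects. It is an example written for this thread, not code from Traefik or lego, and it does not reproduce lego's exact check; the resolver address, the record name and the two sample TXT values (taken from the `dig` output above) are assumptions. A resolver that keeps returning old values, or whose TTL keeps counting down across repeated queries, is serving from a cache somewhere between the container and the DNS server, which is the situation the reply describes.

```python
"""Query the dns-01 TXT record from a specific resolver and compare it with the
expected challenge values. Added example; not part of Traefik or lego."""
import random
import socket
import struct

TXT, IN = 16, 1


def build_txt_query(name: str, txid: int) -> bytes:
    """Build a recursion-desired DNS query for the TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", TXT, IN)


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(msg: bytes):
    """Return (rcode, [(txt_value, ttl), ...]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TXT:
            # TXT rdata is a sequence of <len><bytes> character-strings; join them.
            parts, pos = [], 0
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            records.append((b"".join(parts).decode("utf-8", "replace"), ttl))
    return rcode, records


def check_propagation(expected: set, observed: list) -> dict:
    """Compare the expected challenge values with what the resolver returned."""
    seen = {value for value, _ in observed}
    return {
        "ok": expected <= seen,                 # every expected value is visible
        "missing": sorted(expected - seen),     # not yet (or never) served here
        "stale": sorted(seen - expected),       # old values still being served
        "min_ttl": min((ttl for _, ttl in observed), default=None),
    }


def build_txt_response(name: str, values, ttl: int, txid: int = 0x1234) -> bytes:
    """Construct a response packet; used only to exercise the parser offline."""
    query = build_txt_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    answers = b""
    for value in values:
        rdata = struct.pack("!B", len(value)) + value.encode("ascii")
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def query_txt(name: str, resolver=("8.8.8.8", 53), timeout: float = 3.0):
    """Send the query over UDP and parse the answer (network access required)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), resolver)
        data, _ = sock.recvfrom(4096)
    if struct.unpack_from("!H", data, 0)[0] != txid:
        raise ValueError("transaction id mismatch in DNS reply")
    return parse_txt_answers(data)


if __name__ == "__main__":
    import sys
    # usage: python check_txt.py _acme-challenge.lo.domain.com <expected-value> ...
    record = sys.argv[1] if len(sys.argv) > 1 else "_acme-challenge.lo.domain.com"
    rcode, answers = query_txt(record)
    print("rcode:", rcode, "answers:", answers)
    print(check_propagation(set(sys.argv[2:]), answers))
```

Run it twice a minute apart from inside the container's network namespace and from the host: if the `min_ttl` keeps decreasing instead of resetting, or the values differ between the two vantage points, a caching resolver is in the path and the propagation check will keep seeing the record set from before the last restart.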

Thanks, cakiwi!

It's caching DNS problem indeed.
