Error on letsencrypt certificate renewal

Hi,
My website has been running fine on HTTPS for almost 3 months, but I just found out that the certificate is about to expire and Traefik is not able to renew it.

The Docker logs show this error:

time="2023-09-24T15:48:59Z" level=error msg="Error renewing certificate from LE: {app.pintable.it []}, error: one or more domains had a problem:\n[app.pintable.it] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 79.11.135.62: Fetching http://app.pintable.it/.well-known/acme-challenge/8jpbQOhaOQ8j0t1-c5tOjXmKrPY0a6VK9mhyy_CmpUw: Error getting validation data, url: \n" providerName=letsencrypt.acme

The Traefik container was set up using the cookiecutter-django template. This is my Docker Compose configuration:

  traefik:
    build:
      context: .
      dockerfile: ./compose/production/traefik/Dockerfile
    image: pintable_production_traefik
    depends_on:
      - django
    volumes:
      - production_traefik:/etc/traefik/acme
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"

and this is the Traefik configuration file:

log:
  level: INFO

entryPoints:
  web:
    # http
    address: ":80"
    http:
      # https://docs.traefik.io/routing/entrypoints/#entrypoint
      redirections:
        entryPoint:
          to: web-secure

  web-secure:
    # https
    address: ":443"

certificatesResolvers:
  letsencrypt:
    # https://docs.traefik.io/master/https/acme/#lets-encrypt
    acme:
      email: "masavini@gmail.com"
      storage: /etc/traefik/acme/acme.json
      # https://docs.traefik.io/master/https/acme/#httpchallenge
      httpChallenge:
        entryPoint: web

http:
  routers:
    web-secure-router:
      rule: "Host(`app.pintable.it`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        # https://docs.traefik.io/master/routing/routers/#certresolver
        certResolver: letsencrypt

    web-media-router:
      rule: "Host(`app.pintable.it`) && PathPrefix(`/media/`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django-media
      tls:
        certResolver: letsencrypt

  middlewares:
    csrf:
      # https://docs.traefik.io/master/middlewares/headers/#hostsproxyheaders
      # https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
      headers:
        hostsProxyHeaders: ["X-CSRFToken"]

  services:
    django:
      loadBalancer:
        servers:
          - url: http://django:5000

    django-media:
      loadBalancer:
        servers:
          - url: http://nginx:80

providers:
  # https://docs.traefik.io/master/providers/file/
  file:
    filename: /etc/traefik/traefik.yml
    watch: true

Can you please help me address this issue?
Thanks

You are building the Traefik image yourself? Can you share ./compose/production/traefik/Dockerfile?

Sure, here you are:

FROM traefik:v2.2.11
RUN mkdir -p /etc/traefik/acme \
  && touch /etc/traefik/acme/acme.json \
  && chmod 600 /etc/traefik/acme/acme.json
COPY ./compose/production/traefik/traefik.yml /etc/traefik

That looks like really bad practice; Traefik 2.2 is from 2020. Many bugs and probably some security vulnerabilities have been fixed since then.

Why not just mount the TLS file into the container from the official Traefik image at runtime?

Hi,
I just used cookiecutter-django to set up the whole project...

Sorry, but using Traefik 2.2 from 2020, which was also retired in 2020, is not good practice.

Also, Traefik uses static config and dynamic config, which usually go into separate files.

Maybe get some inspiration by checking the simple Traefik example. Traefik will do Configuration Discovery via labels, so all your services/containers just need labels, like whoami in the example.
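To make the static/dynamic split concrete, here is an added example (not code from the thread or from Traefik's own docs) of the poster's single traefik.yml separated into the two files Traefik expects: the static configuration (entry points, certificate resolver, providers), which Traefik reads once at startup, and the dynamic configuration (routers, middlewares, services), which the file provider watches for changes. Hostnames, service URLs and paths are taken from the original post; the contact email is a placeholder, and the dynamic file name /etc/traefik/dynamic.yml is an assumption.

```yaml
# --- /etc/traefik/traefik.yml : STATIC configuration (added example) ---
log:
  level: INFO

entryPoints:
  web:
    address: ":80"            # HTTP-01 validation arrives here; port 80 must be reachable from the internet
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
  web-secure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.com"          # placeholder contact address
      storage: /etc/traefik/acme/acme.json  # keep on a persistent volume, mode 600
      httpChallenge:
        entryPoint: web

providers:
  file:
    filename: /etc/traefik/dynamic.yml   # dynamic config in its own file (assumed name)
    watch: true

---
# --- /etc/traefik/dynamic.yml : DYNAMIC configuration (added example) ---
http:
  routers:
    web-secure-router:
      rule: "Host(`app.pintable.it`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt

    web-media-router:
      rule: "Host(`app.pintable.it`) && PathPrefix(`/media/`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django-media
      tls:
        certResolver: letsencrypt

  middlewares:
    csrf:
      headers:
        hostsProxyHeaders: ["X-CSRFToken"]

  services:
    django:
      loadBalancer:
        servers:
          - url: http://django:5000
    django-media:
      loadBalancer:
        servers:
          - url: http://nginx:80
```

With the configuration in these two files, the custom Dockerfile is unnecessary: bind-mount both files read-only into a current official traefik image (for example `./traefik.yml:/etc/traefik/traefik.yml:ro` and `./dynamic.yml:/etc/traefik/dynamic.yml:ro` under the service's volumes) and keep only acme.json on a named volume, so upgrading Traefik becomes a one-line image tag change.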

My BAD!!
A few weeks ago I had to replace the router and I forgot to forward port 80...
I opened the port, restarted the container and the certificate was properly renewed.
Thanks for your help, anyway!
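The thread's error line and its resolution both come down to one check: the Let's Encrypt validator must be able to fetch the challenge over plain HTTP on port 80. The following added example (my code, not from the thread, cookiecutter-django or Traefik) parses a Traefik ACME renewal failure into its parts, maps the RFC 8555 error type (`urn:ietf:params:acme:error:connection` here) to the most likely operator-side cause, and offers a TCP reachability probe for the entry point. The sample log line is the one from the original post, embedded as a constant; the hint table and the function names are my own.

```python
"""Parse Traefik/lego ACME renewal failures and point at the likely cause."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the error line from the original post (logfmt, with the
# literal "\n" sequences that Traefik writes inside the msg field).
SAMPLE_LOG = (
    'time="2023-09-24T15:48:59Z" level=error msg="Error renewing certificate from LE: '
    '{app.pintable.it []}, error: one or more domains had a problem:\\n[app.pintable.it] '
    'acme: error: 400 :: urn:ietf:params:acme:error:connection :: 79.11.135.62: '
    'Fetching http://app.pintable.it/.well-known/acme-challenge/'
    '8jpbQOhaOQ8j0t1-c5tOjXmKrPY0a6VK9mhyy_CmpUw: Error getting validation data, url: \\n" '
    'providerName=letsencrypt.acme'
)

# Short ACME error types (RFC 8555 section 6.7) and the first thing to check for each.
# The wording is this example's own, not Let's Encrypt's.
ACME_ERROR_HINTS = {
    "connection": "validator could not reach the domain on port 80: check NAT/port forwarding, "
                  "firewall rules and that the DNS A record points at this host",
    "dns": "DNS lookup failed: check the A/AAAA record for the domain",
    "unauthorized": "challenge answered with the wrong content: is another server answering on port 80?",
    "rateLimited": "Let's Encrypt rate limit hit: stop retrying until the limit window passes",
    "caa": "a CAA record forbids this CA: fix the DNS CAA record",
}

# One line: timestamp ... [domain] acme: error: <status> :: urn:...:<type> :: <ip>: Fetching <url>: ...
LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)".*?\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: '
    r'urn:ietf:params:acme:error:(?P<etype>[A-Za-z]+) ::'
    r'(?: (?P<ip>\d+\.\d+\.\d+\.\d+):)?'
    r'(?: Fetching (?P<url>\S+): )?',
    re.DOTALL,
)


@dataclass
class AcmeFailure:
    timestamp: str
    domain: str
    status: int
    error_type: str               # e.g. "connection"
    resolved_ip: Optional[str]    # the address the validator tried to reach (your public IP)
    challenge_url: Optional[str]  # the HTTP-01 URL the validator fetched


def parse_acme_failure(line: str) -> Optional[AcmeFailure]:
    """Return the structured failure, or None for lines that are not ACME errors."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return AcmeFailure(m["ts"], m["domain"], int(m["status"]), m["etype"], m["ip"], m["url"])


def diagnose(failure: AcmeFailure) -> str:
    """Map the ACME error type to the first operator-side check to perform."""
    return ACME_ERROR_HINTS.get(
        failure.error_type, "unrecognised ACME error type; see RFC 8555 section 6.7"
    )


def port_reachable(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """TCP connect probe. Run it from OUTSIDE your network: a probe from the LAN
    succeeds even when the router is not forwarding port 80, which is exactly
    the failure in this thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    failure = parse_acme_failure(SAMPLE_LOG)
    if failure is None:
        print("no ACME failure found in line")
    else:
        print(f"{failure.domain}: {failure.status} {failure.error_type} "
              f"(validator tried {failure.resolved_ip}, fetched {failure.challenge_url})")
        print("hint:", diagnose(failure))
        # From an external host: print("port 80 reachable:", port_reachable(failure.domain))
```

Feed the script `docker logs <traefik-container> 2>&1 | grep 'providerName=letsencrypt.acme'` line by line; a `connection` failure with your own public IP as `resolved_ip` is the signature of a missing port-80 forward or firewall rule rather than a Traefik problem, and `port_reachable(domain, 80)` from a host outside the network confirms the fix before you wait for the next renewal attempt.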
