Forcing Traefik Docker Container to use IPv6 when host is IPv6 only for Let's Encrypt

I am running a fairly new VPS server that is IPv6 only. I've created a self-defined bridge network in Docker that has IPv6 enabled.

Traefik is getting an IPv4 and an IPv6 address; however, when I try to do a DNS challenge against Cloudflare to get a Let's Encrypt certificate, it's failing, and I believe it's because the IPv4 address on the Traefik container is being used for the DNS lookup of the TXT record when it should be using IPv6. I've tried adding IPv6 resolvers in my config, but it seems to just ignore these.

I'm running Traefik v3.1.2

Here is my Docker Compose file:

services:
  traefik:
    image: traefik
    security_opt:
      - no-new-privileges:true
    container_name: traefik
    environment:
      - CF_API_EMAIL=$CF_API_EMAIL
      - CF_API_KEY=$CF_API_KEY
    command:
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.forwardedHeaders.insecure"
      - "--entryPoints.http.proxyProtocol.insecure"
      - "--entryPoints.https.address=:443"
      - "--entrypoints.https.forwardedHeaders.insecure"
      - "--entryPoints.https.proxyProtocol.insecure"
      - "--entrypoints.http.http.redirections.entryPoint.to=https"
      - "--entrypoints.http.http.redirections.entryPoint.scheme=https"
      - "--certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory" # LetsEncrypt Staging Server - uncomment when testing
      - "--certificatesResolvers.dns-cloudflare.acme.storage=/acme.json"
      - "--certificatesResolvers.dns-cloudflare.acme.email=$CF_API_EMAIL"
      - "--certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=2606:4700:4700::1111:53,2606:4700:4700::1001:53"
#      - "--certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=100"
      - "--accessLog=true"
      - "--accesslog.filePath=/traefik_access.log"
      - "--accesslog.bufferingsize=100"
      - "--log.filePath=/traefik.log"
      - "--log.level=DEBUG"
      - "--api=true"
      - "--api.dashboard=true"
      - "--serverstransport.insecureskipverify=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./logs/traefik.log:/traefik.log"
      - "./logs/traefik_access.log:/traefik_access.log"
      - "./data/acme.json:/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`domainname.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.entrypoints=https"
      - "traefik.http.routers.dashboard.tls.certresolver=dns-cloudflare"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$aaa$$bbbbbb$$cccccccccccccc."
    restart: unless-stopped
    networks:
      - traefik
networks:
  traefik:
    external: true

Is what I want to do even possible?

What does Traefik debug log tell you?

I implemented a workaround using the HTTP challenge, but a sample of the logs at the time was:

2024-08-31T18:36:08Z ERR Unable to obtain ACME certificate for domains error="cannot get ACME client get directory at 'https:// acme-staging-v02.api.letsencrypt. org/directory': Get "https:// acme-staging-v02.api.letsencrypt. org/directory": dial tcp 172.65.46.172:443: connect: network is unreachable" ACME CA=https:// acme-staging-v02.api.letsencrypt. org/directory acmeCA=https:// acme-staging-v02.api.letsencrypt. org/directory domains=...

It actually appears to be an issue with Lego - there is a pull request to fix this, but it's not been implemented for whatever reasons. If I'm understanding the PR, this would fix the issue. So unless Traefik finds another library to use, this will be broken until the Lego maintainers fix it.

See: Add -4 and -6 flags by jsumners · Pull Request #1802 · go-acme/lego · GitHub and Add -4 and -6 flags by jsumners · Pull Request #1984 · go-acme/lego · GitHub
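
The log line above shows the ACME client dialing an IPv4 address from a host with no IPv4 route. As an added illustration (not code from Traefik, lego or the linked pull requests), this is the general way a Go HTTP client can be restricted to one address family; `pinNetwork`, `newPinnedClient` and `rejectedByFamily` are hypothetical names, and the address is the one from the log.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// pinNetwork (hypothetical) narrows a dial network to family "4", "6" or "" (dual stack).
func pinNetwork(network, family string) string {
	switch network {
	case "tcp", "udp":
		return network + family
	}
	return network // already pinned ("tcp6") or not IP-based ("unix")
}

// newPinnedClient builds an HTTP client that ignores A records when family is "6".
func newPinnedClient(family string) *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				return d.DialContext(ctx, pinNetwork(network, family), addr)
			},
		},
	}
}

// rejectedByFamily reports whether Go refuses the pinned dial before sending any packet.
func rejectedByFamily(family, addr string) bool {
	d := &net.Dialer{Timeout: 2 * time.Second}
	conn, err := d.DialContext(context.Background(), pinNetwork("tcp", family), addr)
	if err == nil {
		conn.Close()
		return false
	}
	var addrErr *net.AddrError
	return errors.As(err, &addrErr)
}

func main() {
	// The IPv4 target from the log line above: never attempted when pinned to IPv6.
	fmt.Println(rejectedByFamily("6", "172.65.46.172:443")) // true
}
```
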

Could you explain the workaround that you use? I'm in exactly the same situation.