[GANDI] acme: error presenting token: unable to create TXT record for domain

Eagleman7 · October 2, 2019, 1:38pm

I am trying to generate a certificate for an internal server using DNS records (TXT). However it fails and I am unable to see more specifics, this is with debug logging enabled:

time="2019-10-02T13:17:21Z" level=debug msg="No default certificate, generating one"
time="2019-10-02T13:17:21Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-10-02T13:17:21Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2019-10-02T13:17:21Z" level=debug msg="Start TCP Server" entryPointName=web
time="2019-10-02T13:17:21Z" level=debug msg="Start TCP Server" entryPointName=web-secure
time="2019-10-02T13:17:21Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-10-02T13:17:21Z" level=info msg="Starting provider *acme.Provider {\"email\":\"postmaster@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"gandiv5\",\"delayBeforeCheck\":900000000000},\"ResolverName\":\"corp\",\"store\":{},\"ChallengeStore\":{}}"
time="2019-10-02T13:17:21Z" level=info msg="Testing certificate renew..." providerName=corp.acme
time="2019-10-02T13:17:21Z" level=debug msg="Configuration received from provider corp.acme: {\"http\":{},\"tls\":{}}" providerName=corp.acme
time="2019-10-02T13:17:21Z" level=debug msg="No default certificate, generating one"
time="2019-10-02T13:17:21Z" level=debug msg="Provider connection established with docker 19.03.2 (API 1.40)" providerName=docker
time="2019-10-02T13:17:21Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-9e0f99de3f78d9d8762c548d511fd992101bc28e8980cfee1d4e1076807c3b19
time="2019-10-02T13:17:21Z" level=debug msg="Filtering disabled container" container=portainer-9d93a8141f7a5a5716bddf4697f0ee53fe7769e309a2aa70e5956304c133dbb2 providerName=docker
time="2019-10-02T13:17:21Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"pi-hole\":{\"service\":\"pi-hole\",\"rule\":\"Host(`pi-hole.docker-core.corp.example.com`)\",\"tls\":{\"certResolver\":\"corp\"}}},\"services\":{\"pi-hole\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.17.0.4:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-10-02T13:17:22Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web web-secure traefik]" routerName=pi-hole@docker
time="2019-10-02T13:17:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=pipelining middlewareType=Pipelining routerName=pi-hole@docker serviceName=pi-hole
time="2019-10-02T13:17:22Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=pi-hole@docker serviceName=pi-hole
time="2019-10-02T13:17:22Z" level=debug msg="Creating server 0 http://172.17.0.4:80" serviceName=pi-hole entryPointName=web serverName=0 routerName=pi-hole@docker
time="2019-10-02T13:17:22Z" level=debug msg="Added outgoing tracing middleware pi-hole" middlewareType=TracingForwarder routerName=pi-hole@docker entryPointName=web middlewareName=tracing
time="2019-10-02T13:17:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-10-02T13:17:22Z" level=debug msg="Creating middleware" entryPointName=web-secure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-10-02T13:17:22Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-10-02T13:17:22Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web web-secure traefik]" routerName=pi-hole@docker
time="2019-10-02T13:17:22Z" level=debug msg="No default certificate, generating one"
time="2019-10-02T13:17:22Z" level=debug msg="Try to challenge certificate for domain [pi-hole.docker-core.corp.example.com] founded in HostSNI rule" providerName=corp.acme routerName=pi-hole rule="Host(`pi-hole.docker-core.corp.example.com`)"
time="2019-10-02T13:17:22Z" level=debug msg="Looking for provided certificate(s) to validate [\"pi-hole.docker-core.corp.example.com\"]..." providerName=corp.acme routerName=pi-hole rule="Host(`pi-hole.docker-core.corp.example.com`)"
time="2019-10-02T13:17:22Z" level=debug msg="Domains [\"pi-hole.docker-core.corp.example.com\"] need ACME certificates generation for domains \"pi-hole.docker-core.corp.example.com\"." providerName=corp.acme routerName=pi-hole rule="Host(`pi-hole.docker-core.corp.example.com`)"
time="2019-10-02T13:17:22Z" level=debug msg="Loading ACME certificates [pi-hole.docker-core.corp.example.com]..." providerName=corp.acme routerName=pi-hole rule="Host(`pi-hole.docker-core.corp.example.com`)"
time="2019-10-02T13:17:22Z" level=debug msg="Building ACME client..." providerName=corp.acme
time="2019-10-02T13:17:22Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=corp.acme
time="2019-10-02T13:17:23Z" level=debug msg="Using DNS Challenge provider: gandiv5" providerName=corp.acme
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Obtaining bundled SAN certificate"
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12019173"
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Could not find solver for: tls-alpn-01"
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Could not find solver for: http-01"
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: use dns-01 solver"
time="2019-10-02T13:17:23Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Preparing to solve DNS-01"
time="2019-10-02T13:17:24Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Cleaning DNS-01 challenge"
time="2019-10-02T13:17:25Z" level=error msg="Unable to obtain ACME certificate for domains \"pi-hole.docker-core.corp.example.com\": unable to generate a certificate for the domains [pi-hole.docker-core.corp.example.com]: acme: Error -> One or more domains had a problem:\n[pi-hole.docker-core.corp.example.com] [pi-hole.docker-core.corp.example.com] acme: error presenting token: unable to create TXT record for domain corp.example.com and name _acme-challenge.pi-hole.docker-core: 404 [Not Found] request failed: The resource could not be found.\n" rule="Host(`pi-hole.docker-core.corp.example.com`)" providerName=corp.acme routerName=pi-hole

What can I do to figure out why it failed?

Eagleman7 · October 2, 2019, 1:40pm

This is my traefik v2 config:

# traefik.yml

# Docker configuration backend
providers:
  docker:
    exposedByDefault: false

api:
  insecure: true

log:
  level: DEBUG

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

certificatesResolvers:
  corp:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: postmaster@example.com
      storage: acme.json
      dnsChallenge:
        provider: gandiv5
        delayBeforeCheck: 900

And these are the labels used on my container:

    -l "traefik.enable=true" \
    -l 'traefik.http.routers.pi-hole.rule=Host(`pi-hole.docker-core.corp.example.com`)' \
    -l "traefik.http.services.pi-hole.loadbalancer.server.port=80" \
    -l "traefik.http.routers.pi-hole.tls.certresolver=corp" \

zespri · October 2, 2019, 6:51pm

Top two most likely reasons:

Your are using wrong credentials
Gandi is having (temporary) issues on their side

Eagleman7 · October 2, 2019, 7:14pm

I tried using wrong credentials by adding a character to my api key, it then said I was using wrong credentials.

The config looks fine?

zespri · October 2, 2019, 7:37pm

Right. Next guess: you are trying to create TXT record for a domain you do not manage via Gandi.

Eagleman7 · October 2, 2019, 7:42pm

It seems I had to add the following for it to work:

        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

time="2019-10-02T19:24:31Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"
time="2019-10-02T19:24:31Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 20m0s, interval: 20s]"
time="2019-10-02T19:24:31Z" level=debug msg="Delaying 900000000000 rather than validating DNS propagation now."
time="2019-10-02T19:39:36Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] The server validated our request"
time="2019-10-02T19:39:36Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Cleaning DNS-01 challenge"
time="2019-10-02T19:39:36Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] acme: Validations succeeded; requesting certificates"
time="2019-10-02T19:39:38Z" level=debug msg="legolog: [INFO] [pi-hole.docker-core.corp.example.com] Server responded with a certificate."
time="2019-10-02T19:39:38Z" level=debug msg="Certificates obtained for domains [pi-hole.docker-core.corp.example.com]" rule="Host(`pi-hole.docker-core.corp.example.com`)" providerName=corp.acme routerName=pi-hole
time="2019-10-02T19:39:38Z" level=debug msg="Configuration received from provider corp.acme: {\"http\":{},\"tls\":{}}" providerName=corp.acme
time="2019-10-02T19:39:38Z" level=debug msg="Adding certificate for domain(s) pi-hole.docker-core.corp.example.com"

zespri · October 2, 2019, 8:01pm

Oh cool, I hit similar one before.

In my corp network we have our own dns servers. When a domain is available both externally and internally the records on external and internal dns servers are different (for obvious reasons). In this case unless I specify to docker (not traefik itself, but traefik delegates it to docker) to use 8.8.8.8 for dns, it tries to check internal dns and that's not working very well for using dns challenge with acme.

From docker-compose:

  ...
  traefik:
    image: "traefik:v2.0.0"
    container_name: "traefik"
    dns: 8.8.8.8
   ...

Eagleman7 · October 2, 2019, 8:02pm

Makes sense! Thanks for the help.

Topic		Replies	Views
Problems generating certs "cloudflare: failed to create TXT record: Record already exists. (81057)" Traefik v2 letsencrypt-acme	3	2099	May 25, 2023
SSL cert not served through ACME-DNS Traefik v2 letsencrypt-acme	1	664	March 24, 2022
DNS provider time out when trying to read TXT record (with and without delay) Traefik v1 letsencrypt-acme	8	3232	April 24, 2023
Unable to obtain ACME certificate for domains error unable to generate a certificate for the domains Traefik v3 (latest) docker , letsencrypt-acme	4	84	May 6, 2024
DNS-01 challenge not working (No TXT record found) Traefik v2 letsencrypt-acme	1	392	January 22, 2023

[GANDI] acme: error presenting token: unable to create TXT record for domain

Related Topics