(How) Is Let's Encrypt staging server for Traefik 2.3 supposed to work?

I'm banging my head on this one.

I've changed my Traefik-container configuration to state:

and no matter what I do, when I look at the request response, I get this for every single request sent, e.g. https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/... from Traefik when it comes to Let's Encrypt;

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

When I'm using the production environment for Let's Encrypt, e.g. https://acme-v02.api.letsencrypt.org/acme/authz-v3/... I get a lot more reasonable responses;

{
  "identifier": {
    "type": "dns",
    "value": "..."
  },
  "status": "invalid",
  "expires": "2021-01-01T15:14:49Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Error getting validation data",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/95734053/7Fd-tw",
      "token": "vChh-BKWSH5SZXiAFmwu7u39GATwGo1X2OIiz8vTs",
      "validationRecord": [
        {
          "hostname": "...",
          "port": "443",
          "addressesResolved": [
            "..."
          ],
          "addressUsed": "..."
        }
      ]
    }
  ]
}

I'm currently rate limited on the production server for Let's Encrypt, so I have to wait a week to get another shot at this, and I thought that I could at least do some trial and error with the staging servers until then, but that doesn't seem to be working at all.

Anyone else having these issues and/or know what can be done to deal with a similar situation?

Hello,

The Let's Encrypt staging works, I'm not able to reproduce your problem.

For more help, I recommend providing the full debug log, configuration, and a minimalistic repeatable example.

I'm seeing the same error in traefik 2.3.6. I've tried both Digital Ocean and Cloudflare, but still getting 405s from LetsEncrypt (staging and prod). LE recently switched over to using POST instead of GET, is traefik's acme client out of date?

The debug log:

time="2021-01-07T22:27:54Z" level=error msg="Unable to obtain ACME certificate for domains "REDACTED": unable to generate a certificate for the domains [REDACTED]: error: one or more domains had a problem:\n[REDACTED] time limit exceeded: last error: NS ns2.digitalocean.com. returned REFUSED for _acme-challenge..\n" routerName=default-guacamole-ingress-7836a6719db43703c666@kubernetescrd rule="Host(REDACTED)" providerName=letsencrypt.acme

Error from LE:

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

Traefik is running with the following args/env:

- args:
  - --global.checknewversion
  - --global.sendanonymoususage
  - --entryPoints.traefik.address=:9000/tcp
  - --entryPoints.web.address=:8000/tcp
  - --entryPoints.websecure.address=:8443/tcp
  - --api.dashboard=true
  - --ping=true
  - --providers.kubernetescrd
  - --providers.kubernetesingress
  - --certificatesresolvers.letsencrypt.acme.email=REDACTED
  - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
  - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  - --certificatesResolvers.letsencrypt.acme.dnschallenge=true
  - --certificatesResolvers.letsencrypt.acme.dnschallenge.provider=digitalocean
  - --api.insecure=true
  - --accesslog=true
  - --log.level=DEBUG
  env:
  - name: DO_AUTH_TOKEN
    valueFrom:
      secretKeyRef:
        key: dns-token
        name: digitalocean

Testing with the following ingress:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test-ingress
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(REDACTED)
    kind: Rule
    services:
    - name: test
      port: 8080
  tls:
    certResolver: letsencrypt
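
A triage sketch for the two kinds of evidence posted in this thread, the Traefik logfmt error line and the ACME problem documents; it is an added example, not code from the thread or from Traefik. The sample inputs are constructed with placeholder names, the class labels are this example's own, and the 405 mapping follows RFC 8555 section 6.3, which requires a 405 `malformed` response to a plain GET on resources that must be fetched with POST-as-GET.

```python
import re

# Constructed samples modelled on the thread's log line and responses (placeholder names).
SAMPLE_LOG = (
    'time="2021-01-07T22:27:54Z" level=error msg="Unable to obtain ACME certificate '
    'for domains \\"app.example.test\\": error: one or more domains had a problem:'
    '\\n[app.example.test] time limit exceeded: last error: NS ns2.example.test. '
    'returned REFUSED for _acme-challenge.app.example.test.\\n" '
    'routerName=demo@kubernetescrd providerName=letsencrypt.acme'
)
SAMPLE_405 = {"type": "urn:ietf:params:acme:error:malformed",
              "detail": "Method not allowed", "status": 405}
SAMPLE_AUTHZ = {"status": "invalid", "challenges": [
    {"type": "tls-alpn-01", "status": "invalid",
     "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400}}]}

_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_ESC = {"n": "\n", "t": "\t"}

def parse_logfmt(line):
    """Split a logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), raw[1:-1])
        fields[key] = raw
    return fields

def domain_errors(msg):
    """Return {domain: reason} from the per-domain '[domain] reason' lines of msg."""
    return dict(re.findall(r"^\[([^\]]+)\] (.+)$", msg, flags=re.M))

def classify(problem):
    """Map an ACME problem document to a triage class (labels are this example's own)."""
    kind = problem.get("type", "").rsplit(":", 1)[-1]
    if kind == "malformed" and problem.get("status") == 405:
        return "request-method"  # plain GET where POST-as-GET is required
    if kind in ("connection", "dns", "tls", "unauthorized", "caa", "incorrectResponse"):
        return "validation"      # the CA could not validate the challenge
    if kind == "rateLimited":
        return "rate-limit"
    return "other"

def challenge_problems(authz):
    """Return (challenge type, triage class) for each failed challenge in an authorization."""
    return [(c["type"], classify(c["error"]))
            for c in authz.get("challenges", []) if "error" in c]
```
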