Umek
December 13, 2022, 4:26pm
1
Hi,
Somehow my once-working setup for my SSL certificates via Let's Encrypt with INWX broke down.
I get the following error:
Error renewing certificate from LE: [...] acme: error presenting token: inwx: (2303) Object does not exist\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory " providerName=production.acme
I'm running 2.9.6 in Docker. It worked fine and seems to have been broken for a little while; I only encountered the issue now because my certificates are no longer valid.
Google wasn't my friend on this one, any ideas/pointers?
The last person complaining today about non-working certs found out that their domains had expired.
Share your config (static, dynamic, docker-compose.yml).
Umek
December 13, 2022, 4:51pm
3
Just checked, my domain is valid until 22.09.2023, so this is not an issue.
dynamic_conf.yml:
```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
http:
  middlewares:
    secHeaders:
      headers:
        stsPreload: true
        stsSeconds: 31536000
        forceSTSHeader: true
        referrerPolicy: "same-origin"
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
        accessControlMaxAge: 100
        customFrameOptionsValue: "SAMEORIGIN"
        customRequestHeaders:
          X-Forwarded-Proto: ["https", "wss"]
    admin-auth:
      basicAuth:
        users:
          - "me:mypw"
```
traefik.yml:
```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certResolver: production
      middlewares:
        - secHeaders@file
log:
  level: WARNING
api:
  dashboard: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  staging:
    acme:
      email: me@mail.com
      storage: acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # httpChallenge:
      #   entryPoint: web
      dnsChallenge:
        provider: inwx
  production:
    acme:
      email: me@mail.com
      storage: acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      # httpChallenge:
      #   entryPoint: web
      dnsChallenge:
        provider: inwx
```
docker-compose.yml:
```yaml
version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - INWX_USERNAME=${INWX_USERNAME}
      - INWX_PASSWORD=${INWX_PASSWORD}
      - INWX_PROPAGATION_TIMEOUT=1200 # INWX loves to time out...
      - TIMEZONE=Europe/Berlin
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
    labels:
      - "providers.file.filename=/dynamic_conf.yml"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.my.domain`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=admin-auth@file"
networks:
  traefik_proxy:
    external: true
```
And I want to state again: this setup worked for almost a year; somehow in the last 90 days (cert lifetime) something broke (no config changes were made).
Maybe an easy workaround: switch to tlsChallenge. That is independent of the DNS provider and saves a lot of hassle. The only case where you need the dnsChallenge is when you want wildcard certificates. But if every service has one or multiple hosts in its rule, then you don't need it.
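As an added illustration of that workaround (not config from the thread), here is the production resolver from the traefik.yml above with the INWX dnsChallenge replaced by tlsChallenge; the email and caServer values are the ones the post used, everything else in the file stays the same.

```yaml
certificatesResolvers:
  production:
    acme:
      email: me@mail.com
      storage: acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      # TLS-ALPN-01: Let's Encrypt validates by connecting to port 443 of the
      # entrypoint that has the certResolver set (websecure here), so port 443
      # must be reachable from the internet. No INWX credentials are involved,
      # which is why the "(2303) Object does not exist" path is never taken.
      tlsChallenge: {}
```

With this resolver the INWX_USERNAME, INWX_PASSWORD and INWX_PROPAGATION_TIMEOUT entries in docker-compose.yml are no longer needed; a router whose Host rule contains a wildcard would fail to get a certificate, as the reply above notes.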