Hi all,
I've been using traefik with Let's Encrypt for a few years now. I followed a fairly standard setup.
I have a few subdomains managed by it. All is well.
Until I decided to add a new web service that I wish to reach from outside through traefik.
No idea why, but the acme.json file doesn't get a new cert for this new domain. I checked everywhere in traefik to see if I could find something, a message.
I checked traefik.log as well, but I am not super familiar with some of the information in it.
What I did read was this:
It reads a configuration, it adds certificates for the other subdomains, then says
msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
which I assume is for that new subdomain, then creates middlewares for all subdomains.
Then there is this passage, which seems important:
"SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareName=middlewares-secure-headers@file middlewareType=Headers entryPointName=websecure routerName=newsubdomain@docker
Don't really know what to do with that.
Then loads of stuff that I am lost in.
Then adding routes to all subdomains.
msg="Looking for provided certificate(s) to validate [\"newsubdomain.mydomain.com\"]..." providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=newsubdomain@docker rule="Host(`newsubdomain.mydomain.com`)"
msg="Domains [\"newsubdomain.mydomain.org\"] need ACME certificates generation for domains \"newsubdomain.mydomain.com\"." ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=newsubdomain@docker rule="Host(`newsubdomain.mydomain.com`)" providerName=letsEncrypt.acme
I tried again the next day and this is what I got:
time="2023-01-08T10:21:30Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] acme: Obtaining bundled SAN certificate"
time="2023-01-08T10:21:30Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"A5FETQ54jlKCoydxM9DtkwxPyuIJMpf-iJFev1Ie7igmkKg\""
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193505530477"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] acme: Could not find solver for: tls-alpn-01"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] acme: use http-01 solver"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] acme: Trying to solve HTTP-01"
time="2023-01-08T10:21:42Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193505530477"
time="2023-01-08T10:21:43Z" level=error msg="Unable to obtain ACME certificate for domains \"newsudomain.mydomain.com\": unable to generate a certificate for the domains [newsudomain.mydomain.com]: error: one or more domains had a problem:\n[newsudomain.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 91.86.42.119: Fetching http://newsudomain.mydomain.com/.well-known/acme-challenge/0OCOc5O36M6uSw8n8NV4BMWAuaOm2AtLGH95lNNmDEQ: Timeout during connect (likely firewall problem)\n" rule="Host(`newsudomain.mydomain.com`)" routerName=newsudomain@docker providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
I have no idea what to do with all this information and how to resolve the situation.
Here is my traefik.yml:
global:
  checkNewVersion: false
  sendAnonymousUsage: false
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsEncrypt
        domains:
          - main: "wbdev.org"
            sans:
              - "*.wbdev.org"
certificatesResolvers:
  letsEncrypt:
    acme:
      #caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: myemail@myemail.com
      storage: /acme.json
      #keyType: EC384
      httpChallenge:
        entryPoint: web
providers:
  docker:
    endpoint: tcp://socket-proxy:2375
    exposedByDefault: false
  file:
    directory: /rules
    watch: true
  #file:
  #  directory: /etc/traefik/dynamic/
api:
  #insecure: true
  dashboard: true
log:
  filePath: /etc/traefik/traefik.log
  format: common #json
  level: DEBUG
accessLog:
  filePath: /etc/traefik/access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "300-302"
    retryAttempts: true
    minDuration: "10ms"
Thanks for any help and pointers.
Cheers.
WB
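As an added example (not from the post above and not Traefik's own code), a small Python parser that reads traefik.log lines in the "common" format quoted in the post, pulls out the ACME error type (the urn:ietf:params:acme:error:* token), the affected domain and the challenge URL the CA tried, and labels each error as transient (badNonce, retried automatically) or blocking (connection, i.e. the validator could not reach port 80). The sample lines are constructed from the post's excerpt with the nonce, challenge token and validator IP replaced by placeholders.

```python
import re

# Constructed sample, modelled on the traefik.log lines quoted in the post
# (nonce, challenge token and validator IP replaced with placeholders).
SAMPLE_LOG = r'''time="2023-01-08T10:21:30Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"NONCE-PLACEHOLDER\""
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.mydomain.com] acme: use http-01 solver"
time="2023-01-08T10:21:43Z" level=error msg="Unable to obtain ACME certificate for domains \"newsudomain.mydomain.com\": error: one or more domains had a problem:\n[newsudomain.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 203.0.113.10: Fetching http://newsudomain.mydomain.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER: Timeout during connect (likely firewall problem)\n" rule="Host(`newsudomain.mydomain.com`)" routerName=newsudomain@docker providerName=letsEncrypt.acme'''

# key=value fields; quoted values may contain escaped quotes (Go %q style).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ACME_ERR_RE = re.compile(r'urn:ietf:params:acme:error:(\w+)')
HOST_RULE_RE = re.compile(r'Host\(`([^`]+)`\)')
BRACKET_DOMAIN_RE = re.compile(r'\[([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\]')
CHALLENGE_URL_RE = re.compile(r'https?://[^\s:]+/\.well-known/acme-challenge/[^\s:]+')

# RFC 8555 error types: (transient?, what a defender should check).
HINTS = {
    "badNonce": (True, "stale anti-replay nonce, the client retries on its own"),
    "connection": (False, "CA could not connect to the HTTP-01 URL: port 80 of this host "
                          "must be reachable from the internet and routed to the 'web' "
                          "entrypoint (check firewall, NAT and the public DNS A record)"),
}

def _unquote(v: str) -> str:
    """Strip the surrounding quotes and undo the backslash escapes used by traefik's logger."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        esc = {"n": "\n", "t": "\t"}
        return re.sub(r'\\(.)', lambda m: esc.get(m.group(1), m.group(1)), v[1:-1])
    return v

def parse_line(line: str) -> dict:
    """Split one traefik 'common' format log line into its key=value fields."""
    return {k: _unquote(v) for k, v in FIELD_RE.findall(line)}

def acme_findings(log_text: str) -> list:
    """One finding dict per log line that carries an ACME error URN."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        msg = f.get("msg", "")
        err = ACME_ERR_RE.search(msg)
        if not err:
            continue
        dom = HOST_RULE_RE.search(f.get("rule", "")) or BRACKET_DOMAIN_RE.search(msg)
        url = CHALLENGE_URL_RE.search(msg)
        transient, hint = HINTS.get(err.group(1), (False, "see RFC 8555 section 6.7"))
        out.append({"time": f.get("time", ""), "domain": dom.group(1) if dom else "unknown",
                    "error": err.group(1), "transient": transient, "hint": hint,
                    "challenge_url": url.group(0) if url else None})
    return out
```

Run `acme_findings(open("/etc/traefik/traefik.log").read())` against a real log to get only the ACME failures with the URL the CA tried, which is the address to test for reachability from outside the network.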