Let's Encrypt certificate on gandiv5 with Personal Access Token (PAT)

ramor · February 6, 2024, 9:56pm

Hi
I'm on Traefik version 2.10.7 on windows, trying to get let's encrypt working with gandi live DNS (gandi v5 REST API, last version)
I've been struggling with this for almost a week, and I think I found the issue

Following Lego instructions (Gandi Live DNS (v5) :: Let’s Encrypt client and ACME library written in Go.) and gandi's, the usage of API Key is now deprecated and should be replaced with PAT

Environment Variable Name Description
GANDIV5_API_KEY API key (Deprecated)
GANDIV5_PERSONAL_ACCESS_TOKEN Personal Access Token

When I try to use the PAT environment variable I got the error
"some credentials information are missing: GANDIV5_API_KEY"

When I use a PAT key with this variable, I got this error
"unable to generate a certificate for the domains [app.example.com]: error: one or more domains had a problem
acme: error presenting token: unable to get TXT records for domain example.com and name _acme-challenge.xray: 403: request failed: Access was denied to this resource"

So I think that acme client implementation in Traefik is not taking profit of the new PAT usage
(I could get a certificate with a certbot client and the PAT key, so PAT access is good)

Thanks for your help

ramor · February 6, 2024, 10:00pm

Sorry, forgot to mention that this is for dnsChallenge (intrenal only application)

This is my trafic.yml

EntryPoints configuration

entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
websecure:
address: ":443"

traefik:
address: ":8080"

TLS cert providers

certificatesResolvers:
c-letsencrypt:
acme:
certificatesDuration: 24 # in hours
dnsChallenge:
provider: gandiv5
delayBeforeCheck: 10
resolvers:
- "ns-237-a.gandi.net"
- "ns-170-b.gandi.net"

providers (router configuration in dynamic file)

providers:
file:
directory: "D:/Tools/Traefik"
watch: true

whatever I can get in the dynamic file doesn't change anything
only thing that works is API key with deprecated environment variable

bluepuma77 · February 6, 2024, 10:03pm

It seems the LetsEncrypt library Traefik uses has not been updated yet (doc).

You would need to wait for the library to be updated and then Traefik to be updated.

For now you can use your created TLS certs via custom TLS in Traefik dynamic config file (doc).

ramor · February 7, 2024, 12:29am

Yes, this what I was thinking
Thanks

bluepuma77 · February 7, 2024, 8:00am

It seems it has been fixed in Lego 2.15, which still needs to be released (link, link).

Current Traefik is using 2.14, according to release notes (link).

Topic		Replies	Views
[GANDI] acme: error presenting token: unable to create TXT record for domain Traefik v2 (latest) letsencrypt-acme	7	3280	October 2, 2019
Unable to obtain ACME certificate for domains - credentials are missing Traefik v2 (latest) docker , letsencrypt-acme	6	156	March 24, 2024
Let's Encrypt HTTP Challenge is failing for reasons I don't understand Traefik v2 (latest) letsencrypt-acme	1	478	September 4, 2019
K3s traefik and let's encrypt: Cannot get certificates up and running Traefik v2 (latest) letsencrypt-acme	0	748	May 23, 2020
LetsEncrypt ACME error connection refused Traefik v2 (latest) letsencrypt-acme	9	10465	July 14, 2021

Let's Encrypt certificate on gandiv5 with Personal Access Token (PAT)

EntryPoints configuration

TLS cert providers

providers (router configuration in dynamic file)

Related Topics