Let's Encrypt certificates not renewing

Hi
I'm running traefik v3.1.6 on my unraid server and just got an email from letsencrypt saying the certificate for my domain is expiring in 19 days. When I checked the traefik logs, I saw that the ACME certificate renewal had failed with the following error:

```
Error renewing certificate from LE: {domain.com [.domain.com]} error="error: one or more domains had a problem:\n[.domain.com] propagation: time limit exceeded: last error: NS miki.ns.cloudflare.com. returned REFUSED for _acme-challenge.domain.com.\n[domain.com] propagation: time limit exceeded: last error: NS miki.ns.cloudflare.com. returned REFUSED for _acme-challenge.domain.com.\n" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
```

My YAML file: (Pastebin link)
DEBUG log: (Pastebin link)

Can someone help me work out why the certificate isn't renewing?

Share your full Traefik static and dynamic config, and docker-compose.yml if used. Or the CLI command.

Please not in Pastebin. Just use 3 backticks before and after code/config here.

No problems
Static:

```yaml
serversTransport:
  insecureSkipVerify: true

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 172.18.0.0/16
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: domain.com
            sans:
              - '*.domain.com'
      middlewares:
        #- securityHeaders@file
        - my-crowdsec-bouncer-traefik-plugin@file
        - my-cloudflarewarp@file
        - my-plugin-log4shell@file
        #- my-traefik-themepark@file
        - my-geoblock@file
providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: custom    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.domain.com`)"    # Replace with your domain
    #swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    endpoint: "tcp://dockersocket:2375" # Uncomment if you are using docker socket proxy

# Enable traefik ui
api:
  dashboard: true
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: DEBUG

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: email@email.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the right dns servers
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50
experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.3.4"
    traefik-themepark:
      moduleName: "github.com/packruler/traefik-themepark"
      version: "v1.3.0"
    plugin-log4shell:
      moduleName: "github.com/traefik/plugin-log4shell"
      version: "v0.1.2"
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.2.8"
    cloudflarewarp:
      moduleName: "github.com/BetterCorp/cloudflarewarp"
      version: "v1.3.3"
    rewrite-headers:
      moduleName: "github.com/XciD/traefik-plugin-rewrite-headers"
      version: "v0.0.4"
```

Dynamic:

```yaml
http:
  ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
  routers:
    # Homeassistant routing - Remove if not used
    homeassistant:
      entryPoints:
        - https
      rule: 'Host(`homeassistant.domain.com`)'
      service: homeassistant
      tls:
        certResolver: letsencrypt
        domains:
          - main: "homeassistant.domain.com"
      #middlewares:
        #- "auth"
  ## SERVICES ##
  services:
    # Homeassistant service - Remove if not used
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.1.2:8123/
        passHostHeader: true
  ## MIDDLEWARES ##
  middlewares:
    my-geoblock:
      plugin:
        geoblock:
          allowLocalRequests: "true"
          allowUnknownCountries: "false"
          api: https://get.geojs.io/v1/ip/country/{ip}
          apiTimeoutMs: "750"
          cacheSize: "15"
          countries:
            - AU
            - GB
            - US
          forceMonthlyUpdate: "true"
          logAllowedRequests: "false"
          logApiRequests: "true"
          logLocalRequests: "false"
          silentStartUp: "true"
          unknownCountryApiResponse: nil
          allowedIPAddresses:
            - 192.168.1.0/24
          httpStatusCodeDeniedRequest: 404
    my-plugin-log4shell:
      plugin:
        plugin-log4shell:
          errorCode: "200"
    my-crowdsec-bouncer-traefik-plugin:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          CrowdsecLapiKey: *****************************
          Enabled: true
          CrowdsecAppsecEnabled: true
          CrowdsecAppsecHost: "crowdsec:7422"
          CrowdsecMode: stream
          banHTMLFilePath: /etc/traefik/ban.html
          HTTPTimeoutSeconds: 20
    my-traefik-themepark:
      plugin:
        traefik-themepark:
          app: sonarr
          theme: hotpink
    my-cloudflarewarp:
      plugin:
        cloudflarewarp:
          disableDefault: "false"
          trustip:
            - 2400:cb00::/32
            - 192.168.1.0/24
    my-rewrite-headers:
      plugin:
        rewrite-headers:
          rewrites:
            - header: "Location"
              regex: "http://SERVERIP:9000/application/o/authorize/"
              replacement: "https://auth.domain.com/application/o/authorize/"
            - header: "Location"
              regex: "http://SERVER-IP:9000/application/o/nextcloud/end-session/"
              replacement: "https://auth.domain.com/application/o/nextcloud/end-session/"
            - header: "location"
              regex: "http://SERVER-IP:9000/application/o/authorize/"
              replacement: "https://auth.domain.com/application/o/authorize/"
            - header: "location"
              regex: "http://SERVER-IP:9000/application/o/nextcloud/end-session/"
              replacement: "https://auth.domain.com/application/o/nextcloud/end-session/"
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - 127.0.0.1/32 # localhost
          - 192.168.1.1/24 # LAN Subnet
    auth:
      forwardauth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    # Authelia guard
    #auth:
      #forwardauth:
        #address: http://authelia:9091/api/authz/forward-auth # replace auth with your authelia container name
        #trustForwardHeader: true
        #authResponseHeaders:
          #- Remote-User
          #- Remote-Groups
          #- Remote-Name
          #- Remote-Email

    # Authelia basic auth guard
    #auth-basic:
      #forwardauth:
        #address: http://authelia:9091/api/authz/forward-auth # replace auth with your authelia container name
        #trustForwardHeader: true
        #authResponseHeaders:
          #- Remote-User
          #- Remote-Groups
          #- Remote-Name
          #- Remote-Email

    # Security headers
    securityHeaders:
      headers:
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:
          Permissions-Policy: "geolocation=(self), microphone=(), camera=(), fullscreen=*"
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        #contentSecurityPolicy: frame-ancestors *domain.com; form-action *domain.com; upgrade-insecure-requests;
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
    ### Let's give them a new name so it won't conflict with others
    nextcloud-middlewares-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        accessControlMaxAge: 100
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        ### We will modify this value for Nextcloud to remove the X-Frame-Options error:
        customFrameOptionsValue: "SAMEORIGIN" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        #sslForceHost: true # add sslHost to all of the services
        #sslHost: "example.com"
        referrerPolicy: "same-origin"
        customResponseHeaders:
          ### Change this to none to remove the Robots error:
          X-Robots-Tag: "noindex,nofollow"

    ### This section redirects requests for Nextcloud calendar and contacts service discovery
    ### source: https://docs.nextcloud.com/server/21/admin_manual/issues/general_troubleshooting.html#service-discovery
    nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

    chain-nextcloud:
      chain:
        middlewares:
          - nextcloud-middlewares-secure-headers
          - nextcloud-redirect
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
```

I don't use docker-compose or CLI, but rather an unraid template

Maybe try to remove Google's 8.8.8.8 and only use Cloudflare's 1.1.1.1

Tried this and got the same error. Setting 'disablePropagationCheck=true' and 'delayBeforeCheck=60' fixes the problem. Does doing so cause any issues? TIA
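The error text in the first post ("NS miki.ns.cloudflare.com. returned REFUSED for _acme-challenge.domain.com.") comes from the DNS-01 propagation pre-check that Traefik's ACME library (lego) runs before it asks Let's Encrypt to validate: it looks up the zone's authoritative nameservers (the configured `resolvers` are the recursive servers used for that lookup), queries each of them directly for the `_acme-challenge` TXT record, and keeps retrying until the record is visible with the expected value or the time limit is exceeded. REFUSED is DNS RCODE 5, meaning the authoritative server declined to answer the query at all, which the check treats like any other non-NOERROR reply. The script below is an added example, not Traefik or lego code, that models that decision offline with the standard library: it builds a real TXT query, parses a DNS response, and applies the same rule. Function names (`build_txt_query`, `parse_txt_response`, `propagation_check`, `make_response`, `query_nameserver`), the replies produced by `make_response` and the challenge token are constructed for the demo; `domain.com` is the placeholder from the thread. `query_nameserver` sends a live UDP query to one nameserver IP and is provided for diagnosis, not used by the offline run.

```python
"""Offline model of lego's DNS-01 propagation pre-check (added example, not
Traefik/lego code). Only NOERROR plus the expected TXT value counts as
propagated; REFUSED and every other RCODE mean "not yet" and would be retried
until the propagation time limit runs out. All responses are constructed."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_TXT = 16


def build_txt_query(name, txn_id=0x1234):
    """Wire-format query: header (RD=1), QNAME, QTYPE=TXT, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            return (".".join(labels) + "." + tail if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def parse_txt_response(msg):
    """Return (rcode name, list of TXT strings found in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                # RDATA is a run of <len><bytes> strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
    return rcode, txts


def propagation_check(response, expected):
    """The pre-check decision for one authoritative NS: (propagated?, reason)."""
    rcode, txts = parse_txt_response(response)
    if rcode != "NOERROR":
        return False, f"NS returned {rcode}"   # the wording seen in the Traefik log
    if expected in txts:
        return True, "record visible with expected value"
    return False, "record present but expected value not visible yet"


def make_response(query, rcode, txts=()):
    """Constructed authoritative-server reply for the offline demo."""
    txn_id = struct.unpack("!H", query[:2])[0]
    answers = b""
    if rcode == 0:
        for t in txts:
            rdata = bytes([len(t)]) + t.encode()
            answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    ancount = len(txts) if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, ancount, 0, 0)
    return header + query[12:] + answers


def query_nameserver(ns_ip, name, timeout=3.0):
    """Live UDP query against one nameserver IP (for diagnosis; not run offline)."""
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ns_ip, 53))
        resp = s.recv(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":
    q = build_txt_query("_acme-challenge.domain.com")
    token = "constructed-challenge-token"
    for label, resp in [("REFUSED", make_response(q, 5)),
                        ("NXDOMAIN", make_response(q, 3)),
                        ("stale value", make_response(q, 0, ["old-token"])),
                        ("propagated", make_response(q, 0, [token]))]:
        print(f"{label:>11}: {propagation_check(resp, token)}")
```

With `disablePropagationCheck=true` and `delayBeforeCheck=60`, Traefik stops waiting for this check to pass and instead sleeps 60 s before handing the order to the CA; Let's Encrypt's own validation is unchanged and remains the real gate, so the cost of skipping the pre-check is a failed validation attempt (which counts against Let's Encrypt's failed-validation rate limit) whenever the record is still not visible after the delay. Running `query_nameserver` against each of the zone's nameservers and passing the reply to `propagation_check` shows which server is refusing and whether the TXT record is actually being published.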