Let's Encrypt failed with 'Unable to obtain ACME certificate for domains ... acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url'

Hello Forum,

I have a problem with the Let's Encrypt configuration and can't find the error.

I read the help for the TLS and HTTP configuration and either I'm too stupid to understand it or it's the technique that doesn't work, I don't know.
(By the way, the DNS configuration is not an alternative; as I see it, there are only paid providers here.)

Regarding the technology, which has nothing directly to do with Traefik itself:

  • I found a DynDNS provider that makes my device, which has an IPv6 address, reachable.
  • I'm using a FritzBox and have opened ports 80 and 443 for my device. This means that Let's Encrypt and Traefik should be able to communicate with each other on the standard HTTP and HTTPS ports. (And they certainly can, since my application is accessible via HTTP/HTTPS. Only Let's Encrypt fails.)
  • The following docker-compose.yml is complete as it is. The setup was deliberately reduced for this forum post, but the error that occurs is the same as in my real setup. In plain terms, I'm actually trying to expose a GOGS and a NextCloud to the outside. The two WHOAMI containers are enough to illustrate my problem.
  • In addition, I anonymized the whole example, of course. I hope that no logical errors have crept in.

I will begin with the error message:

$ docker-compose logs

Attaching to whoami1, reverse-proxy, whoami2
whoami1             | Starting up on port 80
whoami2           | Starting up on port 80
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Configuration loaded from flags."
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"swarmModeRefreshSeconds\":15000000000}"
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Starting provider *acme.Provider {\"email\":\"test@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"tlsChallenge\":{},\"ResolverName\":\"mytlsresolver\",\"store\":{},\"ChallengeStore\":{}}"
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Testing certificate renew..." providerName=mytlsresolver.acme
reverse-proxy    | time="2020-06-05T21:10:22Z" level=info msg="Starting provider *traefik.Provider {}"
reverse-proxy    | time="2020-06-05T21:10:23Z" level=info msg="Skipping same configuration" providerName=docker
reverse-proxy    | time="2020-06-05T21:11:03Z" level=info msg=Register... providerName=mytlsresolver.acme
reverse-proxy    | time="2020-06-05T21:11:09Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami1.example.com\": unable to generate a certificate for the domains [whoami1.example.com]: error: one or more domains had a problem:\n[whoami1.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url: \n" providerName=mytlsresolver.acme routerName=whoami1@docker rule="Host(`whoami1.example.com`)"
reverse-proxy    | time="2020-06-05T21:11:14Z" level=error msg="Unable to obtain ACME certificate for domains \"whoami2.example.com\": unable to generate a certificate for the domains [whoami2.example.com]: error: one or more domains had a problem:\n[whoami2.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url: \n" providerName=mytlsresolver.acme routerName=whoami2@docker rule="Host(`whoami2.example.com`)"
$ cat docker-compose.yml
version: '3.8'

services:
  reverse-proxy:
    container_name: "reverse-proxy"
    image: traefik:v2.2
    restart: unless-stopped
    labels:
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    command:
      - "--log.level=INFO"
      - "--api.insecure=true"
      - "--certificatesresolvers.mytlsresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlsresolver.acme.email=test@example.com"
      - "--certificatesresolvers.mytlsresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.mytlsresolver.acme.tlschallenge=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock"

  whoami1:
    container_name: "whoami1"
    image: containous/whoami
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami1.entrypoints=websecure"
      - "traefik.http.routers.whoami1.rule=Host(`whoami1.example.com`)"
      - "traefik.http.routers.whoami1.tls.certresolver=mytlsresolver"
      - "traefik.http.routers.whoami1.tls=true"
      - "traefik.http.services.whoami1.loadbalancer.server.port=80"
    ports:
      - "881:80"

  whoami2:
    container_name: "whoami2"
    image: containous/whoami
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami2.entrypoints=websecure"
      - "traefik.http.routers.whoami2.rule=Host(`whoami2.example.com`)"
      - "traefik.http.routers.whoami2.tls.certresolver=mytlsresolver"
      - "traefik.http.routers.whoami2.tls=true"
      - "traefik.http.services.whoami2.loadbalancer.server.port=80"
    ports:
      - "882:80"
$ cat acme.json
{
  "mytlsresolver": {
    "Account": {
      "Email": "test@example.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:test@example.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/14039070"
      },
      "PrivateKey": "XXXXXXXXXXXXXxXXxXXxxXXXX3XxXxXXxXXXxXxxxXXxxXXXxx1xx/xXxXxX+8xxXxxxXxXXXx4xXxxxxxXXx5xx1x1X2xxXxXxXxxxxxXxXxx9XxxxxxXXXxXx0xX0xX5XXX4XXxxXxxXxXx9xxxx/6X6xXxxXxX1xXx0xXx5xXXxxxXXX1X2xXXXX5X1xX2XXXx3XXX2XXxXXXXxXxXXxXXxxxXXxx3XxxXxxxXXXxXx81XXxx6xXXx8xxX1XXxX38XxxXxx7xxXX9XXxXxXXxxX0XxxXx7xXXXXx22XXXxXx3xX7xXxX8xX3xXXxxX1xX543/7xxxx6XXXxXxXX5xXxXXxxX3xXXXxXxXXXXXx2XXx9XXx8xxX84xxx9xxX/XxXXXXXXxx3XxxxXXx6XxxxXXXx7xX1Xx3X5xXXXxxXXxX4XXXx+x0x2x3x402XxX7xxXxxxXX88XXXXX/2Xxx6+xx582xXXX6xX7xXX95XX8XXxX9XXx9XXXx/xxxXxxxxxxxXxXx98xXx0xxXXX1+xxxXx6XXxXX1X7XXXxxx4Xx+xXXxXxxxxXxx5xX5XX36XxXxXxXXXXxXXXXXX6/xxx174xXX33xxX1XXxxXxxxxXXXX1XXxXXX1xx76xXxXX7XxxXXXxX3xx/XxXxxxxX8XX2xX+xXXxxxXxXxXxx8XXxXxx16xX8XXxXXXXXXXxXxXXXX0XX5x/X6XXxXXXxxXXXxxxX9xx2xXXxxx7xXXx9Xxxx7xxxXXXXxXX0x+Xx2XxxxXXxxxxXXXX1XXxXxxX5XxX3x78Xx9+X9xxxxX6Xx/xxx7xxXXxxxx/XXxXXXXXxXXxx4xXXxxxx30x+XxxxXXX8xXxX5XxXXxxXXXxxx/x+XX2XXx45XXxx/7XXX8x3XXX538XXxxxX0xx40XXxxxx68xxx8xxxx2xXxxXXxX+xxxxxXxxxXX5xXxx+xxxXxxx1X1xXxxxxx+XXX5XX8xxxxxXX8xXxxxXX6XxxxXx2Xx62xXxXxxx/6xXxxxxx7/x7x7XxXXxXXxXXxx1XxxXXXx7XxxxXX8XXxXXXxXX9xxXxXXXxxxXX407x8X0XXxxxX7xxxXX985XxxXx6X6XxXxXXxXXXxX4XxXXxXXXxxx6Xx7XxXXxx0x667+XxxxXxxXxxxXxX11XXXXx0xXxX48x4XX8xxXX0x+xX6xx3XxxxxXXxxxX3xX96XxxxxxxxXXXxxXxXX+4XXX9XXxX8X6xXxX5xX80Xxxx/xXXxx4xXxXx45Xx9XX1XxxXX461xx0xXXXXXXx3Xxx1+x6x1XXX23XxXx3Xx2XXxX0XxxxXxxXXXxxxx8XxXx2xxxX0X+XXxxXXxx76xxX8x2xxXxXXXx1xXXXXXXxXXXXXXX6xXXxXxxXXxxxxxxXxxXXXXX5XXxxXXxXXxxXXXX20xX2XXXxxxxXXxXXXXxxxXX4xXXxxxXXxXX6xXxXxxXxX1XxxX9XXXxxxXxxx/XxXxxxX0/X9XxXxXXXXxxxX7/xXxXXXx+xXXx6xxxxxxXXX9xXx2xxxX3x142XxX510X08XxXX4XxXxXxx+XXXXXxxxxxXXXxXXx7x9xXxX0X37XxX0X4xXXXX8X558XxxXxx3XXxxxX/xxXxXXxxX5xXXxxxxxxxXxxX04xX9Xxx0X4/xxXXXXXXX4xXxxxxX74xxX+6Xx5XX8xXxXxxxx5x/xxXx00XXXXXxXXXxXxx2XXXXXXX26Xx1XXXXX5XxX1xxXXxxxx3XxxXxxXXXxxXXx3X2XXXx2X66XXX/xXX1XXXxxXxxxxxxxxxxXX8XxX96XxX4XXxxXX0xx5xxxX3x4xxx+XxXxXxxxxx3x68xxxxX825X/XXx42xXXXX7xxxx00XXXx6X/xxxXxXX7Xx7X/31XXXXXxXxxx5xx4+XXXxXX+XX96xXX2xXxxX7xXXx0XxxxxxXx6xXx+XxxXXXXx
x03xXx4XXxX7xX7XX83Xx0xxXxXXxXXX9xxXxx88x4xxXXXX3Xxx2XX2xxX74XX5X+9xxxxXxXxXXxXXxxXx2x7XXXXxXXxxXx64xX/XXxX0x9xXXXXXXXxxX6X0xxxXXXXXX7xXXxxX7xxxxXxxX/1/+XXXxXxXx0xx1xxXXXXxx9XXxXx9xxxxxXX8x4xXXXxXxXxxXX68xXXXX8XX/x9xXx0XxXxX95xxxXxXxxxxxxXxxXx3xXxXX9X5xXXXxXxxX/x9x2Xxxx/xx/XxxXXxXXx/xxx9X1xX+xxxXxXXXXxx8xx/0x5XXx+9x95+XxxxxXXx6XX4x9xXXxx7XXX+xXxxXxxXxxxXxX8xXXxxX/X7XxxxxXxXX3x9XXXXxX5XxxxxXxX9xxXXx09X3x3XxXXxXXxxxXXXxX+4XxX0XxxxXXxXXXXXxxX3xXXXXxxXX7xXXXxXXXXXx0xxxXXXXXXXxXX8xXx6Xx8xxXXxxxXX9x21x+xXXX1Xxx33xXXXx1x6xXX3xxXxx6xxxXXX8x7/XxXXxxx08xXXX6xXXXxX2XxXxXxXxXxXXx9X1Xx3xxXXxx+/XXxX8X6Xxx4XX36xxxxxxxxxXXXx4X452XXxXX7xX+XX8XxxXXxXX+x4Xx/xxxXxX/4XXxxxxx3XxxXxXX1xx/Xxx1XXxXXxX+XxxXxXXx1X0xXXXxXXxxxXxxXXxXXxXx9XxXxX8XXXxX4xXXXXXxxxxXXxxxX293xX5Xxxxx9xx+xXXX9xx387xx8XXXxXXXxxXxxxxX02xxx4x7xxXX7xxXxXXXXxXXX1xxXX+XXxX3xxXXxXXxxXx89XxxXx2xx+XxXxXXXXxxXXxX3XxX1xxxXXxXxxXxX+0x0xXX6XXxXXxXxxXXX3X7XXXxXXxXXXx8x6xX36x5xxXxxXXxxxxXxxXxxxXXxXX+xXXxxxXXXXXxxX9XXxXx4XXX48X1XxXxxxXXX0xXxXXxxX+X7xXxxXX77xxxxXX3XXxxxXxxxxX7XxX7XxxX2XxxXxxx94XxxXxxXxxxXXXxXxX77xXX7x7xxxxx0x0xXxxxX9x6xxx/8xxX1X/xXXXxxXX9xxXxXxX8xxXxXX+X8xxXx7xxXXxXXxXxxXX4XX+7X/xXxXXxxx=",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

It would be great if someone could help me, because I have no idea what's going wrong; I have searched the internet for the error and haven't found anything that would help.

With kind regards
Andreas
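The log line `acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data` is the CA reporting that its validator could not complete a connection to port 443 of the name while running the TLS-ALPN-01 challenge (the `tlschallenge=true` resolver in the compose file). The following added example, written for this thread and not code from Traefik, Let's Encrypt or the poster, reproduces that connection from a machine outside the home network: it resolves the name to its A and AAAA records, connects to every address on 443 with SNI set to the name and ALPN `acme-tls/1` exactly as a validator does, and reduces the observations to one finding. The hostname argument, the `Attempt` class and the finding codes with their explanations are this example's own assumptions.

```python
"""Probe a hostname the way an ACME validator does for TLS-ALPN-01 (RFC 8737).

Added example for this thread; not code from Traefik, Let's Encrypt or the
original poster. The hostname comes from the command line; the Attempt
class, the finding codes and their explanations are this example's own.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

ACME_ALPN = "acme-tls/1"  # ALPN protocol id defined by RFC 8737


@dataclass
class Attempt:
    family: str                 # "A" (IPv4) or "AAAA" (IPv6)
    address: str
    connected: bool             # TCP connect to port 443 succeeded
    alpn: Optional[str] = None  # protocol the server selected in the handshake
    error: str = ""


def resolve(host: str) -> Dict[str, List[str]]:
    """Collect the A and AAAA addresses a public resolver returns for host."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM):
            key = "AAAA" if family == socket.AF_INET6 else "A"
            if sockaddr[0] not in records[key]:
                records[key].append(sockaddr[0])
    except socket.gaierror:
        pass  # NXDOMAIN or resolver failure: both lists stay empty
    return records


def probe(host: str, family: str, address: str, timeout: float = 5.0) -> Attempt:
    """Connect to address:443, send SNI=host and offer only acme-tls/1, like the validator."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols([ACME_ALPN])
    af = socket.AF_INET6 if family == "AAAA" else socket.AF_INET
    raw = socket.socket(af, socket.SOCK_STREAM)
    raw.settimeout(timeout)
    try:
        raw.connect((address, 443))
    except OSError as exc:
        raw.close()
        return Attempt(family, address, False, error=f"tcp: {exc}")
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return Attempt(family, address, True, tls.selected_alpn_protocol())
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        raw.close()
        return Attempt(family, address, True, error=f"tls: {exc}")


EXPLANATION = {
    "NO_DNS": "the name has no public A/AAAA record, so the validator cannot look it up",
    "UNREACHABLE_AAAA": ("an AAAA record is published but port 443 does not answer over IPv6; "
                         "validators prefer IPv6 when an AAAA record exists, so open 443 for "
                         "that IPv6 address or stop publishing the AAAA record"),
    "UNREACHABLE_A": "an A record is published but port 443 does not answer over IPv4 (port forward missing?)",
    "NO_ACME_ALPN": ("port 443 answers but nothing negotiated acme-tls/1: the TLS challenge "
                     "responder is not the service behind this port"),
    "OK": "a validator would reach a responder that speaks acme-tls/1",
}


def diagnose(records: Dict[str, List[str]], attempts: List[Attempt]) -> str:
    """Reduce the observations to one finding code (a key of EXPLANATION)."""
    if not records["A"] and not records["AAAA"]:
        return "NO_DNS"
    for fam in ("AAAA", "A"):  # IPv6 first: that is the validators' own order
        if records[fam] and not any(a.connected for a in attempts if a.family == fam):
            return f"UNREACHABLE_{fam}"
    if not any(a.alpn == ACME_ALPN for a in attempts):
        return "NO_ACME_ALPN"
    return "OK"


def check(host: str) -> str:
    """Resolve, probe every address, print the evidence and return the finding code."""
    records = resolve(host)
    attempts = [probe(host, fam, addr) for fam in ("AAAA", "A") for addr in records[fam]]
    for a in attempts:
        print(f"{a.family:4} {a.address:40} connected={a.connected} alpn={a.alpn} {a.error}")
    code = diagnose(records, attempts)
    print(f"{code}: {EXPLANATION[code]}")
    return code


if __name__ == "__main__":
    sys.exit(0 if check(sys.argv[1]) == "OK" else 1)
```

Run it as `python3 probe.py whoami1.example.com` from a host outside the LAN (a router usually does not hairpin its own public address, so a probe from inside can pass while the CA's probe fails). In this thread's setup the device has an IPv6 address behind a DynDNS name, so the `UNREACHABLE_AAAA` finding is the one to look at first: a FritzBox port share for IPv4 does not by itself permit inbound IPv6 to the device, and Traefik never logs a connection it never received.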

Just passing by, trying to help. It's a bit strange for me to try to understand an issue with Let's Encrypt when the DNS name is anonymized. It's normal that example.com doesn't resolve :slight_smile:

As it's a FritzBox and a DynDNS is used, I guess the IP of the box is dynamic. Is it possible to know how often it changes?

If the issue is with Let's Encrypt, I would focus the debugging on the DNS, the IP, and perhaps the redirections made. I never tried this but... I assume the check by Let's Encrypt is unencrypted. So I would sniff on the interface to see if Let's Encrypt reaches Traefik. If yes, how is Traefik responding? If not, then it's a DNS (and its cache) and/or IP issue.

Hope it helps. I have nearly the same setup and it's working fine.
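The reply above suggests sniffing the interface to see whether Let's Encrypt reaches Traefik. With the TLS challenge configured in this thread the validator speaks TLS, so the payload is encrypted, but the ClientHello it sends is cleartext and carries exactly the two fields that identify it: the SNI (the domain under validation) and the ALPN list, which for TLS-ALPN-01 contains only `acme-tls/1`. The added example below, written for this thread and not code from Traefik, Let's Encrypt or either poster, parses those two fields out of a raw ClientHello record and decides whether a captured handshake is a validation attempt. `build_client_hello` constructs sample records so the script runs offline; in practice the bytes are the first TCP payload of an inbound connection to port 443 from a capture, and the hostnames are the thread's placeholders.

```python
"""Pull SNI and ALPN out of a raw TLS ClientHello record.

Added example for this thread; not code from Traefik, Let's Encrypt or the
posters. build_client_hello() constructs sample records so the script runs
offline; in practice the bytes are the first TCP payload of a captured
connection to port 443.
"""
import struct

ACME_ALPN = "acme-tls/1"


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(sni: str, alpn: list) -> bytes:
    """Minimal ClientHello with server_name and ALPN extensions (constructed sample input)."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + _u16(len(name)) + name                      # name_type host_name(0)
    sni_ext = _u16(0) + _u16(len(sni_entry) + 2) + _u16(len(sni_entry)) + sni_entry
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_ext = _u16(16) + _u16(len(protos) + 2) + _u16(len(protos)) + protos
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + b"\x11" * 32     # legacy_version, 32-byte random (fixed in this sample)
            + b"\x00"                      # empty session id
            + _u16(2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression methods: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # msg_type client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake         # record type handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Return {"sni": str or None, "alpn": [str]} from the first record, or raise ValueError."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                           # compression methods
    result = {"sni": None, "alpn": []}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0:                             # server_name (RFC 6066)
            p = 2                                  # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == 16:                          # application_layer_protocol_negotiation (RFC 7301)
            p = 2                                  # skip protocol_name_list length
            while p < len(data):
                plen = data[p]
                result["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii", "replace"))
                p += 1 + plen
    return result


def is_acme_validation(hello: dict, expected_host: str) -> bool:
    """A TLS-ALPN-01 validator offers exactly acme-tls/1 and names the domain under validation."""
    return hello["sni"] == expected_host and hello["alpn"] == [ACME_ALPN]


if __name__ == "__main__":
    for label, protos in (("validator", [ACME_ALPN]), ("browser", ["h2", "http/1.1"])):
        hello = parse_client_hello(build_client_hello("whoami1.example.com", protos))
        kind = "acme" if is_acme_validation(hello, "whoami1.example.com") else "other"
        print(label, hello, kind)
```

Applied to a capture taken on the host during a renewal attempt, the outcome splits the problem the way the reply describes: no `acme-tls/1` hello at all means the validator never got through (DNS, IPv6 reachability or the router), while an `acme-tls/1` hello that Traefik answers moves the question to what Traefik served on that entrypoint.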