Let's Encrypt HTTP Challenge is failing for reasons I don't understand

Greetings All,

I have been experimenting with Version 2 (rc-1) and I have been getting some weird issues when trying to make the Let's Encrypt part do its thing. It is running on a Docker Swarm (single host at present. Note: the names have been changed to protect the innocent).

I'd appreciate any insights people may have.

The error in question is:

Unable to obtain ACME certificate for domains "api.some.domain.space": unable to generate a certificate for the domains [api.some.domain.space]: acme: Error -> One or more domains had a problem:\n[api.some.domain.space] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.some.domain.space/.well-known/acme-challenge/D36Bp10PohIHEgD6SkpMeL1K_JiniuNHmVNHVNGakYw: Timeout after connect (your server may be slow or overloaded), url: \n" providerName=ebiac.acme routerName=backend rule="Host(`api.some.domain.space`)

The domain(s) in question have pointed at the machine with Traefik on it. The docker-compose file used to spin everything up is:

version: '3'

services:
  reverse-proxy:
    image: traefik:v2.0
    command:
      - "--api.dashboard=true"
      - "--log.level=debug"
      - "--global.sendAnonymousUsage=false"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.ebiac.acme.email=someone@somewhere.io"
      - "--certificatesResolvers.ebiac.acme.storage=/opt/acme.json"
      - "--certificatesResolvers.ebiac.acme.httpChallenge.entryPoint=web"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/acme.json:/opt/acme.json
    deploy:
      replicas: 1
  docs:
    image: "location/of/image/docs:${TAG}"
    deploy:
      replicas: 1
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.docs_auth.basicauth.users=a_user:$$apr1$$Qh87YAzE$$UwoZ9yziQae5AewR5H6CO0"
        - "traefik.http.routers.docs.tls=true"
        - "traefik.http.routers.docs.tls.certResolver=ebiac"
        - "traefik.http.routers.docs.rule=Host(`docs.${DOMAIN}`)"
        - "traefik.http.routers.docs.entrypoints=websecure"
        - "traefik.http.services.docs.loadbalancer.server.port=80"
        - "traefik.http.routers.docs.middlewares=docs_auth@docker"
  backend:
    image: "location/of/image/backend:${TAG}"
    environment:
      - DATABASE_URL
      - EMAIL_URL
      - SECRET_KEY
      - ALLOWED_HOSTS
    deploy:
      replicas: 2
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.backend.tls=true"
        - "traefik.http.routers.backend.tls.certResolver=ebiac"
        - "traefik.http.routers.backend.rule=Host(`api.${DOMAIN}`)"
        - "traefik.http.routers.backend.entrypoints=websecure"
        - "traefik.http.services.backend.loadbalancer.server.port=8000"
        - "traefik.http.routers.backend.service=backend"

        # - "traefik.http.routers.https-redirect.rule=HostRegexp(`{and:.*}`)"
        # - "traefik.http.routers.https-redirect.middlewares=https-redirect"
        # - "traefik.http.middlewares.https-redirect.redirectScheme.scheme=https"
        # - "traefik.http.services.dummy.loadBalancer.server.port=80"
        # - "traefik.http.routers.https-redirect.service=dummy"
  frontend:
    image: "location/of/image/frontend:${TAG}"
    deploy:
      replicas: 2
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.frontend_auth.basicauth.users=a_user:$$apr1$$Qh87YAzE$$UwoZ9yziQae5AewR5H6CO0"
        - "traefik.http.routers.frontend.tls=true"
        - "traefik.http.routers.frontend.tls.certResolver=ebiac"
        - "traefik.http.routers.frontend.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.frontend.entrypoints=websecure"
        - "traefik.http.services.frontend.loadbalancer.server.port=80"
        - "traefik.http.routers.frontend.middlewares=frontend_auth@docker"

The server in question is barely registering any load, so it is not slow in itself.

Also - I'd really like to get HTTP -> HTTPS redirecting working for all configured domains (without interfering with Let's Encrypt's HTTP challenge). There is a commented-out bit in that stack that seemed to work previously but may have horribly broken the HTTP challenge.

Thanks,
Jon

Is anyone able to help me with the above? I can't seem to resolve the issue and have resorted to adding a non-tls route to each service so I can continue working.

I know the GitHub issues say that I shouldn't put general support questions in there, but I am having no luck resolving this and as far as I can tell my config is correct. Which makes me think it might be a bug?
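
Added example (not part of the original posts, and not Traefik's own code): a small triage helper that pulls the ACME problem type, the fetched challenge URL and the timeout phase out of an error line shaped like the one quoted above. The sample line, the `triage` function name and the `api.example.test` domain are constructed for illustration; the error-type meanings are paraphrased from RFC 8555 section 6.7.

```python
import re

# ACME error types and what they mean (paraphrased from RFC 8555 section 6.7).
ACME_ERRORS = {
    "connection": "CA could not connect to the validation target",
    "dns": "DNS query failed during identifier validation",
    "unauthorized": "client lacks sufficient authorization",
    "tls": "CA received a TLS error during validation",
    "caa": "CAA records forbid the CA from issuing",
    "rateLimited": "request exceeds a rate limit",
}
# Per-domain problem: "[domain] acme: error: <status> :: <urn> :: <detail>, url:"
PROBLEM_RE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*?), url:")
URL_RE = re.compile(
    r"(?P<scheme>https?)://(?P<host>[^/\s:]+)(?::(?P<port>\d+))?"
    r"/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)")
# Read literally: "after connect" = TCP connect succeeded, the HTTP reply timed out;
# "during connect" = the connection itself never completed.
PHASE_RE = re.compile(r"Timeout (during|after) connect")

# Constructed sample in the same shape as the log line in the post.
SAMPLE = (
    'Unable to obtain ACME certificate for domains "api.example.test": unable to '
    'generate a certificate for the domains [api.example.test]: acme: Error -> One '
    'or more domains had a problem:\\n[api.example.test] acme: error: 400 :: '
    'urn:ietf:params:acme:error:connection :: Fetching '
    'http://api.example.test/.well-known/acme-challenge/CONSTRUCTED_TOKEN-123: '
    'Timeout after connect (your server may be slow or overloaded), url: \\n" '
    'providerName=ebiac.acme')

def triage(line):
    """Return a dict describing the ACME failure in a log line, or None."""
    m = PROBLEM_RE.search(line)
    if not m:
        return None
    out = {"domain": m["domain"], "status": int(m["status"]), "type": m["type"],
           "meaning": ACME_ERRORS.get(m["type"], "see RFC 8555 section 6.7")}
    u = URL_RE.search(m["detail"])
    if u:  # which scheme/port the CA actually tried, and what it said afterwards
        default_port = 80 if u["scheme"] == "http" else 443
        out["fetched"] = {"scheme": u["scheme"], "host": u["host"],
                          "port": int(u["port"] or default_port), "token": u["token"]}
        out["reason"] = m["detail"][u.end():].lstrip(": ")
    phase = PHASE_RE.search(m["detail"])
    out["timeout_phase"] = phase.group(1) if phase else None
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```
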