Let's Encrypt Renewing Some Certs but not all

I have Traefik set up in a Docker container along with other services. I used the following guide: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Install_Docker_and_Docker_Compose. I have updated to Picodon from 2.2.1 to see if that fixed the issue but still have no joy.

I have other services not in the Docker stack, and those services are able to pull their certs just fine somehow.

Dashboard

Traefik File

# Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:picodon
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      - --entryPoints.smtp.address=:25
      - --api=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-namecheap.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-namecheap.acme.storage=/acme.json
      - --certificatesResolvers.dns-namecheap.acme.dnsChallenge.provider=namecheap
      - --certificatesResolvers.dns-namecheap.acme.dnsChallenge.resolvers=198.54.117.10:53,198.54.117.11:53
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - NAMECHEAP_API_USER=$NAMECHEAP_API_USER
      - NAMECHEAP_API_KEY=$NAMECHEAP_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
#      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-namecheap" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworiginlist=https://$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.traefik-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.traefik-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.sslforcehost=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.traefik-headers.headers.stspreload=true"
      - "traefik.http.middlewares.traefik-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.framedeny=true"
#      - "traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN" # This option overrides FrameDeny
      - "traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true"
#      - "traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"

Cert that was generated by a service not in the Docker container stack

{
  "dns-namecheap": {
    "Account": {
      "Email": "",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/113634266"
      },
      "PrivateKey": "privatekeystuff",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "plex.n0rd1c.net"
        },
        "certificate": "cert",
        "key": "keystuff",
        "Store": "default"
      },

Also seeing this error in the log file but not since upgrading to 2.3.7:

2021-02-23T03:28:57.695322291Z time="2021-02-23T03:28:57Z" level=debug msg="http: TLS handshake error from 192.168.2.1:60276: local error: tls: bad record MAC

Let me know if more log files or anything else is required.

I get this when I go to traefik.n0rd1c.net


but this when I go to another service not in the Docker stack:
[screenshot]

Do HTTP verification.

Namecheap's DNS takes DAYS to update, not minutes or seconds.
This is normal, and not a bug according to Namecheap.

It's just unusual that all the apps not in the Docker stack are getting their LE certs just fine, but the ones inside the stack aren't. I am using Traefik to get to the ones outside of the stack as well. It's like the stack itself is something wrong.

How do I incorporate HTTP verification?

I don't know why commenting this out is even suggested; it's counterintuitive, as the certs will expire and not be renewed before expiry, but then again I don't use a DNS resolver. But if you never ran with this option you won't have certificates.
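To make the two points above concrete (the question of how to switch to HTTP verification, and the last reply's observation that a router whose `tls.certresolver` label is commented out never gets a Let's Encrypt certificate), here is an added example. It is not from the original thread or from the linked guide. It replaces the Namecheap DNS-01 resolver with an HTTP-01 resolver named `le-http` (the name is arbitrary), and assumes placeholder values for the domain `traefik.example.com`, the email address, the `t2_proxy` network and the `./acme.json` path; it also assumes DNS for the host already points at this machine and that port 80 is reachable from the internet.

```yaml
# Added example, not the original poster's compose file.
# Minimal Traefik 2 service using the HTTP-01 challenge. Placeholder values:
# traefik.example.com, admin@example.com, the le-http resolver name, ./acme.json.
services:
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --api=true
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # HTTP-01: Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token>
      # on port 80. Traefik answers the challenge itself on the "http" entrypoint,
      # so the HTTP-to-HTTPS redirect router below does not interfere.
      - --certificatesResolvers.le-http.acme.email=admin@example.com
      - --certificatesResolvers.le-http.acme.storage=/acme.json
      - --certificatesResolvers.le-http.acme.httpChallenge=true
      - --certificatesResolvers.le-http.acme.httpChallenge.entryPoint=http
      # Uncomment while testing to stay clear of the production rate limits:
      # - --certificatesResolvers.le-http.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json   # create beforehand, mode 0600; holds the account key
    networks:
      - t2_proxy
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS redirect, same as in the original file
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Dashboard router
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # The resolver must be referenced on the router. With this label missing
      # (or commented out, as in the original file), Traefik never requests a
      # certificate for this host and serves its self-signed TRAEFIK DEFAULT CERT.
      - "traefik.http.routers.traefik-rtr.tls.certresolver=le-http"
      # No tls.domains[] entries here: HTTP-01 cannot issue wildcard certificates,
      # so each router obtains a certificate for the exact host in its rule.

networks:
  t2_proxy:
    external: true
```

Two trade-offs are worth knowing before switching. HTTP-01 needs no registrar credentials, so the `NAMECHEAP_API_KEY` (which can rewrite the whole DNS zone) no longer has to live in the proxy container's environment, and it is not affected by slow DNS propagation; in exchange, every host that needs a certificate must be publicly reachable on port 80, and wildcard certificates such as `*.example.com` are only available through DNS-01. Whichever challenge is used, the `tls.certresolver` label has to stay on every router that should hold a certificate, both for the first issuance and for the renewal Traefik performs before expiry.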