Hi,
I have been trying to get the Traefik v2.x Let's Encrypt (ACME) integration to work with DuckDNS for a few days now. It seems that the ACME DNS challenge for DuckDNS never executes. The same configuration works with the Cloudflare DNS challenge.
Attached are the "docker-compose.yml", ".env" and "traefik debug log during startup"
Thank you for any pointers.
## .env file
# Variables substituted into docker-compose.yml ($DOCKERDIR, $DOMAINNAME, ...).
# This file holds a credential: keep it out of version control and readable
# only by the deploying user.
# NOTE(review): PIDD is not referenced by the compose file shown; presumably
# PUID was intended. Confirm.
PIDD=1000
PGID=999
TZ=America/New_York
USERDIR=/home/ubuntu
DOCKERDIR=/home/ubuntu/docker
SECRETSDIR=/home/ubuntu/docker/secrets
DOMAINNAME=tizen.duckdns.org
# DuckDNS API token, used by the ACME DNS challenge to write TXT records for
# the domain. Treat it as a secret. NOTE(review): if this is the live value,
# regenerate it in the DuckDNS account, since it has been shared publicly.
DUCKDNS_TOKEN=3370dfdd-2063-4924-80da-65cc454f47a0
### docker-compose.yml
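# Traefik v2 reverse proxy. Certificates come from Let's Encrypt through the
# ACME DNS-01 challenge, with DuckDNS as the DNS provider.
version: '3.7'

services:
  traefik:
    # NOTE(review): `latest` is a moving tag; pin a specific release so that
    # upgrades are deliberate and reproducible.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    command:
      - --global.checkNewVersion=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      - --api=true
      - --log=true
      - --log.level=DEBUG  # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100  # Buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      # Quoted so the Go-template braces and backticks stay a plain string.
      - '--providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)'
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules  # Dynamic configuration from .toml/.yml files in this directory
      - --providers.file.watch=true  # Only works on top-level files in the rules folder
      # Let's Encrypt staging CA: its certificates are not trusted by clients.
      # Remove this flag once issuance works, to use the production CA.
      - --certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.myresolver.acme.email=user@example.com
      - --certificatesResolvers.myresolver.acme.storage=/acme.json
      - --certificatesResolvers.myresolver.acme.dnsChallenge.provider=duckdns
      - --certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=5  # Delay the DNS check to reduce the LE hit rate
      # NOTE(review): disables certificate verification for every HTTPS
      # backend Traefik connects to. Prefer trusting the backend CA
      # (serversTransport rootCAs) and dropping this flag.
      - --serverstransport.insecureskipverify=true
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # NOTE(review): the dashboard is routed through the `traefik` router on
      # the https entry point; publishing 8080 on the host looks unnecessary.
      # Confirm and drop it.
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik/rules:/rules
      - /etc/localtime:/etc/localtime:ro
      # `:ro` only makes the socket mount read-only; it does not restrict
      # Docker API calls, so a compromise of this container still reaches the
      # Docker daemon. A socket proxy exposing only the read endpoints Traefik
      # needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds the ACME account key and issued private keys. The host file
      # must exist before startup with mode 600.
      - $DOCKERDIR/appdata/traefik/acme/acme.json:/acme.json:rw
      - $DOCKERDIR/appdata/traefik/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      # Taken from .env so the token is not hard-coded in this file.
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik.tls=true"
      # A router must name its certificate resolver. Without this label
      # Traefik serves its self-generated default certificate and never asks
      # ACME for one, so the DNS challenge never runs.
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.$DOMAINNAME"
      - "traefik.http.routers.traefik.service=api@internal"
      # Dashboard access is gated by basic auth defined in the file provider.
      - "traefik.http.routers.traefik.middlewares=middlewares-basic-auth@file"
      # Important for Websocket support
      # NOTE(review): `traefik.backend.*` is Traefik v1 label syntax and has
      # no effect in v2.
      - "traefik.backend.loadbalancer.stickiness=true"

networks:
  t2_proxy:
    external:
      name: t2_proxy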
### traefik DEBUG logs
2021-04-03T17:44:04.302146488Z time="2021-04-03T17:44:04Z" level=info msg="Configuration loaded from flags."
2021-04-03T17:44:04.302404374Z time="2021-04-03T17:44:04Z" level=info msg="Traefik version 2.4.8 built on 2021-03-23T15:48:39Z"
2021-04-03T17:44:04.304695988Z time="2021-04-03T17:44:04Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{\"tls\":{\"options\":\"tls-opts@file\"}}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.tizen.example.com`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"directory\":\"/rules\",\"watch\":true}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/traefik.log\",\"format\":\"common\",\"filters\":{\"statusCodes\":[\"400-499\"]},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"user@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"duckdns\",\"delayBeforeCheck\":5000000000,\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}},\"pilot\":{\"dashboard\":true}}"
2021-04-03T17:44:04.304929461Z time="2021-04-03T17:44:04Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
2021-04-03T17:44:04.308145104Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
2021-04-03T17:44:04.308462868Z time="2021-04-03T17:44:04Z" level=debug msg="Start TCP Server" entryPointName=http
2021-04-03T17:44:04.308694067Z time="2021-04-03T17:44:04Z" level=debug msg="Start TCP Server" entryPointName=https
2021-04-03T17:44:04.308842788Z time="2021-04-03T17:44:04Z" level=debug msg="Start TCP Server" entryPointName=traefik
2021-04-03T17:44:04.309146621Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider *file.Provider {\"directory\":\"/rules\",\"watch\":true}"
2021-04-03T17:44:04.311375557Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider *traefik.Provider {}"
2021-04-03T17:44:04.311727481Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider *acme.Provider {\"email\":\"user@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"duckdns\",\"delayBeforeCheck\":5000000000,\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"myresolver\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
2021-04-03T17:44:04.311898094Z time="2021-04-03T17:44:04Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
2021-04-03T17:44:04.330813094Z time="2021-04-03T17:44:04Z" level=debug msg="Configuration received from provider file: {\"http\":{\"routers\":{\"tnsv\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"middlewares-basic-auth@file\"],\"service\":\"tnsv\",\"rule\":\"Host(`tnsv01.tizen.example.com`)\",\"tls\":{}}},\"services\":{\"tnsv\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.11.87:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"middlewares-basic-auth\":{\"basicAuth\":{\"usersFile\":\"/shared/.htpasswd\",\"realm\":\"Traefik 2 Basic Auth\"}}},\"serversTransports\":{\"foobar\":{\"serverName\":\"internalServiceCertificateSubject\"}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
2021-04-03T17:44:04.331374714Z time="2021-04-03T17:44:04Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"models\":{\"https\":{\"tls\":{\"options\":\"tls-opts@file\"}}},\"serversTransports\":{\"default\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal
2021-04-03T17:44:04.331644631Z time="2021-04-03T17:44:04Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
2021-04-03T17:44:04.332012786Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.tizen.example.com`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000}"
2021-04-03T17:44:04.333971441Z time="2021-04-03T17:44:04Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
2021-04-03T17:44:04.336557234Z time="2021-04-03T17:44:04Z" level=debug msg="Creating middleware" middlewareType=Pipelining entryPointName=https routerName=tnsv@file serviceName=tnsv middlewareName=pipelining
2021-04-03T17:44:04.336813749Z time="2021-04-03T17:44:04Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=tnsv@file serviceName=tnsv
2021-04-03T17:44:04.337055867Z time="2021-04-03T17:44:04Z" level=debug msg="Creating server 0 http://172.20.11.87:80" serviceName=tnsv serverName=0 entryPointName=https routerName=tnsv@file
2021-04-03T17:44:04.337358276Z time="2021-04-03T17:44:04Z" level=debug msg="Added outgoing tracing middleware tnsv" routerName=tnsv@file entryPointName=https middlewareName=tracing middlewareType=TracingForwarder
2021-04-03T17:44:04.337628608Z time="2021-04-03T17:44:04Z" level=debug msg="Creating middleware" entryPointName=https routerName=tnsv@file middlewareName=middlewares-basic-auth@file middlewareType=BasicAuth
2021-04-03T17:44:04.337943451Z time="2021-04-03T17:44:04Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=tnsv@file middlewareName=middlewares-basic-auth@file
2021-04-03T17:44:04.338380699Z time="2021-04-03T17:44:04Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2021-04-03T17:44:04.338631043Z time="2021-04-03T17:44:04Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:04.377730532Z time="2021-04-03T17:44:04Z" level=debug msg="Provider connection established with docker 20.10.5 (API 1.41)" providerName=docker
2021-04-03T17:44:04.438485837Z time="2021-04-03T17:44:04Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"http-catchall\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"redirect-to-https\"],\"service\":\"traefik-docker\",\"rule\":\"HostRegexp(`{host:.+}`)\"},\"traefik\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"middlewares-basic-auth@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.tizen.example.com`)\",\"tls\":{\"domains\":[{\"main\":\"tizen.example.com\",\"sans\":[\"*.tizen.example.com\"]}]}}},\"services\":{\"traefik-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.90.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"redirect-to-https\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
2021-04-03T17:44:04.708424012Z time="2021-04-03T17:44:04Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:05.145482090Z time="2021-04-03T17:44:05Z" level=debug msg="Adding route for tnsv01.tizen.example.com with TLS options default" entryPointName=https
2021-04-03T17:44:05.146718342Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" serviceName=tnsv middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=tnsv@file
2021-04-03T17:44:05.146881945Z time="2021-04-03T17:44:05Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=tnsv@file serviceName=tnsv
2021-04-03T17:44:05.147043304Z time="2021-04-03T17:44:05Z" level=debug msg="Creating server 0 http://172.20.11.87:80" serverName=0 serviceName=tnsv entryPointName=https routerName=tnsv@file
2021-04-03T17:44:05.147188532Z time="2021-04-03T17:44:05Z" level=debug msg="Added outgoing tracing middleware tnsv" routerName=tnsv@file middlewareName=tracing middlewareType=TracingForwarder entryPointName=https
2021-04-03T17:44:05.147332822Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" entryPointName=https routerName=tnsv@file middlewareName=middlewares-basic-auth@file middlewareType=BasicAuth
2021-04-03T17:44:05.147522402Z time="2021-04-03T17:44:05Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=tnsv@file middlewareName=middlewares-basic-auth@file
2021-04-03T17:44:05.147683870Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2021-04-03T17:44:05.147864158Z time="2021-04-03T17:44:05Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:05.544767580Z time="2021-04-03T17:44:05Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:05.722566932Z time="2021-04-03T17:44:05Z" level=debug msg="Adding route for tnsv01.tizen.example.com with TLS options default" entryPointName=https
2021-04-03T17:44:05.723725444Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" routerName=http-catchall@docker serviceName=traefik-docker entryPointName=http middlewareName=pipelining middlewareType=Pipelining
2021-04-03T17:44:05.723854873Z time="2021-04-03T17:44:05Z" level=debug msg="Creating load-balancer" entryPointName=http routerName=http-catchall@docker serviceName=traefik-docker
2021-04-03T17:44:05.724001749Z time="2021-04-03T17:44:05Z" level=debug msg="Creating server 0 http://192.168.90.2:80" serviceName=traefik-docker entryPointName=http routerName=http-catchall@docker serverName=0
2021-04-03T17:44:05.724140816Z time="2021-04-03T17:44:05Z" level=debug msg="Added outgoing tracing middleware traefik-docker" routerName=http-catchall@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=http
2021-04-03T17:44:05.724303420Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" routerName=http-catchall@docker entryPointName=http middlewareType=RedirectScheme middlewareName=redirect-to-https@docker
2021-04-03T17:44:05.724426525Z time="2021-04-03T17:44:05Z" level=debug msg="Setting up redirection to https " routerName=http-catchall@docker entryPointName=http middlewareType=RedirectScheme middlewareName=redirect-to-https@docker
2021-04-03T17:44:05.724831168Z time="2021-04-03T17:44:05Z" level=debug msg="Adding tracing to middleware" middlewareName=redirect-to-https@docker entryPointName=http routerName=http-catchall@docker
2021-04-03T17:44:05.725031698Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
2021-04-03T17:44:05.725241137Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" routerName=tnsv@file serviceName=tnsv middlewareName=pipelining middlewareType=Pipelining entryPointName=https
2021-04-03T17:44:05.725362929Z time="2021-04-03T17:44:05Z" level=debug msg="Creating load-balancer" serviceName=tnsv entryPointName=https routerName=tnsv@file
2021-04-03T17:44:05.725493914Z time="2021-04-03T17:44:05Z" level=debug msg="Creating server 0 http://172.20.11.87:80" routerName=tnsv@file serviceName=tnsv entryPointName=https serverName=0
2021-04-03T17:44:05.725625703Z time="2021-04-03T17:44:05Z" level=debug msg="Added outgoing tracing middleware tnsv" middlewareName=tracing middlewareType=TracingForwarder routerName=tnsv@file entryPointName=https
2021-04-03T17:44:05.725760158Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" middlewareName=middlewares-basic-auth@file middlewareType=BasicAuth entryPointName=https routerName=tnsv@file
2021-04-03T17:44:05.725974109Z time="2021-04-03T17:44:05Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=tnsv@file middlewareName=middlewares-basic-auth@file
2021-04-03T17:44:05.726128207Z time="2021-04-03T17:44:05Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=https routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
2021-04-03T17:44:05.726258455Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" middlewareType=BasicAuth entryPointName=https routerName=traefik@docker middlewareName=middlewares-basic-auth@file
2021-04-03T17:44:05.726418193Z time="2021-04-03T17:44:05Z" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=traefik@docker middlewareName=middlewares-basic-auth@file
2021-04-03T17:44:05.726562815Z time="2021-04-03T17:44:05Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=https middlewareName=traefik-internal-recovery
2021-04-03T17:44:05.726721012Z time="2021-04-03T17:44:05Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:05.913907784Z time="2021-04-03T17:44:05Z" level=debug msg="No default certificate, generating one"
2021-04-03T17:44:06.033058533Z time="2021-04-03T17:44:06Z" level=debug msg="Adding route for tnsv01.tizen.example.com with TLS options default" entryPointName=https
2021-04-03T17:44:06.033235285Z time="2021-04-03T17:44:06Z" level=debug msg="Adding route for traefik.tizen.example.com with TLS options default" entryPointName=https