No ACME certification creation

I am trying to migrate my v1 setup to v2 and having issues. The settings seem good but it never requests the cert. I am converting from a working setup that I just retested to ensure it would create a new cert without issue.

I have tried various configurations of this and I am not sure where to go from here. Thanks for any help.

I am using a Bitwarden container to test, using the label

- "traefik.http.routers.pass.rule=Host(`pass.domain.com`)"

Here is my traefik.yml

log:
  level: "DEBUG"

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

http:
  routers:
    router0:
        rule: "Host(`domain.com`)"
        entryPoints:
        - "web"
        middlewares:
        - "redirect"

    router1:
      rule: "Host(`domain.com`)"
      entryPoints:
      - "web-secure"
      tls:
        certResolver: "default"
        domains:
        - main: "*.domain.com"
          sans: "domain.com"

  middlewares:
    redirect:
      redirectScheme:
        scheme: "https"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true

certificatesResolvers:
  default:
    acme:
      email: "email@domain.comn"
      storage: "/etc/traefik/acme/acme.json"
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 0

Debug Output

time="2019-09-18T15:04:24-04:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web-secure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"default\":{\"acme\":{\"email\":\"user@domain.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/acme/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"}}}}}"
time="2019-09-18T15:04:24-04:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
time="2019-09-18T15:04:24-04:00" level=debug msg="No default certificate, generating one"
time="2019-09-18T15:04:24-04:00" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-09-18T15:04:24-04:00" level=debug msg="Start TCP Server" entryPointName=web-secure
time="2019-09-18T15:04:24-04:00" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-09-18T15:04:24-04:00" level=info msg="Starting provider *acme.Provider {\"email\":\"user@domain.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/acme/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"default\",\"store\":{},\"ChallengeStore\":{}}"
time="2019-09-18T15:04:24-04:00" level=info msg="Testing certificate renew..." providerName=default.acme
time="2019-09-18T15:04:24-04:00" level=debug msg="Start TCP Server" entryPointName=web
time="2019-09-18T15:04:24-04:00" level=debug msg="Provider connection established with docker 18.09.6 (API 1.39)" providerName=docker
time="2019-09-18T15:04:24-04:00" level=debug msg="Configuration received from provider default.acme: {\"http\":{},\"tls\":{}}" providerName=default.acme
time="2019-09-18T15:04:24-04:00" level=debug msg="No default certificate, generating one"
time="2019-09-18T15:04:24-04:00" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"/organizr\":{\"service\":\"/organizr\",\"rule\":\"Host(`organizr`)\"},\"pass\":{\"service\":\"/bitwarden\",\"rule\":\"Host(`pass.domain.com`)\"}},\"services\":{\"/bitwarden\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.17.0.6:80\"}],\"passHostHeader\":true}},\"/organizr\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.17.0.3:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-09-18T15:04:24-04:00" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web web-secure]" routerName=pass@docker
time="2019-09-18T15:04:24-04:00" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web web-secure]" routerName=/organizr@docker
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=pass@docker serviceName=/bitwarden entryPointName=web
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating load-balancer" serviceName=/bitwarden entryPointName=web routerName=pass@docker
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating server 0 http://172.17.0.6:80" entryPointName=web routerName=pass@docker serviceName=/bitwarden serverName=0
time="2019-09-18T15:04:24-04:00" level=debug msg="Added outgoing tracing middleware /bitwarden" entryPointName=web routerName=pass@docker middlewareName=tracing middlewareType=TracingForwarder
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating middleware" routerName=/organizr@docker serviceName=/organizr middlewareType=Pipelining middlewareName=pipelining entryPointName=web
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating load-balancer" entryPointName=web routerName=/organizr@docker serviceName=/organizr
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating server 0 http://172.17.0.3:80" entryPointName=web routerName=/organizr@docker serviceName=/organizr serverName=0
time="2019-09-18T15:04:24-04:00" level=debug msg="Added outgoing tracing middleware /organizr" middlewareName=tracing entryPointName=web routerName=/organizr@docker middlewareType=TracingForwarder
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating middleware" entryPointName=web middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2019-09-18T15:04:24-04:00" level=debug msg="Creating middleware" entryPointName=web-secure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-09-18T15:04:24-04:00" level=debug msg="No default certificate, generating one"
time="2019-09-18T15:04:43-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:43-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:44-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:45-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:45-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:47-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:04:47-04:00" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2019-09-18T15:06:49-04:00" level=debug msg="Serving default certificate for request: \"pass.domain.com\""

Hello,

In v2, the dynamic configuration and the static configuration must be defined in 2 different files.

And, as in v1, to use the file provider you need to enable it.

# traefik.yml
# static configuration

log:
  level: "DEBUG"

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
  file:
    filename: /dyn.yml

certificatesResolvers:
  default:
    acme:
      email: "email@domain.comn"
      storage: "/etc/traefik/acme/acme.json"
      dnsChallenge:
        provider: "cloudflare"

# dyn.yml
# dynamic configuration

http:
  routers:
    router0:
        rule: "Host(`domain.com`)"
        entryPoints:
        - "web"
        middlewares:
        - "redirect"

    router1:
      rule: "Host(`domain.com`)"
      entryPoints:
      - "web-secure"
      tls:
        certResolver: "default"
        domains:
        - main: "*.domain.com"
          sans: "domain.com"

  middlewares:
    redirect:
      redirectScheme:
        scheme: "https"
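
A minimal pre-deployment check for the mistake described in the answer above, as an added example that is not part of the original thread or of Traefik itself: it flags routing sections (`http`, `tcp`, `tls`) left in the static `traefik.yml` and a missing `file` provider. The function names and the two abridged sample files are constructed for illustration.

```python
import re

# Sections Traefik v2 reads only from a dynamic source (file provider, labels).
DYNAMIC_SECTIONS = {"http", "tcp", "tls"}

def enabled_providers(text):
    """Names nested directly under the top-level `providers:` key."""
    names, inside, child = [], False, None
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key: are we entering the providers block?
            inside, child = body.startswith("providers:"), None
        elif inside:
            # The first nested line fixes the indent of direct children.
            child = indent if child is None else child
            if indent == child:
                names.append(body.split(":")[0])
    return names

def lint_static_config(text):
    """Return findings for a file meant to be the static traefik.yml."""
    findings = []
    # Unindented mapping keys, found without needing a YAML library.
    keys = set(re.findall(r"^([A-Za-z][\w-]*):", text, re.M))
    misplaced = sorted(DYNAMIC_SECTIONS & keys)
    if misplaced:
        findings.append("dynamic sections in static file: " + ", ".join(misplaced))
    if "file" not in enabled_providers(text):
        findings.append("file provider not enabled")
    return findings

# Constructed samples, abridged from the two traefik.yml files in this thread.
QUESTION_YML = """\
providers:
  docker:
    exposedByDefault: false
http:
  routers:
    router1:
      rule: "Host(`domain.com`)"
"""
ANSWER_YML = """\
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /dyn.yml
"""
```

Calling `lint_static_config(QUESTION_YML)` reports both findings, while `lint_static_config(ANSWER_YML)` returns an empty list.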

Thanks!

This did resolve my issue and I have it creating certs. The issue is this is creating a cert for each docker container.

I was really hoping to get the wildcard cert working with docker. In my setup from v1 I was able to use 2 tags to enable and specify the domain and it would use the wildcard cert without an issue.

Is there any way to get v2 to pick up on the dynamic file config and use that in place of labels? As it stands I need to use 4 tags to get separate certs and not have redirect from port 80 to 443. I tried to play around with some various settings but it always seemed to ignore the dynamic file router.

Thanks again!