Hi,
I'm trying to set up Let's Encrypt on a new server. I have this working pretty flawlessly on a different server using dnsChallenge, but that's not an option on this new server. So, I thought I could use either tlsChallenge or httpChallenge. The configuration looks pretty simple, but I can't get it to work. Any help/hints would be appreciated.
traefik.toml:
[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[log]
  level = "DEBUG"

[accessLog]

[serversTransport]
  # disables TLS certificate verification toward backends
  insecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
  [entryPoints.health]
    address = ":8080"
  [entryPoints.traefik]
    address = ":8443"

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
  watch = true

[providers.file]
  filename = "servers.toml"

[api]
  dashboard = true

[ping]
  entryPoint = "health"

[certificatesResolvers.letsEncrypt.acme]
  email = "hostmaster@example.com"
  storage = "acme.json"
  # only one challenge type is active at a time; the other is commented out while testing
  [certificatesResolvers.letsEncrypt.acme.tlsChallenge]
  # [certificatesResolvers.letsEncrypt.acme.httpChallenge]
  #   entryPoint = "http"
And here's what a typical container looks like in docker compose:
version: '3.6'
services:
  www-example-com:
    image: nginxinc/nginx-unprivileged:alpine
    container_name: www-example-com
    restart: always
    volumes:
      - /srv/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
      - /srv/nginx/www.example.com/html:/usr/share/nginx/html:ro
    labels:
      traefik.docker.network: "web"
      traefik.enable: true
      traefik.http.services.www-example-com-https.loadbalancer.server.port: 8080
      traefik.http.services.www-example-com-https.loadbalancer.server.scheme: "http"
      traefik.http.routers.www-example-com.entrypoints: "http,https"
      traefik.http.routers.www-example-com.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com.middlewares: "terry@file,httpsredirect@file"
      traefik.http.routers.www-example-com-https.entrypoints: "http,https"
      traefik.http.routers.www-example-com-https.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com-https.service: "www-example-com-https"
      traefik.http.routers.www-example-com-https.middlewares: "terry@file"
      traefik.http.routers.www-example-com-https.tls.certresolver: "letsEncrypt"
    networks:
      web:
        aliases:
          - www-example-com
networks:
  web:
If I have tlsChallenge only enabled, I get this error:
time="2019-10-10T21:53:05Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n" providerName=letsEncrypt.acme routerName=www-example-com-https rule="Host(`example.com`,`www.example.com`)"
If I have dnsChallenge only enabled, I get this error:
time="2019-10-10T21:56:28Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n" rule="Host(`example.com`,`www.example.com`)" providerName=letsEncrypt.acme routerName=www-example-com-https
What am I missing here?
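Editor's note with a worked triage example. Both errors above carry the two facts that matter for debugging: the challenge type that failed, and (for http-01) the address the CA actually connected to plus the first bytes of what answered there. The script below is an added example (mine, not the poster's and not Traefik's code) that pulls those out of Traefik's log line and turns them into a hint, and adds a probe that repeats the tls-alpn-01 handshake the CA performs. The two sample log lines are constructed from the errors in the post (trimmed, challenge tokens left as `<SNIP>`); the function names, the hint texts and the rule of thumb that a Go/Traefik 404 is the plain text "404 page not found" while an `IETF//DTD HTML 2.0` DOCTYPE is Apache httpd's default error page are my own assumptions.

```python
# Editor's triage helper for the two errors above (added example; not from the post or Traefik).
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, trimmed from the post's errors (challenge tokens kept as <SNIP>).
SAMPLE_TLS_ALPN = (
    r'time="2019-10-10T21:53:05Z" level=error msg="Unable to obtain ACME certificate for domains '
    r'\"example.com,www.example.com\": acme: Error -> One or more domains had a problem:\n'
    r'[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n'
    r'[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n'
    r'" providerName=letsEncrypt.acme routerName=www-example-com-https'
)
APACHE_404 = (r'\"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n'
              r'<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\"')
SAMPLE_HTTP = (
    r'time="2019-10-10T21:56:28Z" level=error msg="Unable to obtain ACME certificate for domains '
    r'\"example.com,www.example.com\": acme: Error -> One or more domains had a problem:\n'
    r'[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response '
    r'from http://example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: ' + APACHE_404 + r', url: \n'
    r'[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response '
    r'from http://www.example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: ' + APACHE_404 + r', url: \n'
    r'" providerName=letsEncrypt.acme routerName=www-example-com-https'
)

PROBLEM_RE = re.compile(r'\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d+) :: '
                        r'urn:ietf:params:acme:error:(?P<etype>\w+) :: (?P<detail>.*?), url: ')
ADDR_RE = re.compile(r'\[(?P<addr>[0-9a-fA-F.:]+)\]: ')   # "[1.2.3.4]: " = address the CA reached
BODY_RE = re.compile(r'\]: \\"(?P<body>.*)\\"$')          # the %q-quoted body after that address

@dataclass
class Problem:
    domain: str
    status: int
    error_type: str
    challenge: str             # tls-alpn-01 / http-01 / dns-01 / unknown
    responder: Optional[str]   # IP the CA connected to, when the detail names one
    body: Optional[str]        # decoded response body for http-01 failures
    hint: str

def unquote_body(s: str) -> str:
    # Two escaping layers: lego %q-quotes the body (newline -> \n, quote -> \"), then the
    # logger escapes the whole msg again, so the line carries \\n and \\\" respectively.
    return s.replace('\\\\\\"', '"').replace('\\\\n', '\n')

def hint_for(challenge: str, body: Optional[str]) -> str:
    if challenge == 'tls-alpn-01':
        return ('the listener that terminated TLS on :443 for this name did not offer ALPN '
                'acme-tls/1; with tlsChallenge, Traefik itself must be what the CA reaches on 443')
    if challenge == 'http-01':
        if body is None:
            return 'no HTTP response body was reported; check what answers on :80 at that address'
        if body.strip() == '404 page not found':   # Go's http.NotFound text, i.e. Traefik answered
            return 'Traefik answered but served no token: httpChallenge.entryPoint must be the :80 entrypoint'
        hint = ('an HTML error page came back from :80 at the reported address, not Traefik\'s '
                'plain-text "404 page not found", so another listener sits in the CA\'s path')
        if 'IETF//DTD HTML 2.0' in body:
            hint += "; that DOCTYPE is Apache httpd's default error document"
        return hint
    return 'inspect the detail text'

def parse_acme_error(line: str) -> List[Problem]:
    """One Problem per '[domain] acme: error: ...' block in a Traefik ACME error line."""
    out = []
    for m in PROBLEM_RE.finditer(line):
        detail = m.group('detail')
        challenge = ('tls-alpn-01' if 'tls-alpn-01' in detail else
                     'http-01' if '/.well-known/acme-challenge/' in detail else
                     'dns-01' if 'DNS problem' in detail or '_acme-challenge' in detail else 'unknown')
        addr, bm = ADDR_RE.search(detail), BODY_RE.search(detail)
        body = unquote_body(bm.group('body')) if bm else None
        out.append(Problem(m.group('domain'), int(m.group('status')), m.group('etype'), challenge,
                           addr.group('addr') if addr else None, body, hint_for(challenge, body)))
    return out

def probe_tls_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Repeat the CA's tls-alpn-01 handshake: SNI=host, offer only acme-tls/1, return what the
    server selected (None = it would fail like the log above). Verification is off on purpose:
    a challenge responder presents a throwaway self-signed certificate. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(['acme-tls/1'])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()
    except ssl.SSLError:      # e.g. a server that rejects the handshake with no_application_protocol
        return None

if __name__ == '__main__':
    for line in (SAMPLE_TLS_ALPN, SAMPLE_HTTP):
        for p in parse_acme_error(line):
            print(f'{p.domain}: {p.challenge} {p.status} {p.error_type} via {p.responder} -> {p.hint}')
```

Running it on the two samples reports tls-alpn-01 for the first line and, for the second, http-01 answered from 192.168.1.1 with an Apache-style HTML 404 rather than Traefik's plain-text 404. Both point the same way: the host the CA reaches on ports 80 and 443 for these names is not the Traefik instance holding this resolver. `probe_tls_alpn('www.example.com')` from outside the network repeats the ALPN check against whatever is actually exposed.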