Not able to obtain certificates via tlsChallenge or httpChallenge

XenoPhage · October 10, 2019, 10:00pm

Hi,

I'm trying to set up Let's Encrypt on a new server. I have this working pretty flawlessly on a different server using dnsChallenge, but that's not an option on this new server. So, I thought I could use either tlsChallenge or httpChallenge. The configuration looks pretty simple, but I can't get it to work. Any help/hints would be appreciated.

traefik.toml:

[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[log]
  level = "DEBUG"

[accessLog]

[serversTransport]
  insecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"

  [entryPoints.https]
    address = ":443"

  [entryPoints.health]
    address = ":8080"

  [entryPoints.traefik]
    address = ":8443"

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
  watch = true

[providers.file]
  filename = "servers.toml"

[api]
  dashboard = true

[ping]
  entryPoint = "health"

[certificatesResolvers.letsEncrypt.acme]
  email = "hostmaster@example.com"
  storage = "acme.json"
  [certificatesResolvers.letsEncrypt.acme.tlsChallenge]
  [certificatesResolvers.letsEncrypt.acme.httpChallenge]
    entryPoint = "http"

And here's what a typical container looks like in docker compose :

version: '3.6'
services:
  www-example-com:
    image: nginxinc/nginx-unprivileged:alpine
    container_name: www-example-com
    restart: always
    volumes:
      - /srv/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
      - /srv/nginx/www.example.com/html:/usr/share/nginx/html:ro
    labels:
      traefik.docker.network: "web"
      traefik.enable: true

      traefik.http.services.www-example-com-https.loadbalancer.server.port: 8080
      traefik.http.services.www-example-com-https.loadbalancer.server.scheme: "http"

      traefik.http.routers.www-example-com.entrypoints: "http,https"
      traefik.http.routers.www-example-com.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com.middlewares: "terry@file,httpsredirect@file"

      traefik.http.routers.www-example-com-https.entrypoints: "http,https"
      traefik.http.routers.www-example-com-https.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com-https.service: "www-example-com-https"
      traefik.http.routers.www-example-com-https.middlewares: "terry@file"
      traefik.http.routers.www-example-com-https.tls.certresolver: "letsEncrypt"
    networks:
      web:
        aliases:
          - www-example-com

networks:
  web:

If I have tlsChallenge only enabled, I get this error:

time="2019-10-10T21:53:05Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n" providerName=letsEncrypt.acme routerName=www-example-com-https rule="Host(`example.com`,`www.example.com`)"

If I have dnsChallenge only enabled, I get this error:

time="2019-10-10T21:56:28Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n" rule="Host(`example.com`,`www.example.com`)" providerName=letsEncrypt.acme routerName=www-example-com-https

What am I missing here?

XenoPhage · October 10, 2019, 10:04pm

Duh. I just realized my mistake. I'm on a staging server and DNS points to another server. Thus the domains don't resolve to the right place.

I'm going to go sit in the corner and think about what I've done. Let this be a lesson to me.

hangs head in shame

Topic		Replies	Views
Traefik Letsencrypt TLSChallenge - Documentation Incomplete? Traefik v2 letsencrypt-acme	12	1143	February 24, 2024
Issue requesting SSL using ACME Traefik v3 (latest) docker , letsencrypt-acme	0	26	September 18, 2024
Problems with Let's Encypt Certificate Generation Traefik v2 letsencrypt-acme	0	451	November 14, 2021
Basic example for" https with let's encrypt" return generated certificat Traefik v2 docker , letsencrypt-acme	1	988	November 26, 2019
Problem with LetsEncrypt certificate generation Traefik v2 letsencrypt-acme	1	1574	September 15, 2021

Not able to obtain certificates via tlsChallenge or httpChallenge

Related Topics