Not able to obtain certificates via tlsChallenge or httpChallenge

Hi,

I'm trying to set up Let's Encrypt on a new server. I have this working pretty flawlessly on a different server using dnsChallenge, but that's not an option on this new server. So, I thought I could use either tlsChallenge or httpChallenge. The configuration looks pretty simple, but I can't get it to work. Any help/hints would be appreciated.

traefik.toml:

[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[log]
  level = "DEBUG"

[accessLog]

[serversTransport]
  insecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"

  [entryPoints.https]
    address = ":443"

  [entryPoints.health]
    address = ":8080"

  [entryPoints.traefik]
    address = ":8443"

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
  watch = true

[providers.file]
  filename = "servers.toml"

[api]
  dashboard = true

[ping]
  entryPoint = "health"

[certificatesResolvers.letsEncrypt.acme]
  email = "hostmaster@example.com"
  storage = "acme.json"
  [certificatesResolvers.letsEncrypt.acme.tlsChallenge]
  [certificatesResolvers.letsEncrypt.acme.httpChallenge]
    entryPoint = "http"

And here's what a typical container looks like in docker compose:

version: '3.6'
services:
  www-example-com:
    image: nginxinc/nginx-unprivileged:alpine
    container_name: www-example-com
    restart: always
    volumes:
      - /srv/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
      - /srv/nginx/www.example.com/html:/usr/share/nginx/html:ro
    labels:
      traefik.docker.network: "web"
      traefik.enable: true

      traefik.http.services.www-example-com-https.loadbalancer.server.port: 8080
      traefik.http.services.www-example-com-https.loadbalancer.server.scheme: "http"

      traefik.http.routers.www-example-com.entrypoints: "http,https"
      traefik.http.routers.www-example-com.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com.middlewares: "terry@file,httpsredirect@file"

      traefik.http.routers.www-example-com-https.entrypoints: "http,https"
      traefik.http.routers.www-example-com-https.rule: "Host(`example.com`,`www.example.com`)"
      traefik.http.routers.www-example-com-https.service: "www-example-com-https"
      traefik.http.routers.www-example-com-https.middlewares: "terry@file"
      traefik.http.routers.www-example-com-https.tls.certresolver: "letsEncrypt"
    networks:
      web:
        aliases:
          - www-example-com

networks:
  web:

If I have tlsChallenge only enabled, I get this error:

time="2019-10-10T21:53:05Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n" providerName=letsEncrypt.acme routerName=www-example-com-https rule="Host(`example.com`,`www.example.com`)"

If I have dnsChallenge only enabled, I get this error:

time="2019-10-10T21:56:28Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,www.example.com\": unable to generate a certificate for the domains [example.com www.example.com]: acme: Error -> One or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p\", url: \n" rule="Host(`example.com`,`www.example.com`)" providerName=letsEncrypt.acme routerName=www-example-com-https

What am I missing here?

Duh. I just realized my mistake. I'm on a staging server and DNS points to another server. Thus the domains don't resolve to the right place.

I'm going to go sit in the corner and think about what I've done. Let this be a lesson to me.

hangs head in shame

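The two errors in this thread are the classic signatures of a name that does not resolve to the host running Traefik: the http-01 failure reports the address the CA actually reached (`[192.168.1.1]` here), while the tls-alpn-01 failure only says that whatever answered on :443 did not offer the `acme-tls/1` ALPN protocol. The following is an added example, not code from the thread or from Traefik, that parses such log lines, tells the two challenge types apart, and checks the failing names against the address the staging host is expected to have. The sample log lines are constructed (shortened copies of the two quoted above), the address `203.0.113.10` is a made-up placeholder for the staging server's public IP, and the resolver is injectable so the check can run offline.

```python
"""Triage of Traefik ACME failures such as the two errors in this thread.

Added example, not part of the thread or of Traefik. Parses the
"Unable to obtain ACME certificate" log line, classifies http-01 vs
tls-alpn-01 failures, and checks whether the failing names resolve to
the host that is actually running Traefik (the poster's root cause).
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# One "[domain] acme: error: <status> :: <type> :: <detail>, url:" block per failed domain.
DOMAIN_ERROR = re.compile(
    r"\[(?P<domain>[A-Za-z0-9.-]+)\] acme: error: (?P<status>\d+) :: "
    r"(?P<errtype>\S+) :: (?P<detail>.*?), url:"
)
# For http-01, the CA reports the address it connected to as "[ip]:" in the detail.
OBSERVED_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:")

# Constructed sample lines, shortened from the two errors quoted in the thread.
SAMPLE_TLS_ALPN = (
    r'time="2019-10-10T21:53:05Z" level=error msg="Unable to obtain ACME certificate for domains '
    r'\"example.com,www.example.com\": acme: Error -> One or more domains had a problem:\n'
    r'[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n'
    r'[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n" '
    r'providerName=letsEncrypt.acme routerName=www-example-com-https'
)
SAMPLE_HTTP = (
    r'time="2019-10-10T21:56:28Z" level=error msg="Unable to obtain ACME certificate for domains '
    r'\"example.com,www.example.com\": acme: Error -> One or more domains had a problem:\n'
    r'[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Invalid response from http://example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: '
    r'\"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<title>404 Not Found</title><p\", url: \n'
    r'[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Invalid response from http://www.example.com/.well-known/acme-challenge/<SNIP> [192.168.1.1]: '
    r'\"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<title>404 Not Found</title><p\", url: \n" '
    r'providerName=letsEncrypt.acme routerName=www-example-com-https'
)
# Placeholder for the staging host's own public address (constructed, not from the thread).
EXPECTED_IPS = ["203.0.113.10"]


@dataclass
class AcmeFailure:
    domain: str
    status: int
    errtype: str
    challenge: str              # "tls-alpn-01", "http-01" or "unknown"
    observed_ip: Optional[str]  # only http-01 reports where the CA actually connected


def parse_acme_failures(log_line: str) -> List[AcmeFailure]:
    """Extract one AcmeFailure per "[domain] acme: error ..." block in a Traefik log line."""
    failures = []
    for m in DOMAIN_ERROR.finditer(log_line):
        detail = m.group("detail")
        if "tls-alpn-01" in detail:
            challenge = "tls-alpn-01"
        elif "/.well-known/acme-challenge/" in detail:
            challenge = "http-01"
        else:
            challenge = "unknown"
        ip = OBSERVED_IP.search(detail)
        failures.append(AcmeFailure(m.group("domain"), int(m.group("status")),
                                    m.group("errtype"), challenge,
                                    ip.group("ip") if ip else None))
    return failures


def check_dns(domains: List[str], expected_ips: List[str],
              resolve: Callable[[str], Tuple[str, list, list]] = socket.gethostbyname_ex
              ) -> Dict[str, dict]:
    """Flag every name whose A records include an address other than this host's."""
    results = {}
    for name in domains:
        try:
            _, _, addrs = resolve(name)
        except socket.gaierror as exc:
            results[name] = {"addresses": [], "ok": False, "stray": [], "reason": str(exc)}
            continue
        stray = sorted(set(addrs) - set(expected_ips))
        results[name] = {"addresses": addrs, "ok": bool(addrs) and not stray, "stray": stray,
                         "reason": "" if not stray else f"resolves to {stray}, not this host"}
    return results


def diagnose(failures: List[AcmeFailure], expected_ips: List[str]) -> List[Tuple[str, str, str]]:
    """Map each failure to a (domain, code, explanation) triple a reader can act on."""
    notes = []
    for f in failures:
        if f.challenge == "http-01" and f.observed_ip and f.observed_ip not in expected_ips:
            notes.append((f.domain, "dns-points-elsewhere",
                          f"CA validated against {f.observed_ip}, not this host {expected_ips}"))
        elif f.challenge == "http-01":
            notes.append((f.domain, "challenge-path-not-served",
                          "CA reached this host but Traefik did not answer /.well-known/acme-challenge/ "
                          "on the 'http' entry point (port 80)"))
        elif f.challenge == "tls-alpn-01":
            notes.append((f.domain, "no-acme-alpn",
                          "the listener on :443 did not offer acme-tls/1: the name resolves to "
                          "another host, or something in front of Traefik terminates TLS"))
        else:
            notes.append((f.domain, "other", f"{f.errtype} ({f.status})"))
    return notes


if __name__ == "__main__":
    # Constructed resolver reproducing the thread's situation: DNS points at the old server.
    fake = lambda n: (n, [], {"example.com": ["192.168.1.1"], "www.example.com": ["192.168.1.1"]}[n])
    for line in (SAMPLE_TLS_ALPN, SAMPLE_HTTP):
        for domain, code, msg in diagnose(parse_acme_failures(line), EXPECTED_IPS):
            print(f"{domain}: {code}: {msg}")
    print(check_dns(["example.com", "www.example.com"], EXPECTED_IPS, resolve=fake))
```

Run it against a real log line and the real resolver (drop the `resolve=` argument) before retrying an issuance: a `dns-points-elsewhere` or a non-empty `stray` list means no amount of Traefik configuration will make http-01 or tls-alpn-01 succeed, since both challenges are answered by whatever host the public DNS names actually reach.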