Not creating _acme-challenge for domain

Hello

I am unable to gain a certificate for a secondary domain using DNS challenge and the porkbun provider. I have tried configuring this without the domain01.net domain, as well. Same result. I have verified by looking into the porkbun page that the ns entry is not being added. API is enabled. I have confirmed with acme.sh that this is being created. Please advise.

traefik launcher:

  --api.insecure=true \
  --api.dashboard=true \
  --providers.docker \
  --log.level=DEBUG \
  --entrypoints.web.address=:80 \
  --entrypoints.web.http.redirections.entrypoint.to=websecure \
  --entrypoints.web.http.redirections.entrypoint.scheme=https \
  --entrypoints.websecure.address=:443 \
  --entrypoints.websecure.http.tls=true \
  --entrypoints.websecure.http.tls.certResolver=letsencrypt \
  --entrypoints.websecure.http.tls.domains[0].main=domain0.net \
  --entrypoints.websecure.http.tls.domains[0].sans=*.domain0.net \
  --entrypoints.websecure.http.tls.domains[1].main=domain1.cloud \
  --entrypoints.websecure.http.tls.domains[1].sans=*.domain1.cloud \
  --certificatesresolvers.letsencrypt.acme.caServer="https://acme-staging.api.letsencrypt.org/directory" \
  --certificatesresolvers.letsencrypt.acme.dnschallenge=true \
  --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=porkbun \
  --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=30 \
  --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[0]=162.159.8.140:53 \
  --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[1]=173.245.58.37:53 \
  --certificatesresolvers.letsencrypt.acme.email=jmcgee@domain0.net \
  --certificatesresolvers.letsencrypt.acme.storage=/config/acme.json

container labels


                    "--label",
                    "traefik.docker.network=systemd-proxy",
                    "--label",
                    "traefik.enable=true",
                    "--label",
                    "traefik.http.routers.nextcloud.entrypoints=websecure",
                    "--label",
                    "traefik.http.routers.nextcloud.rule=Host(`domain1.cloud`)",
                    "--label",
                    "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt",

Log output

time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11851377744"
time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: use dns-01 solver"
time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Could not find solver for: tls-alpn-01"
time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Could not find solver for: http-01"
time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: use dns-01 solver"
time="2024-03-31T09:48:57-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: Preparing to solve DNS-01"
time="2024-03-31T09:49:09-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Preparing to solve DNS-01"
time="2024-03-31T09:49:21-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: Cleaning DNS-01 challenge"
time="2024-03-31T09:49:25-04:00" level=debug msg="legolog: [WARN] [*.domain1.cloud] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.domain1.cloud.' 'J_G_ijn06n0CtjsHJKLpFu-eAMVktJEdSfQFH55M_68' "
time="2024-03-31T09:49:25-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Cleaning DNS-01 challenge"
time="2024-03-31T09:49:29-04:00" level=debug msg="legolog: [WARN] [domain1.cloud] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.domain1.cloud.' 'wzft9XaXynndzHa15Hzk_LWXAQOiARVYjPZkJ0gPLGY' "
time="2024-03-31T09:49:29-04:00" level=error msg="Unable to obtain ACME certificate for domains \"domain1.cloud,*.domain1.cloud\"" providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=websecure-fluent-bit@docker rule="Host(`fluent-bit`)" error="unable to generate a certificate for the domains [domain1.cloud *.domain1.cloud]: error: one or more domains had a problem:\n[*.domain1.cloud] [*.domain1.cloud] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.domain1.cloud.\": could not find the start of authority for _acme-challenge.domain1.cloud.: NXDOMAIN\n[domain1.cloud] [domain1.cloud] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.domain1.cloud.\": could not find the start of authority for _acme-challenge.domain1.cloud.: NXDOMAIN\n"

Host() is used to automatically create a TLS cert, so it has to be a FQDN.

I see where you are seeing that, and it is odd that it is trying to create one for that instance when I don't have any traefik related labels for that particular container. Here are some more logs. The first entry is my restarting of the container that uses that domain1.cloud entry. I have used both the staging and nonstaging acme caservers with the same results. Like I have stated, it's like it's not creating the domain entry and I cannot figure out why.

time="2024-04-01T08:49:31-04:00" level=debug msg="Provider event received {Status:die ID:e51403e6dd6ca1a3b5d688d3576d3546dd1c11dd1d51afba38c65e62cbe9a490 From:docker.io/library/nextcloud:latest Type:container Action:die Actor:{ID:e51403e6dd6ca1a3b5d688d3576d3546dd1c11dd1d51afba38c65e62cbe9a490 Attributes:map[PODMAN_SYSTEMD_UNIT:nextcloud.service containerExitCode:0 exitCode:0 image:docker.io/library/nextcloud:latest io.containers.autoupdate:registry name:nextcloud podId: traefik.docker.network:systemd-proxy traefik.enable:true traefik.http.routers.nextcloud.entrypoints:websecure traefik.http.routers.nextcloud.rule:Host(`domain1.cloud`) traefik.http.routers.nextcloud.tls:true traefik.http.routers.nextcloud.tls.certresolver:letsencrypt]} Scope:local Time:1711975771 TimeNano:1711975771106622228}" providerName=docker
time="2024-04-01T08:49:31-04:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"calibre-web\":{\"entryPoints\":[\"websecure\"],\"service\":\"calibre-web\",\"rule\":\"Host(`library.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"dnsblocklist\":{\"service\":\"dnsblocklist\",\"rule\":\"Host(`dnsblocklist`)\"},\"fluent-bit\":{\"service\":\"fluent-bit\",\"rule\":\"Host(`fluent-bit`)\"},\"frigate\":{\"entryPoints\":[\"websecure\"],\"service\":\"frigate\",\"rule\":\"Host(`frigate.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"immich-microservices\":{\"service\":\"immich-microservices\",\"rule\":\"Host(`immich-microservices`)\"},\"immich-postgres\":{\"service\":\"immich-postgres\",\"rule\":\"Host(`immich-postgres`)\"},\"immich-redis\":{\"service\":\"immich-redis\",\"rule\":\"Host(`immich-redis`)\"},\"immich-server\":{\"entryPoints\":[\"websecure\"],\"service\":\"immich-server\",\"rule\":\"Host(`photos.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"jellyfin\":{\"entryPoints\":[\"websecure\"],\"service\":\"jellyfin\",\"rule\":\"Host(`video.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"lldap\":{\"entryPoints\":[\"websecure\"],\"service\":\"lldap\",\"rule\":\"Host(`lldap.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"nextcloud\":{\"entryPoints\":[\"websecure\"],\"service\":\"nextcloud\",\"rule\":\"Host(`domain1.cloud`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"nzbget\":{\"entryPoints\":[\"websecure\"],\"service\":\"nzbget\",\"rule\":\"Host(`nzbget.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"openobserve\":{\"entryPoints\":[\"websecure\"],\"service\":\"openobserve\",\"rule\":\"Host(`logs.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"prowlarr\":{\"entryPoints\":[\"websecure\"],\"service\":\"prowlarr\",\"rule\":\"Host(`prowlarr.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"radarr\":{\"entryPoints\":[\"websecure\"],\"service\":\"radar
r\",\"rule\":\"Host(`radarr.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"sftpgo\":{\"entryPoints\":[\"websecure\"],\"service\":\"sftpgo\",\"rule\":\"Host(`sftpgo.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"sonarr\":{\"entryPoints\":[\"websecure\"],\"service\":\"sonarr\",\"rule\":\"Host(`sonarr.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"traefik\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"strip\"],\"service\":\"api@internal\",\"rule\":\"Host(`illmatic.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"uptime-kuma\":{\"entryPoints\":[\"websecure\"],\"service\":\"uptime-kuma\",\"rule\":\"Host(`monitoring-nas.domain0.net`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}}},\"services\":{\"calibre-web\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.35:8083\"}],\"passHostHeader\":true}},\"dnsblocklist\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.5.3:80\"}],\"passHostHeader\":true}},\"fluent-bit\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.1.2:2020\"}],\"passHostHeader\":true}},\"frigate\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.4:5000\"}],\"passHostHeader\":true}},\"immich-microservices\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.8.38:3001\"}],\"passHostHeader\":true}},\"immich-postgres\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.8.35:5432\"}],\"passHostHeader\":true}},\"immich-redis\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.8.28:6379\"}],\"passHostHeader\":true}},\"immich-server\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.24:3001\"}],\"passHostHeader\":true}},\"jellyfin\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.241:8096\"}],\"passHostHeader\":true}},\"lldap\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.9:17170\"}],\"passHostHeader\":true}},\"nextcloud\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.73:80\"}],\"passHostHeader\":true}},\"nzbget\":
{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.11:6789\"}],\"passHostHeader\":true}},\"openobserve\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.3:5080\"}],\"passHostHeader\":true}},\"prowlarr\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.16:9696\"}],\"passHostHeader\":true}},\"radarr\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.68:7878\"}],\"passHostHeader\":true}},\"sftpgo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.5:8080\"}],\"passHostHeader\":true}},\"sonarr\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.178:8989\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.67:80\"}],\"passHostHeader\":true}},\"uptime-kuma\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.89.6.6:3001\"}],\"passHostHeader\":true}}},\"middlewares\":{\"strip\":{\"stripPrefix\":{\"prefixes\":[\"/traefik\"],\"forceSlash\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2024-04-01T08:49:31-04:00" level=debug msg="Adding route for domain1.cloud with TLS options default" entryPointName=websecure
time="2024-04-01T08:49:31-04:00" level=debug msg="Trying to challenge certificate for domain [domain1.cloud] found in HostSNI rule" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nextcloud@docker rule="Host(`domain1.cloud`)" providerName=letsencrypt.acme
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\" \"*.domain1.cloud\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\" \"*.domain1.cloud\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\"]..." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nextcloud@docker rule="Host(`domain1.cloud`)"
time="2024-04-01T08:49:31-04:00" level=debug msg="Domains [\"domain1.cloud\" \"*.domain1.cloud\"] need ACME certificates generation for domains \"domain1.cloud,*.domain1.cloud\"." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="Loading ACME certificates [domain1.cloud *.domain1.cloud]..." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="legolog: [INFO] [domain1.cloud, *.domain1.cloud] acme: Obtaining bundled SAN certificate"
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\" \"*.domain1.cloud\"]..." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="No ACME certificate generation required for domains [\"domain1.cloud\" \"*.domain1.cloud\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\" \"*.domain1.cloud\"]..." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="No ACME certificate generation required for domains [\"domain1.cloud\" \"*.domain1.cloud\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"domain1.cloud\" \"*.domain1.cloud\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-04-01T08:49:31-04:00" level=debug msg="No ACME certificate generation required for domains [\"domain1.cloud\" \"*.domain1.cloud\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="No ACME certificate generation required for domains [\"domain1.cloud\" \"*.domain1.cloud\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-01T08:49:31-04:00" level=debug msg="No ACME certificate generation required for domains [\"domain1.cloud\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nextcloud@docker rule="Host(`domain1.cloud`)"
time="2024-04-01T08:49:31-04:00" level=debug msg="Provider event received {Status:start ID:19ef2d87fdd91805f872a2992881e98acb3afc51b163b83204595cf9276a2374 From:docker.io/library/nextcloud:latest Type:container Action:start Actor:{ID:19ef2d87fdd91805f872a2992881e98acb3afc51b163b83204595cf9276a2374 Attributes:map[PODMAN_SYSTEMD_UNIT:nextcloud.service containerExitCode:0 image:docker.io/library/nextcloud:latest io.containers.autoupdate:registry name:nextcloud podId: traefik.docker.network:systemd-proxy traefik.enable:true traefik.http.routers.nextcloud.entrypoints:websecure traefik.http.routers.nextcloud.rule:Host(`domain1.cloud`) traefik.http.routers.nextcloud.tls:true traefik.http.routers.nextcloud.tls.certresolver:letsencrypt]} Scope:local Time:1711975771 TimeNano:1711975771667294560}" providerName=docker
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11861786534"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11861786544"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: use dns-01 solver"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Could not find solver for: tls-alpn-01"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Could not find solver for: http-01"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: use dns-01 solver"
time="2024-04-01T08:49:32-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: Preparing to solve DNS-01"
time="2024-04-01T08:49:49-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Preparing to solve DNS-01"
time="2024-04-01T08:50:06-04:00" level=debug msg="legolog: [INFO] [*.domain1.cloud] acme: Cleaning DNS-01 challenge"
time="2024-04-01T08:50:10-04:00" level=debug msg="legolog: [WARN] [*.domain1.cloud] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.domain1.cloud.' '3k0JjuSZdtgniGHgvJvU43zHSHWg2Knr5sHFUVsLpn0' "
time="2024-04-01T08:50:10-04:00" level=debug msg="legolog: [INFO] [domain1.cloud] acme: Cleaning DNS-01 challenge"
time="2024-04-01T08:50:14-04:00" level=debug msg="legolog: [WARN] [domain1.cloud] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.domain1.cloud.' 'FMjrRL2soN7OU6kHc7apux6Q-IX6CHO2jw53ff-HL_A' "
time="2024-04-01T08:50:14-04:00" level=error msg="Unable to obtain ACME certificate for domains \"domain1.cloud,*.domain1.cloud\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme routerName=websecure-immich-redis@docker rule="Host(`immich-redis`)" error="unable to generate a certificate for the domains [domain1.cloud *.domain1.cloud]: error: one or more domains had a problem:\n[*.domain1.cloud] [*.domain1.cloud] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.domain1.cloud.\": could not find the start of authority for _acme-challenge.domain1.cloud.: NXDOMAIN\n[domain1.cloud] [domain1.cloud] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.domain1.cloud.\": could not find the start of authority for _acme-challenge.domain1.cloud.: NXDOMAIN\n"

porkbun: could not find zone for FQDN _acme-challenge.domain1.cloud

Does domain1.cloud reside with porkbun under that account?

Yes, it does. All manual resolutions work as well.

You do have another strange FQDN:

Maybe clean up all your config, try with a single service and add them piece by piece.

What’s inside acme.json?

That's pulling from containers that do not have traefik related labels. Not sure how to prevent that. Everything on domain0.net works as expected. It's just not working for domain1.cloud.

Here's an example from one without any labels for traefik and one with, that works for domain0.net

# podman inspect --format='{{range $key, $value := .Config.Labels}}{{$key}}={{$value}}\n{{end}}' immich-redis
PODMAN_SYSTEMD_UNIT=immich-redis.service

# podman inspect --format='{{range $key, $value := .Config.Labels}}{{$key}}={{$value}}\n{{end}}' immich-server
PODMAN_SYSTEMD_UNIT=immich-server.service
org.opencontainers.image.created=2024-03-28T19:07:43.932Z
org.opencontainers.image.description=High performance self-hosted photo and video management solution.
org.opencontainers.image.licenses=AGPL-3.0
org.opencontainers.image.revision=16513b4a6e76a4187ae3f2c08de9d604570f69d9
org.opencontainers.image.source=https://github.com/immich-app/immich
org.opencontainers.image.title=immich
org.opencontainers.image.url=https://github.com/immich-app/immich
org.opencontainers.image.version=v1.100.0
traefik.docker.network=systemd-proxy
traefik.enable=true
traefik.http.routers.immich-server.entrypoints=websecure
traefik.http.routers.immich-server.rule=Host(`photos.domain0.net`)
traefik.http.routers.immich-server.tls.certresolver=letsencrypt

Not sure how compatible Traefik providers.docker really is with podman.

Usually this is best practice for good configuration discovery (doc):

--providers.docker.exposedByDefault=false
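An added example, not part of the original thread: a small audit of a Traefik dynamic configuration (the JSON carried in the "Configuration received" debug line) that lists routers whose Host() rule is not an FQDN and that name no entry points, which is the pattern auto-discovered containers produce. The router names and hosts in the sample are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape of the "Configuration received" debug line.
# Router names and hosts are placeholders, not values from the thread.
SAMPLE_CONFIG = json.loads(r'''
{"http": {"routers": {
  "photos":      {"entryPoints": ["websecure"], "service": "photos",
                  "rule": "Host(`photos.example.org`)",
                  "tls": {"certResolver": "letsencrypt"}},
  "cache":       {"service": "cache", "rule": "Host(`cache`)"},
  "log-shipper": {"service": "log-shipper", "rule": "Host(`log-shipper`)"}
}}}
''')

HOST_CALL = re.compile(r'Host\(([^)]*)\)')      # Host(`a`) or Host(`a`, `b`)
QUOTED = re.compile(r'[`"]([^`"]+)[`"]')        # backtick or double-quoted value
LABEL = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def hosts_in_rule(rule):
    """Return every host name used inside Host(...) matchers of a rule."""
    return [h for call in HOST_CALL.findall(rule) for h in QUOTED.findall(call)]


def is_fqdn(host):
    """True when the name has at least two valid DNS labels."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def audit_routers(config):
    """List routers whose Host() value a public CA could never validate."""
    findings = []
    routers = config.get("http", {}).get("routers", {})
    for name, router in sorted(routers.items()):
        bad = [h for h in hosts_in_rule(router.get("rule", "")) if not is_fqdn(h)]
        if not bad:
            continue
        findings.append({
            "router": name,
            "hosts": bad,
            # No entryPoints key: the router is attached to every entry point,
            # including one that carries an entry-point-level certResolver.
            "all_entrypoints": "entryPoints" not in router,
            "explicit_resolver": bool(router.get("tls", {}).get("certResolver")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_routers(SAMPLE_CONFIG):
        print(finding)
```

An empty result after setting exposedByDefault to false confirms that only explicitly labelled containers are being routed.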

Awesome. I appreciate the assistance on that portion and that should help clean up my logs.

This did offer some log cleanup. However, still getting the same results. I have verified that an nslookup -type=TXT works when I manually add a record, from both domains, on all internal hosts and in the container.

This is really a head scratcher for me.

So I redid the whole configuration and moved from command switches to environment values, and it seems this line fixed it, as it's now spitting out in the logs that it's reaching to the resolvers:

'TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_DNSCHALLENGE_RESOLVERS="162.159.8.140:53,173.245.58.37:53"'

Maybe a typo on the switches on my part?
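An added example, not part of the original thread: a triage script for Traefik/lego DNS-01 log lines of the kind posted above. It separates the root cause ("error presenting token", here a failed zone/SOA lookup over DNS) from the follow-on "cleaning up failed: unknown record ID" warnings, which only say that no record was ever created. The sample log is constructed; example.org and the token values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log format in this thread.
SAMPLE_LOG = r'''
time="2024-01-01T10:00:00Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Preparing to solve DNS-01"
time="2024-01-01T10:00:12Z" level=debug msg="legolog: [INFO] [example.org] acme: Preparing to solve DNS-01"
time="2024-01-01T10:00:24Z" level=debug msg="legolog: [WARN] [*.example.org] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.example.org.' 'TOKEN-A' "
time="2024-01-01T10:00:28Z" level=debug msg="legolog: [WARN] [example.org] acme: cleaning up failed: porkbun: unknown record ID for '_acme-challenge.example.org.' 'TOKEN-B' "
time="2024-01-01T10:00:28Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\"" providerName=letsencrypt.acme routerName=websecure-fluent-bit@docker rule="Host(`fluent-bit`)" error="unable to generate a certificate for the domains [example.org *.example.org]: error: one or more domains had a problem:\n[*.example.org] [*.example.org] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.example.org.\": could not find the start of authority for _acme-challenge.example.org.: NXDOMAIN\n[example.org] [example.org] acme: error presenting token: porkbun: could not find zone for FQDN \"_acme-challenge.example.org.\": could not find the start of authority for _acme-challenge.example.org.: NXDOMAIN\n"
'''

QUOTED_VALUE = r'="((?:[^"\\]|\\.)*)"'
PRESENT = re.compile(
    r'^\[(?P<domain>[^\]]+)\] .*?acme: error presenting token: '
    r'(?P<provider>\w+): (?P<reason>.*)$')
CLEANUP = re.compile(
    r'legolog: \[WARN\] \[(?P<domain>[^\]]+)\] acme: cleaning up failed: ')
ZONE_LOOKUP = re.compile(r'could not find zone|start of authority')


def field(line, key):
    """Return the unescaped value of a quoted key="..." field, or None."""
    m = re.search(r'(?:^|\s)' + re.escape(key) + QUOTED_VALUE, line)
    if not m:
        return None
    return m.group(1).replace(r'\"', '"').replace(r'\n', '\n')


def triage(log_text):
    """Group DNS-01 failures per domain and name the stage that failed."""
    report = defaultdict(lambda: {"stage": None, "provider": None,
                                  "reason": None, "router": None,
                                  "cleanup_warnings": 0})
    for line in log_text.splitlines():
        warn = CLEANUP.search(field(line, "msg") or "")
        if warn:
            # Consequence, not cause: the record ID is unknown because
            # the TXT record was never created in the first place.
            report[warn["domain"]]["cleanup_warnings"] += 1
            continue
        error = field(line, "error")
        if "level=error" not in line or error is None:
            continue
        router = re.search(r'\srouterName=(\S+)', line)
        for problem in error.split("\n"):
            m = PRESENT.match(problem)
            if not m:
                continue
            entry = report[m["domain"]]
            entry["provider"] = m["provider"]
            entry["reason"] = m["reason"]
            entry["router"] = router.group(1) if router else None
            # A zone/SOA failure is a DNS resolution problem (check the
            # dnschallenge resolvers); anything else came from the provider.
            entry["stage"] = ("zone-lookup" if ZONE_LOOKUP.search(m["reason"])
                              else "provider-api")
    return dict(report)


if __name__ == "__main__":
    for domain, entry in triage(SAMPLE_LOG).items():
        print(domain, entry)
```

A "zone-lookup" stage points at DNS resolution from inside the Traefik container rather than at the provider credentials, which matches how this thread was resolved through the resolvers setting.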