Problem with Lets Encrypt. ACME Fails

Traefik Traefik v2
,
1

Hello everybody,

I try to expose a Home Assistent over Traefik using a second Raspberry Pi with trafik. The goal is to enable SSL with a Lets Encrypt Certificate.

Scenario:

  • Custom public DNS Server with DynDNS (The Fritz!Box updates the DNS Records over a script when my IP changes); This works fine.
  • Port Forwarding over the router. Port 80 and 443 ends on the Raspberry Pi running traefik

Contents of traefik.yml

api:
  insecure: true

providers:
  file:
    directory: /services
    watch: true

certificatesResolvers:
  le:
    acme:
      email: mymail@example.com
      storage: /ssl/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

docker-compose.yml of traefik

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.6
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./logs:/etc/logs
      - ./ssl:/ssl
      - ./services:/services
    restart: always

services/myservice.yaml

http:
  routers:
    home-assistant-route:
      entryPoints:
      - web
      service: home-assistant
      rule: "Host(`internal.example.local`)"
      #tls:
      #  certresolver: le
    home-assistant-ext:
      entryPoints:
      - web
      service: home-assistant
      rule: "Host(`public.example.com`)"
    home-assistant-ssl:
      entryPoints:
      - websecure
      service: home-assistant
      rule: "Host(`public.example.com`)"
      tls:
        domains: 
          - public.example.com
        certResolver: le

  services:
    home-assistant:
      loadBalancer:
        servers:
        - url: http://192.168.0.7:8123/

Whats working

  • Access over http://internal.example.local which is resolves over my custom home DNS server
  • Access over http://public.example.com
  • Access over https://public.example.com which ends in a certificate error. By bypassing this warning the access is possible

Traefik reports this error: level=error msg="Unable to obtain ACME certificate for domains \"public.example.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53603->127.0.0.11:53: i/o timeout" routerName=home-assistant-ssl@file providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(public.example.com)"

Any ideas how I could get this to work?

Thanks everybody!

2

Can you please check if you can reach the directory e.g. by using CUR? Seems that the issue is related to network connectivity to Lets Encrypt servers.

3

I got it!

It seems like my docker is not correct configured.

I manually add dns servers to the docker-compose file:

    dns:
      - 8.8.8.8
      - 4.4.4.4
2 Likes
4

Thanks for the update. Glad to hear that you solved the issue :slight_smile: