Problem with Let's Encrypt. ACME Fails

Hello everybody,

I am trying to expose Home Assistant over Traefik using a second Raspberry Pi running Traefik. The goal is to enable SSL with a Let's Encrypt certificate.

Scenario:

  • Custom public DNS server with DynDNS (the Fritz!Box updates the DNS records via a script when my IP changes); this works fine.
  • Port forwarding on the router. Ports 80 and 443 end on the Raspberry Pi running Traefik

Contents of traefik.yml

api:
  insecure: true

providers:
  file:
    directory: /services
    watch: true

certificatesResolvers:
  le:
    acme:
      email: mymail@example.com
      storage: /ssl/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

docker-compose.yml of traefik

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.6
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./logs:/etc/logs
      - ./ssl:/ssl
      - ./services:/services
    restart: always

services/myservice.yaml

http:
  routers:
    home-assistant-route:
      entryPoints:
      - web
      service: home-assistant
      rule: "Host(`internal.example.local`)"
      #tls:
      #  certresolver: le
    home-assistant-ext:
      entryPoints:
      - web
      service: home-assistant
      rule: "Host(`public.example.com`)"
    home-assistant-ssl:
      entryPoints:
      - websecure
      service: home-assistant
      rule: "Host(`public.example.com`)"
      tls:
        domains: 
          - public.example.com
        certResolver: le

  services:
    home-assistant:
      loadBalancer:
        servers:
        - url: http://192.168.0.7:8123/

What's working

  • Access over http://internal.example.local, which resolves over my custom home DNS server
  • Access over http://public.example.com
  • Access over https://public.example.com, which ends in a certificate error. After bypassing this warning, access is possible

Traefik reports this error: level=error msg="Unable to obtain ACME certificate for domains \"public.example.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53603->127.0.0.11:53: i/o timeout" routerName=home-assistant-ssl@file providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(public.example.com)"

Any ideas how I could get this to work?

Thanks everybody!

Can you please check if you can reach the directory, e.g. by using curl? It seems that the issue is related to network connectivity to the Let's Encrypt servers.

I got it!

It seems like my Docker is not correctly configured.

I manually added DNS servers to the docker-compose file:

    dns:
      - 8.8.8.8
      - 4.4.4.4

Thanks for the update. Glad to hear that you solved the issue.
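
As an added example (not code from this thread or from Traefik), the Python below reads the Go "lookup ... on ..." error inside the log line from the question and reports which resolver failed and how. The function names and the two comparison lines are constructed for illustration; 127.0.0.11 is Docker's embedded DNS server, which is why the fix ended up in the Docker configuration rather than in Traefik.

```python
import ipaddress
import re

# Go resolver error as embedded in Traefik's ACME log message:
#   lookup <host> on <resolver>:<port>: <detail>"
LOOKUP_RE = re.compile(
    r'lookup (?P<host>\S+) on (?P<resolver>\S+?):(?P<port>\d+): (?P<detail>[^"]*)'
)

CAUSES = {  # trailing text of <detail> -> what the resolver did
    "i/o timeout": "resolver did not answer",
    "no such host": "resolver answered: name does not exist",
    "server misbehaving": "resolver answered with a failure code",
    "connection refused": "nothing listening on the resolver address",
}

def resolver_kind(addr: str) -> str:
    ip = ipaddress.ip_address(addr.strip("[]"))
    if str(ip) == "127.0.0.11":
        # Docker's embedded DNS; it forwards external names to upstream servers
        return "docker-embedded"
    if ip.is_loopback:
        return "host-stub"
    return "private" if ip.is_private else "public"

def triage(line: str):
    """Return DNS failure details for a Traefik ACME error line, or None."""
    m = LOOKUP_RE.search(line)
    if m is None:
        return None  # ACME failed for a reason other than name resolution
    detail = m["detail"].strip()
    cause = next((v for k, v in CAUSES.items() if detail.endswith(k)), "unknown")
    return {"host": m["host"], "resolver": m["resolver"],
            "kind": resolver_kind(m["resolver"]), "cause": cause}

# Tail of the error line quoted in the question
FROM_THREAD = ('dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: '
               'read udp 127.0.0.1:53603->127.0.0.11:53: i/o timeout" '
               'routerName=home-assistant-ssl@file providerName=le.acme')
# Constructed lines for comparison (not from the thread)
NXDOMAIN = 'dial tcp: lookup acme.invalid on 192.168.0.1:53: no such host"'
NOT_DNS = 'level=error msg="Unable to obtain ACME certificate: connection reset"'

if __name__ == "__main__":
    for sample in (FROM_THREAD, NXDOMAIN, NOT_DNS):
        print(triage(sample))
```

A "docker-embedded" result with "resolver did not answer" points at the path from the container to its upstream DNS servers, not at the Let's Encrypt endpoint or the HTTP challenge.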