Problem with Let's Encrypt DNS Challenge with Google Cloud DNS

I'm currently trying to get a wildcard ACME certificate with DNS Challenge from Google Cloud DNS. Traefik is only serving the TRAEFIK DEFAULT CERT.

The certificates resolver is sending an error message I don't understand:
cannot get ACME client googlecloud: unable to acquire config: invalid character 'o' in literal null (expecting 'u')" providerName=leresolver.acme

I've had successful DNS challenge with the gcloud service account and Traefik before.

The related debug messages:

level=debug msg="Looking for provided certificate(s) to validate [\"some.nu\" \"*.some.nu\"]..." providerName=leresolver.acme
level=debug msg="Domains [\"some.nu\" \"*.some.nu\"] need ACME certificates generation for domains \"some.nu,*.some.nu\"." providerName=leresolver.acme
level=debug msg="Loading ACME certificates [some.nu *.some.nu]..." providerName=leresolver.acme
level=debug msg="Building ACME client..." providerName=leresolver.acme
level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=leresolver.acme
level=info msg=Register... providerName=leresolver.acme
level=debug msg="legolog: [INFO] acme: Registering account for martin@erenfinbil.com"
level=debug msg="Using DNS Challenge provider: gcloud" providerName=leresolver.acme
level=error msg="Unable to obtain ACME certificate for domains \"some.nu,*.some.nu\" : cannot get ACME client googlecloud: unable to acquire config: invalid character 'o' in literal null (expecting 'u')" providerName=leresolver.acme
level=debug msg="Serving default certificate for request: \"home.some.nu\""

docker-compose.yml


secrets:
        gcp_service_account:
                file: "/home/server/docker/secrets/project-com-8a38da91d478.json"
        usersfile:
                file: "/home/server/docker/secrets/usersfile"
                
networks:
        traefik-proxy:
                external:
                        name: traefik-proxy

services:
        homeassistant:
                container_name: homeassistant
                image: homeassistant/home-assistant:latest
                restart: "unless-stopped"
                ports:
                        - 8123:8123
                volumes:
                        - ${USERDIR}/docker/homeassistant/config:/config:z
                        - ${USERDIR}/docker/shared:/shared:z
                environment:
                        - TZ=${TZ}
                networks:
                        - traefik-proxy
                labels:
                        - "traefik.enable=true"
                        - "traefik.http.routers.homeassistant.rule=(Host(`homeassistant.some.nu`))"
                        - "traefik.http.routers.homeassistant.entrypoints=websecure"
                        - "traefik.http.routers.homeassistant.tls.certresolver=leresolver"
                        - "traefik.http.routers.homeassistant.tls.domains[0].main=some.nu"
                        - "traefik.http.routers.homeassistant.tls.domains[0].sans=*.some.nu"
                        - "traefik.docker.network=traefik-proxy"
                        - "traefik.http.middlewares.homeassistant-auth.basicauth.usersfile=/run/secrets/usersfile"
                        - "traefik.http.routers.homeassistant.middlewares=homeassistant-auth"

        traefik:
                container_name: traefik
                image: traefik:latest
                restart: always
                networks:
                        - traefik-proxy
                ports:
                        - 80:80
                        - 443:443
                        - 8080:8080
                environment:
                        - GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcp_service_account
                        - GCE_SERVICE_ACCOUNT_FILE=/run/secrets/gcp_service_account
                        - GCE_PROJECT=erenfinbil-com
                        - GCE_SERVICE_ACCOUNT=some-nu-dns@project-com.iam.gserviceaccount.com
                volumes:
                        - /var/run/docker.sock:/var/run/docker.sock:z
                        - ${USERDIR}/docker/traefik:/etc/traefik:z
                        - ${USERDIR}/docker/shared:/shared:z
                        - ${USERDIR}/docker/traefik/traefik.yml:/etc/traefik/traefik.yml:z
                secrets:
                        - "gcp_service_account"

traefik.yml


entryPoints:
  web:
    address: ':80'
  websecure:
    address: ':443'
  traefik:
    address: ':8080'

providers:
  docker:
    watch: true
    exposedByDefault: false

api:
  insecure: true
  dashboard: true
  debug: true

certificatesResolvers:
  leresolver:
    acme:
      email: server@domain.com
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        # used during the challenge
        provider: gcloud

log:
  level: DEBUG
  filePath: "/etc/traefik/logs/traefik.log"

* (Domain names have been changed)

Any help is appreciated.

Hello,

unable to acquire config: invalid character 'o' in literal null (expecting 'u')

It's an issue with your Google configuration file: gcp_service_account

I am also seeing a similar message: cannot get ACME client googlecloud: unable to acquire config: invalid character 'a' in literal true (expecting 'u')" providerName=letsencrypt.acme

I downloaded service-account.json from GCP and created a ConfigMap out of it without any change.

Also, I am supplying the following to the pod:

    env:
      - name: GCE_PROJECT
        valueFrom:
          configMapKeyRef:
            name: gcloud-account
            key: gce_project.  
      - name: GCE_SERVICE_ACCOUNT
        valueFrom:
          configMapKeyRef:
            name: gcloud-account
            key: gce_service_account       # Account name from GCP
      - name: GCE_SERVICE_ACCOUNT_FILE
        value: "/etc/traefik/gce_service_account_file.json"

What needs to be changed to get it fixed?
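
Both error strings in this thread are what Go's `encoding/json` returns when text that is not JSON and begins with `no` or `tra` is parsed as JSON. The following is an added example, not code from the thread or from Traefik, that reproduces those messages and checks whether a value has the shape of a service-account key. The function name `diagnose`, the `keyFile` type and all sample values are constructed, and it is an assumption that the gcloud provider parses the contents of `GCE_SERVICE_ACCOUNT` as key JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// keyFile lists the service-account key fields this check looks at (hypothetical type).
type keyFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// diagnose parses raw as JSON and returns "" if it has the shape of a
// service-account key, otherwise the reason it does not.
func diagnose(raw string) string {
	var k keyFile
	if err := json.Unmarshal([]byte(raw), &k); err != nil {
		return err.Error() // same text that follows "unable to acquire config:"
	}
	var missing []string
	if k.Type != "service_account" {
		missing = append(missing, "type=service_account")
	}
	if k.ClientEmail == "" {
		missing = append(missing, "client_email")
	}
	if k.PrivateKey == "" {
		missing = append(missing, "private_key")
	}
	if len(missing) > 0 {
		return "JSON parsed but missing: " + strings.Join(missing, ", ")
	}
	return ""
}

func main() {
	// Constructed sample values, not taken from the thread.
	samples := []string{
		"noreply-dns@example-project.iam.gserviceaccount.com", // e-mail, starts with "no"
		"traefik-dns@example-project.iam.gserviceaccount.com", // e-mail, starts with "tra"
		"/run/secrets/gcp_service_account",                    // a path, not file contents
		`{"type":"service_account","client_email":"dns@example-project.iam.gserviceaccount.com","private_key":"PLACEHOLDER"}`,
	}
	for _, v := range samples {
		fmt.Printf("%.30q -> %q\n", v, diagnose(v))
	}
}
```
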
