Problems to get tls certificates for my docker stack

Hello folks,

I'm fairly new to traefik so please bear with me.

I want to get TLS certificates for my internal Docker applications and tried for hours to get it to work, but had no success. Maybe someone has advice for me. I run a few Docker containers on my LAN and can reach them via my wildcard DNS, e.g. smokeping.internal.foo.bar; this works like a charm. To achieve this I used a domain which is registered via Cloudflare and points to my local machine. This is my Traefik docker-compose file (post TLS configuration):

version: "3.3"

services:

  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web-secure.address=:443"
      - "--certificatesResolvers.primary.acme.email=mymail@mail.com"
      - "--certificatesResolvers.primary.acme.storage=acme.json"
      - "--certificatesResolvers.primary.acme.dnsChallenge=true"
      - "--certificatesResolvers.primary.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.primary.acme.dnsChallenge.delayBeforeCheck=0"
      - "--certificatesResolvers.primary.acme.dnsChallenge.resolvers=1.1.1.1:53"
    environment:
      - CF_API_EMAIL=mymail@mail.com
      - CF_API_KEY=thisismyapikey
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/app/traefik/acme.json:/acme.json"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.internal.foo.bar`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web"
      # wildcard certs
      - "traefik.http.routers.api.tls.domains[0].main=internal.foo.bar"
      - "traefik.http.routers.api.tls.domains[0].sans=*.internal.foo.bar"
    networks:
      - web
networks:
  web:
    external: true

This is, for example, my smokeping docker-compose file:

version: "2.1"
services:
  smokeping:
    image: lscr.io/linuxserver/smokeping
    container_name: smokeping
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - /app/smokeping/config:/config
      - /app/smokeping/data:/data
    # ports:
    #   - 80:80
    networks:
      - web
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.smokeping.rule=Host(`smokeping.internal.foo.bar`)"
      - "traefik.http.routers.smokeping.entrypoints=web-secure"
      - "traefik.http.routers.smokeping.tls.certResolver=primary"
networks:
  web:
    external: true

This is the Traefik log with the error which causes the problem (well, at least I think this is the problem):

time="2022-03-21T08:32:39Z" level=error msg="Unable to obtain ACME certificate for domains \"smokeping.internal.foo.bar\": unable to generate a certificate for the domains [smokeping.internal.foo.bar]: error: one or more domains had a problem:\n[smokeping.internal.foo.bar] [smokeping.internal.foo.bar] acme: error presenting token: cloudflare: failed to find zone foo.bar.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)\n" routerName=smokeping@docker rule="Host(`smokeping.internal.foo.bar`)" providerName=primary.acme

I tried to resolve the hostname within the Traefik container and it does work. I also created an API token for my Cloudflare account which has the following abilities: Zone Settings:Read, Zone:Read, DNS:Edit.

For reference, to build my Docker stack I followed this guide: SensePost | Building a hipster-aware pi home server. Everything works until the TLS configuration: SensePost | Building a hipster-aware pi home server

Maybe someone can help me, thank you in advance!

Hello @therealmaass,

Your issue seems to come from here. It might be a configuration error in the Cloudflare configuration.

Hope it helps!

Seems the issue is related to the privileges assigned to the API token. I have found a similar issue on the Cloudflare forums. I hope that helps; please let us know.

https://community.cloudflare.com/t/api-token-for-traefik-dns-challenge/132084

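As an added example that is not from any of the posters above: the compose file in the first post passes the Cloudflare credential as CF_API_EMAIL plus CF_API_KEY, which is the variable pair Traefik's ACME library (lego) uses for the account-wide Global API Key and sends in the X-Auth-Email / X-Auth-Key headers. A scoped API token of the kind described in the thread (Zone:Read, DNS:Edit) is a different credential and is passed through CF_DNS_API_TOKEN instead, which lego sends as an Authorization: Bearer header; a token put into CF_API_KEY is rejected by Cloudflare at the header level, which matches the "Invalid request headers" error rather than a permissions error. The fragment below shows the weak pairing beside the corrected one. Hostnames, the e-mail address and the ${CF_DNS_API_TOKEN} substitution (read from a compose .env file) are placeholders and assumptions, not values from the thread.

```yaml
# Added example (not the original poster's file): credential wiring for
# Traefik's Cloudflare DNS challenge. Only the resolver-related parts of the
# Traefik service are shown; routers, ports and networks are unchanged.
services:
  traefik:
    image: "traefik:v2.5"
    command:
      - "--certificatesresolvers.primary.acme.email=mymail@mail.com"
      # Absolute path so it unambiguously matches the volume mount below.
      - "--certificatesresolvers.primary.acme.storage=/acme.json"
      - "--certificatesresolvers.primary.acme.dnschallenge=true"
      - "--certificatesresolvers.primary.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.primary.acme.dnschallenge.resolvers=1.1.1.1:53"
    environment:
      # Weak / mismatched: this pair selects the Global API Key code path.
      # A scoped token placed in CF_API_KEY is sent in the wrong header and
      # is rejected by the Cloudflare API before any permission check.
      # - CF_API_EMAIL=mymail@mail.com
      # - CF_API_KEY=thisismyapikey
      #
      # Corrected: a scoped API token with Zone:Read and DNS:Edit.
      # If DNS:Edit is restricted to a single zone, lego additionally needs
      # CF_ZONE_API_TOKEN pointing at a token with Zone:Read on all zones.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}   # assumed: supplied via .env
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json must exist and be mode 600, otherwise Traefik refuses to
      # use it; it ends up holding the account key and all private keys.
      - "/app/traefik/acme.json:/acme.json"
```

Before restarting the stack, the token can be checked outside Traefik with the Cloudflare API itself: `curl -s -H "Authorization: Bearer $CF_DNS_API_TOKEN" https://api.cloudflare.com/client/v4/user/tokens/verify` must report `"status":"active"`, and `curl -s -H "Authorization: Bearer $CF_DNS_API_TOKEN" "https://api.cloudflare.com/client/v4/zones?name=foo.bar"` must list the zone; if the second call returns an empty result, the token's zone resources are too narrow for the ListZones lookup seen in the log.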