Resolvers for Let's Encrypt DNS-01 challenge are not used

klnsb · October 26, 2023, 5:04pm

Hello,

I'm trying to configure Traefik with Let's Encrypt using DNS-01 challenge and the pdns provider.

I already accomplished this scenario using cert-manager instead of Traefik and it works fine, but I had to add extra configuration because I'm using a split-horizon DNS setup.

My assumption is that the resolvers config for Traefik should accomplish the same behavior.

I am using the latest version of Traefik on a standalone Docker install :

Version:      2.10.5
Codename:     saintmarcelin
Go version:   go1.21.3
Built:        2023-10-11T13:54:02Z
OS/Arch:      linux/amd64

Here is my configuration :

docker.compose.yml

version: "3.8"

networks:
  traefik_public:
    external: true

services:
  server:
    command: "--configFile=/configs/traefik_static_config.toml"
    container_name: traefik
    environment:
      PDNS_API_KEY: "${PDNS_API_KEY}"
      PDNS_API_URL: "${PDNS_API_URL}"
    image: traefik:2.10.5
    networks:
      - traefik_public
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    restart: always
    volumes:
      - "server_certs:/certs"
      - "server_config:/configs"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

volumes:
  server_certs:
    driver_opts:
      device: "${VOLUMES_BASE_PATH}/traefik/server/certs"
      o: bind
      type: none

  server_config:
    driver_opts:
      device: "${VOLUMES_BASE_PATH}/traefik/server/configs"
      o: bind
      type: none

traefik_static_config.toml

[accessLog]

[api]
  dashboard = true

[certificatesResolvers.myresolver.acme]
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  email = "letsencrypt@example.com"
  storage = "/certs/acme.json"

  [certificatesResolvers.myresolver.acme.dnsChallenge]
    provider = "pdns"
    resolvers = ["192.168.1.1:53", "192.168.1.2:53"]

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web.http]
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"
        scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[log]
  level = "DEBUG"

[metrics]
  [metrics.prometheus]

[ping]

[providers]
  [providers.docker]
    exposedByDefault = false

  [providers.file]
    filename = "/configs/traefik_dynamic_config.toml"

traefik_dynamic_config.toml

[tls.options]
  [tls.options.default]
    sniStrict = true

  [tls.options.intermediate]
  cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]
    minVersion = "VersionTLS12"
    sniStrict = true

  [tls.options.modern]
    minVersion = "VersionTLS13"
    sniStrict = true

And the log output in DEBUG level :

time="2023-10-25T05:09:37Z" level=info msg="Configuration loaded from file: /configs/traefik_static_config.toml"
time="2023-10-25T05:09:37Z" level=info msg="Traefik version 2.10.5 built on 2023-10-11T13:54:02Z"
time="2023-10-25T05:09:37Z" level=debug msg="Static configuration loaded {...}"
time="2023-10-25T05:09:37Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-10-25T05:09:37Z" level=debug msg="Configured Prometheus metrics" metricsProviderName=prometheus
time="2023-10-25T05:09:37Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-10-25T05:09:37Z" level=debug msg="Starting TCP Server" entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Starting TCP Server" entryPointName=traefik
time="2023-10-25T05:09:37Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2023-10-25T05:09:37Z" level=info msg="Starting provider *file.Provider"
time="2023-10-25T05:09:37Z" level=debug msg="*file.Provider provider configuration: {\"watch\":true,\"filename\":\"/configs/traefik_dynamic_config.toml\"}"
time="2023-10-25T05:09:37Z" level=info msg="Starting provider *traefik.Provider"
time="2023-10-25T05:09:37Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2023-10-25T05:09:37Z" level=info msg="Starting provider *docker.Provider"
time="2023-10-25T05:09:37Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2023-10-25T05:09:37Z" level=info msg="Starting provider *acme.Provider"
time="2023-10-25T05:09:37Z" level=debug msg="*acme.Provider provider configuration: {...}"
time="2023-10-25T05:09:37Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-10-25T05:09:37Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-10-25T05:09:37Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-10-25T05:09:37Z" level=debug msg="Configuration received: {...}" providerName=file
time="2023-10-25T05:09:37Z" level=debug msg="Configuration received: {...}" providerName=internal
time="2023-10-25T05:09:37Z" level=debug msg="Configuration received: {...}" providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=debug msg="Provider connection established with docker 24.0.6 (API 1.43)" providerName=docker
time="2023-10-25T05:09:37Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web-to-websecure@internal
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
time="2023-10-25T05:09:37Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" entryPointName=traefik routerName=prometheus@internal middlewareName=tracing middlewareType=TracingForwarder
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal middlewareName=tracing
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=metrics-entrypoint middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=traefik middlewareName=metrics-entrypoint
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=web middlewareName=metrics-entrypoint
time="2023-10-25T05:09:37Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal
time="2023-10-25T05:09:37Z" level=debug msg="Setting up redirection to https 443" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal middlewareName=tracing
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=prometheus@internal
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=metrics-entrypoint middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" entryPointName=web middlewareType=Metrics middlewareName=metrics-entrypoint
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" routerName=nexttest@docker serviceName=app-test middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=metrics-service middlewareType=Metrics serviceName=app-test entryPointName=websecure routerName=nexttest@docker
time="2023-10-25T05:09:37Z" level=debug msg="Creating load-balancer" routerName=nexttest@docker serviceName=app-test entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Creating server 0 http://172.19.0.3:80" entryPointName=websecure routerName=nexttest@docker serviceName=app-test serverName=0
time="2023-10-25T05:09:37Z" level=debug msg="child http://172.19.0.3:80 now UP"
time="2023-10-25T05:09:37Z" level=debug msg="Propagating new UP status"
time="2023-10-25T05:09:37Z" level=debug msg="Added outgoing tracing middleware app-test" routerName=nexttest@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=traefik middlewareName=metrics-entrypoint
time="2023-10-25T05:09:37Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint entryPointName=web middlewareType=Metrics
time="2023-10-25T05:09:37Z" level=debug msg="Adding route for test.example.com with TLS options modern@file" entryPointName=websecure
time="2023-10-25T05:09:37Z" level=debug msg="Trying to challenge certificate for domain [test.example.com] found in HostSNI rule" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nexttest@docker rule="Host(`test.example.com`)" providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=debug msg="Looking for provided certificate(s) to validate [\"test.example.com\"]..." providerName=myresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nexttest@docker rule="Host(`test.example.com`)"
time="2023-10-25T05:09:37Z" level=debug msg="Domains [\"test.example.com\"] need ACME certificates generation for domains \"test.example.com\"." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nexttest@docker rule="Host(`test.example.com`)" providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=debug msg="Loading ACME certificates [test.example.com]..." providerName=myresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nexttest@docker rule="Host(`test.example.com`)"
time="2023-10-25T05:09:37Z" level=debug msg="Building ACME client..." providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
time="2023-10-25T05:09:37Z" level=debug msg="Using DNS Challenge provider: pdns" providerName=myresolver.acme
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Obtaining bundled SAN certificate"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9058374894"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Could not find solver for: tls-alpn-01"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Could not find solver for: http-01"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: use dns-01 solver"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Preparing to solve DNS-01"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Trying to solve DNS-01"
time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Checking DNS record propagation using [192.168.1.1:53 192.168.1.2:53]"
time="2023-10-25T05:09:40Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2023-10-25T05:09:50Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:10:02Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:10:14Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:10:26Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:10:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:10:50Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:11:02Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:11:14Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:11:26Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:11:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Waiting for DNS record propagation."
time="2023-10-25T05:11:40Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Cleaning DNS-01 challenge"
time="2023-10-25T05:11:41Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9058374894"
time="2023-10-25T05:11:41Z" level=error msg="Unable to obtain ACME certificate for domains \"test.example.com\": unable to generate a certificate for the domains [test.example.com]: error: one or more domains had a problem:\n[test.example.com] propagation: time limit exceeded: last error: read udp 172.19.0.2:47017->10.0.0.1:53: i/o timeout\n" routerName=nexttest@docker rule="Host(`test.example.com`)" providerName=myresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

You can see in the attached logs that the resolvers config has been detected :

time="2023-10-25T05:09:38Z" level=debug msg="legolog: [INFO] [test.example.com] acme: Checking DNS record propagation using [192.168.1.1:53 192.168.1.2:53]"

But on the last line that those resolvers are not used, and instead the resolvers defined in /etc/resolv.conf are used :

time="2023-10-25T05:11:41Z" level=error msg="Unable to obtain ACME certificate for domains \"test.example.com\": unable to generate a certificate for the domains [test.example.com]: error: one or more domains had a problem:\n[test.example.com] propagation: time limit exceeded: last error: read udp 172.19.0.2:47017->10.0.0.1:53: i/o timeout\n" routerName=test@docker rule="Host(`test.example.com`)" providerName=myresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

Does anyone encounter the same issue?

bluepuma77 · October 26, 2023, 5:34pm

You have to assign the certResolver to the entrypoint or router, check simple Traefik example.

klnsb · October 27, 2023, 7:04am

It is already assigned :

  app:
    container_name: nextcloud_app
    depends_on:
      - db
      - redis
    environment:
      NEXTCLOUD_DATA_DIR: /data
    image: nextcloud:25.0.11-apache
    labels:
      - "com.centurylinklabs.watchtower.depends-on=nextcloud_db"
      - "traefik.docker.network=traefik_public"
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.rule=Host(`test.example.com`)"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.routers.nextcloud.tls.options=modern@file"
    restart: always
    networks:
      - internal
      - traefik_public
    user: '10000:10000'
    volumes:
      - app:/var/www/html
      - data:/data

bluepuma77 · October 27, 2023, 7:28am

Did you try to remove your local DNS servers? It’s rather unusual to use local IPs.

klnsb · October 27, 2023, 7:42am

What do you mean? The ones defined in resolvers?

ldez · October 27, 2023, 3:24pm

Hello,

technically, (I'm the maintainer of lego and a core maintainer of Traefik), the resolvers are the same for all the DNS calls, so your log is a bit surprising.

It would be interesting if you could create a simple stack that I can use to reproduce your context.

klnsb · October 27, 2023, 4:59pm

Hello @ldez

Just tried with this stack and got the same issue :

version: "3.8"

services:
  traefik:
    command:
      - "--api.insecure=true"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=pdns"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=192.168.1.1:53,192.168.1.2:53"
      - "--certificatesresolvers.myresolver.acme.email=letsencrypt@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=acme.json"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
    container_name: traefik
    environment:
      PDNS_API_KEY: "${PDNS_API_KEY}"
      PDNS_API_URL: "${PDNS_API_URL}"
    image: traefik:2.10.5
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    container_name: whoami
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

klnsb · October 29, 2023, 4:39pm

When inspecting network trafic from my firewall, I can see for each of the following log entry :

level=debug msg="legolog: [INFO] [whoami.klnsb.com] acme: Waiting for DNS record propagation."

that 2 requests are made to the resolvers defined in /etc/resolv.conf, and then a third request is made to the IP addresses corresponding to the NS records.
I believe the first 2 queries should be made to the resolvers defined in the argument --certificatesresolvers.myresolver.acme.dnschallenge.resolvers, but it doesn't seem to work.

klnsb · October 31, 2023, 9:41pm

I just tried directly with lego and I faced the same issue :

PS C:\Users\test> docker run -e PDNS_API_KEY=<pdns_api_key> -e PDNS_API_URL=<pdns_api_url> goacme/lego -d test.example.com -s "https://acme-staging-v02.api.letsencrypt.org/directory" -a -m "letsencrypt@example.com" --dns pdns --dns.resolvers 192.168.1.1:53 --dns.resolvers 192.168.1.2:53 run

Logs :

2023/10/31 21:35:06 No key found for account letsencrypt@example.com. Generating a P256 key.
2023/10/31 21:35:06 Saved key to /.lego/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@example.com/keys/letsencrypt@example.com.key
2023/10/31 21:35:06 [INFO] acme: Registering account for letsencrypt@example.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Obtaining bundled SAN certificate
2023/10/31 21:35:07 [INFO] [test.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9190291414
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Could not find solver for: tls-alpn-01
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Could not find solver for: http-01
2023/10/31 21:35:07 [INFO] [test.example.com] acme: use dns-01 solver
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Preparing to solve DNS-01
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Trying to solve DNS-01
2023/10/31 21:35:07 [INFO] [test.example.com] acme: Checking DNS record propagation using [10.95.16.2:53 10.95.16.4:53]
2023/10/31 21:35:09 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/10/31 21:35:19 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:35:31 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:35:43 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:35:56 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:36:08 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:36:20 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:36:32 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:36:44 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:36:56 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:37:08 [INFO] [test.example.com] acme: Waiting for DNS record propagation.
2023/10/31 21:37:10 [INFO] [test.example.com] acme: Cleaning DNS-01 challenge
2023/10/31 21:37:10 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/9190291414
2023/10/31 21:37:10 Could not obtain certificates:
        error: one or more domains had a problem:
[test.example.com] propagation: time limit exceeded: last error: read udp 172.17.0.2:37195->10.0.0.1:53: i/o timeout