Sectigo ACME failing for OV certs and TLS challenge

Hi,
This config was working fine until the last couple of weeks; now, when I try to add the annotation to request a certificate, it throws an error.

time="2022-12-13T09:40:09Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme.sectigo.com/v2/OV/newOrder :: urn:ietf:params:acme:error:badNonce :: The Replay Nonce is not recognized"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] AuthURL: https://acme.sectigo.com/v2/OV/authz/wTw7rkAoEY67GiXEnEI8RQ"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] acme: Could not find solver for: http-01"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] acme: Could not find solver for: dns-01"
time="2022-12-13T09:40:33Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme.sectigo.com/v2/OV/authz/xxxxxxxxxxxxxxxxxxxxxxxx"


time="2022-12-13T10:26:32Z" level=error msg="Unable to obtain ACME certificate for domains \"itswiki.ops-kone.domain.de\": unable to generate a certificate for the domains [itswiki.ops-kone.domain.de]: error: one or more domains had a problem:\n[itswiki.ops-kone.domain.de] [itswiki.ops-kone.domain.de] acme: could not determine solvers\n" providerName=sectigo.acme ACME CA="https://acme.sectigo.com/v2/OV" routerName=websecure-itsops-team-test-itswiki-itswiki-ops-kone-domain-de@kubernetes rule="Host(`itswiki.ops-kone.domain.de`) && PathPrefix(`/`)"

Nothing has changed in the Traefik config, which is basically this:

    [certificatesResolvers.sectigo.acme]
      email = "itsops@domain.de"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxxxxxxxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxxxxxxx"

And the only thing I needed to do was to add the following annotation:

traefik.ingress.kubernetes.io/router.tls.certresolver: sectigo

This is my static config:

    #[global]
    #
    [accessLog]

    [serversTransport]
      # Do not verify backend certificates (use https backends)
      insecureSkipVerify = true

    [certificatesResolvers.sectigo.acme]
      email = "itsops@domain.de"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxxxxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxx"

    [entryPoints]
      [entryPoints.web]
        address = ":80"
        #compress = true
      [entryPoints.websecure]
        address = ":443"
        [entryPoints.websecure.http]
          [entryPoints.websecure.http.tls]
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
        [entryPoints.websecure.proxyProtocol]
          insecure = true
      [entryPoints.traefik]
        address = ":8080"

    [api]
      insecure = false
      dashboard = true
      #debug = true

    [log]
      level = "DEBUG"

    [providers]
      [providers.file]
        directory = "/etc/traefik-dyn"
        watch = true
      [providers.kubernetesingress]
        ingressClass = "traefik-ext"

    [metrics]
      [metrics.prometheus]
        addEntryPointsLabels = true
        addServicesLabels = true
        buckets = [0.1, 0.3, 1.2, 5.0]
        entryPoint = "traefik"
    #
    [ping]
      entryPoint = "websecure"
      manualRouting = true

I recommend adding the Kubernetes label.

Thanks!
It happened to be that my domains in Sectigo were expired on the yearly verification side. Now it is all good. Would be nice if I could see a more descriptive error when a domain cannot be requested.
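An added example, not code from this thread or from Traefik, that turns the lego debug lines quoted above into the kind of per-domain message the follow-up asks for: it assumes the `tlsChallenge` resolver from the posted config and uses a constructed sample log modelled on the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lego debug lines quoted in this thread.
SAMPLE_LOG = """\
time="2022-12-13T09:40:09Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme.sectigo.com/v2/OV/newOrder :: urn:ietf:params:acme:error:badNonce :: The Replay Nonce is not recognized"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] AuthURL: https://acme.sectigo.com/v2/OV/authz/wTw7rkAoEY67GiXEnEI8RQ"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] acme: Could not find solver for: http-01"
time="2022-12-13T09:40:24Z" level=debug msg="legolog: [INFO] [seminarlist.domain.de] acme: Could not find solver for: dns-01"
time="2022-12-13T09:40:33Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme.sectigo.com/v2/OV/authz/xxxxxxxxxxxxxxxxxxxxxxxx"
"""

# lego logs "[domain] acme: Could not find solver for: <type>" once per challenge type the
# CA offered in the authorization but for which Traefik has no solver configured.
NO_SOLVER = re.compile(r"\[(?P<domain>[^\]\s]+)\] acme: Could not find solver for: (?P<ctype>[\w-]+)")
BAD_NONCE = re.compile(r"urn:ietf:params:acme:error:badNonce")
# ACME challenge type behind each Traefik certificatesResolvers.<name>.acme.* block.
CHALLENGE_OF = {"tlsChallenge": "tls-alpn-01", "httpChallenge": "http-01", "dnsChallenge": "dns-01"}


def analyse(log_text, configured="tlsChallenge"):
    """Group the 'no solver' lines per domain and count badNonce retries.

    Returns {"bad_nonce_retries": int, "domains": {domain: {"offered": [...], "missing": str}}};
    "missing" is the type the resolver is configured for, which the CA did not offer.
    """
    offered, bad_nonce = defaultdict(set), 0
    for line in log_text.splitlines():
        if BAD_NONCE.search(line):
            bad_nonce += 1  # transient; lego retries the request itself
        m = NO_SOLVER.search(line)
        if m:
            offered[m.group("domain")].add(m.group("ctype"))
    want = CHALLENGE_OF[configured]
    domains = {d: {"offered": sorted(t), "missing": want} for d, t in offered.items()}
    return {"bad_nonce_retries": bad_nonce, "domains": domains}


def describe(result):
    """Render one readable line per failing domain, plus a note on nonce retries."""
    lines = [f"{d}: CA offered only {', '.join(r['offered'])}; configured {r['missing']} "
             "was not offered. Check the domain's validation status at the CA."
             for d, r in result["domains"].items()]
    if result["bad_nonce_retries"]:
        lines.append(f"{result['bad_nonce_retries']} badNonce retry(ies) seen; lego retries these automatically.")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(analyse(SAMPLE_LOG))))
```

Run it over `kubectl logs` output from the Traefik pod (with `log.level = "DEBUG"` as in the posted config) to see which challenge types the CA actually offered for each failing domain.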
