SSL cert not served through ACME-DNS

Hey,

I am trying to create a wildcard SSL certificate through a local acme-dns server.
I simply can't figure out which part doesn't work.
All public records (A, CNAME, NS) are correct.

All config and logs:

ACME-DNS log
-- Journal begins at Thu 2022-01-06 14:32:57 UTC. --
Mar 24 10:00:07 test-docker systemd[1]: Started Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=info msg="Using config file" file=/etc/acme-dns/config.cfg
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=info msg="Connected to database"
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=debug msg="Adding new record to domain" domain=auth.example.com. recordtype=A
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=debug msg="Adding new record to domain" domain=auth.example.com. recordtype=NS
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=debug msg="Adding new record to domain" domain=auth.example.com. recordtype=SOA
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=info msg="Listening HTTP" host="10.81.1.10:8090"
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=info msg="Listening DNS" addr="10.81.1.10:53" proto=udp4
Mar 24 10:00:07 test-docker acme-dns[3835072]: time="2022-03-24T10:00:07Z" level=info msg="2022/03/24 10:00:07 [INFO][cache:0xc000130280] Started certificate maintenance routine"
Mar 24 10:01:12 test-docker acme-dns[3835072]: time="2022-03-24T10:01:12Z" level=debug msg="Created new user" user=f29471f4-9e51-4f44-b82a-49f1a3e3ac36
... adding CNAME
Mar 24 10:16:43 test-docker acme-dns[3835072]: time="2022-03-24T10:16:43Z" level=debug msg="TXT updated" subdomain=5d59080a-3510-4593-b963-8abdd40374c1 txt=X7WsUiuwvLMmdT6p83kisVYrIgZS9UcjGUiCE85gqnI
Mar 24 10:16:44 test-docker acme-dns[3835072]: time="2022-03-24T10:16:44Z" level=debug msg="TXT updated" subdomain=5d59080a-3510-4593-b963-8abdd40374c1 txt=AUYodg3M0CHeFzWwHV2FhEm0-BO29wwnFGAT99C8-Ho
Mar 24 10:16:46 test-docker acme-dns[3835072]: time="2022-03-24T10:16:46Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=TXT rcode=NOERROR
Mar 24 10:16:46 test-docker acme-dns[3835072]: time="2022-03-24T10:16:46Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=SOA rcode=NXDOMAIN
Mar 24 10:16:48 test-docker acme-dns[3835072]: time="2022-03-24T10:16:48Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=TXT rcode=NOERROR
Mar 24 10:16:48 test-docker acme-dns[3835072]: time="2022-03-24T10:16:48Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=SOA rcode=NXDOMAIN
... Errors repeat
Mar 24 10:18:42 test-docker acme-dns[3835072]: time="2022-03-24T10:18:42Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=SOA rcode=NXDOMAIN
Mar 24 10:18:44 test-docker acme-dns[3835072]: time="2022-03-24T10:18:44Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=TXT rcode=NOERROR
Mar 24 10:18:44 test-docker acme-dns[3835072]: time="2022-03-24T10:18:44Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=SOA rcode=NXDOMAIN
Mar 24 10:18:46 test-docker acme-dns[3835072]: time="2022-03-24T10:18:46Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=TXT rcode=NOERROR
Mar 24 10:18:46 test-docker acme-dns[3835072]: time="2022-03-24T10:18:46Z" level=debug msg="Answering question for domain" domain=5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com. qtype=SOA rcode=NXDOMAIN
ACME-DNS config
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
# for example: listen = "127.0.0.1:53"
# NOTE(review): the listener is bound to a private address while the A record
# below advertises PUBLIC_IP, so outside resolvers only reach it if port 53 is
# forwarded from PUBLIC_IP to 10.81.1.10 - confirm the forward, including from
# hosts inside the same network.
listen = "10.81.1.10:53"
# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
# NOTE(review): "udp4" serves UDP over IPv4 only (the startup log shows a single
# "Listening DNS" line with proto=udp4). Resolvers that retry over TCP get no
# answer; "both4" would serve TCP as well if that is wanted.
protocol = "udp4"
# domain name to serve the requests off of
# NOTE(review): in the acme-dns log, SOA queries for <subdomain>.auth.example.com
# are answered NXDOMAIN while TXT queries for the same name are answered NOERROR.
# The ACME client's "could not determine the zone ... SERVFAIL" error comes from
# its zone lookup as seen through the recursive resolver - compare the resolver's
# answer with a direct query to find where SERVFAIL is introduced.
domain = "auth.example.com"
# zone name server
nsname = "auth.example.com"
# admin email address, where @ is substituted with .
nsadmin = "edv.example.com"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server
    "auth.example.com. A PUBLIC_IP",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.example.com. NS auth.example.com.",
]
# debug messages from CORS etc
debug = false

[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
# NOTE(review): this file holds the registered accounts and their current TXT
# values; keep it readable only by the acme-dns service user - confirm the
# ownership and mode on the host.
connection = "/var/lib/acme-dns/acme-dns.db"
# The line below is the template's placeholder; if postgres is used, real
# credentials would sit in this file in clear text.
# connection = "postgres://user:password@localhost/acmedns_db"

[api]
# listen ip eg. 127.0.0.1
# Bound to the private address only; reachable by every host that can route
# to 10.81.1.10.
ip = "10.81.1.10"
# disable registration endpoint
# NOTE(review): with false, any client that can reach the API can create an
# account (the log shows "Created new user" at 10:01:12). Once the intended
# clients are registered, true closes the endpoint.
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "8090"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
# NOTE(review): "none" serves the API over plain HTTP (the traefik container
# uses ACME_DNS_API_BASE=http://10.81.1.10:8090), so the account credentials
# sent with every update request cross the network unencrypted. Acceptable only
# on a trusted segment; otherwise use "cert" or one of the letsencrypt modes.
tls = "none"
# only used if tls = "cert"
tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# CORS AllowOrigins, wildcards can be used
# NOTE(review): "*" lets any web origin call the API from a browser; narrow it
# (or leave it empty) when no browser client is expected.
corsorigins = [
    "*"
]
# use HTTP header to get the client ip
# Leave false unless the API sits behind a proxy you control: a client-supplied
# header is otherwise trusted as the source address.
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

[logconfig]
# logging level: "error", "warning", "info" or "debug"
# NOTE(review): at "debug" the journal records account and subdomain UUIDs and
# every TXT challenge value (see the "Created new user" and "TXT updated" lines
# in the log). Return to "info" after troubleshooting and trim such lines
# before sharing logs.
loglevel = "debug"
# possible values: stdout, TODO file & integrations
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"
traefik log
time="2022-03-24T10:16:41Z" level=info msg="Configuration loaded from file: /traefik.yml",
time="2022-03-24T10:18:49Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]: error: one or more domains had a problem:\n[*.example.com] time limit exceeded: last error: could not determine the zone: unexpected response code 'SERVFAIL' for 5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com.\n[example.com] time limit exceeded: last error: could not determine the zone: unexpected response code 'SERVFAIL' for 5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com.\n" providerName=le-dns.acme
traefik log - debug
time="2022-03-24T10:59:19Z" level=info msg="Configuration loaded from file: /traefik.yml"
time="2022-03-24T10:59:19Z" level=info msg="Traefik version 2.6.1 built on 2022-02-14T16:50:25Z"
time="2022-03-24T10:59:19Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"middlewares\":[\"secureHeaders@file\",\"nofloc@file\"],\"tls\":{\"certResolver\":\"le-dns\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"directory\":\"/configurations\",\"watch\":true}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"le-dns\":{\"acme\":{\"email\":\"edv@example.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"EC384\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"acme-dns\"}}}},\"pilot\":{\"dashboard\":true}}"
time="2022-03-24T10:59:19Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2022-03-24T10:59:19Z" level=info msg="Starting provider aggregator.ProviderAggregator"
time="2022-03-24T10:59:19Z" level=debug msg="Start TCP Server" entryPointName=websecure
time="2022-03-24T10:59:19Z" level=debug msg="Start TCP Server" entryPointName=web
time="2022-03-24T10:59:19Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2022-03-24T10:59:19Z" level=info msg="Starting provider *file.Provider"
time="2022-03-24T10:59:19Z" level=debug msg="*file.Provider provider configuration: {\"directory\":\"/configurations\",\"watch\":true}"
time="2022-03-24T10:59:19Z" level=info msg="Starting provider *traefik.Provider"
time="2022-03-24T10:59:19Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2022-03-24T10:59:19Z" level=info msg="Starting provider *acme.Provider"
time="2022-03-24T10:59:19Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"edv@example.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"EC384\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"acme-dns\"},\"ResolverName\":\"le-dns\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
time="2022-03-24T10:59:19Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-03-24T10:59:19Z" level=info msg="Testing certificate renew..." providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-03-24T10:59:19Z" level=info msg="Starting provider *docker.Provider"
time="2022-03-24T10:59:19Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2022-03-24T10:59:19Z" level=debug msg="Configuration received from provider file: {\"http\":{\"middlewares\":{\"nofloc\":{\"headers\":{\"customResponseHeaders\":{\"Permissions-Policy\":\"interest-cohort=()\"}}},\"secureHeaders\":{\"headers\":{\"sslRedirect\":true,\"stsSeconds\":31536000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true}},\"user-auth\":{\"basicAuth\":{\"users\":[\"root:$apr1$gojf841w$Ov35PK/BZRmrP44ULzmuf0\"]}}}},\"tcp\":{},\"udp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS12\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"],\"clientAuth\":{},\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]}}}}" providerName=file
time="2022-03-24T10:59:19Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"websecure\":{\"middlewares\":[\"secureHeaders@file\",\"nofloc@file\"],\"tls\":{\"certResolver\":\"le-dns\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2022-03-24T10:59:19Z" level=debug msg="Configuration received from provider le-dns.acme: {\"http\":{},\"tls\":{}}" providerName=le-dns.acme
time="2022-03-24T10:59:19Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-03-24T10:59:19Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2022-03-24T10:59:19Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {\"Timeout\":4000000000}"
...
time="2022-03-24T10:59:20Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.com\" \"*.example.com\"]..." providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-03-24T10:59:20Z" level=debug msg="Domains [\"example.com\" \"*.example.com\"] need ACME certificates generation for domains \"example.com,*.example.com\"." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le-dns.acme
time="2022-03-24T10:59:20Z" level=debug msg="Loading ACME certificates [example.com *.example.com]..." providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-03-24T10:59:20Z" level=debug msg="Building ACME client..." providerName=le-dns.acme
time="2022-03-24T10:59:20Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=le-dns.acme
time="2022-03-24T10:59:20Z" level=debug msg="Using DNS Challenge provider: acme-dns" providerName=le-dns.acme
time="2022-03-24T10:59:20Z" level=debug msg="legolog: [INFO] [example.com, *.example.com] acme: Obtaining bundled SAN certificate"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [*.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/90950720200"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/90950720210"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [*.example.com] acme: use dns-01 solver"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [example.com] acme: Could not find solver for: tls-alpn-01"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [example.com] acme: Could not find solver for: http-01"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [example.com] acme: use dns-01 solver"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Preparing to solve DNS-01"
time="2022-03-24T10:59:21Z" level=debug msg="legolog: [INFO] [example.com] acme: Preparing to solve DNS-01"
time="2022-03-24T10:59:22Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Trying to solve DNS-01"
time="2022-03-24T10:59:22Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2022-03-24T10:59:24Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]"
time="2022-03-24T10:59:24Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:26Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:28Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:30Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:32Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:34Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:36Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:38Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:40Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:42Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:44Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:46Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:48Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:50Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:52Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:54Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:56Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T10:59:58Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:00Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:02Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:04Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:06Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:08Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:10Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:12Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:14Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:16Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:18Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:20Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:22Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:24Z" level=debug msg="legolog: [INFO] [example.com] acme: Trying to solve DNS-01"
time="2022-03-24T11:00:24Z" level=debug msg="legolog: [INFO] [example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2022-03-24T11:00:26Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]"
time="2022-03-24T11:00:26Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:28Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:30Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:32Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:34Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:36Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:38Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:40Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:42Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:44Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:46Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:48Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:50Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:52Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:54Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:56Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:00:58Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:00Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:02Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:04Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:06Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:08Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:10Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:12Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:14Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:16Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:18Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:20Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:22Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:24Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation."
time="2022-03-24T11:01:26Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Cleaning DNS-01 challenge"
time="2022-03-24T11:01:26Z" level=debug msg="legolog: [INFO] [example.com] acme: Cleaning DNS-01 challenge"
time="2022-03-24T11:01:26Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/90950720200 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"0101x1hqKsuhtlIPdTiTlULwI6vCe0AJkSW-QmJyvGEx9PQ\""
time="2022-03-24T11:01:27Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/90950720200"
time="2022-03-24T11:01:27Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/90950720210"
time="2022-03-24T11:01:27Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]: error: one or more domains had a problem:\n[*.example.com] time limit exceeded: last error: could not determine the zone: unexpected response code 'SERVFAIL' for 5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com.\n[example.com] time limit exceeded: last error: could not determine the zone: unexpected response code 'SERVFAIL' for 5d59080a-3510-4593-b963-8abdd40374c1.auth.example.com.\n" providerName=le-dns.acme
docker-compose.yml traefik
version: '3.3'

services:
  traefik:
    # NOTE(review): "latest" is a moving tag (the debug log shows 2.6.1 running);
    # pin an explicit version so upgrades are deliberate and reproducible.
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    environment:
      # NOTE(review): plain HTTP - the acme-dns account credentials sent with each
      # TXT update cross the network unencrypted (acme-dns runs with tls = "none").
      - ACME_DNS_API_BASE=http://10.81.1.10:8090
      # Storage for the acme-dns account created at registration; holds the API
      # credentials, so restrict access to the host path mounted below.
      - ACME_DNS_STORAGE_PATH=/acme-dns
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): ":ro" only makes the socket file read-only; API calls through
      # it are not restricted, so this mount still gives the container control of
      # the Docker daemon. A filtering socket proxy narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/traefik.yml:/traefik.yml:ro
      # acme.json stores the ACME account key and issued private keys; Traefik
      # expects mode 600 on this file.
      - /etc/traefik/acme.json:/acme.json
      - /etc/traefik/acme-dns:/acme-dns
      # Add folder with dynamic configuration yml
      - /etc/traefik/dyn_config:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=web, websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
#      - "traefik.http.routers.traefik-secure.tls.certresolver=le-dns"
#      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.com"
#      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com"
      # Dashboard/API router protected by the basicAuth middleware from the file
      # provider. This protection is bypassed on :8080 while api.insecure is true
      # in the static configuration.
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
Static traefik config
global:
  checkNewVersion: true

api:
  dashboard: true  # true by default
  # NOTE(review): insecure mode serves the dashboard and API without
  # authentication on the "traefik" entry point (":8080" in the static
  # configuration dump in the debug log). The compose file does not publish 8080,
  # but containers on the same network can still reach it. The traefik-secure
  # router with user-auth@file already exposes api@internal, so this can be false.
  insecure: true  # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
        - nofloc@file
      tls:
        certResolver: le-dns
        domains:
          - main: example.com
            sans:
              - "*.example.com"


# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  le-dns:
    acme:
      # NOTE(review): no caServer is set, so requests go to the Let's Encrypt
      # production directory (acme-v02 in the log). Failed attempts count against
      # its rate limits; point caServer at the staging directory while debugging.
      email: edv@example.com
      storage: acme.json
      keyType: EC384
      dnsChallenge:
        # NOTE(review): the lego log shows the propagation check going through
        # 127.0.0.11:53 (Docker's embedded resolver). dnsChallenge.resolvers can
        # direct the check to specific resolvers if that path is the one
        # returning SERVFAIL.
        provider: acme-dns

providers:
  docker:
    # Containers are routed only when they carry traefik.enable=true.
    exposedByDefault: false  # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /configurations
    watch: true
Dynamic traefik config
# Dynamic configuration
http:
  middlewares:
    # Opts responses out of FLoC interest-cohort calculation.
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: "interest-cohort=()"
    secureHeaders:
      headers:
        # NOTE(review): sslRedirect appears to be deprecated in recent Traefik 2.x
        # releases - confirm against the docs for the pinned version. The "web"
        # entry point already redirects to HTTPS.
        sslRedirect: true
        # HSTS for one year, covering all subdomains and flagged for preload.
        # Every host under example.com must serve valid HTTPS before this is
        # relied on, since browsers cache the policy.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    user-auth:
      basicAuth:
        users:
          # NOTE(review): "$apr1$" is Apache's MD5-based htpasswd format; basicAuth
          # also accepts bcrypt hashes, which resist offline guessing far better.
          # The entry is redacted here, but the DEBUG-level "Configuration received
          # from provider file" log line prints the users list in full - treat a
          # password whose hash was shared that way as disclosed and rotate it.
          - "user:$apr1$password"

tls:
  options:
    default:
      # ECDHE key exchange with AEAD ciphers only. This list governs TLS 1.2;
      # TLS 1.3 suites are not configurable here.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

Best regards,
_Ray

If I just use dig/nslookup on the subdomain through my normal DNS server, I receive a SERVFAIL.
However, if I query the acme-dns server directly, I get a valid response.

In both cases however, the acme-dns server answers.

When I force the traefik container to use 8.8.8.8 as its DNS server, I get a "JWS has an invalid anti-replay nonce" error.

time="2022-03-24T15:49:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.com\" \"*.example.com\"]..." providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory",
time="2022-03-24T15:49:27Z" level=debug msg="Domains [\"example.com\" \"*.example.com\"] need ACME certificates generation for domains \"example.com,*.example.com\"." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le-dns.acme,
time="2022-03-24T15:49:27Z" level=debug msg="Loading ACME certificates [example.com *.example.com]..." providerName=le-dns.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory",
time="2022-03-24T15:49:27Z" level=debug msg="Building ACME client..." providerName=le-dns.acme,
time="2022-03-24T15:49:27Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=le-dns.acme,
time="2022-03-24T15:49:28Z" level=debug msg="Using DNS Challenge provider: acme-dns" providerName=le-dns.acme,
time="2022-03-24T15:49:28Z" level=debug msg="legolog: [INFO] [example.com, *.example.com] acme: Obtaining bundled SAN certificate",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [*.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/91016304580",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/91016304590",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [*.example.com] acme: use dns-01 solver",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [example.com] acme: Could not find solver for: tls-alpn-01",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [example.com] acme: Could not find solver for: http-01",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [example.com] acme: use dns-01 solver",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Preparing to solve DNS-01",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [example.com] acme: Preparing to solve DNS-01",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Trying to solve DNS-01",
time="2022-03-24T15:49:29Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]",
time="2022-03-24T15:49:31Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]",
time="2022-03-24T15:49:41Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:49:53Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:50:05Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:50:18Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:50:30Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:50:32Z" level=debug msg="legolog: [INFO] [example.com] acme: Trying to solve DNS-01",
time="2022-03-24T15:50:32Z" level=debug msg="legolog: [INFO] [example.com] acme: Checking DNS record propagation using [127.0.0.11:53]",
time="2022-03-24T15:50:34Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]",
time="2022-03-24T15:50:44Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:50:56Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:51:08Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:51:20Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:51:32Z" level=debug msg="legolog: [INFO] [example.com] acme: Waiting for DNS record propagation.",
time="2022-03-24T15:51:34Z" level=debug msg="legolog: [INFO] [*.example.com] acme: Cleaning DNS-01 challenge",
time="2022-03-24T15:51:34Z" level=debug msg="legolog: [INFO] [example.com] acme: Cleaning DNS-01 challenge",
time="2022-03-24T15:51:34Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/91016304580 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"0102mOB09QC48h6jvKM9Od2sfSyf-xLmxCrJnGCBmhtRQnM\"",
time="2022-03-24T15:51:35Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/91016304580",
time="2022-03-24T15:51:35Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/91016304590",
time="2022-03-24T15:51:35Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]: error: one or more domains had a problem:\n[*.example.com] time limit exceeded: last error: read udp 172.30.0.2:43930->PUBLIC_IP:53: i/o timeout\n[example.com] time limit exceeded: last error: read udp 172.30.0.2:54190->PUBLIC_IP:53: i/o timeout\n" providerName=le-dns.acme