TLS challenge validation fails

Hi,

I am maintaining a Non-Letsencrypt ACME server implementation. One of my users did contact me claiming that certificate enrollment does not work when using tls-alpn-01 challenge validation. I think I was able to replicate the issue in my lab by using your reference config with some smaller modifications.

version: '3.3'

services:
  traefik:
    image: traefik:latest
    container_name: "traefik"    
    command: 
      - "--log.level=DEBUG"    
      - "--api.insecure=true" 
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"       
      - "--entrypoints.websecure.address=:443" 
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      # - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"      
      - "--certificatesresolvers.myresolver.acme.caserver=http://192.168.14.1/directory"
      - "--certificatesresolvers.myresolver.acme.email=grindsa@foo.bar"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"      
    ports:
      - "80:80"
      - "443:443"      
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"      
      - "/var/run/docker.sock:/var/run/docker.sock"

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"    
      - "traefik.http.routers.whoami.rule=Host(`whoami.bar.local`)"
      - "traefik.http.routers.whoami.entrypoints=web,websecure"
      # - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

I see that the challenge validation fails on the acme-server as the certificate presented by Traefik is wrong/missing the respective SAN and certificate extension fields. Below is an example certificate which gets presented to the acme-server.


CN=TRAEFIK DEFAULT CERT
SAN=DNS:067a6fd3d2ae306dcbc0d928f0f61831.c956d58339495978d4bd31aa6ffa992d.traefik.default

Is my configuration incomplete or did I get hit by a bug?

Thank you for your help and have a nice day.

/G.

Your setup probably does not work because you have a private hostname. For LetsEncrypt validation you need a public domain name.

Optionally check this simple Traefik example.

I am not using LE but a private acme server which does allow private domains.

Further, challenge validation via http-01 works without issues. Only when using tls-alpn-01 does validation fail, as my Traefik instance presents the wrong certificate for validation.

BR G.

Traefik uses le-go, maybe their community can help better. They probably have a similar forum.

Thank you for your answer. I meanwhile found the issue by myself.

It seems that Traefik routes the validation requests coming from the acme-server based on the ALPN extension included in the ClientHello message. This was missing in my implementation. After adding the extension with a correct protocol name ("acme-tls/1") everything works as expected.

