I am running two servers: Server 1 is reachable from the public internet, while server 2 is in a private LAN but can be reached by server 1. Server 1 runs nginx, which forwards HTTPS traffic to a traefik proxy also running on server 1 that provides an HTTPS endpoint for some services running on server 1, but redirects some other HTTPS requests to server 2. Server 2 also runs a traefik proxy as an HTTPS endpoint for its services. Server 2 should remain in charge of the TLS keys for its services. I am using the ACME TLS challenge so that I don't have to configure an HTTP proxy as well.
The traefik proxy on server 1 has a dynamic configuration file that configures the forwards to server 2 for certain host names:
tcp:
  routers:
    server2:
      rule: HostSNI(`app1.example.org`, `app2.example.org`, `app3.example.org`)
      service: server2
      tls:
        passthrough: true
  services:
    server2:
      loadBalancer:
        servers:
          - address: 10.200.2.14:443
In addition, server 1 has other dynamic configuration files and a Docker provider for configuring its own services. It has an ACME certificate resolver configured for its own services.
Server 2 also has an ACME certificate resolver configured:
certificatesResolvers:
  letsencrypt:
    acme:
      email: server2@example.org
      storage: /data/acme.json
      tlsChallenge: {}
While the ACME certificate generation works flawlessly on server 1, it doesn't work on server 2. I see this in the logs:
time="2022-01-23T18:24:04Z" level=error msg="Unable to obtain ACME certificate for domains \"app1.example.org\": unable to generate a certificate for the domains [app1.example.org]: error: one or more domains had a problem:\n[app1.example.org] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: internal error\n" providerName=letsencrypt.acme routerName=portainer@file rule="Host(`app1.example.org`)"
These errors are shown repeatedly for all host names hosted by server 2. The odd thing is that very rarely, the certificate generation seems to succeed for one of the host names.
I am new to traefik and am a bit lost about how to proceed. How can I find out more details about the error? Is the scenario not a supported one?
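As an added diagnostic (not part of the original post or of traefik itself), the script below reproduces the one TLS handshake an ACME validator makes for the TLS challenge, SNI set to the domain and ALPN offering only acme-tls/1, against server 1's public address, so you can observe from outside whether that handshake is passed through to server 2's traefik or fails at an earlier hop; the host and domain are command-line arguments, and the acmeIdentifier check is a byte-search heuristic over the DER certificate.

```python
import socket
import ssl

# DER encoding of the id-pe-acmeIdentifier OID 1.3.6.1.5.5.7.1.31 (RFC 8737),
# the critical extension a TLS-ALPN-01 challenge certificate must carry.
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")


def has_acme_identifier_extension(cert_der: bytes) -> bool:
    """Heuristic: does the DER certificate contain the acmeIdentifier OID?"""
    return ACME_IDENTIFIER_OID_DER in cert_der


def probe_tls_alpn01(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like an ACME validator would: SNI = domain, ALPN = acme-tls/1 only.
    Verification is disabled because the challenge certificate is self-signed by design."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["acme-tls/1"])
    result = {"host": host, "sni": sni, "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                result.update(ok=True, alpn=tls.selected_alpn_protocol(),
                              tls_version=tls.version(),
                              has_acme_identifier=has_acme_identifier_extension(der))
    except (OSError, ssl.SSLError) as exc:
        # A Go-side "tls: internal error" alert surfaces here as an SSLError;
        # a plain socket error means the TCP hop on server 1 never delivered the connection.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def interpret(result: dict) -> str:
    """Map a probe result to the reading a practitioner would take from it."""
    if not result["ok"]:
        return "handshake failed before a certificate was presented: " + result["error"]
    if result["alpn"] != "acme-tls/1":
        return ("TLS endpoint answered but did not negotiate acme-tls/1; "
                "the handshake is terminated by something that does not serve the challenge")
    if not result["has_acme_identifier"]:
        return ("acme-tls/1 negotiated but the certificate lacks the acmeIdentifier extension; "
                "no challenge was pending for this name at the moment of the probe")
    return "acme-tls/1 negotiated and a challenge certificate was served"


if __name__ == "__main__":
    import json, sys
    r = probe_tls_alpn01(sys.argv[1], sys.argv[2])  # public address of server 1, domain name
    print(json.dumps(r, indent=2))
    print(interpret(r))
```

Run it while traefik on server 2 is retrying (the challenge certificate only exists during a pending challenge); outside that window the probe still tells you whether the acme-tls/1 handshake reaches a TLS server at all.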