"tls: internal error" with Let’s Encrypt behind TLS passthrough proxy

I am running two servers: Server 1 is reachable from the public internet, while server 2 is in a private LAN but can be reached by server 1. Server 1 runs nginx, which forwards HTTPS traffic to a traefik proxy also running on server 1 that provides an HTTPS endpoint for some services running on server 1, but redirects some other HTTPS requests to server 2. Server 2 also runs a traefik proxy as an HTTPS endpoint for its services. Server 2 should remain in charge of the TLS keys for its services. I am using the ACME TLS challenge so that I don't have to configure an HTTP proxy as well.

The traefik proxy on server 1 has a dynamic configuration file that configures the forwards to server 2 for certain host names:

    tcp:
      routers:
        server2:
          rule: HostSNI(`app1.example.org`, `app2.example.org`, `app3.example.org`)
          service: server2
          tls:
            passthrough: true
      services:
        server2:
          loadBalancer:
            servers:
              - address:

In addition, server 1 has other dynamic configuration files and a Docker provider for configuring its own services. It has an acme certificate resolver configured for its own services.

Server 2 also has an acme certificate resolver configured:

    certificatesResolvers:
      letsencrypt:
        acme:
          email: server2@example.org
          storage: /data/acme.json
          tlsChallenge: {}

While the ACME certificate generation works flawlessly on server 1, it doesn't work on server 2. I see this in the logs:

time="2022-01-23T18:24:04Z" level=error msg="Unable to obtain ACME certificate for domains \"app1.example.org\": unable to generate a certificate for the domains [app1.example.org]: error: one or more domains had a problem:\n[app1.example.org] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: internal error\n" providerName=letsencrypt.acme routerName=portainer@file rule="Host(`app1.example.org`)"

These errors are shown repeatedly for all host names hosted by server 2. The odd thing is that very rarely, the certificate generation seems to succeed for one of the host names.

I am new to traefik and am a bit lost how to proceed. How can I find out more details about the error? Is the scenario not a supported one?

It turns out that this setup is supported and my setup was simply misconfigured.

I noticed that the certificate generation actually only failed for services that were listening to multiple host names, for example Host(`example.org`) || Host(`www.example.org`). I had tested the forward only by opening the first domain (example.org) and thus hadn't noticed that the forward for the second domain (www.example.org) did not actually work. In some cases I had simply forgotten to configure the second domain in the TCP router; in other cases I had erroneously assumed that wildcards would work with HostSNI (for example HostSNI(`*.example.org`)), which in fact they don't.

After fixing the TCP router on server 1, the certificate generation on server 2 now works properly.
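The check the author skipped (testing every name, not just the first one) can be done against the configuration itself before Let's Encrypt ever connects. The script below is an added example, not code from the original post or from Traefik: it collects every name in the backend's Host() rules, every literal in the front proxy's HostSNI() rules, and reports the names that no TCP router will pass through, plus any wildcard entries, which HostSNI does not expand (only the bare `*` catch-all is special). The router names and rule strings are constructed sample data that reproduce the two mistakes described above; they are not the author's real configuration.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample rules (assumptions for this example, not from the post):
# the HTTP routers on server 2 and the TCP passthrough router on server 1.
SERVER2_HTTP_RULES: Dict[str, str] = {
    "portainer@file": "Host(`app1.example.org`)",
    "web@docker": "Host(`example.org`) || Host(`www.example.org`)",
    "apps@docker": "Host(`app2.example.org`, `app3.example.org`)",
}
SERVER1_TCP_RULES: Dict[str, str] = {
    "server2@file": "HostSNI(`app1.example.org`, `app2.example.org`, "
                    "`app3.example.org`, `example.org`, `*.example.org`)",
}

# Host(...) / HostSNI(...) calls and their backticked arguments.
_CALL = re.compile(r"\b(Host|HostSNI)\(([^)]*)\)")
_ARG = re.compile(r"`([^`]*)`")


def extract_names(rule: str, matcher: str) -> Set[str]:
    """Collect every backticked argument of matcher() anywhere in a Traefik rule.

    Handles both the comma form Host(`a`, `b`) and the || form
    Host(`a`) || Host(`b`); other matchers (Path, PathPrefix, ...) are ignored.
    """
    names: Set[str] = set()
    for fn, args in _CALL.findall(rule):
        if fn == matcher:
            names.update(a.strip() for a in _ARG.findall(args))
    return names


def check_passthrough(http_rules: Dict[str, str],
                      tcp_rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Report Host() names that no HostSNI() on the front proxy will forward.

    The tlsChallenge (TLS-ALPN-01) validation for a name only reaches the
    backend if the front proxy's HostSNI() lists that exact name, so a name
    that is missing here gets the front proxy's (wrong) TLS answer instead.
    Wildcards such as `*.example.org` never match and are reported separately.
    """
    wanted: Set[str] = set()
    for rule in http_rules.values():
        wanted |= extract_names(rule, "Host")
    sni: Set[str] = set()
    for rule in tcp_rules.values():
        sni |= extract_names(rule, "HostSNI")
    wildcards = sorted(n for n in sni if "*" in n and n != "*")
    if "*" in sni:  # HostSNI(`*`) is the catch-all and forwards everything
        missing: List[str] = []
    else:
        missing = sorted(wanted - sni)
    return {"missing": missing, "wildcards": wildcards}


def corrected_rule(names: Iterable[str]) -> str:
    """Render an explicit HostSNI() rule with one literal per name."""
    return "HostSNI(" + ", ".join(f"`{n}`" for n in sorted(set(names))) + ")"


if __name__ == "__main__":
    report = check_passthrough(SERVER2_HTTP_RULES, SERVER1_TCP_RULES)
    for name in report["missing"]:
        print(f"not forwarded by any HostSNI(): {name}")
    for name in report["wildcards"]:
        print(f"wildcard in HostSNI() will never match: {name}")
    all_names: Set[str] = set()
    for rule in SERVER2_HTTP_RULES.values():
        all_names |= extract_names(rule, "Host")
    print("suggested rule:", corrected_rule(all_names))
```

On the sample data this reports www.example.org as not forwarded and flags `*.example.org` as a wildcard, which is exactly the pair of mistakes the author found. After fixing the TCP router it is still worth confirming from the outside with a handshake per name, for example `openssl s_client -connect server1:443 -servername www.example.org`, and checking that the certificate chain printed for each name is the one server 2 holds rather than whatever server 1 answers with.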
