Traefik cannot generate certificate on OVH

Hello everyone.

On Docker, I installed Portainer and then created a new Stack with Traefik. I logged into my OVH account and generated API keys. My docker-compose file looks like below.

I used this guide for OVH: https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/ I want to generate a wildcard certificate for my domain.

version: "3.8"

volumes:
  trafeik_crt:

networks:
  frontend_proxy:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.5.0/26

services:

  traefik:
    container_name: Traefik
    image: traefik:latest
    environment:
      TRAEFIK_LOG_LEVEL: 'DEBUG'
      TRAEFIK_GLOBAL_CHECKNEWVERSION: 'true'
      TRAEFIK_PROVIDERS_DOCKER: 'true'
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'true'
      TRAEFIK_API: 'true'
      TRAEFIK_API_DASHBOARD: 'true'
      TRAEFIK_API_INSECURE: 'true'
      OVH_ENDPOINT: 'ovh-eu'
      OVH_APPLICATION_KEY: 'my_app_key'
      OVH_APPLICATION_SECRET: 'my_secret'
      OVH_CONSUMER_KEY: 'my_cons_key'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE_PROVIDER: 'ovh'
#      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_CASERVER: 'https://acme-v02.api.letsencrypt.org/directory'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_EMAIL: 'info@mydomain.com'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_STORAGE: '/letsencrypt/acme.json'
      TRAEFIK_ENTRYPOINTS_web: 'true'
      TRAEFIK_ENTRYPOINTS_webs: 'true'
      TRAEFIK_ENTRYPOINTS_web_ADDRESS: ':80'
      TRAEFIK_ENTRYPOINTS_webs_ADDRESS: ':443'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: 'webs'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT: 'true'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: 'https'
      
    hostname: srv_traefik1
    ports:
      - 8051:80/tcp # Traefik HTTP
      - 8052:8080/tcp # Traefik WebUI
      - 4351:443/tcp # Traefik HTTPS
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - trafeik_crt:/letsencrypt
    networks:
      frontend_proxy:
        ipv4_address: 172.20.5.2
    dns:
      - 172.16.25.1;
    restart: unless-stopped

When I enable DEBUG logs, I get the error below:

time="2023-02-13T12:50:57+01:00" level=debug msg="Creating load-balancer" entryPointName=web serviceName=httpd-httpd-main routerName=httpd_main@docker
time="2023-02-13T12:50:57+01:00" level=debug msg="Creating server 0 http://172.20.5.3:80" entryPointName=web serviceName=httpd-httpd-main serverName=0 routerName=httpd_main@docker 
time="2023-02-13T12:50:57+01:00" level=debug msg="child http://172.20.5.3:80 now UP"
time="2023-02-13T12:50:57+01:00" level=debug msg="Propagating new UP status" 
time="2023-02-13T12:50:57+01:00" level=debug msg="Added outgoing tracing middleware httpd-httpd-main" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=httpd_main@docker
time="2023-02-13T12:50:57+01:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery 
time="2023-02-13T12:50:57+01:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=webs middlewareName=traefik-internal-recovery 
time="2023-02-13T12:50:57+01:00" level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=web
time="2023-02-13T12:50:57+01:00" level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=webs
time="2023-02-13T12:50:57+01:00" level=debug msg="Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule" rule="Host(mydomain.com)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker
time="2023-02-13T12:50:57+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.com\"]..." routerName=httpd_main@docker rule="Host(mydomain.com)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-02-13T12:50:57+01:00" level=debug msg="Domains [\"mydomain.com\"] need ACME certificates generation for domains \"mydomain.com\"." providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker rule="Host(mydomain.com)"
time="2023-02-13T12:50:57+01:00" level=debug msg="Loading ACME certificates [mydomain.com]..." rule="Host(mydomain.com)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker
time="2023-02-13T12:51:01+01:00" level=debug msg="Building ACME client..." providerName=certbot.acme
time="2023-02-13T12:51:01+01:00" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=certbot.acme
time="2023-02-13T12:51:11+01:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44201->127.0.0.11:53: i/o timeout" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker rule="Host(mydomain.com)" providerName=certbot.acme

Remove the `;`; it is invalid and is causing the DNS lookup to fail.

Wow, I haven't seen so many ENVIRONMENT VARIABLES in a long time; people tend to use the `command` section or a separate `traefik.yml` file. It's actually not "certbot", which in your config is just used as a name. certbot is a different product; Traefik uses lego.

Here is a default template, I find it a lot easier to read.

version: '3.9'

services:
  traefik:
    image: traefik:v2.9
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik-certificates:/traefik-certificates
    command:
      --providers.docker=true
      --providers.docker.network=proxy
      --providers.docker.exposedByDefault=false
      --entrypoints.web.address=:80
      --entrypoints.web.http.redirections.entrypoint.to=websecure
      --entrypoints.web.http.redirections.entrypoint.scheme=https
      --entrypoints.websecure.address=:443
      --entrypoints.websecure.http.tls.certResolver=myresolver
      --api.debug=true
      --api.dashboard=true
      --log.level=DEBUG
      --accesslog=true
      --certificatesresolvers.myresolver.acme.email=mail@example.com
      --certificatesresolvers.myresolver.acme.tlschallenge=true
      --certificatesresolvers.myresolver.acme.storage=/traefik-certificates/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`example.com`) || Host(`www.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy

Add your 4 OVH env vars and update the domains. dnschallenge can probably be enabled like this:

      --certificatesResolvers.myresolver.acme.email=mail@example.com
      --certificatesResolvers.myresolver.acme.dnschallenge=true
      --certificatesResolvers.myresolver.acme.dnschallenge.provider=ovh
      --certificatesResolvers.myresolver.acme.storage=/traefik-certificates/acme.json
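Putting the template above together with the OVH dnschallenge lines, here is a complete compose file as an added example; it is not from the original post, from Traefik's docs, or from the OVH guide. It assumes the domain `example.com`, that the three OVH credentials are stored in files under `./secrets/`, and that they are read through the `_FILE` variants of the variable names that lego supports, so the API keys never appear in the compose file or in `docker inspect` output. The wildcard is requested once on the `websecure` entrypoint (wildcards require the DNS challenge), the container keeps Docker's embedded DNS (no `dns:` override at all), and the ACME staging CA is left commented in for testing without hitting Let's Encrypt rate limits.

```yaml
# Added example: Traefik v2 with the OVH DNS challenge and a wildcard certificate.
# Domain, file paths and secret names are assumptions for illustration.
version: '3.9'

services:
  traefik:
    image: traefik:v2.9
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik-certificates:/traefik-certificates
    # Credentials are mounted as files under /run/secrets rather than
    # written inline; lego reads <VAR>_FILE when <VAR> itself is unset.
    secrets:
      - ovh_application_key
      - ovh_application_secret
      - ovh_consumer_key
    environment:
      OVH_ENDPOINT: ovh-eu
      OVH_APPLICATION_KEY_FILE: /run/secrets/ovh_application_key
      OVH_APPLICATION_SECRET_FILE: /run/secrets/ovh_application_secret
      OVH_CONSUMER_KEY_FILE: /run/secrets/ovh_consumer_key
    command:
      --providers.docker=true
      --providers.docker.network=proxy
      --providers.docker.exposedByDefault=false
      --entrypoints.web.address=:80
      --entrypoints.web.http.redirections.entrypoint.to=websecure
      --entrypoints.web.http.redirections.entrypoint.scheme=https
      --entrypoints.websecure.address=:443
      --entrypoints.websecure.http.tls.certResolver=myresolver
      # One wildcard certificate for the zone, issued via the DNS challenge.
      --entrypoints.websecure.http.tls.domains[0].main=example.com
      --entrypoints.websecure.http.tls.domains[0].sans=*.example.com
      --log.level=INFO
      --certificatesresolvers.myresolver.acme.email=mail@example.com
      --certificatesresolvers.myresolver.acme.storage=/traefik-certificates/acme.json
      --certificatesresolvers.myresolver.acme.dnschallenge=true
      --certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh
      # Resolvers used only for the pre-check of the _acme-challenge TXT record
      # (they do not replace the container's own DNS for reaching the CA).
      --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      # Give OVH's zone a moment to publish before the pre-check starts.
      --certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=30
      # Uncomment while testing to avoid Let's Encrypt production rate limits:
      # --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # Covered by the *.example.com wildcard above; no per-router domains needed.
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

secrets:
  ovh_application_key:
    file: ./secrets/ovh_application_key
  ovh_application_secret:
    file: ./secrets/ovh_application_secret
  ovh_consumer_key:
    file: ./secrets/ovh_consumer_key

networks:
  proxy:
    name: proxy
```

Keep `./secrets/` and `acme.json` out of version control and readable only by the user running compose (`chmod 600`); `acme.json` holds the account key and the issued private key. In OVH's API console, restrict the consumer key to the `/domain/zone/*` paths it needs rather than granting the whole API.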

Thank you for your help.
After removing the semicolon after the IP, everything started working correctly.
Don't know why I put it there :slight_smile:

I have one more question.
How do I manage ciphers for TLS?
I used this test https://www.ssllabs.com/ssltest and for TLS 1.2 some of them got "weak" status, and I want to disable them.

You'll need to set up a dynamic file provider and create some TLS options.

Honestly, if you can get away with it, set the TLS minVersion to VersionTLS13, as all of its ciphers are 'high security' and provide perfect forward secrecy.

tls:
  options:
    default:
      minVersion: VersionTLS13
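For readers who still need TLS 1.2 clients, here is the dynamic configuration file that the answer above refers to, as an added example rather than the original poster's or Traefik's own file. It assumes the file is named `tls.yml` and mounted into the container; the cipher and curve names are the Go `crypto/tls` identifiers Traefik accepts. The `default` option keeps TLS 1.2 but offers only ECDHE (forward-secret) AEAD suites, which drops the CBC and non-ECDHE suites that SSL Labs marks "weak"; a separate `modern` option is TLS 1.3 only, as the answer recommends.

```yaml
# tls.yml -- Traefik dynamic configuration loaded by the file provider.
# Added example; the option names and mount path are assumptions.
tls:
  options:
    # "default" applies to every router that does not name a TLS option.
    default:
      minVersion: VersionTLS12
      # TLS 1.2 suite list: ECDHE key exchange only (forward secrecy) and
      # AEAD ciphers only, so no CBC/HMAC-SHA1 suites and no RSA key exchange.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384

    # Opt-in profile for routers whose clients are all recent: TLS 1.3 only.
    # Go fixes the TLS 1.3 suites itself, so cipherSuites is not used here;
    # a cipherSuites list would only ever apply to TLS 1.2 connections.
    modern:
      minVersion: VersionTLS13
      # Reject handshakes whose SNI matches no certificate, instead of
      # answering with the default certificate (breaks clients that send no SNI).
      sniStrict: true
```

Wire it in with two additions to the `traefik` service in the compose file: a read-only volume such as `./tls.yml:/traefik-dynamic/tls.yml:ro`, and the flags `--providers.file.filename=/traefik-dynamic/tls.yml` and `--providers.file.watch=true` in `command:`. Routers pick the stricter profile with the label `traefik.http.routers.<name>.tls.options=modern@file`; everything else gets `default`. After restarting, rerun the SSL Labs test: the TLS 1.2 section should list only the six suites above, each marked with forward secrecy.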

Thanks for the help.
I found the solution by adding a file provider as dynamic configuration, and now everything works the way I want.

