Traefik can't connect to lets encrypt directory

markbeazley · February 19, 2020, 12:39pm

I'm using the following docker-compose.yaml

version: '3.7'

services:
    reverse-proxy:
        image: traefik:v2.1
        ports:
          - "80:80"
          - "443:443"
        volumes:
            - ./traefik.yml:/etc/traefik/traefik.yml:ro
            - ./conf.d/:/etc/traefik/conf.d/:ro
            - ./certs/:/etc/ssl/:ro
            - ./acme.json:/etc/traefik/acme.json

traefik.yml:

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/conf.d

certificatesResolvers:
  lets-encrypt:
    acme:
      email: example@example.org
      storage: /etc/traefik/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

accessLog: {}

Example Domain config (loaded from a file in /etc/traefik/conf.d/)

http:
   routers:
      exmaple-new:
        rule: "Host(`example.org`)"
        entryPoints:
            - "web"
        service: "example-site-new"
        middlewares:
            - "force-https"
      example-new-secure:
        rule: "Host(`example.org`)"
        entryPoints:
            - "web-secure"
        service: " example-site-new"
        tls:
           certResolver: "lets-encrypt"
   services:
      example-site-new:
       loadBalancer:
         passHostHeader: true
         servers:
           - url: "http://endpointip:8000/"

I've been getting emails from lets encrypt saying the certificates used by this instance hadn't been renewed, acme.json hasn't been modified since the 15th Janauary, so I backed it up and create a new blank one, after restarting the container I get the following error for each domain/cert:

reverse-proxy_1  | time="2020-02-19T12:16:03Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority" rule="Host(`example.org`)" providerName=lets-encrypt.acme routerName=example-site-secure@file

If I try and use wget to request the url in the container I get this:

docker exec -it traefik_reverse-proxy_1 wget https://acme-v02.api.letsencrypt.org/directory
Connecting to acme-v02.api.letsencrypt.org (172.65.32.248:443)
ssl_client: acme-v02.api.letsencrypt.org: TLS connect failed
wget: error getting response: Connection reset by peer

It works fine if I run the same command on the host machine.

markbeazley · February 28, 2020, 8:58am

If anyone else comes across this my issue was this volume mount

Which completely replaced everything in the /etc/ssl folder including everything needed for the container to make outgoing SSL connections. Changed this to a different location and restarted the container and it all works fine.

Topic		Replies	Views
HTTPS let's encrypt not working Traefik v2 docker , letsencrypt-acme	2	4337	November 15, 2019
Traefik + Docker + Let's Encrypt Traefik v2 docker , letsencrypt-acme	4	757	April 6, 2021
Problem with LetsEncrypt certificate generation Traefik v2 letsencrypt-acme	1	1573	September 15, 2021
Problem with Lets Encrypt. ACME Fails Traefik v2 docker , letsencrypt-acme	3	3260	March 11, 2022
Problems with Let's Encypt Certificate Generation Traefik v2 letsencrypt-acme	0	451	November 14, 2021

Traefik can't connect to lets encrypt directory

Related Topics