Traefik fails to obtain wildcard from cloudflare // ACME error

Hello,

I'm trying to get the Traefik container configured on my Firewalla Gold (posted in their forum but no response yet).

Already had my domain registered on cloudflare with two records as DNS only, no proxy.

A record > WAN IP
CNAME record > mydomain

I'm also using a pi-hole container running fine using 172.16.0.2/24.
Container is running but timing out on API to cloudflare with this log:

```
Unable to obtain ACME certificate for domains "Get "https://acme-v02.api.letsencrypt.org/directory/": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:35897->127.0.0.11:53: i/o timeout"
```

My docker-compose file:

root@firewalla:/mnt/traefik# cat docker-compose.yml

```yaml
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=****
      - CF_DNS_API_TOKEN=****
      # - CF_API_KEY=YOU_API_KEY
      # be sure to use the correct one depending on whether you are using a token or a key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/traefik/data/traefik.yml:/traefik.yml:ro
      - /mnt/traefik/data/acme.json:/acme.json
      - /mnt/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:****"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com"
      # wildcard SAN must sit under the same zone as "main" (the original had a mismatched suffix)
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
```

traefik.yml file:

root@firewalla:/mnt/traefik/data# cat traefik.yml

```yaml
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: liquid_322@Hotmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        # disablePropagationCheck: true
        # Uncomment this if you have issues pulling certificates through Cloudflare. Setting it to true
        # disables waiting for the TXT record to propagate to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
```

Can't resolve anything from inside the container.
Bypassed all rules in my Firewalla and same symptom.

```
root@firewalla:/mnt/traefik/data# docker network list
NETWORK ID          NAME                DRIVER              SCOPE
e32e3a5f2eaa        bridge              bridge              local
58e2044a2cb8        host                host                local
ebe968f9d0a0        none                null                local
ad951abeebca        pi-hole_default     bridge              local
dc1d1432326f        proxy               bridge              local
root@firewalla:/mnt/traefik/data# docker network inspect proxy
[
    {
        "Name": "proxy",
        "Id": "dc1d1432326f7138b88053c13416d17c2b9c2658e4fce6984e14874884beb59c",
        "Created": "2022-11-20T12:35:47.666214591-10:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "2333bf675279538a0882a6e56f62467a005679516d431952453daa6746d34090": {
                "Name": "traefik",
                "EndpointID": "57a86f375a93643eb9d0b60e6b3150e43201eb83f3c0846ce8362abffbfb0558",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
root@firewalla:/mnt/traefik/data#
```

Thinking this may be due to DNS but unsure where to look.

Can you please format your configs? Use 3 backticks before and after each snippet.


Thanks, it looks like it was already done, as the format looks better than how it appeared after pasting. Will note this for next time though.

Do I need to add resolv.conf under volumes? I tried `/etc/resolv.conf:/resolv.conf` but no change.

FW is not blocking the internal connection from what I can see. Put it in bypass mode and no change.

Would love to get this working. Maybe I need to edit resolv.conf and put some specific entries there?

container routes

I can ping the Pi-hole IP and 127.0.0.1 from inside the container, along with the container GW, which is the proxy network.

No blocks on FW.

Is my local DNS record broken somehow?

I think Traefik is not loading your static config file, as it seems not to be on the checked paths.

You can use `command: --configFile=/path/traefik.yml` on the Traefik container in docker-compose.yml.


So I figured out that it was a routing issue. After adding these, I was able to restart the container and saw my wildcard pulled down.

```bash
sudo ip route add 172.18.0.0/24 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.18.0.0/24 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table wan_routable
```
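
The fix above boils down to one check: the bridge that compose created for the `proxy` network (Docker names it `br-` plus the first 12 hex characters of the network Id) has to be routable in each of Firewalla's policy routing tables, or traffic leaving the container never gets a usable return path and even Docker's embedded DNS at 127.0.0.11 times out. The script below is an added example, not code from the thread or from Traefik/Firewalla: it reads the `docker network inspect` JSON shown earlier, checks constructed samples of `ip route show table <name>` output (the thread does not include that output) for a route that covers the whole container subnet, and emits the `ip route add` commands that are missing. It takes the prefix from the network's IPAM config (172.18.0.0/16 here) rather than hard-coding one, so a route that only covers part of the subnet, or a network with several subnets, is handled as well; the table names and the 203.0.113.1 gateway in the sample are placeholders.

```python
"""Check that a Docker bridge network's subnet is routable in each host routing
table and emit the `ip route add` commands that are missing.

Added example for this thread (not from the original posts). INSPECT_JSON is
trimmed from the `docker network inspect proxy` output in the thread; the
route-table text is constructed, since the thread does not show it.
"""
import ipaddress
import json

# Constructed sample: trimmed `docker network inspect proxy` output from the thread.
INSPECT_JSON = json.dumps([{
    "Name": "proxy",
    "Id": "dc1d1432326f7138b88053c13416d17c2b9c2658e4fce6984e14874884beb59c",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
}])

# Constructed sample of `ip route show table <name>` for the two tables the thread
# names: the default docker0 bridge is routed, the compose-created bridge is not.
# 203.0.113.1 is a documentation-range placeholder for the WAN gateway.
ROUTE_TABLES = {
    "lan_routable": "172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1\n"
                    "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1\n",
    "wan_routable": "default via 203.0.113.1 dev eth0\n",
}


def bridge_interface(net):
    """Docker names a bridge network's host interface br-<first 12 hex chars of Id>."""
    if net.get("Driver") != "bridge":
        raise ValueError(f"{net.get('Name')!r} is not a bridge network")
    return "br-" + net["Id"][:12]


def network_subnets(net):
    """Return the network's IPAM subnets as normalised CIDR strings (there may be several)."""
    return [str(ipaddress.ip_network(c["Subnet"])) for c in net["IPAM"]["Config"]]


def table_covers(table_text, subnet_cidr):
    """True if some route in the table text covers the *whole* container subnet.

    A broader route (172.16.0.0/12) counts; a narrower one (172.18.0.0/24 inside a
    /16) does not, because the rest of the subnet would still be unroutable.
    """
    subnet = ipaddress.ip_network(subnet_cidr)
    for line in table_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            route = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a destination prefix (e.g. "local", "broadcast" lines)
        if route.version == subnet.version and subnet.subnet_of(route):
            return True
    return False


def missing_routes(inspect_json, route_tables):
    """Return the `ip route add` commands needed so every table routes the bridge subnet."""
    cmds = []
    for net in json.loads(inspect_json):
        iface = bridge_interface(net)
        for cidr in network_subnets(net):
            for table, text in route_tables.items():
                if not table_covers(text, cidr):
                    cmds.append(f"ip route add {cidr} dev {iface} table {table}")
    return cmds


if __name__ == "__main__":
    for cmd in missing_routes(INSPECT_JSON, ROUTE_TABLES):
        print(cmd)
```

On a live host, replace the two constants with `docker network inspect proxy` and `ip route show table lan_routable` / `ip route show table wan_routable` output; the script only prints the commands, so you can review them before running them as root.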
