Traefik fails to obtain wildcard from cloudflare // ACME error

HanYol0 · November 22, 2022, 9:24am

Hello,

I'm trying to get Traefik container configured on my Firewalla Gold (posted in their forum but no response yet).

Already had my domain registered on cloudflare with two records as DNS only, no proxy.

A record > WAN IP
CNAME record > mydomain

I'm also using a pi-hole container running fine using 172.16.0.2/24.
Container is running but timing out on API to cloudflare with this log:

Unable to obtain ACME certificate for domains "Get "https://acme-v02.api.letsencrypt.org/directory/": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:35897->127.0.0.11:53: i/o timeout"

My docker-compose file:

root@firewalla:/mnt/traefik# cat docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=****
      - CF_DNS_API_TOKEN=****
      # - CF_API_KEY=YOU_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/traefik/data/traefik.yml:/traefik.yml:ro
      - /mnt/traefik/data/acme.json:/acme.json
      - /mnt/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:****"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

traefik.yml file:

root@firewalla:/mnt/traefik/data# cat traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: liquid_322@Hotmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Cant resolve anything from inside the container.
Bypassed all rules in my firewalla and same symptom.

root@firewalla:/mnt/traefik/data# docker network list
NETWORK ID          NAME                DRIVER              SCOPE
e32e3a5f2eaa        bridge              bridge              local
58e2044a2cb8        host                host                local
ebe968f9d0a0        none                null                local
ad951abeebca        pi-hole_default     bridge              local
dc1d1432326f        proxy               bridge              local
root@firewalla:/mnt/traefik/data# docker network inspect proxy
[
    {
        "Name": "proxy",
        "Id": "dc1d1432326f7138b88053c13416d17c2b9c2658e4fce6984e14874884beb59c",
        "Created": "2022-11-20T12:35:47.666214591-10:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "2333bf675279538a0882a6e56f62467a005679516d431952453daa6746d34090": {
                "Name": "traefik",
                "EndpointID": "57a86f375a93643eb9d0b60e6b3150e43201eb83f3c0846ce8362abffbfb0558",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
root@firewalla:/mnt/traefik/data#

Thinking this may be due to DNS but unsure where to look.

bluepuma77 · November 22, 2022, 9:58am

Can you please format your configs? Use 3 backticks before and after each snippet.

HanYol0 · November 22, 2022, 5:34pm

Thanks, looks like it was already done as format looks better than how it was added after pasting. Will note this for next time though.

HanYol0 · November 22, 2022, 5:38pm

Do i need to add in resolv.conf under volumes? i tried this '/etc/resolv.conf:/resolv.conf' but no change.

FW is not blocking internal connection from what i can see. Put in bypass mode and no change.

Would love to get this working. Maybe i need to edit resolv.conf and put some specific entries here?

HanYol0 · November 23, 2022, 4:02am

container routes

I can ping pihole IP and 127.0.0.1 from inside the container along with container GW which is proxy network.

No blocks on FW.

Is my local DNS record broken somehow?

bluepuma77 · November 23, 2022, 5:57pm

I think Traefik is not loading your static config file, as it seems not to be on the checked paths.

You can use command: -- configFile=/path/traefik.yml on Traefik container in docker-compose.yml.

HanYol0 · November 24, 2022, 10:53pm

So i figured out that it was a routing issue. After adding in these, i was able to restart container and saw my wildcard pulled down.

sudo ip route add 172.18.0.0/24 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.18.0.0/24 dev br-$(sudo docker network inspect proxy |jq -r '.[0].Id[0:12]') table wan_routable

system · November 27, 2022, 10:54pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to obtain ACME certificates timeout Traefik v2 (latest) docker	8	4871	December 8, 2020
Unable to obtain ACME certificate for domains - credentials are missing Traefik v2 (latest) docker , letsencrypt-acme	6	135	March 24, 2024
Dockers Unable to obtain ACME certificate for domains Traefik v2 (latest) docker	2	2138	December 4, 2020
Need Help! Cloudflare: failed to find zone DOMAIN.net Traefik v2 (latest) docker , letsencrypt-acme	5	1842	March 28, 2023
Issue with acme-challenge using Cloudflare DNS Traefik v2 (latest) docker , letsencrypt-acme	4	107	March 25, 2024

Traefik fails to obtain wildcard from cloudflare // ACME error

Related Topics