Traefik is unable to solve DNS and TLS challenge when used behind Hetzner Firewall

rdmchr · June 20, 2023, 1:38pm

I noticed that Traefik is unable to solve the DNS or TLS challenges when I'm using the Hetzner Firewall, specifically the stateless firewall provided for dedicated servers. Here is my Traefik configuration:

services:
  traefik:
    image: traefik:v2.10
    restart: always
    container_name: traefik
    hostname: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email="
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
    networks:
      - traefik-network
    ports:
      - 443:443
      - 80:80
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "./log:/log"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - CF_API_EMAIL=
      - CF_API_KEY=
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.tls.domains[0].main=*.example.com"
      - "traefik.http.routers.dashboard.middlewares=authentik-proxy@docker"


networks:
  traefik-network:
    external: true
    name: traefik

I even see the TXT records on the Cloudflare dashboard, but the challenge times out. I have uploaded the log file of running Traefik with the firewall enabled and disabled to GitHub, in this case, I was using the DNS challenge but a similar thing happened with the TLS challenge: firewall-disabled.log · GitHub

bluepuma77 · June 20, 2023, 2:16pm

Works for me. Simple Traefik example.

I guess it depends on your firewall settings.

If you really want to debug things, I recommend to start with a single service.

rdmchr · June 20, 2023, 3:40pm

Yeah, I tried that in my last post (Traefik issues default certificate - #12 by rdmchr) and had the same result. Could you share your Firewall configuration? Also are you testing on one of their cloud servers or on a dedicated server?

17ms · September 14, 2024, 9:40pm

I'm facing the same issue with Hetzner, what did you end up changing in your firewall to make it work?

bluepuma77 · September 15, 2024, 8:05am

What challenge do you use for LetsEncrypt?

For dnsChallenge the firewall shouldn’t matter at all, as LetsEncrypt will just check a DNS TXT entry. Traefik needs to be able to connect to DNS to set it.

For httpChallenge and tlsChallenge you need to enable incoming ports 80 and 443, respectively.

Enable and check Traefik debug log.

17ms · September 17, 2024, 12:42am

I use the dnsChallenge via Cloudflare. Here's the error I'm getting:

2024-09-16T22:58:45Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [<domain>]: error: one or more domains had a problem:\n[<domain>] propagation: time limit exceeded: last error: DNS call error: read udp 172.18.0.3:40339->173.245.59.150:53: i/o timeout [ns=woz.ns.cloudflare.com.:53, question='_acme-challenge.<domain>. IN  TXT']\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["<domain>"] providerName=letsencrypt.acme routerName=gitea-router@docker rule=Host(`<domain>`)

When checking through the Cloudflare panel, I clearly see that the TXT records get generated successfully, which is backed by the fact that once the firewall is completely disabled Traefik doesn't throw any errors. Additionally I tested that when inside my server (firewall enabled) I can successfully ping my nameservers.

In the end I sincerely got tired with trying to figure it out, and switched back to using iptables, thus the problem doesn't really concern me anymore...

bluepuma77 · September 17, 2024, 4:58am

Well, you would need to share your firewall config: ports, protocol, incoming/outgoing.

Topic		Replies	Views
Let's Encrypt DNS challange DNS provider hetzner unrecognized Traefik v2 letsencrypt-acme	7	7471	July 11, 2020
DNS-01 challenge fails Traefik v3 (latest) docker , letsencrypt-acme	12	1673	March 5, 2025
dnsChallenge not working? Traefik v3 (latest) docker , letsencrypt-acme	7	74	March 21, 2025
Help for DNS challenge setup Traefik v2 docker , letsencrypt-acme	2	835	September 7, 2021
Traefik dns challenge using powerdns not responding Traefik v2 letsencrypt-acme	3	1355	December 28, 2022

Traefik is unable to solve DNS and TLS challenge when used behind Hetzner Firewall

Related topics