Traefik - newbie struggles: unable to generate a certificate for the domains... propagation: time limit exceeded

Hi all, traefik newbie here, seriously struggling with this propagation error. Please find details below, any help is greatly appreciated.

Detail summary, I have a UDMPRO router & my domain is registered with cloudflare:

  • Router packet inspection is disabled, no UDMPRO adlist blocking, the docker host's network gateway DNS is set to 1.1.1.1.
  • Pihole & Unbound - I am running these but believe Traefik is not routing there, at least when I am testing.
  • I am sure 443 and 80 are forwarding to Traefik correctly on the FW.
  • I can nslookup from the Traefik container, and I've even mounted /etc/resolv.conf with 1.1.1.1 namespace to rule out Pihole.
  • I have tried "disablePropagationCheck: true" - this fails to create the TXT record entirely on cloudflare so I don't believe this helps.
  • I have tried using "delayBeforeCheck" and increasing the propagation timeout window, no luck.
  • I am able to see TXT records created and I have tried with both token and global api key, so I don't believe this is a permissions issue.
  • I've tried LE staging and prod.

Config - Not sure what this does :frowning: :slight_smile:

http:
  middlewares:    
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
    ip-whitelist:
      ipWhiteList:
        sourceRange:
          - "1.2.3.4"

docker-compose

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
       proxy:
    ports:
      - 80:80
      - 81:81
      - 443:443
      - 444:444
    environment:
      - CF_API_EMAIL=xxxx
      - CF_API_KEY=xxxx
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/administrator/traefik/resolv.conf:/etc/resolv.conf:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/administrator/traefik/traefik.yml:/traefik.yml:ro
      - /home/administrator/traefik/acme.json:/acme.json
      - /home/administrator/traefik/config.yml:/config.yml:ro
      - /home/administrator/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.mydomain.uk`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=xxxx"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.mydomain.uk`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.uk"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.uk"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  
networks:
  proxy:
    external: true

traefik (config)

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
  http-external:
    address: ":81"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entrypoint:
          to: https-external
          scheme: https
  https-external:
    address: ":444"
    http:
      middlewares:
        - crowdsec-bouncer@file

serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: xxx
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        #delayBeforeCheck: 10
        disablePropagationCheck: false
        resolvers:
          - "8.8.8.8:53"
          - "1.1.1.1:53"

log:
  level: "DEBUG"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"

access logs - 500/400s look bad - unclear what's going on here.

185.191.126.213 - - [18/Apr/2024:19:39:20 +0000] "GET / HTTP/1.1" 500 0 "-" "-" 1 "http-to-https@internal" "-" 43ms
46.174.191.29 - - [18/Apr/2024:20:43:11 +0000] "GET / HTTP/1.0" 404 19 "-" "-" 2 "-" "-" 0ms
35.203.210.142 - - [18/Apr/2024:20:49:53 +0000] "GET / HTTP/1.1" 500 0 "-" "-" 3 "http-to-https@internal" "-" 9ms
167.94.138.125 - - [18/Apr/2024:21:00:36 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 4 "-" "-" 0ms
167.94.138.125 - - [18/Apr/2024:21:00:40 +0000] "GET / HTTP/1.1" 404 19 "-" "-" 5 "-" "-" 0ms
109.205.213.198 - - [18/Apr/2024:21:02:11 +0000] "GET / HTTP/1.1" 500 0 "-" "-" 6 "http-to-https@internal" "-" 8ms

traefik logs (debug)

time="2024-04-18T19:34:37Z" level=info msg="Traefik version 2.11.2 built on 2024-04-11T15:38:45Z"
time="2024-04-18T19:34:37Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"readTimeout\":\"1m0s\",\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https\",\"scheme\":\"https\",\"permanent\":true,\"priority\":9223372036854775806}},\"middlewares\":[\"crowdsec-bouncer@file\"]},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"http-external\":{\"address\":\":81\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"readTimeout\":\"1m0s\",\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https-external\",\"scheme\":\"https\",\"permanent\":true,\"priority\":9223372036854775806}},\"middlewares\":[\"crowdsec-bouncer@file\"]},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"readTimeout\":\"1m0s\",\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"middlewares\":[\"crowdsec-bouncer@file\"]},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"https-external\":{\"address\":\":444\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"readTimeout\":\"1m0s\",\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"middlewares\":[\"crowdsec-bouncer@file\"]},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"watch\":true,\"filename\":\"/config.yml\"}},\"api\":{\"dashboard\":true,\"debug\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/var/log/traefik/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/var/log/traefik/access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"certificatesResolvers\":{\"cloudflare\":{\"acme\":{\"email\":\"myemail45@hotmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"8.8.8.8:53\"]}}}}}"
time="2024-04-18T19:34:37Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-04-18T19:34:37Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-04-18T19:34:37Z" level=debug msg="Starting TCP Server" entryPointName=http
time="2024-04-18T19:34:37Z" level=debug msg="Starting TCP Server" entryPointName=https-external
time="2024-04-18T19:34:37Z" level=debug msg="Starting TCP Server" entryPointName=http-external
time="2024-04-18T19:34:37Z" level=info msg="Starting provider *file.Provider"
time="2024-04-18T19:34:37Z" level=debug msg="*file.Provider provider configuration: {\"watch\":true,\"filename\":\"/config.yml\"}"
time="2024-04-18T19:34:37Z" level=debug msg="Starting TCP Server" entryPointName=https
time="2024-04-18T19:34:37Z" level=debug msg="add watcher on: /"
time="2024-04-18T19:34:37Z" level=debug msg="add watcher on: /config.yml"
time="2024-04-18T19:34:37Z" level=info msg="Starting provider *traefik.Provider"
time="2024-04-18T19:34:37Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2024-04-18T19:34:37Z" level=info msg="Starting provider *docker.Provider"
time="2024-04-18T19:34:37Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2024-04-18T19:34:37Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-04-18T19:34:37Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-04-18T19:34:37Z" level=info msg="Starting provider *acme.Provider"
time="2024-04-18T19:34:37Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"myemail45@hotmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"8.8.8.8:53\"]},\"ResolverName\":\"cloudflare\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2024-04-18T19:34:37Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-18T19:34:37Z" level=info msg="Testing certificate renew..." providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-18T19:34:37Z" level=debug msg="Configuration received: {\"http\":{\"middlewares\":{\"crowdsec-bouncer\":{\"forwardAuth\":{\"address\":\"http://bouncer-traefik:8080/api/v1/forwardAuth\",\"trustForwardHeader\":true}},\"ip-whitelist\":{\"ipWhiteList\":{\"sourceRange\":[\"1.2.3.4\"]}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
time="2024-04-18T19:34:37Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"http-external-to-https-external\":{\"entryPoints\":[\"http-external\"],\"middlewares\":[\"redirect-http-external-to-https-external\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":9223372036854775806},\"http-to-https\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"redirect-http-to-https\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":9223372036854775806}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"redirect-http-external-to-https-external\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"444\",\"permanent\":true}},\"redirect-http-to-https\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"http\":{\"middlewares\":[\"crowdsec-bouncer@file\"]},\"http-external\":{\"middlewares\":[\"crowdsec-bouncer@file\"]},\"https\":{\"middlewares\":[\"crowdsec-bouncer@file\"]},\"https-external\":{\"middlewares\":[\"crowdsec-bouncer@file\"]}},\"serversTransports\":{\"default\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-04-18T19:34:37Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=cloudflare.acme
time="2024-04-18T19:34:37Z" level=debug msg="Provider connection established with docker 26.0.1 (API 1.45)" providerName=docker
time="2024-04-18T19:34:37Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"traefik-https-redirect\"],\"service\":\"traefik-traefik\",\"rule\":\"Host(`traefik-dashboard.mydomain.uk`)\"},\"traefik-secure\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefik-auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik-dashboard.mydomain.uk`)\",\"tls\":{\"certResolver\":\"cloudflare\",\"domains\":[{\"main\":\"mydomain.uk\",\"sans\":[\"*.mydomain.uk\"]}]}}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.19.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"sslheader\":{\"headers\":{\"customRequestHeaders\":{\"X-Forwarded-Proto\":\"https\"}}},\"traefik-auth\":{\"basicAuth\":{\"users\":[\"administrator:$apr1$0F1r7j/x$e8TWDO7QCj0VVlnWof7iU1\"]}},\"traefik-https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=docker
time="2024-04-18T19:34:37Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=http routerName=http-to-https@internal middlewareName=tracing middlewareType=TracingForwarder
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme entryPointName=http
time="2024-04-18T19:34:37Z" level=debug msg="Setting up redirection to https 443" middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme entryPointName=http routerName=http-to-https@internal
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http routerName=http-to-https@internal middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=http-external-to-https-external@internal entryPointName=http-external middlewareName=tracing middlewareType=TracingForwarder
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" routerName=http-external-to-https-external@internal middlewareName=redirect-http-external-to-https-external@internal middlewareType=RedirectScheme entryPointName=http-external
time="2024-04-18T19:34:37Z" level=debug msg="Setting up redirection to https 444" entryPointName=http-external routerName=http-external-to-https-external@internal middlewareName=redirect-http-external-to-https-external@internal middlewareType=RedirectScheme
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http-external routerName=http-external-to-https-external@internal middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=http-external
time="2024-04-18T19:34:37Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=Pipelining routerName=traefik@docker entryPointName=http serviceName=traefik-traefik middlewareName=pipelining
time="2024-04-18T19:34:37Z" level=debug msg="Creating load-balancer" entryPointName=http serviceName=traefik-traefik routerName=traefik@docker
time="2024-04-18T19:34:37Z" level=debug msg="Creating server 0 http://172.19.0.2:80" serverName=0 routerName=traefik@docker entryPointName=http serviceName=traefik-traefik
time="2024-04-18T19:34:37Z" level=debug msg="child http://172.19.0.2:80 now UP"
time="2024-04-18T19:34:37Z" level=debug msg="Propagating new UP status"
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware traefik-traefik" entryPointName=http routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=http routerName=traefik@docker middlewareName=traefik-https-redirect@docker
time="2024-04-18T19:34:37Z" level=debug msg="Setting up redirection to https " routerName=traefik@docker middlewareName=traefik-https-redirect@docker middlewareType=RedirectScheme entryPointName=http
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http routerName=traefik@docker middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=http routerName=http-to-https@internal middlewareName=tracing middlewareType=TracingForwarder
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme entryPointName=http
time="2024-04-18T19:34:37Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=http routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http routerName=http-to-https@internal middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=http
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=http-external middlewareName=tracing middlewareType=TracingForwarder routerName=http-external-to-https-external@internal
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=http-external routerName=http-external-to-https-external@internal middlewareName=redirect-http-external-to-https-external@internal
time="2024-04-18T19:34:37Z" level=debug msg="Setting up redirection to https 444" middlewareType=RedirectScheme entryPointName=http-external routerName=http-external-to-https-external@internal middlewareName=redirect-http-external-to-https-external@internal
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http-external routerName=http-external-to-https-external@internal middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" entryPointName=http-external middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-04-18T19:34:37Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing entryPointName=https routerName=traefik-secure@docker middlewareType=TracingForwarder
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=BasicAuth middlewareName=traefik-auth@docker entryPointName=https routerName=traefik-secure@docker
time="2024-04-18T19:34:37Z" level=debug msg="Adding tracing to middleware" routerName=traefik-secure@docker entryPointName=https middlewareName=traefik-auth@docker
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=ForwardedAuthType entryPointName=https routerName=traefik-secure@docker middlewareName=crowdsec-bouncer@file
time="2024-04-18T19:34:37Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=https middlewareName=traefik-internal-recovery
time="2024-04-18T19:34:37Z" level=debug msg="Adding route for traefik-dashboard.mydomain.uk with TLS options default" entryPointName=https
time="2024-04-18T19:34:37Z" level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.uk\" \"*.mydomain.uk\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme
time="2024-04-18T19:34:37Z" level=debug msg="Domains [\"mydomain.uk\" \"*.mydomain.uk\"] need ACME certificates generation for domains \"mydomain.uk,*.mydomain.uk\"." providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-18T19:34:37Z" level=debug msg="Loading ACME certificates [mydomain.uk *.mydomain.uk]..." providerName=cloudflare.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-04-18T19:34:38Z" level=debug msg="Building ACME client..." providerName=cloudflare.acme
time="2024-04-18T19:34:38Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme
time="2024-04-18T19:34:39Z" level=info msg=Register... providerName=cloudflare.acme
time="2024-04-18T19:34:39Z" level=debug msg="legolog: [INFO] acme: Registering account for myemail45@hotmail.com"
time="2024-04-18T19:34:40Z" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=cloudflare.acme
time="2024-04-18T19:34:40Z" level=debug msg="legolog: [INFO] [mydomain.uk, *.mydomain.uk] acme: Obtaining bundled SAN certificate"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12059461384"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [mydomain.uk] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12059461394"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: use dns-01 solver"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Could not find solver for: tls-alpn-01"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Could not find solver for: http-01"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: use dns-01 solver"
time="2024-04-18T19:34:41Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Preparing to solve DNS-01"
time="2024-04-18T19:34:42Z" level=debug msg="legolog: [INFO] cloudflare: new record for mydomain.uk, ID deba7a94e3c829dfb1f5244a411d0177"
time="2024-04-18T19:34:42Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Preparing to solve DNS-01"
time="2024-04-18T19:34:43Z" level=debug msg="legolog: [INFO] cloudflare: new record for mydomain.uk, ID 5f15b2aa9fb36c2995e32cf145730266"
time="2024-04-18T19:34:43Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Trying to solve DNS-01"
time="2024-04-18T19:34:43Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53]"
time="2024-04-18T19:34:45Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2024-04-18T19:34:45Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:34:47Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:34:49Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Waiting for DNS record propagation."
...
time="2024-04-18T19:36:42Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:36:44Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:36:46Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Trying to solve DNS-01"
time="2024-04-18T19:36:46Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Checking DNS record propagation. [nameservers=8.8.8.8:53]"
time="2024-04-18T19:36:48Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2024-04-18T19:36:48Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Waiting for DNS record propagation."
...
time="2024-04-18T19:38:45Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:38:47Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Waiting for DNS record propagation."
time="2024-04-18T19:38:49Z" level=debug msg="legolog: [INFO] [*.mydomain.uk] acme: Cleaning DNS-01 challenge"
time="2024-04-18T19:38:49Z" level=debug msg="legolog: [INFO] [mydomain.uk] acme: Cleaning DNS-01 challenge"
time="2024-04-18T19:38:50Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12059461384"
time="2024-04-18T19:38:51Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12059461394"
time="2024-04-18T19:38:51Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.uk,*.mydomain.uk\"" rule="Host(`traefik-dashboard.mydomain.uk`)" providerName=cloudflare.acme error="unable to generate a certificate for the domains [mydomain.uk *.mydomain.uk]: error: one or more domains had a problem:\n[*.mydomain.uk] propagation: time limit exceeded: last error: NS clayton.ns.cloudflare.com. returned REFUSED for _acme-challenge.mydomain.uk.\n[mydomain.uk] propagation: time limit exceeded: last error: NS alice.ns.cloudflare.com. returned REFUSED for _acme-challenge.mydomain.uk.\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker
time="2024-04-18T19:39:20Z" level=debug msg="Error calling http://bouncer-traefik:8080/api/v1/forwardAuth. Cause: Get \"http://bouncer-traefik:8080/api/v1/forwardAuth\": dial tcp: lookup bouncer-traefik on 1.1.1.1:53: no such host" middlewareType=ForwardedAuthType middlewareName=crowdsec-bouncer@file
time="2024-04-18T20:49:53Z" level=debug msg="Error calling http://bouncer-traefik:8080/api/v1/forwardAuth. Cause: Get \"http://bouncer-traefik:8080/api/v1/forwardAuth\": dial tcp: lookup bouncer-traefik on 1.1.1.1:53: no such host" middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType
time="2024-04-18T21:00:32Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-04-18T21:00:39Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-04-18T21:00:40Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-04-18T21:00:42Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-04-18T21:00:43Z" level=debug msg="http: TLS handshake error from 167.94.138.125:42968: tls: client offered only unsupported versions: [302 301]"
time="2024-04-18T21:00:45Z" level=debug msg="http: TLS handshake error from 167.94.138.125:53442: tls: client offered only unsupported versions: [301]"
time="2024-04-18T21:00:46Z" level=debug msg="http: TLS handshake error from 167.94.138.125:45502: tls: client offered only unsupported versions: []"
time="2024-04-18T21:02:11Z" level=debug msg="Error calling http://bouncer-traefik:8080/api/v1/forwardAuth. Cause: Get \"http://bouncer-traefik:8080/api/v1/forwardAuth\": dial tcp: lookup bouncer-traefik on 1.1.1.1:53: no such host" middlewareName=crowdsec-bouncer@file middlewareType=ForwardedAuthType

Thank you very much!

If you don't know what crowdsec is, then you should probably start with an easier template instead :laughing: Check simple Traefik example.

There seems to be just a single error:

time="2024-04-18T19:38:51Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.uk,*.mydomain.uk\"" rule="Host(`traefik-dashboard.mydomain.uk`)" providerName=cloudflare.acme error="unable to generate a certificate for the domains [mydomain.uk *.mydomain.uk]: error: one or more domains had a problem:\n[*.mydomain.uk] propagation: time limit exceeded: last error: NS clayton.ns.cloudflare.com. returned REFUSED for _acme-challenge.mydomain.uk.\n[mydomain.uk] propagation: time limit exceeded: last error: NS alice.ns.cloudflare.com. returned REFUSED for _acme-challenge.mydomain.uk.\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=traefik-secure@docker

You say you see the token created in DNS, so the error seems a bit strange. Have you tried to remove resolvers: and the 2 IPs and just use the defaults?

Make sure to set an absolute path for storage: acme.json and use a bind mount or volume to keep the created certs, or you might run into LE limits.
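The "propagation: time limit exceeded" error in the post is raised by the DNS-01 propagation check: as the message shows, it asks the zone's authoritative nameservers (clayton/alice.ns.cloudflare.com) directly for the `_acme-challenge` TXT record, and here they answered REFUSED (RCODE 5), which is the server declining the query rather than reporting the record as missing. The script below is an added example, not from the post and not Traefik's or lego's code, that reproduces that non-recursive TXT query with the standard library only, so the RCODE each nameserver returns can be seen outside Traefik; `mydomain.uk`, the nameserver list and every function name are placeholders/assumptions.

```python
"""Reproduce the DNS-01 propagation check by hand (added example, stdlib only).

Sends a non-recursive TXT query for _acme-challenge.<domain> to each named
server and reports the RCODE (NOERROR/NXDOMAIN/REFUSED/...) and TXT values.
"""
import random
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as DNS wire labels (length-prefixed, zero-terminated)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name: str, txid: int, recursion_desired: bool = False) -> bytes:
    """12-byte header plus one question. RD=0 asks the server for its own
    authoritative answer instead of letting it recurse on our behalf."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def build_txt_response(query: bytes, rcode: int, txt_values=()) -> bytes:
    """Constructed sample response for offline testing: echoes the question
    and points each answer name back at it with a compression pointer (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8400 | (rcode & 0xF)            # QR=1, AA=1, RCODE in low nibble
    question, answers = query[12:], b""
    for value in txt_values:
        data = value.encode("utf-8")
        rdata = bytes([len(data)]) + data    # TXT rdata: one <character-string>
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(txt_values), 0, 0) + question + answers


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg: bytes, expected_txid: int):
    """Return (rcode_name, [txt strings]) from a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    values = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:               # join the record's <character-string>s
            pos, chunks = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                chunks.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            values.append("".join(chunks))
    return rcode, values


def check_propagation(domain: str, nameservers, expected=None, timeout=3.0):
    """Query _acme-challenge.<domain> TXT on every server; return
    {ns: (rcode, values, found)} where found says the expected token was seen."""
    name = "_acme-challenge." + domain.rstrip(".")
    results = {}
    for ns in nameservers:
        txid = random.randrange(1, 0xFFFF)
        query = build_txt_query(name, txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (ns, 53))
                rcode, values = parse_txt_response(sock.recv(4096), txid)
            except (OSError, ValueError) as exc:
                rcode, values = "ERROR: %s" % exc, []
        results[ns] = (rcode, values, expected is not None and expected in values)
    return results


if __name__ == "__main__":
    # Placeholders: replace with the zone's real authoritative servers (the
    # *.ns.cloudflare.com hosts named in the Traefik error) before running.
    for ns, (rcode, values, found) in check_propagation("mydomain.uk", ["1.1.1.1"]).items():
        print(ns, rcode, values, "token visible" if found else "")
```

Run against the nameservers named in the error while Traefik is mid-challenge: NOERROR with the token means propagation is fine and the problem lies elsewhere, NXDOMAIN means the record has not reached that server yet, and REFUSED from an authoritative server typically means it does not consider itself authoritative for that zone, which points at the domain's NS delegation rather than at Traefik or the API token.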