Hello,
I use Traefik with Rancher, installed with a Helm chart, but I always get this error and don't know why:
```
time="2023-06-30T18:28:39Z" level=info msg="Configuration loaded from flags."
2023-06-30T18:28:43.392262621Z time="2023-06-30T18:28:43Z" level=error msg="Unable to obtain ACME certificate for domains \"mohs-home.de,*.mohs-home.de\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=netcup.acme routerName=websecure-local-nginx-mohs-home-de-nginx-mohs-home-de@kubernetes rule="Host(`nginx.mohs-home.de`) && PathPrefix(`/`)" error="cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate is valid for 5d0f84413b92972e4be8765fa0e9ccba.93668c7f913dda4f2e55031c01600c84.traefik.default, not acme-staging-v02.api.letsencrypt.org"
```
Can anyone help me?
best regards Jan
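The error line above is the one piece of hard evidence in this thread, so here is a small triage helper for it. This is an added example (my code, not part of the thread and not Traefik's), which parses the `error=` field of a Traefik ACME log line, extracts Go's x509 hostname mismatch ("certificate is valid for X, not Y"), checks whether the failed handshake was the connection to the CA directory URL itself, and flags when the presented names end in `.traefik.default`, the suffix Traefik uses for its auto-generated fallback certificate. The sample input is the post's own line rejoined onto one line plus an unrelated info line; the `.traefik.default` suffix check and the function names are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: the error line from the post above, rejoined onto
# one line, plus an info line that the parser must ignore.
SAMPLE_LINES = [
    'time="2023-06-30T18:28:39Z" level=info msg="Configuration loaded from flags."',
    'time="2023-06-30T18:28:43Z" level=error msg="Unable to obtain ACME certificate '
    'for domains "mohs-home.de,*.mohs-home.de"" '
    'ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" '
    'providerName=netcup.acme '
    'routerName=websecure-local-nginx-mohs-home-de-nginx-mohs-home-de@kubernetes '
    'error="cannot get ACME client get directory at '
    "'https://acme-staging-v02.api.letsencrypt.org/directory': "
    'Get "https://acme-staging-v02.api.letsencrypt.org/directory": '
    'tls: failed to verify certificate: x509: certificate is valid for '
    '5d0f84413b92972e4be8765fa0e9ccba.93668c7f913dda4f2e55031c01600c84.traefik.default, '
    'not acme-staging-v02.api.letsencrypt.org"',
]

LEVEL_RE = re.compile(r'\blevel=(\w+)')
ACME_CA_RE = re.compile(r'ACME CA="([^"]+)"')
PROVIDER_RE = re.compile(r'\bproviderName=(\S+)')
# Go's crypto/x509 hostname error reads "certificate is valid for a, b, not c".
MISMATCH_RE = re.compile(r'x509: certificate is valid for (.+?), not ([^\s"]+)')


@dataclass
class AcmeTlsFinding:
    acme_ca: str
    provider: str
    expected_host: str            # name the client wanted to verify
    presented_names: List[str]    # names actually in the served certificate
    served_by_traefik_default_cert: bool
    failed_on_ca_connection: bool  # mismatch happened on the CA URL itself


def is_traefik_default_cert_name(name: str) -> bool:
    # Assumption: Traefik's generated fallback certificate carries names
    # ending in ".traefik.default", as the name in the post's log line does.
    return name.endswith(".traefik.default")


def parse_acme_tls_failure(line: str) -> Optional[AcmeTlsFinding]:
    """Return a finding if the line is an ACME error caused by a certificate
    hostname mismatch, otherwise None."""
    level = LEVEL_RE.search(line)
    if not level or level.group(1) != "error":
        return None
    mismatch = MISMATCH_RE.search(line)
    ca = ACME_CA_RE.search(line)
    if not mismatch or not ca:
        return None
    presented = [n.strip() for n in mismatch.group(1).split(",")]
    expected = mismatch.group(2)
    provider = PROVIDER_RE.search(line)
    return AcmeTlsFinding(
        acme_ca=ca.group(1),
        provider=provider.group(1) if provider else "",
        expected_host=expected,
        presented_names=presented,
        served_by_traefik_default_cert=any(is_traefik_default_cert_name(n) for n in presented),
        failed_on_ca_connection=(urlparse(ca.group(1)).hostname == expected),
    )


def scan(lines) -> List[AcmeTlsFinding]:
    return [f for f in (parse_acme_tls_failure(l) for l in lines) if f is not None]


def describe(f: AcmeTlsFinding) -> str:
    if f.served_by_traefik_default_cert and f.failed_on_ca_connection:
        return (f"resolver {f.provider}: the TLS connection to {f.acme_ca} was answered "
                f"with Traefik's own default certificate ({', '.join(f.presented_names)}), "
                f"not by {f.expected_host}; the request never reached the CA")
    return (f"resolver {f.provider}: certificate for {', '.join(f.presented_names)} "
            f"presented where {f.expected_host} was expected")


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(describe(finding))
```

The useful signal is the combination of the two flags: `failed_on_ca_connection` shows the mismatch occurred on the CA directory URL (not, say, on the DNS provider API), and `served_by_traefik_default_cert` shows who answered. Together they tell you that the ACME client's outbound request to Let's Encrypt was terminated by Traefik itself, which narrows the investigation to how that CA hostname resolves and routes from inside the Traefik pod rather than to the DNS challenge configuration.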
I recommend adding the k8s tag to your post.
What are you trying to achieve? It seems you want to use wildcard certs. That only works with dnsChallenge.
I would interpret the error as LE is trying a tlsChallenge with Traefik, which delivers a custom Traefik cert.
Share your full Traefik static and dynamic config.
traefik-config.yaml

```yaml
http:
  middlewares:
    headers-default:
      headers:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
```

traefik-helm-chart.yaml

```yaml
additionalArguments:
  - --providers.file.filename=/data/traefik-config.yaml
  - --entrypoints.websecure.http.tls.certresolver=netcup
  - --entrypoints.websecure.http.tls.domains[0].main=mohs-home.de
  - --entrypoints.websecure.http.tls.domains[0].sans=*.mohs-home.de
  - --certificatesresolvers.netcup.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  # comment the line above when going to production
  - --certificatesresolvers.netcup.acme.dnschallenge.provider=netcup
  - --certificatesresolvers.netcup.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
  - --certificatesresolvers.netcup.acme.storage=/certs/acme.json
  - --certificatesresolvers.netcup.acme.dnschallenge.delayBeforeCheck=600
  - --serversTransport.insecureSkipVerify=true
  # you will need to add the annotation kubernetes.io/ingress.class: traefik-external to ingresses you create,
  # otherwise it will not serve those requests
  - --providers.kubernetesingress.ingressclass=traefik-external
  #- --log.level=DEBUG
deployment:
  enabled: true
  # Number of pods of the deployment
  replicas: 1
  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  podAnnotations: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers:
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/containous/traefik/issues/6972
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /certs/*"]
      volumeMounts:
        - name: data
          mountPath: /certs
  # Custom pod DNS policy. Apply if `hostNetwork: true`
  # dnsPolicy: ClusterFirstWithHostNet
ports:
  web:
    redirectTo: websecure
env:
  - name: NETCUP_API_KEY # or CF_API_KEY, see for more details - https://doc.traefik.io/traefik/https/acme/#providers
    value: "xxx"
  - name: NETCUP_API_PASSWORD
    value: "xxx"
  - name: NETCUP_CUSTOMER_NUMBER
    value: "xxx"
ingressRoute:
  dashboard:
    enabled: true
persistence:
  enabled: true
  # make sure this claim exists
  existingClaim: acme-json-certs
  accessMode: ReadWriteOnce
  size: 128Mi
  path: /certs
volumes:
  - mountPath: /data
    name: traefik-config
    type: configMap
# without this, ingresses get stuck on initializing
providers:
  kubernetesCRD:
    enabled: true
    namespaces: []
  kubernetesIngress:
    enabled: true
    namespaces: []
    publishedService:
      enabled: true
rbac:
  enabled: true
service:
  enabled: true
  type: LoadBalancer
  # Additional annotations (e.g. for cloud provider specific config)
  annotations: {}
  # Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  # Additional entries here will be added to the service spec. Cannot contain
  # type, selector or ports entries.
  spec:
    # externalTrafficPolicy: Cluster
    # loadBalancerIP: "192.168.100.231" # this should be your Metal LB IP
    # clusterIP: "2.3.4.5"
  loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
  externalIPs: []
    # - 1.2.3.4
# securityContext:
#   capabilities:
#     drop: [ALL]
#   readOnlyRootFilesystem: false
#   runAsGroup: 65532
#   runAsNonRoot: true
#   runAsUser: 65532
# podSecurityContext:
#   fsGroup: 65532
```
Yes, I want to use the DNS challenge with netcup, and yes, I want to use a wildcard cert.
best regards Jan