Traefik "Unable to obtain ACME certificate for domains"

Any help is appreciated. I recently switched registrars (a little over a day ago) and am using Cloudflare for DNS only (no security features, etc.).

Also, adding a "resolver" section to my "traefik.yml" config makes Traefik spew a different error: "SERVFAIL"

I've also tried putting Cloudflare's certificates directly on my server, but that also fails and Traefik only serves the default cert.

site-traefik | time="2020-03-09T00:51:52Z" level=debug msg="legolog: [INFO] [site.com] acme: use dns-01 solver"
site-traefik | time="2020-03-09T00:51:52Z" level=debug msg="legolog: [INFO] [*.site.com] acme: Preparing to solve DNS-01"
site-traefik | time="2020-03-09T00:51:53Z" level=debug msg="legolog: [INFO] [site.com] acme: Preparing to solve DNS-01"
site-traefik | time="2020-03-09T00:51:53Z" level=debug msg="legolog: [INFO] [*.site.com] acme: Cleaning DNS-01 challenge"
site-traefik | time="2020-03-09T00:51:53Z" level=debug msg="legolog: [WARN] [*.site.com] acme: error cleaning up: cloudflare: failed to find zone site.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6102,\\\"message\\\":\\\"Invalid format for X-Auth-Email header\\\"},{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\" "
site-traefik | time="2020-03-09T00:51:53Z" level=debug msg="legolog: [INFO] [site.com] acme: Cleaning DNS-01 challenge"
site-traefik | time="2020-03-09T00:51:53Z" level=debug msg="legolog: [WARN] [site.com] acme: error cleaning up: cloudflare: failed to find zone site.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6102,\\\"message\\\":\\\"Invalid format for X-Auth-Email header\\\"},{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\" "
site-traefik | time="2020-03-09T00:51:54Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3246235321"
site-traefik | time="2020-03-09T00:51:54Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3246235323"
site-traefik | time="2020-03-09T00:51:54Z" level=error msg="Unable to obtain ACME certificate for domains \"site.com,*.site.com\" : unable to generate a certificate for the domains [site.com *.site.com]: acme: Error -> One or more domains had a problem:\n[*.site.com] [*.site.com] acme: error presenting token: cloudflare: failed to find zone site.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6102,\\\"message\\\":\\\"Invalid format for X-Auth-Email header\\\"},{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\"\n[site.com] [site.com] acme: error presenting token: cloudflare: failed to find zone site.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6102,\\\"message\\\":\\\"Invalid format for X-Auth-Email header\\\"},{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\"\n" providerName=le.acme

docker-compose.yml

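version: "3.7"

services:
    # reverse proxy
    traefik:
        image:          "traefik:v2.1.6"
        container_name: "eccologic-traefik"
        restart:        "unless-stopped"

        # Only the two entrypoints declared in traefik.yml (web on :80, web-secure
        # on :443) are published. 8080 is not: the static configuration defines no
        # entrypoint on it and does not set api.insecure, and the dashboard is served
        # through the authenticated "traefik" router below.
        ports:
            - "80:80"
            - "443:443"

        networks:
            - "internal"
            - "traefik-proxy"

        # Supplies the Cloudflare credentials used by the ACME DNS-01 solver.
        # Keep this file out of version control.
        env_file:
            - ".env"

        volumes:
            # NOTE(review): ":ro" makes the bind mount read-only, but it does not restrict
            # the API calls a process can send over the socket, so this container still has
            # full access to the Docker daemon. A filtering socket proxy in front of the
            # socket narrows that.
            - "/var/run/docker.sock:/var/run/docker.sock:ro" # docker socket
            - "./traefik/traefik.yml:/traefik.yml:ro"        # static configuration config file
            # acme.json holds the ACME account key and the certificates' private keys;
            # Traefik expects it to be mode 600 on the host.
            - "./traefik/acme.json:/acme.json"               # save traefik SSL cert data here

        # dynamic configuration
        labels:
            # enable docker service so traefik can see it
            # (required because exposedByDefault is false in traefik.yml)
            - "traefik.enable=true"

            ###### routers ######

            # redirect all HTTP requests to HTTPS
            - "traefik.http.routers.http-catchall.rule=hostregexp( `{any:.+}` )"
            - "traefik.http.routers.http-catchall.entrypoints=web"
            - "traefik.http.routers.http-catchall.middlewares=https-redirect"

            # wildcard SSL: one certificate for the apex and *.site.net, requested from
            # the "le" resolver (DNS-01 is the only ACME challenge that covers wildcards)
            - "traefik.http.routers.traefik.tls=true"
            - "traefik.http.routers.traefik.tls.certresolver=le"
            - "traefik.http.routers.traefik.tls.domains[0].main=site.net"
            - "traefik.http.routers.traefik.tls.domains[0].sans=*.site.net"

            # dashboard: served only on the TLS entrypoint and only behind the
            # "auth" middleware
            - "traefik.http.routers.traefik.rule=Host( `traefik.site.net` )"
            - "traefik.http.routers.traefik.entrypoints=web-secure"
            - "traefik.http.routers.traefik.middlewares=auth"
            - "traefik.http.routers.traefik.service=api@internal"

            ###### middlewares ######

            # HTTPS redirect middleware
            - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
            - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"

            # auth middleware
            # "user:hash" is a placeholder for an htpasswd-style entry. In a compose
            # file every "$" in the hash has to be written as "$$", otherwise Compose
            # treats it as variable interpolation and the stored hash is corrupted.
            - "traefik.http.middlewares.auth.basicauth.users=user:hash"

networks:
    internal:
        external: false

    traefik-proxy:
        name: "traefik-proxy"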

traefik.yml

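# Static configuration, mounted read-only into the container as /traefik.yml.
log:
    format: "common"
    # DEBUG is what surfaces the lego/ACME detail while troubleshooting; lower it
    # once certificate issuance works.
    level:  "DEBUG"

# api.insecure is not set, so the dashboard is reachable only through a router
# that targets api@internal.
api:
    dashboard: true

providers:
    docker:
        endpoint:         "unix:///var/run/docker.sock"
        network:          "traefik-proxy"
        # Containers are ignored unless they carry traefik.enable=true.
        exposedByDefault: false

entryPoints:
    web:
        address: ":80"
    web-secure:
        address: ":443"

certificatesResolvers:
    le:
        acme:
            email:   "foo@bar.com"
            # Relative path; presumably resolved against the container's working
            # directory so that it matches the /acme.json bind mount — confirm.
            # The file contains private keys and should stay mode 600.
            storage: "acme.json"
            dnsChallenge:
                # The provider takes its credentials from the container environment
                # (CF_API_EMAIL / CF_API_KEY supplied through the env_file).
                provider: "cloudflare"

# NOTE(review): Traefik v2 documents tls.options as dynamic configuration. Placed in
# this static file the section is most likely not applied; move it to a file loaded
# through the file provider and confirm the negotiated protocol version and cipher
# from a client afterwards.
tls:
    options:
        default:
            sniStrict:  true
            minVersion: "VersionTLS12"
            # AEAD-only ECDHE suites; this list governs TLS 1.2 handshakes.
            cipherSuites:
                - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        # A named option set of its own, i.e. a sibling of "default" rather than a
        # field inside it; routers opt in by referencing the set by name.
        mintls13:
            minVersion: "VersionTLS13"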

.env

# Cloudflare credentials handed to the Traefik container through env_file and used
# by the ACME DNS-01 solver.
# NOTE(review): the Global API Key is account-wide. lego's cloudflare provider also
# accepts a zone-scoped API token via CF_DNS_API_TOKEN — verify that the lego version
# bundled with this Traefik release supports it before switching.
# Keep this file out of version control and readable only by the deploying user.
CF_API_EMAIL="foo@bar.com"
CF_API_KEY="my secret global API key"

hello,

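you have to remove the quotes in the .env file. Docker Compose (at least the releases current at the time of this thread) passes env_file values through literally, so the quotes became part of CF_API_EMAIL and CF_API_KEY, which is why Cloudflare rejected the X-Auth-Email and X-Auth-Key headers with "Invalid format".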

Wow. And here's me thinking I did something majorly wrong. Thank you!