Hello traefik Community,
i´ve an Issue im currently Hard stuck on. I have 2 Servers, one Server has a Plesk Installation on it, one just has a Apache2 Webserver. Both of them Run Docker + Docker Compose (CE).
I now want to Deploy some Services as Docker Containers with traefik as a own Docker Container. On both Servers, this works flawlessly so far and I can route my Traffic correctly.
However, when it comes to TLS I have some Headache that I can't solve. While TLS works and I get the "Fake LetsEncrypt" Certificate on the Machine with just Apache2, on the Machine with Plesk it won't work for some reason (same Docker Compose). In the Log, I see the Error "Cannot negotiate ALPN protocol".
Things I tried so far:
-> Exposing the Websecure Port (443) on a different Port (8012). Worked for the Apache2 System (still got the test Cert), did not solve the Issue on the Plesk System
-> Deactivate the Plesk Integrated Firewall for the Server
-> Deactivated TLS Management for the specific Subdomain
Im not sure if Plesk is the Issue or something with the Domain itself. This is the Part of the Debug Log for the Cert Challenge. I replaced my Domain with URL, my Personal E-Mail with E-Mail and my IP with IP.:
time="2020-07-24T08:39:37Z" level=debug msg="Using TLS Challenge provider." providerName=myresolver.acme
time="2020-07-24T08:39:37Z" level=debug msg="legolog: [INFO] [URL] acme: Obtaining bundled SAN certificate"
time="2020-07-24T08:39:38Z" level=debug msg="legolog: [INFO] [URL] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/81756385"
time="2020-07-24T08:39:38Z" level=debug msg="legolog: [INFO] [URL] acme: use tls-alpn-01 solver"
time="2020-07-24T08:39:38Z" level=debug msg="legolog: [INFO] [URL] acme: Trying to solve TLS-ALPN-01"
time="2020-07-24T08:39:38Z" level=debug msg="TLS Challenge Present temp certificate for URL" providerName=acme
time="2020-07-24T08:39:45Z" level=debug msg="TLS Challenge CleanUp temp certificate for URL" providerName=acme
time="2020-07-24T08:39:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/81756385"
time="2020-07-24T08:39:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/81756385"
time="2020-07-24T08:39:45Z" level=error msg="Unable to obtain ACME certificate for domains \"URL\": unable to generate a certificate for the domains [URL]: error: one or more domains had a problem:\n[URL] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge, url: \n" providerName=myresolver.acme routerName=whoami@docker rule="Host(`URL`)"
time="2020-07-24T08:40:13Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:13Z" level=debug msg="http: TLS handshake error from IP:51012: remote error: tls: unknown certificate"
time="2020-07-24T08:40:13Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:13Z" level=debug msg="http: TLS handshake error from IP:51014: remote error: tls: unknown certificate"
time="2020-07-24T08:40:15Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:15Z" level=debug msg="http: TLS handshake error from IP:51015: remote error: tls: unknown certificate"
time="2020-07-24T08:40:15Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:22Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:22Z" level=debug msg="http: TLS handshake error from IP:51017: remote error: tls: unknown certificate"
time="2020-07-24T08:40:22Z" level=debug msg="Serving default certificate for request: \"URL\""
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://192.168.16.2:80"
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Referer\":[\"https://URL:8001/\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Referer\":[\"https://URL:8001/\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" ForwardURL="http://192.168.16.2:80"
time="2020-07-24T08:40:22Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6,sk;q=0.5,fr;q=0.4,und;q=0.3\"],\"Referer\":[\"https://URL:8001/\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\"],\"X-Forwarded-Host\":[\"URL:8001\"],\"X-Forwarded-Port\":[\"8001\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"4eb9af385dce\"],\"X-Real-Ip\":[\"IP\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"URL:8001\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"IP:51018\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"
time="2020-07-24T15:06:03Z" level=debug msg="http: TLS handshake error from IP:64573: remote error: tls: unknown certificate"
time="2020-07-24T15:06:03Z" level=debug msg="Serving default certificate for request: \"URL\""
One difference is that the Domain on the Apache2 Server is a Toplevel Domain (something.com) while the Domain on my Plesk Server is a Subdomain (Administrated by Plesk, test.somethingelse.com). Is that maybe the Issue?
Cheers