My setup has stopped being accessible from the "outside".
I have checked that my DuckDNS token is still the same, and my IP is still the same.
I have these Traefik settings in my docker compose file:
```yaml
services:
  traefik:
    image: traefik:v3.0
    restart: always
    command:
      # Debug Properties
      - "--log.level=DEBUG"
      # api.insecure serves the dashboard and API without authentication on :8080 (published below)
      - "--api.insecure=true"
      - "--api.dashboard=true"
      # Common Properties
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # SSL/TLS Properties
      - "--entrypoints.websecure.http.tls.certResolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=XXX.duckdns.org"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.XXX.duckdns.org"
      - "--certificatesresolvers.myresolver.acme.email=XXX@XXX.com"
      # absolute path so acme.json lands inside the mounted /etc/traefik volume
      - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'
    environment:
      - DUCKDNS_TOKEN=55c8ebe7-ca07-40af-bc52-xxxxxxxxx
    volumes:
      - /home/server/docker/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      # $$ is the docker compose escape for a literal $ in the htpasswd hash
      - "traefik.http.middlewares.myauth.basicauth.users=XXX:$$apr1$$XXXXXXX$$IgXLP6ewTrXXXXXX/"
```
The errors I see in the log are:

```text
Serving default certificate for request: "85.184.XXX.XXX"
traefik_1 | 2023-10-04T00:43:39Z DBG log/log.go:194 > http: TLS handshake error from 212.102.XXX.XXX:38502: EOF
http: TLS handshake error from 212.102.XXX.XXX:6514: tls: no cipher suite supported by both client and server
No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["XXX.duckdns.org","*.XXX.duckdns.org"] providerName=myresolver.acme
http: TLS handshake error from 212.102.40.XXX:40632: read tcp 172.18.XXX.XXX:443->212.102.XXX.XXX:40632: read: connection reset by peer
```

So what should I look for to make it generate a certificate again?
If you access Traefik by IP (https://85.184.XXX.XXX) and not with a domain name, then Traefik will serve a Traefik custom cert, which the client will usually not accept, and then you see TLS handshake errors.

`no cipher suite supported by both client and server` could also indicate that you are using a very old client (IoT device?) which is not compatible with current ciphers.
It's when using the duckdns.org domain that it fails. And it worked like half a year ago, so I wonder if anything has changed with the container.
I am trying to access it from both my laptop (using a VPN to avoid DNS issues) and my iPhone, both running Firefox and the latest OS.
Have you updated Traefik (`docker pull`)? Sometimes APIs change, like LetsEncrypt or the API towards TXT entries of DNS providers for dnsChallenge.
I do that regularly, but isn't handling Let's Encrypt and DuckDNS part of Traefik?
Right now I don't get any errors after updating, but I still can't access the site.
No errors in my logs when I do `docker-compose logs traefik` and no errors on the Traefik website. But I can't access it.
Deleted my acme.json and now I am getting:

```text
traefik_1 | 2023-10-17T19:14:20Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Wait for propagation [timeout: 1m0s, interval: 2s] lib=lego
traefik_1 | 2023-10-17T19:14:20Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:23Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:25Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:28Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:30Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:33Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:35Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:38Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:40Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:42Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:45Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:47Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:50Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:52Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:55Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:14:57Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:15:00Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:15:12Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:15:24Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Waiting for DNS record propagation. lib=lego
traefik_1 | 2023-10-17T19:15:26Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] [somedomain.duckdns.org] acme: Cleaning DNS-01 challenge lib=lego
traefik_1 | 2023-10-17T19:15:32Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/274819326876 lib=lego
traefik_1 | 2023-10-17T19:15:32Z DBG github.com/go-acme/lego/v4@v4.14.0/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/274819326886 lib=lego
traefik_1 | 2023-10-17T19:15:32Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:470 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [somedomain.duckdns.org *.somedomain.duckdns.org]: error: one or more domains had a problem:\n[*.somedomain.duckdns.org] propagation: time limit exceeded: last error: read udp 172.18.0.5:39030->35.183.157.249:53: i/o timeout\n[somedomain.duckdns.org] propagation: time limit exceeded: last error: read udp 172.18.0.5:38704->35.183.157.249:53: i/o timeout\n" acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["somedomain.duckdns.org","*.somedomain.duckdns.org"] providerName=myresolver.acme routerName=websecure-traefik-compose@docker rule=Host(traefik-compose)
```
It might be a network issue, like a required proxy or firewall.
Alternatively you could try to change the DNS (`dnschallenge.resolvers`) to DuckDNS (or remove it completely) instead of using other providers' IPs, which might take longer.