Traefik with letsencrypt not renewing the cert

My cert expired, so it worked once; maybe I changed something since it worked, but I can't find what.
The cert is not being updated by Traefik anymore, and I can't see anything related to this in the logs.

My traefik.yml file:

# https://docs.ibracorp.io/traefik/master/docker-compose/config-files-explained

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  insecureSkipVerify: true # allow insecure backend connections

entryPoints: # Not used in apps, but redirect everything from HTTP to HTTPS

  http80:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https443
          scheme: https
          permanent: true

  # HTTPS endpoint, with domain wildcard
  https443:
    address: :443
    #forwardedHeaders:
    #  trustedIPs: *trustedIps # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: asd.com.es
            sans:
              - '*.asd.com.es'
      middlewares:
        - securityHeaders@file

providers:
  providersThrottleDuration: 15s
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: br2 # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.asd.com.es`)"
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    endpoint: "tcp://wpsocketproxy:2375" 

# Enable traefik ui
api:
  dashboard: true
  insecure: false

# Log level INFO|DEBUG|ERROR
log:
  level: DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  filePath: "/etc/traefik/logs/traefik.log"
accesslog:
  filePath: "/etc/traefik/logs/access.log"
  bufferingSize: 100
  filters:
    statusCodes: 
      - "200-299"
      - "400-499"
      - "500-599"

# Use letsencrypt to generate SSL certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: server@server.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the DNS challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 90

# Traefik plugins
experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.1.13-beta-fix-104"
    
    traefik-modsecurity-plugin:
      moduleName: "github.com/acouvreur/traefik-modsecurity-plugin"
      version: "v1.3.0"
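The dnsChallenge block above makes lego (the ACME library inside Traefik) locate the Cloudflare zone by asking the configured resolvers for the SOA record of `_acme-challenge.<domain>` over UDP port 53, walking up one label at a time until a resolver answers with an SOA. When that query gets no reply, Traefik logs `could not find the start of authority ... i/o timeout`, which is the failure seen later in this thread. The script below is an added example written for this page, not code from Traefik, lego or the poster: it sends the same SOA query with the Python standard library so UDP/53 reachability of the resolvers can be checked from the Traefik host before a renewal is due. `RESOLVERS` and `DOMAIN` are taken from the config above; `constructed_response()` is a hand-built NXDOMAIN reply used only to exercise the parser offline.

```python
"""Added example: reproduce lego's DNS-01 zone discovery (SOA lookup of
_acme-challenge.<domain> over UDP/53) against the resolvers in traefik.yml.
Not Traefik or lego code."""
import socket
import struct
import sys

TYPE_SOA = 6
CLASS_IN = 1
RESOLVERS = [("1.1.1.1", 53), ("1.0.0.1", 53)]   # from the config above
DOMAIN = "asd.com.es"                            # from the config above


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_soa_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, recursion desired, one SOA/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_soa_owner(msg: bytes):
    """Owner name of the first SOA in the answer or authority section (the
    zone name), or None. Both NOERROR and NXDOMAIN replies carry it."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode not in (0, 3):
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_SOA:
            return owner
    return None


def find_zone(fqdn: str, resolvers=RESOLVERS, timeout=5.0):
    """Walk up from fqdn until a resolver returns an SOA, as lego does.
    Returns (zone, None) on success or (None, reason) naming the failure."""
    name = fqdn.rstrip(".")
    reason = "no SOA found"
    while "." in name:
        for host, port in resolvers:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                try:
                    s.sendto(build_soa_query(name), (host, port))
                    data, _ = s.recvfrom(4096)
                except socket.timeout:
                    return None, f"read udp ->{host}:{port}: i/o timeout (UDP/53 blocked?)"
            try:
                owner = parse_soa_owner(data)
            except ValueError as exc:
                reason = f"{host}:{port}: {exc}"
                continue
            if owner:
                return owner, None
        name = name.split(".", 1)[1]
    return None, reason


def constructed_response() -> bytes:
    """Constructed sample (not captured traffic): the NXDOMAIN reply a resolver
    gives for _acme-challenge.asd.com.es, with the zone SOA in the authority section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 1, 0)
    question = encode_name("_acme-challenge." + DOMAIN) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    owner = struct.pack("!H", 0xC000 | (12 + 1 + len("_acme-challenge")))  # pointer to "asd.com.es"
    rdata = (encode_name("ns.example.invalid") + encode_name("hostmaster.example.invalid")
             + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    authority = owner + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + authority


if __name__ == "__main__":
    zone, err = find_zone("_acme-challenge." + DOMAIN)
    print("zone:", zone) if zone else print("FAILED:", err)
    sys.exit(0 if zone else 1)
```

Run it from inside the Traefik container's network namespace (or on the host that runs the socket proxy), since a firewall rule that only affects that path is exactly what the later replies point at; a successful run prints `zone: asd.com.es.`, a blocked port prints the same `i/o timeout` wording lego uses.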

My fileConfig.yml:

http:

# Home Assistant
  routers:

    homeassistant:
      entryPoints:
        - https443
      rule: 'Host(`ha.asd.com.es`)'
      service: homeassistant
      middlewares:
        - traefik-csbouncer
        - traefik-modsecurity
        - rate-limit

    plex:
      entryPoints:
        - https443
      rule: 'Host(`plex.asd.com.es`)'
      service: plex
      middlewares:
        #- traefik-csbouncer
        #- traefik-modsecurity

  services:

    homeassistant:
      loadBalancer:
        servers:
          - url: http://10.10.10.100:8123/

    plex:
      loadBalancer:
        servers:
          - url: http://10.10.50.20:32400/

  ## MIDDLEWARES ##
  middlewares:
    
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 10.10.10.1/24 # localhost

    # Rate limit
    rate-limit:
      rateLimit:
        average: 200
        burst: 100

    # Crowdsec bouncer
    traefik-csbouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          logLevel: INFO
          updateIntervalSeconds: 30 # stream mode only
          #defaultDecisionSeconds: 60 # live mode only
          crowdsecMode: stream
          crowdsecLapiKey: b2e210d71f34de53c8fe68d4f970e060 # Api key for 'traefik'
          crowdsecLapiHost: 10.10.50.11:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          #forwardedHeadersTrustedIPs:   # List of IPs of trusted Proxies that are in front of traefik (ex: Cloudflare)
          clientTrustedIPs: 
            - 10.10.10.1/24
          forwardedHeadersCustomName: X-Forwarded-For
          redisCacheEnabled: true
          redisCacheHost: redis-cs:6379
          redisCachePassword: 3QVMvJWExUVKDGtbU8ucJKacBCBLH3rP
          redisCacheDatabase: 1
  
    traefik-modsecurity:  
      plugin:
        traefik-modsecurity-plugin:
          #MaxBodySize: "52428800"
          ModsecurityUrl: http://modsecurity:80
          TimeoutMillis: "2000"

    # Enable gzip compression
    test-compress:
      compress: {}

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          server: ""
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "strict-origin-when-cross-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        framedeny: true # Set frameDeny to true to add the X-Frame-Options header with the value of DENY.
        contentTypeNosniff: true # Set contentTypeNosniff to true to add the X-Content-Type-Options header with the value nosniff.
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
        permissionsPolicy: "geolocation=(self), interest-cohort=(), camera=(), microphone=(), payment=(), usb=(), vr=(), web-share=()"

        #contentSecurityPolicy: "report-uri csp:8080, default-src 'self'"
        # default-src 'self';
        # script-src 'report-sample' 'self';
        # style-src 'report-sample' 'self';
        # object-src 'none';
        # base-uri 'self';
        # connect-src 'self';
        # font-src 'self';
        # frame-src 'self';
        # img-src 'self';
        # manifest-src 'self';
        # media-src 'self';
        # report-uri https://64771d916de1519cde13ca45.endpoint.csper.io/?v=0;
        # worker-src 'none';

        # accessControlAllowMethods:
        #   - GET
        #   - OPTIONS
        #   - PUT
        # accessControlMaxAge: 100

# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      #curvePreferences:
      #  - CurveP521
      #  - CurveP384
      sniStrict: true

Enable Traefik debug log, restart, and check for errors and what it prints about certificate(s).

Make sure Traefik and the plugins are updated to the current version.

Does this help?

time="2023-08-28T16:26:35+02:00" level=debug msg="Trying to challenge certificate for domain [traefik.asd.com.es] found in HostSNI rule" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=https443-traefik-dashboard@docker rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme
time="2023-08-28T16:26:35+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.asd.com.es\"]..." rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=https443-traefik-dashboard@docker
time="2023-08-28T16:26:35+02:00" level=debug msg="No ACME certificate generation required for domains [\"traefik.asd.com.es\"]." ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=https443-traefik-dashboard@docker rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme
time="2023-08-28T16:26:35+02:00" level=debug msg="Trying to challenge certificate for domain [traefik.asd.com.es] found in HostSNI rule" rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik-dashboard@docker
time="2023-08-28T16:26:35+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"asd.com.es\" \"*.asd.com.es\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="No ACME certificate generation required for domains [\"asd.com.es\" \"*.asd.com.es\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.asd.com.es\"]..." routerName=traefik-dashboard@docker rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="No ACME certificate generation required for domains [\"traefik.asd.com.es\"]." rule="Host(`traefik.asd.com.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik-dashboard@docker
time="2023-08-28T16:26:35+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"asd.com.es\" \"*.asd.com.es\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="No ACME certificate generation required for domains [\"asd.com.es\" \"*.asd.com.es\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"asd.com.es\" \"*.asd.com.es\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="No ACME certificate generation required for domains [\"asd.com.es\" \"*.asd.com.es\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=letsencrypt.acme
time="2023-08-28T16:26:35+02:00" level=info msg="Renewing certificate from LE : {Main:asd.com.es SANs:[*.asd.com.es]}" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: Trying renewal with -97 hours remaining"
time="2023-08-28T16:26:35+02:00" level=debug msg="legolog: [INFO] [asd.com.es, *.asd.com.es] acme: Obtaining bundled SAN certificate"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [*.asd.com.es] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/259161880206"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [asd.com.es] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/259161880216"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [*.asd.com.es] acme: use dns-01 solver"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: Could not find solver for: tls-alpn-01"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: Could not find solver for: http-01"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: use dns-01 solver"
time="2023-08-28T16:26:36+02:00" level=debug msg="legolog: [INFO] [*.asd.com.es] acme: Preparing to solve DNS-01"
time="2023-08-28T16:26:38+02:00" level=debug msg="legolog: [INFO] cloudflare: new record for asd.com.es, ID 2b2479b885fd11c00bde3f70247eb57e"
time="2023-08-28T16:26:38+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: Preparing to solve DNS-01"
time="2023-08-28T16:26:39+02:00" level=debug msg="legolog: [INFO] cloudflare: new record for asd.com.es, ID 038c4ce6156ffac38f9ab9fa80370615"
time="2023-08-28T16:26:39+02:00" level=debug msg="legolog: [INFO] [*.asd.com.es] acme: Trying to solve DNS-01"
time="2023-08-28T16:26:39+02:00" level=debug msg="legolog: [INFO] [*.asd.com.es] acme: Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53]"
time="2023-08-28T16:26:41+02:00" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2023-08-28T16:26:41+02:00" level=debug msg="Delaying 90000000000 rather than validating DNS propagation now." providerName=letsencrypt.acme

The cert expired on Thu, 24 Aug 2023 13:24:43 GMT.

time="2023-08-28T16:41:19+02:00" level=debug msg="legolog: [WARN] [*.asd.com.es] acme: cleaning up failed: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:40700->1.0.0.1:53: i/o timeout "

time="2023-08-28T16:43:00+02:00" level=error msg="Error renewing certificate from LE: {asdd.com.es [.asdd.com.es]}" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="error: one or more domains had a problem:\n[.asd.com.es] [*.asd.com.es] acme: error presenting token: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:41839->1.0.0.1:53: i/o timeout\n[asd.com.es] [asd.com.es] acme: error presenting token: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:52502->1.0.0.1:53: i/o timeout\n"
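The debug output above already carries everything needed to catch this failure automatically rather than noticing it after the certificate has expired: the renewal attempt, the negative "hours remaining" (the certificate is already past its end date), the delay logged in nanoseconds, and the error line naming the resolver whose UDP/53 query timed out. The parser below is an added example, not part of the thread and not Traefik code; the sample lines are modelled on the log posted above (lightly shortened), and the `AcmeStatus` fields and the alert text are this example's own.

```python
"""Added example: pull ACME renewal state and DNS-01 failures out of Traefik
debug logs in the logfmt-style format shown in this thread. Not Traefik code."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TIME_RE = re.compile(r'^time="([^"]+)"')
RENEW_RE = re.compile(r"Renewing certificate from LE : \{Main:(\S+) SANs:\[([^\]]*)\]\}")
HOURS_RE = re.compile(r"Trying renewal with (-?\d+) hours remaining")
DELAY_RE = re.compile(r'msg="Delaying (\d+) rather than validating DNS propagation')
ERROR_RE = re.compile(r'level=error\b.*msg="Error renewing certificate')
TIMEOUT_RE = re.compile(r"read udp (\S+)->(\S+): i/o timeout")

# Constructed sample input, modelled on the lines posted in this thread.
SAMPLE_LOG = r'''
time="2023-08-28T16:26:35+02:00" level=info msg="Renewing certificate from LE : {Main:asd.com.es SANs:[*.asd.com.es]}" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-08-28T16:26:35+02:00" level=debug msg="legolog: [INFO] [asd.com.es] acme: Trying renewal with -97 hours remaining"
time="2023-08-28T16:26:41+02:00" level=debug msg="Delaying 90000000000 rather than validating DNS propagation now." providerName=letsencrypt.acme
time="2023-08-28T16:41:19+02:00" level=debug msg="legolog: [WARN] [*.asd.com.es] acme: cleaning up failed: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:40700->1.0.0.1:53: i/o timeout "
time="2023-08-28T16:43:00+02:00" level=error msg="Error renewing certificate from LE: {asd.com.es [*.asd.com.es]}" providerName=letsencrypt.acme error="error: one or more domains had a problem:\n[*.asd.com.es] acme: error presenting token: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:41839->1.0.0.1:53: i/o timeout\n[asd.com.es] acme: error presenting token: cloudflare: could not find zone for domain "asd.com.es" (_acme-challenge.asd.com.es.): could not find the start of authority for _acme-challenge.asd.com.es.: read udp 10.10.50.10:52502->1.0.0.1:53: i/o timeout\n"
'''.strip().splitlines()


@dataclass
class AcmeStatus:
    """Summary of one log scan (field names are this example's own)."""
    renewals: List[Tuple[str, List[str]]] = field(default_factory=list)   # (main, sans)
    hours_remaining: Optional[int] = None      # negative means already expired
    delay_seconds: Optional[float] = None      # delayBeforeCheck as logged (ns -> s)
    failures: List[Tuple[str, List[str]]] = field(default_factory=list)   # (time, resolvers)


def parse_acme_log(lines) -> AcmeStatus:
    """Scan Traefik log lines and collect the ACME-relevant facts."""
    status = AcmeStatus()
    for line in lines:
        t = TIME_RE.search(line)
        ts = t.group(1) if t else ""
        m = RENEW_RE.search(line)
        if m:
            status.renewals.append((m.group(1), m.group(2).split()))
        m = HOURS_RE.search(line)
        if m:
            status.hours_remaining = int(m.group(1))
        m = DELAY_RE.search(line)
        if m:
            status.delay_seconds = int(m.group(1)) / 1e9
        if ERROR_RE.search(line):
            # Only level=error lines count as failures; the legolog WARN about
            # cleanup is a consequence of the same timeout, not a second event.
            resolvers = sorted({dst for _, dst in TIMEOUT_RE.findall(line)})
            status.failures.append((ts, resolvers))
    return status


def renewal_alert(status: AcmeStatus) -> Optional[str]:
    """Human-readable alert text, or None when nothing needs attention."""
    problems = []
    if status.hours_remaining is not None and status.hours_remaining < 0:
        problems.append(f"certificate expired {-status.hours_remaining}h ago")
    for ts, resolvers in status.failures:
        where = ", ".join(resolvers) or "unknown resolver"
        problems.append(f"{ts}: renewal failed, DNS-01 zone lookup timed out against {where}")
    return "; ".join(problems) or None


if __name__ == "__main__":
    # Pass the log filePath from traefik.yml to scan a real log; otherwise the sample runs.
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LOG
    result = parse_acme_log(lines)
    print(renewal_alert(result) or "no ACME problems found")
```

Pointed at `/etc/traefik/logs/traefik.log` from a cron job or a log shipper, the alert fires on the first failed renewal attempt, which Traefik starts about 30 days before expiry, leaving time to fix the resolver path; the negative hours check catches the case seen here, where the failure was only noticed after the certificate had already expired.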

Are you using CNAME for the domains? That needs an extra parameter in the config. Doc.

Make sure to use the correct environment variable CF_API_EMAIL and CF_API_KEY. Doc.

Timeout on port 53 has been seen before when an extra firewall was not configured correctly.

You are aware of your very long 90 sec delay?

It was a connectivity issue and a problem with the token together.

Thanks
