Unable to generate a certificate acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect

Hello,

I'm trying to get traefik working in a docker container, running on ovh.

Until now I used the ssl gateway of ovh, but that no longer works. I've been given the advice to use letsencrypt instead ...
Having read the quickstart and several forums, I'm still unable to get it working.

This is the setup so far:

VPS running Ubuntu 20.04.2 LTS
Docker version 20.10.2, build 20.10.2-0ubuntu1~20.04.2
Traefik version 2.4.9

OVH VPS with ufw enabled, allowing traffic in on both port 80 and 443, for ip v4 and v6.
My own subdomain "traefik.mindstorms.be" has a dns record that points to the vps machine.

I had a website running in docker swarm, that was available before I started messing with traefik.
So the machine and dns A record are ok I guess.

Followed the post here, to get started with traefik as reverse proxy to do ssl termination before my docker swarm website:

Config below ...

I commented out the part where the https redirect should happen, to try and reach the ui, with no success.

Also: I'm using the staging url to test, so as not to run into some errors about too many connections or something; I read about those somewhere.

traefik.toml file:

[log]
  level = "DEBUG"

[entryPoints]
  [entryPoints.web]
    address = ":80"
#    [entryPoints.web.http.redirections.entryPoint]
#      to = "websecure"
#      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  insecure = true

[certificatesResolvers.lets-encrypt.acme]
  email = "xxxx"
  storage = "acme.json"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]
  [certificatesResolvers.lets-encrypt.acme.httpChallenge]

[providers.docker]
  watch = true
  network = "web"
  endpoint = "unix:///var/run/docker.sock"
  swarmmode = true
  exposedByDefault = false

[providers.file]
  filename = "traefik_dynamic.toml"

traefik_dynamic.toml file:

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "admin:$xxxxx."
  ]

[http.routers.api]
  rule = "Host(`traefik.mindstorms.be`)"
  entrypoints = ["websecure"]
  middlewares = ["simpleAuth"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"

acme.json file contents (with key removed, not sure that is needed) after starting the container (was empty before):

{
  "lets-encrypt": {
    "Account": {
      "Email": "xxxxx",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:xxxxxx"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/20083160"
      },
      "PrivateKey": "xxxxxxxxxx",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

output of docker log:

time="2021-06-29T13:07:08Z" level=debug msg="Try to challenge certificate for domain [traefik.mindstorms.be] found in HostSNI rule" rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme routerName=api@file
time="2021-06-29T13:07:08Z" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.mindstorms.be\"]..." routerName=api@file rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme
time="2021-06-29T13:07:08Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.mindstorms.be\"]." providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:15Z" level=debug msg="Configuration received from provider tlsalpn.acme: {\"http\":{},\"tls\":{}}" providerName=tlsalpn.acme
time="2021-06-29T13:07:15Z" level=debug msg="Adding certificate for domain(s) acme challenge temp,traefik.mindstorms.be"
time="2021-06-29T13:07:15Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:16Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77994103"
time="2021-06-29T13:07:16Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77994103"
time="2021-06-29T13:07:16Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-06-29T13:07:16Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareType=TracingForwarder middlewareName=tracing
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
time="2021-06-29T13:07:16Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2021-06-29T13:07:16Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-06-29T13:07:16Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal entryPointName=traefik
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:16Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=websecure routerName=api@file middlewareName=tracing middlewareType=TracingForwarder
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" middlewareType=BasicAuth entryPointName=websecure routerName=api@file middlewareName=simpleAuth@file
time="2021-06-29T13:07:16Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=api@file middlewareName=simpleAuth@file
time="2021-06-29T13:07:16Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:16Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:16Z" level=debug msg="TLS Challenge CleanUp temp certificate for traefik.mindstorms.be" providerName=tlsalpn.acme
time="2021-06-29T13:07:16Z" level=debug msg="Configuration received from provider tlsalpn.acme: {\"http\":{},\"tls\":{}}" providerName=tlsalpn.acme
time="2021-06-29T13:07:16Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77994116"
time="2021-06-29T13:07:16Z" level=debug msg="Adding route for traefik.mindstorms.be with TLS options default" entryPointName=websecure
time="2021-06-29T13:07:16Z" level=debug msg="Try to challenge certificate for domain [traefik.mindstorms.be] found in HostSNI rule" providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:16Z" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.mindstorms.be\"]..." rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme routerName=api@file
time="2021-06-29T13:07:16Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.mindstorms.be\"]." providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:16Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77994116"
time="2021-06-29T13:07:16Z" level=error msg="Unable to obtain ACME certificate for domains \"traefik.mindstorms.be\": unable to generate a certificate for the domains [traefik.mindstorms.be]: error: one or more domains had a problem:\n[traefik.mindstorms.be] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)\n" providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:17Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-06-29T13:07:17Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
time="2021-06-29T13:07:17Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-06-29T13:07:17Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-06-29T13:07:17Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
time="2021-06-29T13:07:17Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=api@file
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" routerName=api@file middlewareName=simpleAuth@file middlewareType=BasicAuth entryPointName=websecure
time="2021-06-29T13:07:17Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=api@file middlewareName=simpleAuth@file
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:17Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:17Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:17Z" level=debug msg="Configuration received from provider tlsalpn.acme: {\"http\":{},\"tls\":{}}" providerName=tlsalpn.acme
time="2021-06-29T13:07:18Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:18Z" level=debug msg="Adding route for traefik.mindstorms.be with TLS options default" entryPointName=websecure
time="2021-06-29T13:07:18Z" level=debug msg="Try to challenge certificate for domain [traefik.mindstorms.be] found in HostSNI rule" routerName=api@file rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme
time="2021-06-29T13:07:18Z" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.mindstorms.be\"]..." providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:18Z" level=debug msg="Domains [\"traefik.mindstorms.be\"] need ACME certificates generation for domains \"traefik.mindstorms.be\"." providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:18Z" level=debug msg="Loading ACME certificates [traefik.mindstorms.be]..." providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
time="2021-06-29T13:07:18Z" level=debug msg="legolog: [INFO] [traefik.mindstorms.be] acme: Obtaining bundled SAN certificate"
time="2021-06-29T13:07:18Z" level=debug msg="legolog: [INFO] [traefik.mindstorms.be] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/77994293"
time="2021-06-29T13:07:18Z" level=debug msg="legolog: [INFO] [traefik.mindstorms.be] acme: use tls-alpn-01 solver"
time="2021-06-29T13:07:18Z" level=debug msg="legolog: [INFO] [traefik.mindstorms.be] acme: Trying to solve TLS-ALPN-01"
time="2021-06-29T13:07:18Z" level=debug msg="TLS Challenge Present temp certificate for traefik.mindstorms.be" providerName=tlsalpn.acme
time="2021-06-29T13:07:19Z" level=debug msg="Configuration received from provider tlsalpn.acme: {\"http\":{},\"tls\":{}}" providerName=tlsalpn.acme
time="2021-06-29T13:07:19Z" level=debug msg="Adding certificate for domain(s) acme challenge temp,traefik.mindstorms.be"
time="2021-06-29T13:07:19Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:20Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-06-29T13:07:20Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareType=TracingForwarder middlewareName=tracing
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2021-06-29T13:07:20Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
time="2021-06-29T13:07:20Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-06-29T13:07:20Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal entryPointName=traefik
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-06-29T13:07:20Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=api@file
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" routerName=api@file entryPointName=websecure middlewareName=simpleAuth@file middlewareType=BasicAuth
time="2021-06-29T13:07:20Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=api@file middlewareName=simpleAuth@file
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:20Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:20Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:21Z" level=debug msg="Adding route for traefik.mindstorms.be with TLS options default" entryPointName=websecure
 providerName=lets-encrypt.acme
time="2021-06-29T13:07:21Z" level=debug msg="Try to challenge certificate for domain [traefik.mindstorms.be] found in HostSNI rule" routerName=api@file rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme
time="2021-06-29T13:07:21Z" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.mindstorms.be\"]..." rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme routerName=api@file
time="2021-06-29T13:07:21Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.mindstorms.be\"]." routerName=api@file rule="Host(`traefik.mindstorms.be`)" providerName=lets-encrypt.acme
time="2021-06-29T13:07:22Z" level=debug msg="Adding certificate for domain(s) acme challenge temp,traefik.mindstorms.be"
time="2021-06-29T13:07:22Z" level=debug msg="No default certificate, generating one"
time="2021-06-29T13:07:23Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal
time="2021-06-29T13:07:23Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2021-06-29T13:07:23Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-06-29T13:07:23Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2021-06-29T13:07:23Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:23Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing entryPointName=websecure routerName=api@file middlewareType=TracingForwarder
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=api@file middlewareType=BasicAuth middlewareName=simpleAuth@file
time="2021-06-29T13:07:23Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=api@file middlewareName=simpleAuth@file
time="2021-06-29T13:07:23Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-06-29T13:07:23Z" level=debug msg="No default certificate, generating one"

docker container "traefik" is running
9703086bdd2e traefik "/entrypoint.sh trae…" 2 hours ago Up 19 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp traefik

docker network "web" exists
aaac8fddab9a web bridge local

and the traefik container is connected to it; when I inspect the network I can see the traefik container in there:

[
    {
        "Name": "web",
        "Id": "aaac8fddab9a028cc47b0e3fa6b4045e1a5e2edd07ba558da465322382a1d31d",
        "Created": "2021-06-28T11:20:46.195142686Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.21.0.0/16",
                    "Gateway": "172.21.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": { 
            "9703086bdd2e6fa90a9d44ec6cdffe52b9952f03b4acc2a1a7d27ddea0c1fada": {
                "Name": "traefik",
                "EndpointID": "ab788e5c45acb4028c07b50619397425988b2d6872fa163bddd6b234402f8f89",
                "MacAddress": "02:42:ac:15:00:03",
                "IPv4Address": "172.21.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

If I surf to the url traefik.mindstorms.be to see the UI, I get this message:

Your connection is not private
Attackers might be trying to steal your information from traefik.mindstorms.be (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT

Issuer: TRAEFIK DEFAULT CERT

Expires on: Jun 29, 2022

Current date: Jun 29, 2021

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIRAMOTTJhc/rSN+416C/m1S9IwDQYJKoZIhvcNAQELBQAw
xxxxxx
NV3+zF4q5jz96Qr16k1YWNcWikVEMZW1TbhTtE2bt+N5PbMTLabjvZDbSEJT1oKq
7t0=
-----END CERTIFICATE-----

Any tips or advice is welcome ... I would like to get tls termination on traefik working before the website running in swarm.

Thanks !
Ken.
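A small log-triage helper, added here as an example (it is not part of the post above and not Traefik's own code), that pulls the chosen ACME solver and the CA's error out of Traefik debug lines like the ones posted and reports which port the CA's validation servers had to reach. The two sample log lines are constructed to mirror the post; the port mapping follows RFC 8555 (http-01) and RFC 8737 (tls-alpn-01).

```python
"""Triage Traefik/lego ACME log lines: which challenge ran, what the CA said."""
import re

# Inbound port a CA must reach for each challenge type; dns-01 needs none.
# tls-alpn-01 expects a TLS handshake on 443 that negotiates ALPN "acme-tls/1".
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}

# Raw strings: Traefik writes nested quotes in msg="..." as \" and newlines as \n.
SOLVER_RE = re.compile(r'acme: use (?P<solver>[a-z0-9-]+) solver')
ERROR_RE = re.compile(
    r'acme: error: (?P<status>\d{3}) :: '
    r'(?P<type>urn:ietf:params:acme:error:[A-Za-z]+) :: (?P<detail>[^"\\]+)')
DOMAIN_RE = re.compile(r'Unable to obtain ACME certificate for domains \\"(?P<domain>[^"\\]+)\\"')

# Constructed sample lines modelled on the post (same format, same error text).
SAMPLE_LOG = r'''
time="2021-06-29T13:07:18Z" level=debug msg="legolog: [INFO] [traefik.mindstorms.be] acme: use tls-alpn-01 solver"
time="2021-06-29T13:07:16Z" level=error msg="Unable to obtain ACME certificate for domains \"traefik.mindstorms.be\": unable to generate a certificate for the domains [traefik.mindstorms.be]: error: one or more domains had a problem:\n[traefik.mindstorms.be] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem)\n" providerName=lets-encrypt.acme routerName=api@file rule="Host(`traefik.mindstorms.be`)"
'''


def triage(log_text):
    """Scan log lines and return solver, required port, CA error and a hint."""
    result = {"solver": None, "port": None, "status": None, "type": None,
              "detail": None, "domain": None, "hint": None}
    for line in log_text.splitlines():
        m = SOLVER_RE.search(line)
        if m:
            result["solver"] = m.group("solver")
            result["port"] = CHALLENGE_PORT.get(result["solver"])
        m = ERROR_RE.search(line)
        if m:
            result["status"] = int(m.group("status"))
            result["type"] = m.group("type")
            result["detail"] = m.group("detail").strip()
        m = DOMAIN_RE.search(line)
        if m:
            result["domain"] = m.group("domain")

    # urn:ietf:params:acme:error:connection means the CA never got a usable
    # TCP connection: look at DNS (every A/AAAA record), the host firewall and
    # the container's published port before touching the Traefik config.
    if result["type"] and result["type"].endswith(":connection") and result["port"]:
        result["hint"] = (
            f"CA could not connect to TCP {result['port']} on the host that "
            f"{result['domain']} resolves to (solver {result['solver']}); verify "
            "each address published in DNS, the firewall and the published port")
    elif result["type"]:
        result["hint"] = f"CA rejected the order with {result['type']}"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:7}: {value}")
```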