Hello, I am having trouble configuring Traefik to handle HTTPS requests correctly.
I have a domain registered with an Italian provider (register.it) but hosted on a German provider (Hetzner). I have added an A record and a CNAME record that point to the IP that Hetzner gave me, and everything worked fine while I was handling only HTTP requests: mydomain.com was correctly going to the hosting on Hetzner. The problems arose when I added the HTTPS section to my deploy.yml file:
```yaml
servers:
  web:
    hosts:
      - 90.10.10.32
    options:
      network: "private"
    labels:
      traefik.http.routers.mydomain-app.entrypoints: websecure
      traefik.http.routers.mydomain-app.tls: true
      traefik.http.routers.mydomain-app.tls.certresolver: letsencrypt
      traefik.http.routers.mydomain-app.rule: "Host(`mydomain.com`) || Host(`www.mydomain.com`)"

traefik:
  options:
    network: "private"
    publish:
      - "443:443"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  # Traefik static configuration, passed as command-line arguments
  args:
    entryPoints.web.address: ":80"
    entryPoints.websecure.address: ":443"
    entryPoints.web.http.redirections.entryPoint.to: websecure
    entryPoints.web.http.redirections.entryPoint.scheme: https
    entryPoints.web.http.redirections.entrypoint.permanent: true
    entrypoints.websecure.http.tls: true
    certificatesResolvers.letsencrypt.acme.email: "ciao@mydomain.com"
    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesResolvers.letsencrypt.acme.httpchallenge: true
    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web
```
The file /letsencrypt/acme.json contains the certificate; it has 600 permissions and belongs to the traefik user, which is also the docker user.
After I deployed these changes, the website is redirected to two domains that have nothing to do with my IP on Hetzner.
The Traefik logs say:
```
2024-10-03T14:22:44.805370895Z time="2024-10-03T14:22:44Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234"
2024-10-03T14:22:45.143178303Z time="2024-10-03T14:22:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345"
2024-10-03T14:22:45.333602433Z time="2024-10-03T14:22:45Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com,www.mydomain.com\": unable to generate a certificate for the domains [mydomain.com www.mydomain.com]: error: one or more domains had a problem:\n[mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 15.197.148.33: Fetching http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: Error getting validation data\n[www.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 3.33.130.190: Fetching http://www.mydomain.com/.well-known/acme-challenge/9N_LbAuEtBDzqm0JqZSYJj5qRmRpGcVW5hYRfy8j4gc: Error getting validation data\n" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=mydomain-app@docker rule="Host(`mydomain.com`) || Host(`www.mydomain.com`)"
```
The (redacted) content of the URL https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345 is:
```json
{
  "identifier": { "type": "dns", "value": "mydomain.com" },
  "status": "invalid",
  "expires": "2024-10-10T14:22:34Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12345/000",
      "status": "invalid",
      "validated": "2024-10-03T14:22:34Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "15.197.148.33: Fetching http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: Error getting validation data",
        "status": 400
      },
      "token": "LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU",
      "validationRecord": [
        {
          "url": "http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU",
          "hostname": "mydomain.com",
          "port": "80",
          "addressesResolved": [ "15.197.148.33", "3.33.130.190" ],
          "addressUsed": "15.197.148.33"
        }
      ]
    }
  ]
}
```
The IP 3.33.130.190 is an Amazon server (AWS Global Accelerator); the same applies to 15.197.148.33.
What I think is happening is that Let's Encrypt is trying to get the certificate from register.it instead of from Hetzner.
I have read about DNS challenges on the Let's Encrypt website, but it looks a bit complicated. It also says:
"Since automation of issuance and renewals is really important, it only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates."
And no, my provider does not offer an API to automate updates.
Is it possible to solve this issue using the HTTP challenge? If yes, how?
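Added example, not part of the original post and not Traefik's or Kamal's own code. With HTTP-01 (RFC 8555, section 8.3) the CA resolves the name itself and fetches the token over port 80 from whatever addresses the public DNS returns, so the validationRecord in an authorization object tells you which host the CA actually contacted. The script below reads an authorization object of the shape quoted above and the ACME error line from the Traefik log, and reports whether the resolved addresses are the host Traefik listens on. It assumes the origin is 90.10.10.32 from the deploy.yml; the authorization and log line are constructed copies of the ones in the post, and live_dns_check needs network access and is not needed for the offline part.

```python
"""Check whether an ACME HTTP-01 authorization can reach the host Traefik runs on."""
import re
import socket
from dataclasses import dataclass

# Address Traefik listens on (assumption: the host from the post's deploy.yml).
EXPECTED_ORIGIN = {"90.10.10.32"}

# Authorization object as the CA returns it (constructed from the post, redacted domain).
AUTHZ = {
    "identifier": {"type": "dns", "value": "mydomain.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "token": "LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU",
        "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
                  "detail": "15.197.148.33: Fetching http://mydomain.com/.well-known/"
                            "acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: "
                            "Error getting validation data"},
        "validationRecord": [{
            "hostname": "mydomain.com", "port": "80",
            "addressesResolved": ["15.197.148.33", "3.33.130.190"],
            "addressUsed": "15.197.148.33",
        }],
    }],
}

# The error line from the Traefik log (constructed copy; the "\n" inside the
# quoted message is a literal backslash-n, which is how logrus writes it).
TRAEFIK_LOG_LINE = r'2024-10-03T14:22:45.333602433Z time="2024-10-03T14:22:45Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com,www.mydomain.com\": unable to generate a certificate for the domains [mydomain.com www.mydomain.com]: error: one or more domains had a problem:\n[mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 15.197.148.33: Fetching http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: Error getting validation data\n[www.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 3.33.130.190: Fetching http://www.mydomain.com/.well-known/acme-challenge/9N_LbAuEtBDzqm0JqZSYJj5qRmRpGcVW5hYRfy8j4gc: Error getting validation data\n" providerName=letsencrypt.acme'


@dataclass
class Http01Report:
    hostname: str
    challenge_url: str   # what the CA tried to fetch
    resolved: list       # every address the CA got from DNS
    address_used: str    # the one it actually connected to
    unexpected: list     # resolved addresses that are not our origin
    ok: bool
    reason: str


def diagnose_http01(authz: dict, expected_origin: set) -> Http01Report:
    """Explain, from the CA's own validation record, why HTTP-01 did or did not succeed."""
    host = authz["identifier"]["value"]
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    url = f"http://{host}/.well-known/acme-challenge/{chal['token']}"
    records = chal.get("validationRecord") or []
    resolved = [a for r in records for a in r.get("addressesResolved", [])]
    used = records[-1].get("addressUsed", "") if records else ""
    unexpected = sorted(a for a in resolved if a not in expected_origin)

    if chal["status"] == "valid":
        return Http01Report(host, url, resolved, used, unexpected, True, "validated")
    if not resolved:
        reason = f"CA could not resolve {host}: check that A/AAAA records exist"
    elif unexpected:
        # The CA talked to someone else: Traefik never saw the request, so no
        # amount of Traefik configuration can make this authorization succeed.
        reason = (f"{host} resolves to {', '.join(unexpected)}, not to the origin "
                  f"{', '.join(sorted(expected_origin))}; the CA fetched the token from "
                  f"the wrong host")
    else:
        detail = chal.get("error", {}).get("detail", "no detail")
        reason = (f"DNS points at the origin but the fetch failed: {detail} "
                  f"(is port 80 published and reachable on {used}?)")
    return Http01Report(host, url, resolved, used, unexpected, False, reason)


# One per-domain failure inside Traefik's "one or more domains had a problem" message.
ACME_ERROR_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: (?P<type>\S+) :: "
    r"(?P<ip>[0-9a-fA-F.:]+): Fetching (?P<url>\S+): (?P<detail>[^\\\"]+)"
)


def parse_traefik_acme_errors(line: str) -> list:
    """Return domain, status, error type, the IP the CA used and the detail for each domain."""
    return [m.groupdict() for m in ACME_ERROR_RE.finditer(line)]


def live_dns_check(host: str, expected_origin: set) -> set:
    """Resolve host from here (needs network); non-empty result means HTTP-01 cannot reach Traefik."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}
    return addrs - expected_origin


if __name__ == "__main__":
    report = diagnose_http01(AUTHZ, EXPECTED_ORIGIN)
    print(f"{report.hostname}: ok={report.ok}\n  {report.reason}")
    for err in parse_traefik_acme_errors(TRAEFIK_LOG_LINE):
        print(f"  log: {err['domain']} fetched via {err['ip']} -> {err['type']}")
```

Run it as-is to see the diagnosis for the data quoted in the post; to check a real domain before retrying, call live_dns_check with the domain and the Traefik host's address and expect an empty set. Because the CA connects to the published A/AAAA records, the HTTP-01 fix (if any) is on the DNS side, not in the certresolver settings, and the validation record is the place that shows it.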