Unable to generate a certificate for the domains. Domain provider and hosting provider are different

Hello, I am having trouble configuring traefik to handle https requests correctly.
I have a domain registered with an Italian provider (register.it), but hosted on a German provider (Hetzner). I have added an A record and a CNAME record that point to the IP that Hetzner has given to me, and everything worked fine when I was handling only http requests. mydomain.com was correctly going to the hosting on Hetzner. The problems arose when I added the https section to my deploy.yml file:

servers:
  web:
    hosts:
      - 90.10.10.32
    options:
      network: "private"
    labels:
      traefik.http.routers.mydomain-app.entrypoints: websecure
      traefik.http.routers.mydomain-app.tls: true
      traefik.http.routers.mydomain-app.tls.certresolver: letsencrypt
      traefik.http.routers.mydomain-app.rule: "Host(`mydomain.com`) || Host(`www.mydomain.com`)"


traefik:
  options:
    network: "private"
    publish:
      - "443:443"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  args:
    entryPoints.web.address: ":80"
    entryPoints.websecure.address: ":443"
    entryPoints.web.http.redirections.entryPoint.to: websecure
    entryPoints.web.http.redirections.entryPoint.scheme: https
    entryPoints.web.http.redirections.entrypoint.permanent: true
    entrypoints.websecure.http.tls: true
    certificatesResolvers.letsencrypt.acme.email: "ciao@mydomain.com"
    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesResolvers.letsencrypt.acme.httpchallenge: true
    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web

The file /letsencrypt/acme.json contains the certificate; it has 600 permissions and belongs to the traefik user, which is also the docker user.

After I deployed these changes, the website is redirected to two domains that have nothing to do with my IP on Hetzner.com.

The traefik logs say:

2024-10-03T14:22:44.805370895Z time="2024-10-03T14:22:44Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234"
2024-10-03T14:22:45.143178303Z time="2024-10-03T14:22:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345"
2024-10-03T14:22:45.333602433Z time="2024-10-03T14:22:45Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com,www.mydomain.com\": unable to generate a certificate for the domains [mydomain.com www.mydomain.com]: error: one or more domains had a problem:\n[mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 15.197.148.33: Fetching http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: Error getting validation data\n[www.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 3.33.130.190: Fetching http://www.mydomain.com/.well-known/acme-challenge/9N_LbAuEtBDzqm0JqZSYJj5qRmRpGcVW5hYRfy8j4gc: Error getting validation data\n" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=mydomain-app@docker rule="Host(`mydomain.com`) || Host(`www.mydomain.com`)"

The (redacted) content of the URL https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345 is:

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "invalid",
  "expires": "2024-10-10T14:22:34Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12345/000",
      "status": "invalid",
      "validated": "2024-10-03T14:22:34Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "15.197.148.33: Fetching http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU: Error getting validation data",
        "status": 400
      },
      "token": "LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU",
      "validationRecord": [
        {
          "url": "http://mydomain.com/.well-known/acme-challenge/LDn9ef_pVAUJ-bPVSzf-eU5mUe_Xf9t4L0lr4WHebkU",
          "hostname": "mydomain.com",
          "port": "80",
          "addressesResolved": [
            "15.197.148.33",
            "3.33.130.190"
          ],
          "addressUsed": "15.197.148.33"
        }
      ]
    }
  ]
}

The IP 3.33.130.190 is an Amazon server (3.33.130.190 - IP Info - AWS Global Accelerator). The same applies to 15.197.148.33.

What I think is happening is that Let's Encrypt is trying to get the certificate from register, instead of getting it from Hetzner.

I have read about DNS challenges on the Let's Encrypt website, but it looks a bit complicated. Also, it says there:
"Since automation of issuance and renewals is really important, it only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates."
And no, my provider does not provide an API to automate updates.

Is it possible to solve this issue using the http challenge? If yes, how?

Also, as far as I understand, I should be able to use the http challenge even if the hosting and domain providers are different. If port 80 is open for http, traefik should provide the certificate under http://mydomain.com/.well-known/acme-challenge/.

Port 80 for my IP address is open; I have just tested it with NMAP:

PORT STATE SERVICE
80/tcp open http

When you use httpChallenge, you need to enable port 80, open the Docker ports and create an entrypoint.

If you simply change it to tlsChallenge, it might just work.

Not sure what your deploy.yml is for, check simple Traefik example.

Thanks for your reply @bluepuma77, very much appreciated. My deploy.yml file is for kamal, the new deploy tool for Ruby on Rails. It basically has two parts related to traefik, the main one and some options for the server. The main one is:

traefik:
  options:
    network: "private"
    publish:
      - "443:443"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  args:
    entryPoints.web.address: ":80"
    entryPoints.web.http.redirections.entryPoint.to: websecure
    entryPoints.web.http.redirections.entryPoint.scheme: https
    entryPoints.websecure.address: ":443"
    entryPoints.web.http.redirections.entrypoint.permanent: true
    certificatesResolvers.letsencrypt.acme.email: "info@mydomain.com"
    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesResolvers.letsencrypt.acme.tlschallenge: true

The publish value is like the port value in your example. I do not need to open port 80 here, as it is already open in rails; I can test it with ncat. The args part is really similar to your example:

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json

This option, - --providers.docker.network=proxy, is a bit different because it is specified in another part (and also, my network is called private):

  options:
    network: "private"

In the server part there are the labels:

      traefik.http.routers.mywebsite-app.rule: "Host(`mywebsite.com`)"
      traefik.http.routers.mywebsite-app.entrypoints: websecure
      traefik.http.routers.mywebsite-app.tls: true
      traefik.http.routers.mywebsite-app.tls.certresolver: letsencrypt

The syntax is very similar.

Now, I have switched to tlsChallenge, but the problem persists. In the traefik logs I read:

2024-10-04T13:23:07.627219897Z time="2024-10-04T13:23:07Z" level=debug msg="Building ACME client..." providerName=letsencrypt.acme
2024-10-04T13:23:07.627222453Z time="2024-10-04T13:23:07Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
2024-10-04T13:23:08.175924303Z time="2024-10-04T13:23:08Z" level=debug msg="Using TLS Challenge provider." providerName=letsencrypt.acme
2024-10-04T13:23:08.175958318Z time="2024-10-04T13:23:08Z" level=debug msg="legolog: [INFO] [vclights.com] acme: Obtaining bundled SAN certificate"
2024-10-04T13:23:08.873018315Z time="2024-10-04T13:23:08Z" level=debug msg="legolog: [INFO] [vclights.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11111111"
2024-10-04T13:23:08.873047280Z time="2024-10-04T13:23:08Z" level=debug msg="legolog: [INFO] [vclights.com] acme: use tls-alpn-01 solver"
2024-10-04T13:23:08.873050506Z time="2024-10-04T13:23:08Z" level=debug msg="legolog: [INFO] [vclights.com] acme: Trying to solve TLS-ALPN-01"

The URL https://acme-v02.api.letsencrypt.org/acme/authz-v3/11111111 has been redacted, but the content is:

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "invalid",
  "expires": "2024-10-11T13:23:08Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/22222222/mhKjiQ",
      "status": "invalid",
      "validated": "2024-10-04T13:23:09Z",
      "error": {
        "type": "urn:ietf:params:acme:error:tls",
        "detail": "3.33.130.190: remote error: tls: no application protocol",
        "status": 400
      },
      "token": "3333333333",
      "validationRecord": [
        {
          "hostname": "mydomain.com",
          "port": "443",
          "addressesResolved": [
            "3.33.130.190",
            "15.197.148.33"
          ],
          "addressUsed": "3.33.130.190"
        }
      ]
    }
  ]
}

Those IPs ("3.33.130.190" and "15.197.148.33") are Amazon ISP IPs.
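The two authorization objects quoted above carry the diagnosis in their validationRecord: the CA resolved the name to addresses that are not the Hetzner host, so neither http-01 nor tls-alpn-01 can reach Traefik. The following added example (not code from the thread, Traefik or Kamal) parses an ACME authorization object of that shape and reports whether the CA validated against the expected server address; the sample authz is constructed to mirror the tls-alpn-01 one above, and 90.10.10.32 is the host IP from the poster's deploy.yml.

```python
import json

# Constructed sample: an ACME authorization object shaped like the one
# quoted in the thread (identifier, status, challenges[].error,
# challenges[].validationRecord[]). Values mirror the thread's redacted output.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "mydomain.com"},
    "status": "invalid",
    "challenges": [{
        "type": "tls-alpn-01",
        "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:tls",
                  "detail": "3.33.130.190: remote error: tls: no application protocol",
                  "status": 400},
        "validationRecord": [{
            "hostname": "mydomain.com", "port": "443",
            "addressesResolved": ["3.33.130.190", "15.197.148.33"],
            "addressUsed": "3.33.130.190"}],
    }],
})


def diagnose_authz(authz_json: str, expected_ips: set[str]) -> dict:
    """Check whether the CA validated against the host we actually control.

    expected_ips is the set of public addresses of the Traefik host.
    'wrong_target' becomes True when the CA connected to an address outside
    that set: DNS (or a registrar-side redirect) is sending validation
    elsewhere, and no challenge type served by Traefik can succeed until the
    A/CNAME records resolve to the Traefik host.
    """
    authz = json.loads(authz_json)
    result = {"domain": authz["identifier"]["value"],
              "status": authz.get("status"),
              "challenges": [], "wrong_target": False, "unexpected_ips": set()}
    for ch in authz.get("challenges", []):
        records = ch.get("validationRecord", [])
        used = {r["addressUsed"] for r in records if r.get("addressUsed")}
        resolved = {ip for r in records for ip in r.get("addressesResolved", [])}
        err = ch.get("error") or {}
        result["challenges"].append({
            "type": ch.get("type"), "status": ch.get("status"),
            "error_type": err.get("type"), "address_used": sorted(used)})
        result["unexpected_ips"] |= resolved - expected_ips  # stray resolutions
        if used and not used <= expected_ips:  # CA talked to someone else
            result["wrong_target"] = True
    return result
```

Run it against the authz URL printed in the Traefik debug log before touching the challenge type; if unexpected_ips is non-empty, the fix is in DNS, not in Traefik.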

Your domain for the TLS cert needs to point to Traefik. Traefik will request a new cert from LetsEncrypt and LE will connect to your server domain to verify ownership by loading a special file, that Traefik has to provide.

Hello @bluepuma77 , thanks for your support. Just to say that it worked finally, there were some troubles with DNS caching, but after flushing the cache it worked.
