Unable to generate certificate

After the previous certificate's validity period ran out, my instance of Traefik for some reason couldn't generate new certificates, which was strange since everything was working well previously and I hadn't changed the configs.

  • Error:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [local.librepo.nl *.local.librepo.nl]: error: one or more domains had a problem:\n[*.local.librepo.nl] propagation: time limit exceeded: last error: NS ns5.dynu.com. did not return the expected TXT record [fqdn: _acme-challenge.local.librepo.nl., value: examplevalue: \n[local.librepo.nl] propagation: time limit exceeded: last error: NS ns4.dynu.com. did not return the expected TXT record [fqdn: _acme-challenge.local.librepo.nl., value: examplevalue: \n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["local.librepo.nl","*.local.librepo.nl"] providerName=dynu.acme routerName=traefik-secure@docker rule=Host(`traefik.local.librepo.nl`)
  • Basic information:
  • Version: v3.0
  • Dockerized
  • docker-compose:
version: "3.8"

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      DYNU_API_KEY: ${DYNU_API_KEY}
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
      # DYNU_PROPAGATION_TIMEOUT: ${DYNU_PROPAGATION_TIMEOUT}
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker_data/traefik/data/traefik.yml:/traefik.yml:ro
      - /srv/docker_data/traefik/data/acme.json:/acme.json
      - /srv/docker_data/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.librepo.nl`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.local.librepo.nl`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dynu"
      # - "traefik.http.routers.traefik-secure.tls.domains[0].main=librepo.nl"
      # - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.librepo.nl"
      - "traefik.http.routers.traefik-secure.tls.domains[1].main=local.librepo.nl"
      - "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.local.librepo.nl"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
  • config.yml:
http:
  #region routers 
  routers:
    pve:
      entryPoints:
        - "https"
      rule: "Host(`pve.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: pve
      
    portainer:
      entryPoints:
        - "https"
      rule: "Host(`portainer.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: portainer

    # portainer_edge_agent:
    #   entryPoints:
    #     - "edge_agent"
    #   rule: "Host(`portainer.local.librepo.nl`)"
    #   middlewares:
    #     - default-headers
    #     - https-redirectscheme
    #   tls:
    #     certResolver: dynu
    #   service: portainer_edge_agent

    pihole:
      entryPoints:
        - "https"
      rule: "Host(`pihole.local.librepo.nl`)"
      middlewares:
        - redirectregex-pihole
        - default-headers
        - addprefix-pihole
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: pihole

    pterodactyl:
      entryPoints:
        - "https"
      rule: "Host(`pterodactyl.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: pterodactyl

    pterodactyl-node-01:
      entryPoints:
        - "https"
      rule: "Host(`pterodactyl-node-01.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: pterodactyl-node-01

    # habitica-client:
    #  entryPoints:
    #    - "https"
    #  rule: "Host(`habitica.local.librepo.nl`)"
    #  middlewares:
    #  tls:
    #    certResolver: dynu
    #  service: habitica-client

    nginx:
      entryPoints:
        - "https"
      rule: "Host(`nginx.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: nginx
    
    registry-01:
      entryPoints:
        - "https"
      rule: "Host(`registry-01.local.librepo.nl`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls:
        certResolver: dynu
      service: registry-01
    
    # truenas:
    #   entryPoints:
    #     - "https"
    #   rule: "Host(`truenas.local.librepo.nl`)"
    #   middlewares:
    #     - default-headers
    #     - https-redirectscheme
    #   tls: {}
    #   service: truenas

    # opnsense:
    #   entryPoints:
    #     - "https"
    #   rule: "Host(`opnsense.local.librepo.nl`)"
    #   middlewares:
    #     - default-headers
    #     - https-redirectscheme
    #   tls: {}
    #   service: opnsense

#endregion
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    addprefix-pihole:
      addPrefix:
        prefix: "/admin"
    redirectregex-pihole:
      redirectRegex:
        regex: /admin/$
        replacement: /

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/16"
        - "172.17.0.0/16"
        - "172.18.0.0/16"

    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

#endregion
#region services
  services:
    pve:
      loadBalancer:
        servers:
          - url: "https://192.168.1.232:8006"
        passHostHeader: true

    portainer:
      loadBalancer:
        servers:
          - url: "https://192.168.1.195:9443"
        passHostHeader: true

    # portainer_edge_agent:
    #   loadBalancer:
    #     servers:
    #       - url: "http://192.168.1.195:8000"
    #     passHostHeader: true

    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.1.200:1010"
        passHostHeader: true

    pterodactyl:
      loadBalancer:
        servers:
          - url: "http://192.168.1.195:80"
        passHostHeader: true
    
    pterodactyl-node-01:
      loadBalancer:
        servers:
          - url: "http://192.168.1.136:443"
        passHostHeader: true

    # habitica-client:
    #  loadBalancer:
    #    servers:
    #      - url: "http://192.168.1.136:80"
    #    passHostHeader: true

    nginx:
      loadBalancer:
        servers:
          - url: "http://192.168.1.200:8080"
        passHostHeader: true

    registry-01:
      loadBalancer:
        servers:
          - url: "http://192.168.1.231:5000"
        passHostHeader: true

    

    # truenas:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.104"
    #     passHostHeader: true
    
    # opnsense:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.109"
    #     passHostHeader: true


tcp:   
  #region routers
  routers:
    ptero-n01-sftp:
      entryPoints:
        - "sftp"
      rule: "HostSNI(`*`)"
      service: ptero-n01-sftp
  
  services:
    ptero-n01-sftp:
      loadBalancer:
        servers:
          - address: "192.168.1.136:2022"
  • traefik.yml:
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
  sftp:
    address: ":2022/tcp"
  # edge_agent:
  #   address: ":8000/tcp"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  dynu:
    acme:
      email: email@example.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: dynu
        # disablePropagationCheck: true

It seems there is no current open issue in the go-acme lego library that is used, but it mentions that their API/server is not very stable.

Maybe the server response was just too slow and it works when you try again?

I have tried recreating the stack again and again for like 20 times, tried to set different values and parameters for the traefik.yml file like:

# disablePropagationCheck: true
# delayBeforeCheck: 60

and still the same issue persists.

I'm really stuck right now so if you have any idea of how to fix it then please let me know.

Have you tried a different library like acme.sh? Certbot seems to have no support for the provider.

I'm sorry, but can you clarify what acme.sh is? I'm using the stock configuration for Traefik and I'm not using Certbot.

Those are both tools to generate LetsEncrypt TLS certs. I wanted to know if you have tested another and if they work with dynu.

I haven't tested them yet, so if you can show me how to set them up I would appreciate it.

Any new updates on the matter?

Okay, so I figured it out. Apparently, I had two separate DNS records on Dynu, one for local.example.com and one for example.com. I intended the local.example.com wildcard to point to my local IP address so that I wouldn't need to use a DNS server when accessing it at home. However, for some reason Traefik or LetsEncrypt was confusing the two records: instead of creating the acme challenges in the local.example.com records, it was creating them in the example.com record, but then when verifying the acme challenges it was reading from the local.example.com record, which confuses the software.

Solution: Delete the local.example.com record and only recreate it after it had successfully got the certificate.
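The diagnosis above and the "propagation: time limit exceeded ... did not return the expected TXT record" error at the top of the thread are the same failure seen from two sides: the DNS API client writes the _acme-challenge TXT record into one zone, while the authoritative nameservers answer the query from the most specific zone that covers the name. The following is an added, simplified model of that interaction written for this thread; it is not code from Traefik, lego or Dynu, and lego's real pre-check (SOA lookups to find the zone, then TXT queries against the zone's nameservers) is more involved. Zone names, the nameserver names taken from the error message, and the record value are constructed; the zone chosen for the write is passed in explicitly because the page does not say how the provider's API picks it.

```python
"""Model of the DNS-01 propagation check and the parent/child zone mix-up
described in this thread. Constructed example, not Traefik/lego/Dynu code."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    nameservers: tuple
    txt: dict = field(default_factory=dict)  # owner fqdn -> set of TXT values


def _norm(name):
    return name.rstrip(".").lower()


def most_specific_zone(zones, fqdn):
    """Return the zone whose name is the longest suffix of fqdn, or None.
    This is how an authoritative server decides which zone answers a query."""
    fqdn = _norm(fqdn)
    best = None
    for z in zones:
        zn = _norm(z.name)
        if fqdn == zn or fqdn.endswith("." + zn):
            if best is None or len(zn) > len(_norm(best.name)):
                best = z
    return best


def present_challenge(zones, zone_name, fqdn, value):
    """Write the challenge TXT record into the zone the API client selected."""
    zone = next(z for z in zones if _norm(z.name) == _norm(zone_name))
    zone.txt.setdefault(_norm(fqdn), set()).add(value)
    return zone.name


def authoritative_txt(zones, ns, fqdn):
    """Answer a TXT query as nameserver `ns` would: from the most specific
    zone it serves, so a record written to the parent zone is invisible when
    a child zone exists."""
    served = [z for z in zones if ns in z.nameservers]
    zone = most_specific_zone(served, fqdn)
    if zone is None:
        return set()
    return zone.txt.get(_norm(fqdn), set())


def propagation_check(zones, fqdn, value):
    """Ask every nameserver of the zone serving fqdn for the TXT value before
    the CA is told to validate. Returns (ok, errors) with the thread's wording."""
    zone = most_specific_zone(zones, fqdn)
    errors = []
    for ns in zone.nameservers:
        if value not in authoritative_txt(zones, ns, fqdn):
            errors.append(f"NS {ns}. did not return the expected TXT record "
                          f"[fqdn: {_norm(fqdn)}., value: {value}]")
    return (not errors, errors)


def reproduce_thread():
    """Two zones on the same provider, as in the final post of the thread."""
    ns = ("ns4.dynu.com", "ns5.dynu.com")  # nameservers named in the error
    parent = Zone("example.com", ns)
    child = Zone("local.example.com", ns)
    zones = [parent, child]
    fqdn = "_acme-challenge.local.example.com"
    token = "examplevalue"  # constructed, stands in for the ACME key digest

    # 1. Record written to the parent zone, nameservers answer from the child:
    #    the pre-check times out with "did not return the expected TXT record".
    present_challenge(zones, "example.com", fqdn, token)
    broken_ok, broken_errors = propagation_check(zones, fqdn, token)

    # 2. The poster's workaround: with the child zone deleted, the parent zone
    #    is the one serving the name and the record becomes visible.
    workaround_ok, _ = propagation_check([parent], fqdn, token)

    # 3. The condition for a durable fix: the record lands in the zone that
    #    actually serves the name, so both zones can stay.
    parent.txt.clear()
    present_challenge(zones, "local.example.com", fqdn, token)
    fixed_ok, _ = propagation_check(zones, fqdn, token)
    return broken_ok, workaround_ok, fixed_ok, broken_errors


if __name__ == "__main__":
    ok_broken, ok_workaround, ok_fixed, errs = reproduce_thread()
    print("parent-zone write:", ok_broken, errs)
    print("child zone deleted:", ok_workaround)
    print("child-zone write:", ok_fixed)
```

To see what the pre-check sees against a real setup, query the provider's nameserver directly while Traefik is mid-challenge, for example `dig @ns4.dynu.com TXT _acme-challenge.local.librepo.nl`; an empty answer from the authoritative server, with the record visible in the provider's web UI under the parent domain, is the signature of this zone mix-up rather than of slow propagation, which is why raising delayBeforeCheck did not help.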

That sounds only like a temporary solution, as LetsEncrypt certs expire after 3 months and need to be re-validated and re-generated.
