Unable to generate certificate

After the previous certificate expired, my Traefik instance for some reason could not obtain new certificates, which was strange because everything had been working before and I had not changed the configuration.

  • Error:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [local.librepo.nl *.local.librepo.nl]: error: one or more domains had a problem:\n[*.local.librepo.nl] propagation: time limit exceeded: last error: NS ns5.dynu.com. did not return the expected TXT record [fqdn: _acme-challenge.local.librepo.nl., value: examplevalue: \n[local.librepo.nl] propagation: time limit exceeded: last error: NS ns4.dynu.com. did not return the expected TXT record [fqdn: _acme-challenge.local.librepo.nl., value: examplevalue: \n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["local.librepo.nl","*.local.librepo.nl"] providerName=dynu.acme routerName=traefik-secure@docker rule=Host(`traefik.local.librepo.nl`)
  • Basic information:
  • Version: v3.0
  • Dockerized
  • docker-compose:
# NOTE(review): the Compose Specification marks `version` as obsolete and
# current Docker Compose ignores it; harmless to keep for older tooling.
version: "3.8"

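services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    # Quoted so YAML keeps "host:container" as strings instead of trying to
    # type them. Only 80/443 are published: the `sftp` entrypoint (:2022)
    # declared in traefik.yml is not, so it is reachable only from containers
    # on the `proxy` network unless it is published somewhere else.
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Used by lego's dynu provider for the DNS-01 challenge. The key can
      # rewrite every record in the Dynu account, so treat .env (and
      # acme.json, which holds the issued private keys) as secrets.
      DYNU_API_KEY: ${DYNU_API_KEY}
      # htpasswd line for the dashboard. If the hash lives in .env, keep it
      # single-quoted there (or write `$$`) so Compose does not interpolate
      # the `$` segments of the hash -- TODO confirm against the .env file.
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
      # DYNU_PROPAGATION_TIMEOUT: ${DYNU_PROPAGATION_TIMEOUT}
    # NOTE(review): env_file copies *every* variable in .env into the
    # container. The two keys above are already interpolated by Compose, so
    # this is only needed for additional lego settings (the DYNU_* timeouts);
    # keep .env limited to what Traefik actually needs.
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # `:ro` only affects the socket file node; the Docker API behind it is
      # still fully usable (start containers, mount host paths), which is
      # root-equivalent on the host. A read-only socket proxy limits this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker_data/traefik/data/traefik.yml:/traefik.yml:ro
      # ACME account key plus certificates/private keys. Traefik expects the
      # file to exist with mode 600 (touch + chmod 600 before first start).
      - /srv/docker_data/traefik/data/acme.json:/acme.json
      - /srv/docker_data/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      # http -> https redirect for the dashboard host. traefik.yml already
      # redirects the whole `http` entrypoint, so this router is redundant
      # but harmless.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.librepo.nl`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # `sslheader` is declared but not attached to either router below.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.local.librepo.nl`)"
      # Basic auth is the only gate on the dashboard/API. The `secured` chain
      # in config.yml (LAN allow-list + headers) is defined but never used;
      # `traefik-auth,secured@file` here would restrict it to the LAN ranges.
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dynu"
      # - "traefik.http.routers.traefik-secure.tls.domains[0].main=librepo.nl"
      # - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.librepo.nl"
      # main + wildcard of the same label both validate at
      # _acme-challenge.local.librepo.nl, so two TXT values must be present
      # there at the same time during the challenge (the failing log shows
      # both checks against ns4/ns5.dynu.com). Verify mid-run with
      # `dig TXT _acme-challenge.local.librepo.nl @ns4.dynu.com`.
      - "traefik.http.routers.traefik-secure.tls.domains[1].main=local.librepo.nl"
      - "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.local.librepo.nl"
      - "traefik.http.routers.traefik-secure.service=api@internal"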

networks:
  # Shared reverse-proxy network. `external` means it must already exist
  # (docker network create proxy); Compose neither creates nor removes it.
  proxy: {external: true}
  • config.yml:
http:
  #region routers 
  routers:
    # Every router here terminates TLS on the `https` entrypoint with a
    # certificate from the `dynu` resolver and forwards to the LAN backend of
    # the same name under `services`. Requests already arrive over https, so
    # `https-redirectscheme` has nothing left to redirect on these routers.
    pve:
      service: pve
      rule: "Host(`pve.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}

    portainer:
      service: portainer
      rule: "Host(`portainer.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}

    # portainer_edge_agent:
    #   service: portainer_edge_agent
    #   rule: "Host(`portainer.local.librepo.nl`)"
    #   entryPoints: ["edge_agent"]
    #   middlewares: [default-headers, https-redirectscheme]
    #   tls: {certResolver: dynu}

    pihole:
      service: pihole
      rule: "Host(`pihole.local.librepo.nl`)"
      entryPoints: ["https"]
      # Applied in this order: a URL ending in "/admin/" is redirected with
      # that tail collapsed to "/", then "/admin" is prefixed onto the path
      # before the request reaches pi-hole.
      middlewares:
        - redirectregex-pihole
        - default-headers
        - addprefix-pihole
        - https-redirectscheme
      tls: {certResolver: dynu}

    pterodactyl:
      service: pterodactyl
      rule: "Host(`pterodactyl.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}

    pterodactyl-node-01:
      service: pterodactyl-node-01
      rule: "Host(`pterodactyl-node-01.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}

    # habitica-client:
    #   service: habitica-client
    #   rule: "Host(`habitica.local.librepo.nl`)"
    #   entryPoints: ["https"]
    #   middlewares: []
    #   tls: {certResolver: dynu}

    nginx:
      service: nginx
      rule: "Host(`nginx.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}

    registry-01:
      service: registry-01
      rule: "Host(`registry-01.local.librepo.nl`)"
      entryPoints: ["https"]
      middlewares: [default-headers, https-redirectscheme]
      tls: {certResolver: dynu}
    
    # truenas:
    #   entryPoints:
    #     - "https"
    #   rule: "Host(`truenas.local.librepo.nl`)"
    #   middlewares:
    #     - default-headers
    #     - https-redirectscheme
    #   tls: {}
    #   service: truenas

    # opnsense:
    #   entryPoints:
    #     - "https"
    #   rule: "Host(`opnsense.local.librepo.nl`)"
    #   middlewares:
    #     - default-headers
    #     - https-redirectscheme
    #   tls: {}
    #   service: opnsense

#endregion
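  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    addprefix-pihole:
      addPrefix:
        prefix: "/admin"
    redirectregex-pihole:
      redirectRegex:
        regex: /admin/$
        replacement: /

    # Attached to every active router in this file.
    default-headers:
      headers:
        frameDeny: true
        # Emits X-XSS-Protection "1; mode=block". Current browsers ignore
        # it and OWASP now advises against enabling it; kept for parity.
        browserXssFilter: true
        contentTypeNosniff: true
        # HSTS for 180 days. `stsIncludeSubdomains` pins every subdomain of
        # the Host to https, and `stsPreload` only matters once the
        # registrable domain (librepo.nl) is submitted to the preload list,
        # which is hard to undo. Keep only if that is intended.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        # Tells backends the client connection was TLS.
        customRequestHeaders:
          X-Forwarded-Proto: https

    # Not referenced by any router in this file.
    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    # Traefik v3 name for the former `ipWhiteList` middleware (the old name
    # still loads in v3.0 but is deprecated). Referenced only via `secured`.
    default-whitelist:
      ipAllowList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          # NOTE(review): these three /16s cover 172.16-172.18 only; the full
          # RFC 1918 block is 172.16.0.0/12. Left as-is in case that is intended.
          - "172.16.0.0/16"
          - "172.17.0.0/16"
          - "172.18.0.0/16"

    # LAN allow-list + hardening headers in one chain. Defined but not
    # attached to any router in this file nor to the dashboard router in the
    # compose labels; `secured@file` on the dashboard would be the obvious use.
    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers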

#endregion
#region services
  services:
    # Backends addressed by LAN IP. Traefik terminates TLS for clients; the
    # hop to each backend is whatever scheme is given in `url`.
    # `passHostHeader: true` forwards the original Host (the public name)
    # rather than the backend IP.
    pve:
      loadBalancer:
        servers:
          # https backend -- presumably a self-signed Proxmox certificate,
          # which is what the global insecureSkipVerify in traefik.yml
          # exists for. A per-service serversTransport with the backend's
          # CA in rootCAs would be the tighter option.
          - url: "https://192.168.1.232:8006"
        passHostHeader: true

    portainer:
      loadBalancer:
        servers:
          # https backend; same verification caveat as pve.
          - url: "https://192.168.1.195:9443"
        passHostHeader: true

    # portainer_edge_agent:
    #   loadBalancer:
    #     servers:
    #       - url: "http://192.168.1.195:8000"
    #     passHostHeader: true

    pihole:
      loadBalancer:
        servers:
          # Plain http on the LAN between Traefik and the backend.
          - url: "http://192.168.1.200:1010"
        passHostHeader: true

    pterodactyl:
      loadBalancer:
        servers:
          - url: "http://192.168.1.195:80"
        passHostHeader: true
    
    pterodactyl-node-01:
      loadBalancer:
        servers:
          # NOTE(review): http:// scheme on port 443 -- TODO confirm the
          # node really serves plaintext there; if it serves TLS this must
          # be https:// or the connection will fail.
          - url: "http://192.168.1.136:443"
        passHostHeader: true

    # habitica-client:
    #  loadBalancer:
    #    servers:
    #      - url: "http://192.168.1.136:80"
    #    passHostHeader: true

    nginx:
      loadBalancer:
        servers:
          - url: "http://192.168.1.200:8080"
        passHostHeader: true

    registry-01:
      loadBalancer:
        servers:
          # Plain-http registry; clients still get TLS from Traefik, and
          # pushes go to this backend unauthenticated unless the registry
          # itself enforces auth.
          - url: "http://192.168.1.231:5000"
        passHostHeader: true

    

    # truenas:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.104"
    #     passHostHeader: true
    
    # opnsense:
    #   loadBalancer:
    #     servers:
    #       - url: "https://192.168.0.109"
    #     passHostHeader: true


tcp:
  # Raw TCP passthrough (presumably the Pterodactyl node's SFTP). No TLS is
  # terminated here, so `HostSNI(`*`)`, which Traefik requires for non-TLS
  # TCP routers, sends everything on the `sftp` entrypoint to the node.
  # The compose file on this page publishes only 80/443, so :2022 is not
  # reachable from the host unless published elsewhere.
  routers:
    ptero-n01-sftp:
      service: ptero-n01-sftp
      rule: "HostSNI(`*`)"
      entryPoints: ["sftp"]

  services:
    ptero-n01-sftp:
      loadBalancer:
        servers: [{address: "192.168.1.136:2022"}]
  • traefik.yml:
# `dashboard: true` serves the dashboard/API on the special `api@internal`
# service; it is only reachable through a router that targets it (here the
# basicauth-protected `traefik-secure` router in the compose labels).
api:
  dashboard: true
  # Additionally exposes the /debug/ endpoints (runtime internals) on
  # api@internal. Useful while troubleshooting ACME; switch off afterwards.
  debug: true
entryPoints:
  # Plain HTTP: every request is answered with a redirect to the `https`
  # entrypoint, so no individual router needs its own redirect middleware.
  http:
    address: ':80'
    http:
      redirections:
        entryPoint: {to: https, scheme: https}
  https:
    address: ':443'
  # Raw TCP listener for the SFTP passthrough in config.yml. It is not in
  # the compose `ports:` list, so the host does not expose it.
  sftp:
    address: ':2022/tcp'
  # edge_agent:
  #   address: ':8000/tcp'
# NOTE(review): this disables certificate verification for *every* backend
# Traefik connects to (here pve and portainer, which are proxied over
# https), so a spoofed backend on the LAN would go unnoticed. Preferable:
# leave this false and declare a named serversTransport in config.yml with
# the backends' CA in `rootCAs` (or with `insecureSkipVerify` scoped to
# just those two services).
serversTransport:
  insecureSkipVerify: true
providers:
  # Containers opt in with `traefik.enable=true`. The socket gives Traefik
  # read access to every container's labels and, through the API, far more
  # than that; a socket-proxy `tcp://` endpoint can replace it here.
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
  # Static routers/middlewares/services; the file provider watches it for
  # changes by default.
  file:
    filename: '/config.yml'
certificatesResolvers:
  dynu:
    acme:
      # Presumably redacted: Let's Encrypt rejects example.com contacts, and
      # the log shows the order getting as far as the DNS challenge.
      email: email@example.com
      # Account key plus all issued private keys; must be mode 600.
      storage: acme.json
      # NOTE(review): while retrying a failing DNS challenge over and over
      # (the thread mentions ~20 stack recreations) use the staging CA --
      # production applies a failed-validation rate limit per account and
      # hostname, which makes "still failing" ambiguous.
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      # DNS-01 via lego's dynu provider, authenticated by DYNU_API_KEY from
      # the container environment. The error shows the propagation check is
      # made directly against the zone's authoritative servers
      # (ns4/ns5.dynu.com), so `delayBeforeCheck` only helps if Dynu itself
      # is slow to publish. With main + wildcard of the same name, two TXT
      # records must coexist at _acme-challenge.local.librepo.nl during the
      # run; confirm both appear in the Dynu panel (or with dig against
      # ns4.dynu.com) while Traefik is waiting.
      dnsChallenge:
        provider: dynu
        # disablePropagationCheck: true

There seems to be no currently open issue in the go-acme/lego library (which Traefik uses for the Dynu provider), but there is a note that Dynu's API/server is not very stable.

Maybe Dynu's server was just too slow to respond, and it will work if you try again?

I have recreated the stack about 20 times and tried different values and parameters in traefik.yml, such as:

# disablePropagationCheck: true
# delayBeforeCheck: 60

and the same issue still persists.

I'm really stuck right now so if you have any idea of how to fix it then please let me know.

Have you tried a different ACME client, such as acme.sh? Certbot does not seem to support this DNS provider.

I'm sorry, but could you clarify what acme.sh is? I'm using Traefik's stock ACME configuration, and I'm not using Certbot.

Those are both standalone ACME clients for obtaining Let's Encrypt TLS certificates. I wanted to know whether you have tested another client and whether it works with Dynu.