Unable to obtain ACME certificate for domains - credentials are missing

Using Cloudflare as DNS provider and Let's Encrypt for certificates. Seems like the Traefik container doesn't see the CF_DNS_API_TOKEN environment variable, even though docker inspect does show it. Would appreciate it if anyone could help me out, I've been stumped for the past hour or so trying to get this all working >.>

Error message:

level=error msg="Unable to obtain ACME certificate for domains \"test-traefik\": cannot get ACME client cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN" routerName=websecure-entrypoints@docker rule="Host(`test-traefik`)" providerName=le.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
level=error msg="Unable to obtain ACME certificate for domains \"test-traefik\": cannot get ACME client cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme routerName=websecure-entrypoints@docker rule="Host(`test-traefik`)"

I'm also getting these errors on startup, but I'm not sure they're related:

level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
level=error msg="Error while starting server: accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
level=error msg="Error while starting server: accept tcp [::]:80: use of closed network connection" entryPointName=web
level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=websecure
level=info  msg="Configuration loaded from file: /etc/traefik/traefik.yml"
level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
level=error msg="Error while starting server: accept tcp [::]:443: use of closed network connection" entryPointName=websecure
level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=web
level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik


Here are the files I'm using:

docker-compose.yml

version: '3'

services:
  traefik:
    container_name: traefik
    image: traefik:latest
    ports:
      - "80:80"
      - "443:443"
      - "8888:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/acme.json
    environment:
      - CF_DNS_API_TOKEN=redacted # had secret, returned to basic env var for debugging
    restart: always

traefik.yml (static configuration)

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: false

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ':443'
    http:
      tls:
        certResolver: le
        domains:
          - main: "*.redacted.com"
            sans: "redacted.com"

certificatesResolvers:
  le:
    acme:
      email: "redacted"
      storage: "acme.json"
      dnsChallenge:
        provider: cloudflare
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory

What does that mean? You place the plaintext token there?

CLOUDFLARE_DNS_API_TOKEN should be enough according to doc.

You need to use a real domain registered with Cloudflare, not a local test domain.

Note that usually main is the domain and sans is the wildcard.

is sometimes shown during Traefik shutdown.

What does that mean? You place the plaintext token there? CLOUDFLARE_DNS_API_TOKEN should be enough according to doc.

Yes, I pasted the token where it now says redacted. That's why I'm confused as to why it's not picking the env var up, using docker inspect I can confirm that it is really there. I've also tried email+api, which is a (less secure) alternative the doc suggests, but it gives the exact same error response.

docker inspect traefik | grep CF yields:

"CF_ZONE_API_TOKEN=\"yTRnE...\"",

(please note I added the ellipsis where the token actually continues for a while, totaling 40 characters.)

You need to use a real domain registered with Cloudflare, not a local test domain.

I'm using a domain which uses CF's DNS, and have been using ACME DNS challenges with nginx for years without issues on the same domain.

Note that usually main is the domain and sans is the wildcard.

Through some digging I read somewhere that swapping these two made something easier, but I cannot remember. I've swapped them around again.

Try using it like this:

without any of the quotes:

Changing CF_DNS_API_TOKEN to CF_ZONE_API_TOKEN worked, feeling really stupid for missing that...

Thanks for helping me out though! Appreciate it :smiley:
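A preflight check for the two things this thread turned on (a variable name the cloudflare provider does not read, and a token value that still carries its YAML quotes), written as an added example that is not from the thread or from Traefik; it assumes the CF_/CLOUDFLARE_ variable names Traefik's cloudflare dnsChallenge provider (lego) documents, and the token values are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread or from Traefik: preflight the Cloudflare
# credential variables that Traefik's ACME dnsChallenge (lego) reads.
# Feed it KEY=VALUE lines, e.g.:
#   docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' traefik | check_cf_env
# Exit status 0 = usable credentials found, 1 = missing or malformed.
check_cf_env() {
  dns_token=""; email=""; api_key=""; quoted=0
  while IFS= read -r line; do
    key=${line%%=*}
    val=${line#*=}
    case "$key" in
      CF_*|CLOUDFLARE_*) ;;
      *) continue ;;          # unrelated container env, ignore
    esac
    # A value that kept its YAML quotes goes to Cloudflare verbatim, quotes included.
    case "$val" in
      \"*|*\"|\'*|*\') echo "WARN: $key value contains literal quote characters"; quoted=1 ;;
    esac
    case "$key" in
      CF_DNS_API_TOKEN|CLOUDFLARE_DNS_API_TOKEN) dns_token=$val ;;
      CF_API_EMAIL|CLOUDFLARE_EMAIL)            email=$val ;;
      CF_API_KEY|CLOUDFLARE_API_KEY)            api_key=$val ;;
      CF_ZONE_API_TOKEN|CLOUDFLARE_ZONE_API_TOKEN)
        echo "INFO: $key only scopes zone lookups; it does not replace CF_DNS_API_TOKEN" ;;
      *) echo "WARN: $key is not a variable the cloudflare provider reads" ;;
    esac
  done
  if [ -z "$dns_token" ] && { [ -z "$email" ] || [ -z "$api_key" ]; }; then
    echo "FAIL: set CF_DNS_API_TOKEN (preferred) or CF_API_EMAIL + CF_API_KEY"
    return 1
  fi
  [ "$quoted" -eq 0 ] || return 1
  echo "OK: cloudflare credentials present"
}

# Constructed sample env listings (placeholder tokens, not real credentials).
# SAMPLE_BAD mirrors the shape of the `docker inspect` line quoted in the thread.
SAMPLE_BAD='CF_ZONE_API_TOKEN="PLACEHOLDER_TOKEN"
PATH=/usr/local/sbin:/usr/local/bin'
SAMPLE_GOOD='CF_DNS_API_TOKEN=PLACEHOLDER_TOKEN'

# Named wrappers so each case can be run on its own.
check_sample_bad()  { printf '%s\n' "$SAMPLE_BAD"  | check_cf_env; }
check_sample_good() { printf '%s\n' "$SAMPLE_GOOD" | check_cf_env; }
```

Run it against the live container before reaching for the staging CA logs; the quote warning is what the `CF_ZONE_API_TOKEN=\"yTRnE...\"` inspect output above would have triggered.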
