Unable to obtain ACME certificate for domains error unable to generate a certificate for the domains

Hello

Been trying to set up Traefik for a while now. Followed many tutorials and retried many times, but I'm not able to generate a certificate.

This is the error I'm getting (I changed the domain):

2024-05-02T12:05:09Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.win *.mydomain.win]: error: one or more domains had a problem:\n[*.mydomain.win] [*.mydomain.win] acme: error presenting token: cloudflare: could not find zone for domain \"mydomain.win\": [fqdn=_acme-challenge.mydomain.win.] could not find the start of authority for '_acme-challenge.mydomain.win.': DNS call error: read udp 172.24.0.2:48204->1.1.1.1:53: i/o timeout [ns=1.1.1.1:53, question='win. IN  SOA']\nDNS call error: read udp 172.24.0.2:39169->1.0.0.1:53: i/o timeout [ns=1.0.0.1:53, question='win. IN  SOA']\n[mydomain.win] [mydomain.win] acme: error presenting token: cloudflare: could not find zone for domain \"mydomain.win\": [fqdn=_acme-challenge.mydomain.win.] could not find the start of authority for '_acme-challenge.mydomain.win.': DNS call error: read udp 172.24.0.2:53757->1.1.1.1:53: i/o timeout [ns=1.1.1.1:53, question='win. IN  SOA']\nDNS call error: read udp 172.24.0.2:57771->1.0.0.1:53: i/o timeout [ns=1.0.0.1:53, question='win. IN  SOA']\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.win","*.mydomain.win"] providerName=cloudflare.acme routerName=traefik-secure@docker rule=Host(`traefik-dashboard.mydomain.win`)

My docker compose file:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy: null
    ports:
      - 80:80
      - 443:443
      - 888:8080
    environment:
      - CF_DNS_API_TOKEN=*****************
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/stijn/container_configs/traefik/traefik.yml:/traefik.yml:ro
      - /home/stijn/container_configs/traefik/acme.json:/acme.json
      - /home/stijn/container_configs/traefik/config.yml:/config.yml:ro
      - /home/stijn/container_data/traefik/logs:/var/log/traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.rule=Host(`traefik-dashboard.mydomain.win`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=****:*************
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.mydomain.win`)
      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
      - traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.win
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.win
      - traefik.http.routers.traefik-secure.service=api@internal

My traefik.yml config

api:
  insecure: true
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: mycloudflareemail@gmail.com #add your email
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        #delayBeforeCheck: 45s 
        provider: cloudflare
        #disablePropagationCheck: true

        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Cloudflare settings:

I tried deleting the resolvers, disabling the propagation check, and adding delayBeforeCheck.
The output changed a little bit to:

2024-05-05T09:14:35Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.win *.mydomain.win]: error: one or more domains had a problem:\n[*.mydomain.win] [*.mydomain.win] acme: error presenting token: cloudflare: failed to find zone win.: zone could not be found\n[mydomain.win] [mydomain.win] acme: error presenting token: cloudflare: failed to find zone win.: zone could not be found\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["mydomain.win","*.mydomain.win"] providerName=cloudflare.acme routerName=traefik-secure@docker rule=Host(`traefik-dashboard.mydomain.win`)

Some commands from the Ubuntu server running Traefik:

me@ubuntuserver:~$ dig +short traefik-dashboard.mydomain.win 8.8.8.8
192.186.1.81
me@ubuntuserver:~$ dig +short _acme-challenge.mydomain.win 192.168.1.81
172.67.140.167
104.21.65.48
me@ubuntuserver:~$ dig +short _acme-challenge.mydomain.win 8.8.8.8
172.67.140.167
104.21.65.48
me@ubuntuserver:~$ dig SOA traefik-dashboard.mydomain.win 8.8.8.8
(empty)

Can anyone help? Been driving me crazy. Lost so much time with this already.
Kind regards
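The first error above comes from the step before the TXT record is even written: the DNS provider walks up from `_acme-challenge.mydomain.win.` asking each parent for an SOA record until one answers, and only then asks the Cloudflare API for that zone. The script below is an added diagnostic, not part of this thread or of Traefik, that reproduces a simplified version of that walk-up (assumed to match the provider's behaviour) against a resolver of your choice, so you can see from inside the container whether the SOA lookup times out, lands on `mydomain.win.` as expected, or overshoots to the registry zone `win.`, which is what the second error message reports.

```python
"""Reproduce the SOA walk-up that precedes DNS-01 token presentation (diagnostic, added example)."""
import subprocess
from typing import Callable, Optional

# Zones at which an SOA answer means the walk overshot our zone (constructed, not a full suffix list).
PUBLIC_SUFFIXES = {"win", "org", "com", "net"}


def find_zone(fqdn: str, has_soa: Callable[[str], bool]) -> Optional[str]:
    """Return the first name, walking from fqdn towards the root, whose SOA query is answered.

    Simplified reimplementation of the provider's zone discovery (assumption); never queries the root.
    """
    labels = (fqdn.rstrip(".") + ".").split(".")      # trailing "" stands for the root
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if has_soa(candidate):
            return candidate
    return None


def diagnose(fqdn: str, has_soa: Callable[[str], bool]) -> str:
    """Classify the walk-up result the way the two error messages in the thread do."""
    try:
        zone = find_zone(fqdn, has_soa)
    except TimeoutError as exc:                        # matches "DNS call error: ... i/o timeout"
        return f"resolver unreachable while looking up SOA: {exc}"
    if zone is None:
        return "no SOA found at any level"
    if zone.rstrip(".") in PUBLIC_SUFFIXES:           # matches "failed to find zone win."
        return f"walk reached registry zone {zone}: the zone's own SOA was not returned"
    return f"zone {zone}"


def dig_has_soa(resolver: str, timeout: float = 5.0) -> Callable[[str], bool]:
    """Build a checker around the local dig binary; +short prints only answer-section records."""
    def check(name: str) -> bool:
        try:
            out = subprocess.run(["dig", "+short", "SOA", name, f"@{resolver}"],
                                 capture_output=True, text=True, timeout=timeout, check=False)
        except subprocess.TimeoutExpired as exc:
            raise TimeoutError(f"{resolver} did not answer for {name}") from exc
        return bool(out.stdout.strip())
    return check


if __name__ == "__main__":
    # Run inside the Traefik container's network namespace to test the same path it uses.
    print(diagnose("_acme-challenge.mydomain.win", dig_has_soa("1.1.1.1")))
```

If the result is `zone mydomain.win.` from the host but not from inside the container, the problem is the container's outbound UDP/53 path rather than the zone itself.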

Maybe try to set the domains centrally on the entrypoint (doc):

entryPoints:
  websecure:
    address: ':443'
    http:
      tls:
        options: foobar
        certResolver: leresolver
        domains:
          - main: example.com
            sans:
              - *.example.com

Thank you for your reply @bluepuma77
I must admit that Traefik is new to me, and the docs are not easy to read. I'm altering my config without knowing what I'm changing exactly.

I changed my traefik.yml config to:

api:
  insecure: true
  dashboard: true
  debug: true
entryPoints:
  websecure:
    address: ':443'
    http:
      tls:
#        options: foobar  # Uncomment if you have specific TLS options
        certResolver: cloudflare
        domains:
          - main: mydomain.win
            sans:
              - *.mydomain.win
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@gmail.com #add your email
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        delayBeforeCheck: 45s 
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.

#        resolvers:
          #- "1.1.1.1:53"
          #- "1.0.0.1:53"

Now I'm getting this error:
2024-05-05T20:17:20Z ERR Command error | error=command traefik error: yaml: line 15: did not find expected alphabetic or numeric character

Line 15 is the one with: - *.mydomain.win

Sorry, try to wrap it as string:

entryPoints:
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: mydomain.win
            sans:
              - "*.mydomain.win"

Note that you should probably enable an entrypoint on port 80 when you have regular users/browsers visiting; they might try http first. You can then use a global redirect to https.

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

That fixed the previous error, but alas it didn't seem to do much for the original error. I'm still getting that error, along with some new ones about entrypoints:

2024-05-06T21:28:30Z ERR No valid entryPoint for this router routerName=traefik-secure@docker
2024-05-06T21:28:30Z ERR EntryPoint doesn't exist entryPointName=https routerName=traefik-secure@docker
2024-05-06T21:28:37Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.win *.mydomain.win]: error: one or more domains had a problem:\n[*.mydomain.win] [*.mydomain.win] acme: error presenting token: cloudflare: failed to find zone win.: zone could not be found\n[mydomain.win] [mydomain.win] acme: error presenting token: cloudflare: failed to find zone win.: zone could not be found\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["mydomain.win","*.mydomain.win"] providerName=cloudflare.acme routerName=traefik-secure@docker rule=Host(`traefik-dashboard.mydomain.win`)

A couple of weeks ago, I managed to generate a successful certificate with a duckdns domain. So that rules out any firewall issues, I think.

The Cloudflare API is also correct:

me@ubuntuserver:~$ curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify"    -H "Authorization: Bearer XXXX"      -H "Content-Type:application/json"
[{"code":10000,"message":"This API Token is valid and active","type":null}]}

It seems to be something with the domain name. It had a .win extension. This was the cheapest domain available.
Although this domain was ordered via Cloudflare, I 'fixed' the error by buying a .org domain name via Cloudflare.
All settings are, as far as I can see, identical.
Cost me so much time. Thanks Cloudflare..
