"Unable to obtain ACME certificate for domains" with cookiecutter-django and porkbun

Hello,

I am deploying a django app using the dockerized cookiecutter-django template. The docker configuration for traefik and all the configuration files are available at the github repository: GitHub - pydanny/cookiecutter-django: Cookiecutter Django is a framework for jumpstarting production-ready Django projects quickly.

I am using DigitalOcean as host and porkbun as registrar, with an A DNS record mapping the root domain to the DigitalOcean droplet's IP. However, when I go to the application's domain in the browser, I encounter a security warning with the following error:

```
NET::ERR_CERT_AUTHORITY_INVALID

Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
Expires on: Jul 19, 2022
Current date: Jul 19, 2021
```

According to the cookiecutter-django documentation, HTTPS should be on by default (Deployment with Docker — Cookiecutter Django 2021.28.2 documentation). I wonder whether this is related to the fact that porkbun provides its own SSL certificate which might not be detected by traefik.

The porkbun website shows the following information regarding the SSL certificate for my domain:

```
Issuer: R3
Created On: Fri, 16 Jul 2021 14:14
Expires On: Thu, 14 Oct 2021 14:14
```

Finally, the logs of the traefik docker container show the following:

```
traefik_1 | time="2021-07-19T08:41:29Z" level=error msg="Unable to obtain ACME certificate for domains \"my-domain.io,www.my-domain.io\": unable to generate a certificate for the domains [my-domain.io www.my-domain.io]: error: one or more domains had a problem:\n[my-domain.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://my-domain.io/.well-known/acme-challenge/some-random-token [44.227.65.245]: \"<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body>\\r\\n<center><h1>404 Not Found</h1></center>\\r\\n<hr><center>openresty</cente\", url: \n[www.my-domain.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://my-domain.io/ [44.227.65.245]: \"\\n<!DOCTYPE html>\\n<html lang=\\\"en\\\">\\n <head>\\n\\n<!-- Global site tag (gtag.js) - Google Analytics -->\\n<script async src=\\\"https://www\", url: \n" rule="Host(my-domain.io) || Host(www.my-domain.io)" providerName=letsencrypt.acme routerName=web-secure-router@file
```

If I tell my browser to make an exception and ignore the security warning, the web application functions correctly. What am I doing wrong?

Thank you in advance. Best,
Martí
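An added example, not part of this thread or of cookiecutter-django: a small Python script that pulls the per-domain failures out of a Traefik ACME error line like the one above and reports which address answered the validation request and whether the final URL still carried the `/.well-known/acme-challenge/` path. It reuses the log line from the post (HTML bodies shortened) as constructed input, and assumes a droplet address of 203.0.113.10, a documentation-range placeholder rather than any real server.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed input: the Traefik error line from the post above with the
# long HTML bodies shortened. "\n" and "\"" are literal logfmt escapes.
SAMPLE_LOG = (
    r'time="2021-07-19T08:41:29Z" level=error msg="Unable to obtain ACME certificate for domains '
    r'\"my-domain.io,www.my-domain.io\": unable to generate a certificate for the domains '
    r'[my-domain.io www.my-domain.io]: error: one or more domains had a problem:\n'
    r'[my-domain.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Invalid response from https://my-domain.io/.well-known/acme-challenge/some-random-token '
    r'[44.227.65.245]: \"<html>\r\n<head><title>404 Not Found</title></head>\", url: \n'
    r'[www.my-domain.io] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    r'Invalid response from https://my-domain.io/ [44.227.65.245]: \"\n<!DOCTYPE html>\", url: \n'
    r'" rule="Host(my-domain.io) || Host(www.my-domain.io)" providerName=letsencrypt.acme '
    r'routerName=web-secure-router@file'
)


@dataclass(frozen=True)
class ChallengeFailure:
    domain: str        # identifier the CA was validating
    status: int        # HTTP status reported in the ACME error
    error_type: str    # urn:ietf:params:acme:error:<type>
    url: str           # final URL the validator fetched (after any redirects)
    responder_ip: str  # address that answered the validation request


# One match per "[domain] acme: error: ..." fragment inside the msg field.
FAILURE_RE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d+) :: "
    r"(?P<type>urn:ietf:params:acme:error:\w+) :: "
    r"Invalid response from (?P<url>\S+) \[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def parse_acme_failures(log_line: str) -> List[ChallengeFailure]:
    """Extract every per-domain HTTP-01 failure reported in one Traefik log line."""
    return [
        ChallengeFailure(m["domain"], int(m["status"]), m["type"], m["url"], m["ip"])
        for m in FAILURE_RE.finditer(log_line)
    ]


def diagnose(failures: Iterable[ChallengeFailure],
             expected_ips: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (domain, code, detail) findings.

    expected_ips are the addresses the A/AAAA records should resolve to
    (here the droplet's public IP). HTTP-01 can only succeed if the
    validator's request reaches a host that serves Traefik's token.
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    findings: List[Tuple[str, str, str]] = []
    for f in failures:
        responder = ipaddress.ip_address(f.responder_ip)
        if responder not in expected:
            findings.append((f.domain, "unexpected_responder",
                             f"validation request was answered by {responder}, not by "
                             f"{sorted(map(str, expected))}; check the DNS record and any "
                             f"registrar-side URL forwarding for this name"))
        if "/.well-known/acme-challenge/" not in f.url:
            findings.append((f.domain, "challenge_path_dropped",
                             f"final URL {f.url} no longer carries the challenge path, "
                             f"so a redirect discarded the token request"))
    return findings


if __name__ == "__main__":
    # Assumed droplet address (documentation range), not the poster's real IP.
    for domain, code, detail in diagnose(parse_acme_failures(SAMPLE_LOG), ["203.0.113.10"]):
        print(f"{domain}: {code}: {detail}")
```

The two findings worth acting on are which IP answered (compare it with what `dig +short` returns for the name and with the server you actually control) and whether the validator's final URL still ends in the token path; a redirect that lands on `/` can never satisfy HTTP-01 regardless of which host serves it.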

Hello @martibosch,

Can you provide your traefik configuration? It does not appear that your letsencrypt configuration is working properly.

Hello @daniel.tomcej, thank you for your response.

My traefik configuration is as follows:

```yaml
log:
  level: INFO

entryPoints:
  web:
    # http
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure

  web-secure:
    # https
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "marti.bosch@epfl.ch"
      storage: /etc/traefik/acme/acme.json
      # https://docs.traefik.io/master/https/acme/#httpchallenge
      httpChallenge:
        entryPoint: web

http:
  routers:
    web-secure-router:
      rule: "Host(`my-domain.io`) || Host(`www.my-domain.io`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt

  middlewares:
    csrf:
      headers:
        hostsProxyHeaders: ["X-CSRFToken"]

  services:
    django:
      loadBalancer:
        servers:
          - url: http://django:5000

providers:
  # https://docs.traefik.io/master/providers/file/
  file:
    filename: /etc/traefik/traefik.yml
    watch: true
```

I hope this helps. Thank you again. Best,
Martí

Hello @martibosch,

You currently have only a TLS router for your site. Can you create a non-TLS router to allow the redirect to properly handle non-TLS requests?

Hello @daniel.tomcej, and thank you again for your response.

I am sorry but I am quite new to traefik. How may I add a non-TLS router? Would it work if I appended a copy of the web-secure-router without the tls part and a different name in the routers section?

Best,
Martí

Hello @martibosch,

Exactly. Something like this:

```yaml
http:
  routers:
    web-secure-router:
      rule: "Host(`my-domain.io`) || Host(`www.my-domain.io`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt
    web-router:
      rule: "Host(`my-domain.io`) || Host(`www.my-domain.io`)"
      entryPoints:
        - web
      service: django
```

Hello @daniel.tomcej,

Adding the non-TLS router as specified in your snippet solved the issue.

Thank you. Best,
Martí