Unable to obtain ACME certificate for domains with NS1 provider

I'm having an issue trying to get my traefik podman container to issue certificates for my domain. I've validated my API key is correct (I was able to use curl to put an `_acme-challenge` TXT record on the zone/domain), and have tried both setting a credential `_FILE` and a podman secret; I can run `echo $NS1_API_KEY` and get the valid API key... I'm at a loss. I know ns1 isn't the most popular DNS provider, but I'd hate to have to change because of something silly that I'm missing.

Error from debug logging:

```
error msg="Unable to obtain ACME certificate for domains \"<*.redacted.domainname>\"" rule="Host(bw0<.redacted.domainname>)" error="unable to generate a certificate for the domains [<*.redacted.domainname>]: error: one or more domains had a problem:[<*.redacted.domainname>] [<*.redacted.domainname>] acme: error presenting token: ns1: failed to get zone [authZone: \"<redacted.domainname>\", fqdn: \"_acme-challenge<.redacted.domainname>.\"]: Get "https://api.nsone.net/v1/zones/<redacted.domainname>\": net/http: invalid header field value for \"X-Nsone-Key\"\n"providerName=myleresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=bw0@file
```

Traefik version 2.9.8 built on 2023-02-15T15:23:25Z

```bash
SECRET_FILE="/opt/dockers/traefik/secrets/ns1_kalsto.secret"

#podman secret create ns2 ${SECRET_FILE}

# Tried with and without the --secret flag
podman run -d --name traefik \
  --restart="${RESTART_METHOD}" \
  -p "${RACK_IP}:9080:80" \
  -p "${RACK_IP}:9443:443" \
  -v "${CONF_DIR}/acme:/etc/traefik/acme" \
  -v "/var/log/traefik/:/var/log/traefik/:z" \
  -v /etc/localtime:/etc/localtime:ro \
  -v "${CONF_DIR}/configs:/etc/traefik/configs:z" \
  -v "${CONF_DIR}/traefik.yml:/etc/traefik/traefik.yml" \
  -v "${SECRET_FILE}:/etc/traefik/secret_file:ro" \
  -e NS1_API_KEY_FILE=/etc/traefik/secret_file \
  --secret ns2,type=env,target=NS1_API_KEY \
  traefik:latest
```

Config from traefik.yml:

```yaml
certificatesResolvers:
  myleresolver:
    acme:
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: "<redacted>@<email.com>"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: ns1
        resolvers:
          - "dns1.p01.nsone.net"
          - "dns2.p01.nsone.net"
          - "dns3.p01.nsone.net"
          - "dns4.p01.nsone.net"
```

Any pointers would be greatly appreciated!

Apparently I only had to type it up to look at it from a different angle and find what I think is the solution.

`podman secret create` was adding a `"\n"` to the end of the variable, even though there was no `\n` in the file I was using to create the file. This seems to be a bug in the podman binary, so I'll look at submitting a bug report there.

I manually created the secret and referenced it in the `podman run` command, verified it with `podman inspect`, and it worked much better. I can see the certificate is valid, though my dashboard is still "unsafe". But I think that's something to investigate another time.

tl;dr: If anybody else is using podman secrets against a file with no newline, double-check using `podman inspect` whether it's adding an errant `"\n"` to the end of the variable.
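Why a single stray newline produces exactly the log line above: Go's `net/http` transport refuses to send a request whose header value contains a control character such as `\n`, and it deliberately omits the offending value from the error, which is why only the header name `X-Nsone-Key` appears. The program below is an added example, not code from the poster, from Traefik or from its DNS provider library. It uses a local `httptest` server as a stand-in for `api.nsone.net`, a constructed key (`ns1-example-api-key-0000`, not a real credential), and a hypothetical `loadAPIKey` helper that strips trailing line endings from a `*_FILE` style secret before the value goes anywhere near a header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample values (not real NS1 credentials). The first is what you get
// when whatever stores the secret appends a line feed; the second is clean.
const (
	keyClean       = "ns1-example-api-key-0000"
	keyWithNewline = keyClean + "\n"
)

// loadAPIKey reads a *_FILE style secret and strips trailing line endings, so a
// newline added by an editor or a secret store never reaches an HTTP header.
// (Hypothetical helper for this example, not the provider library's own code.)
func loadAPIKey(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(b), "\r\n"), nil
}

// newFakeNS1 starts a local stand-in for api.nsone.net that accepts exactly one key.
// It exists only so the example runs offline; it is not NS1's API.
func newFakeNS1() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Nsone-Key") != keyClean {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// sendWithKey makes the same kind of request the DNS provider client makes: a GET
// with the key in X-Nsone-Key. It returns the HTTP status, or the error the
// transport produced before anything was written to the network.
func sendWithKey(url, key string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Nsone-Key", key)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isInvalidHeaderValue reports whether err is net/http's pre-send rejection of a
// header value containing a control character such as '\n'.
func isInvalidHeaderValue(err error) bool {
	return err != nil && strings.Contains(err.Error(), "invalid header field value")
}

func main() {
	srv := newFakeNS1()
	defer srv.Close()

	// 1. Key with a trailing newline: the transport refuses to send it at all,
	//    and the error reads like the one in the Traefik debug log.
	_, err := sendWithKey(srv.URL, keyWithNewline)
	fmt.Printf("with trailing newline: rejected before send = %v (%v)\n", isInvalidHeaderValue(err), err)

	// 2. Same key loaded through loadAPIKey from a file that ends in a newline.
	dir, _ := os.MkdirTemp("", "ns1-secret")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ns1.secret")
	_ = os.WriteFile(path, []byte(keyWithNewline), 0o600)
	key, _ := loadAPIKey(path)
	status, err := sendWithKey(srv.URL, key)
	fmt.Printf("after trimming: status=%d err=%v\n", status, err)
}
```

Run it with `go run .`; the first line reports the rejection, the second a 200 from the stand-in server. The practical check on the container side is the one in the post: inspect the value the container actually sees and look for a byte you did not put there, rather than trusting the file you created the secret from.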

