Unable to obtain ACME certificate for domains with NS1 provider

kalsto · February 22, 2023, 8:57pm

I'm having an issue trying to get my traefik podman container to issue certificates for my domain. I've validated my API key is correct (was able to use curl to put an _acme-challenge TXT record on the zone/domain), and have tried both setting a credential _FILE, a podman secret, I can run echo $NS1_API_KEY and get the valid api key... I'm at a loss. I know ns1 isn't the most popular dns provider, but I'd hate to have to change because of something silly that I'm missing.

Error from debug logging:
error msg="Unable to obtain ACME certificate for domains \"<*.redacted.domainname>\"" rule="Host(bw0<.redacted.domainname>)" error="unable to generate a certificate for the domains [<*.redacted.domainname>]: error: one or more domains had a problem:[<*.redacted.domainname>] [<*.redacted.domainname>] acme: error presenting token: ns1: failed to get zone [authZone: \"<redacted.domainname>\", fqdn: \"_acme-challenge<.redacted.domainname>.\"]: Get "https://api.nsone.net/v1/zones/<redacted.domainname>\": net/http: invalid header field value for \"X-Nsone-Key\"\n"providerName=myleresolver.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=bw0@file

Traefik version 2.9.8 built on 2023-02-15T15:23:25Z

`SECRET_FILE="/opt/dockers/traefik/secrets/ns1_kalsto.secret"

#podman secret create ns2 ${SECRET_FILE}

podman run -d --name traefik
--restart="${RESTART_METHOD}"
-p "${RACK_IP}:9080:80"
-p "${RACK_IP}:9443:443"
-v "${CONF_DIR}/acme:/etc/traefik/acme"
-v "/var/log/traefik/:/var/log/traefik/:z"
-v /etc/localtime:/etc/localtime:ro
-v "${CONF_DIR}/configs:/etc/traefik/configs:z"
-v "${CONF_DIR}/traefik.yml:/etc/traefik/traefik.yml"
-v "${SECRET_FILE}:/etc/traefik/secret_file:ro"
-e NS1_API_KEY_FILE=/etc/traefik/secret_file
--secret ns2,type=env,target=NS1_API_KEY \ # Tried with and without this secret flag
traefik:latest
`

Config from traefik.yml:
certificatesResolvers: myleresolver: acme: caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" email: "<redacted>@<email.com>" storage: /etc/traefik/acme/acme.json dnsChallenge: provider: ns1 resolvers: - "dns1.p01.nsone.net" - "dns2.p01.nsone.net" - "dns3.p01.nsone.net" - "dns4.p01.nsone.net"

Any pointers would be greatly appreciated!

kalsto · February 22, 2023, 9:44pm

Apparently I only had to type it up it to look at it from a different angle and find what I think is the solution..

podman secret create was adding a "\n" to the end of the variable, even though there was no \n in the file I was using to create the file. This seems to be a bug in the podman binary, so I'll look at submitting a bug report there.

I manually created the secret and referenced it in the podman run command, verified it with podman inspect, and it worked much better. I can see the certificate is valid, though my dashboard is still "unsafe"

But I think that's something to investigate another time.

tldr; If anybody else is using podman secrets against a file with no newline, double check using podman inspect if it's adding an errant "\n" to the end of the variable.

system · February 25, 2023, 9:45pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dockers Unable to obtain ACME certificate for domains Traefik v2 docker	2	2281	December 4, 2020
Cannot obtain ACME certificate possibly due to inability to perform SOA DNS query Traefik v2 docker	7	1304	September 26, 2022
Unable to obtain ACME certificate despite setting challenge Traefik v1 docker , letsencrypt-acme	1	4776	July 18, 2019
Cannot obtain ACME certificate Traefik v2 docker , letsencrypt-acme , middleware	3	799	March 11, 2021
Unable to obtain ACME certificate for domains Traefik v2 kubernetes-crd	0	762	August 6, 2020

Unable to obtain ACME certificate for domains with NS1 provider

Related topics