Unable to obtain ACME certificate for wildcard domains

floatingpurr · April 10, 2020, 10:20am

Hi guys. I'm very new to Traefik and I'm trying to set up a wildcard certificate mechanism with traefik:v2.2 and GoDaddy. What I want to do is generating a valid certificate for the URLs pattern *.example.org. Here there is my docker-compose:

version: '3.7'

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    env_file:
      - .provider.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./tls-certificates:/tls-certificates
    ports:
      - 80:80
      - 433:443
    networks:
      - web
    command:
      - --api.dashboard=true

      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web

      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates. 
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      # - --certificatesresolvers.mycoolwebsitechallenge.acme.tlschallenge=true
      - --certificatesResolvers.mycoolwebsitechallenge.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.mycoolwebsitechallenge.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.mycoolwebsitechallenge.acme.email=foo@foo.org
      # Certificates storage
      - --certificatesresolvers.mycoolwebsitechallenge.acme.storage=/tls-certificates/acme.json
    networks:
      - web
    labels:
      traefik.enable: true
      traefik.http.routers.traefikdashboard.rule: Host(`monitor.example.org`)
      traefik.http.routers.traefikdashboard.tls: true
      traefik.http.routers.traefikdashboard.tls.certresolver: mycoolwebsitechallenge
      traefik.http.routers.traefikdashboard.service: api@internal
      traefik.http.routers.traefikdashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: foo:bar

      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https@docker
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

networks:
  web:
      external: true

This is my .provider.env:

GODADDY_API_SECRET=foobarbaz
CERTIFICATES_EMAIL=bazbarfoo

It looks like I all set. However, I get this errors from the log:

traefik    | time="2020-04-10T09:55:05Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="Try to challenge certificate for domain [monitor.example.org] found in HostSNI rule" providerName=mycoolwebsitechallenge.acme routerName=traefikdashboard@docker rule="Host(`monitor.example.org`)"
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="Looking for provided certificate(s) to validate [\"monitor.example.org\"]..." routerName=traefikdashboard@docker rule="Host(`monitor.example.org`)" providerName=mycoolwebsitechallenge.acme
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="Domains [\"monitor.example.org\"] need ACME certificates generation for domains \"monitor.example.org\"." rule="Host(`monitor.example.org`)" providerName=mycoolwebsitechallenge.acme routerName=traefikdashboard@docker
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="Loading ACME certificates [monitor.example.org]..." rule="Host(`monitor.example.org`)" providerName=mycoolwebsitechallenge.acme routerName=traefikdashboard@docker
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="Building ACME client..." providerName=mycoolwebsitechallenge.acme
traefik    | time="2020-04-10T09:55:05Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=mycoolwebsitechallenge.acme
traefik    | time="2020-04-10T09:55:06Z" level=debug msg="Using DNS Challenge provider: godaddy" providerName=mycoolwebsitechallenge.acme
traefik    | time="2020-04-10T09:55:06Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Obtaining bundled SAN certificate"
traefik    | time="2020-04-10T09:55:07Z" level=debug msg="legolog: [INFO] [monitor.example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/auht_id_foo_bar_baz"
traefik    | time="2020-04-10T09:55:07Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Could not find solver for: tls-alpn-01"
traefik    | time="2020-04-10T09:55:07Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Could not find solver for: http-01"
traefik    | time="2020-04-10T09:55:07Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: use dns-01 solver"
traefik    | time="2020-04-10T09:55:07Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Preparing to solve DNS-01"
traefik    | time="2020-04-10T09:55:08Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Trying to solve DNS-01"
traefik    | time="2020-04-10T09:55:08Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik    | time="2020-04-10T09:55:08Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik    | time="2020-04-10T09:55:08Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:10Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:12Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:14Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:16Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:18Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:20Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:22Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-10T09:55:32Z" level=debug msg="legolog: [INFO] [monitor.example.org] acme: Cleaning DNS-01 challenge"
traefik    | time="2020-04-10T09:55:32Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/auht_id_foo_bar_baz"
traefik    | time="2020-04-10T09:55:33Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/auht_id_foo_bar_baz"
traefik    | time="2020-04-10T09:55:33Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.org\": unable to generate a certificate for the domains [monitor.example.org]: acme: Error -> One or more domains had a problem:\n[monitor.example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.monitor.example.org, url: \n" providerName=mycoolwebsitechallenge.acme routerName=traefikdashboard@docker rule="Host(`monitor.example.org`)"

And this is what I get @ https://acme-v02.api.letsencrypt.org/acme/authz-v3/auht_id_foo_bar_baz

{
  "identifier": {
    "type": "dns",
    "value": "monitor.example.org"
  },
  "status": "invalid",
  "expires": "2020-04-17T09:55:06Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.monitor.example.org",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/auht_id_foo_bar_baz/etc...",
      "token": "myToken",
      "validationRecord": [
        {
          "hostname": "monitor.example.org"
        }
      ]
    }
  ]
}

How can I fix this?

ldez · April 10, 2020, 12:45pm

Hello,

take a look to:

floatingpurr · April 14, 2020, 2:58pm

Hello @ldez thank you very much for your pointers.

As far I understood, my static configuration is ok:

      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates. 
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      # - --certificatesresolvers.mycoolwebsitechallenge.acme.tlschallenge=true
      - --certificatesResolvers.mycoolwebsitechallenge.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.mycoolwebsitechallenge.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.mycoolwebsitechallenge.acme.email=foo@foo.org
      # Certificates storage
      - --certificatesresolvers.mycoolwebsitechallenge.acme.storage=/tls-certificates/acme.json

I tried to add the main and the sans entries to the router in the dynamic configuration of the traefik container (this is just for the dashboard):

labels:
  traefik.enable: true
  traefik.http.routers.traefikdashboard.rule: Host(`monitor.example.org`)
  traefik.http.routers.traefikdashboard.tls.certresolver: mycoolwebsitechallenge
  traefik.http.routers.traefikdashboard.tls.domains[0].main: "example.org"
  traefik.http.routers.traefikdashboard.tls.domains[0].sans: "*.example.org"
  traefik.http.routers.traefikdashboard.service: api@internal
  traefik.http.routers.traefikdashboard.middlewares: auth
  traefik.http.middlewares.auth.basicauth.users: foo:bar

but I'm still getting the same error. I do not understand where I am wrong.

Further info: if I look into my dns management panel in GoDaddy, I see an empty TXT called _acme-challenge (i.e., TXT value = null)

Any hint, or any working example, is really appreciated. Thanks

floatingpurr · April 15, 2020, 4:57pm

Well, I believe I'm getting crazy for this issue...

I do not understand either I'm misconfiguring something or if there's a problem on the let's encrypt/godaddy side.

Long story short. Static configuration:

      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates.
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      - --certificatesresolvers.wildcard-godaddy.acme.tlschallenge=true
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.wildcard-godaddy.acme.email=foo@example.org
      # Certificates storage
      - --certificatesresolvers.wildcard-godaddy.acme.storage=/tls-certificates/acme.json

Dynamic configuration for the traefik dashboard

      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=webinsecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.org`)"

      - "traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"

      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=wildcard-godaddy"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"

In my dns I have an A record * pointing to my ip.

This is the error I get:

traefik    | time="2020-04-15T16:41:22Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[*.example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n[example.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=wildcard-godaddy.acme

This is my full docker-compose:

docker-compose

version: '3.7'

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    env_file:
      - .provider.env
      # .provider.env contains `GODADDY_API_KEY` and `GODADDY_API_SECRET`
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./tls-certificates:/tls-certificates
    ports:
      # http
      - 8080:80
      # https
      - 443:443
    command:
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.websecure.address=:443

      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates.
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      - --certificatesresolvers.wildcard-godaddy.acme.tlschallenge=true
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.wildcard-godaddy.acme.email=foo@example.org
      # Certificates storage
      - --certificatesresolvers.wildcard-godaddy.acme.storage=/tls-certificates/acme.json

    networks:
      - proxy

    labels:

      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=webinsecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.org`)"

      - "traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"

      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=wildcard-godaddy"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"


networks:
  proxy:
    external: true

And this is the complete log:

docker-compose log

Creating traefik ... done
Attaching to traefik
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Configuration loaded from flags."
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"webinsecure\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"wildcard-godaddy\":{\"acme\":{\"email\":\"myemail@example.org\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/tls-certificates/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"godaddy\"},\"tlsChallenge\":{}}}}}"
traefik    | time="2020-04-15T16:40:49Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Start TCP Server" entryPointName=webinsecure
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Starting provider *acme.Provider {\"email\":\"myemail@example.org\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/tls-certificates/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"godaddy\"},\"tlsChallenge\":{},\"ResolverName\":\"wildcard-godaddy\",\"store\":{},\"ChallengeStore\":{}}"
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Testing certificate renew..." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}"
traefik    | time="2020-04-15T16:40:49Z" level=info msg="Starting provider *traefik.Provider {}"
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Configuration received from provider wildcard-godaddy.acme: {\"http\":{},\"tls\":{}}" providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Provider connection established with docker 19.03.8 (API 1.40)" providerName=docker
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Filtering disabled container" providerName=docker container=app-covid-19-ita-bot-57b7faa41c5c63320962127cadb3bf2fcc4af3a3e5c662468f73e11a9f8dc668
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Filtering disabled container" providerName=docker container=mongo-covid-19-ita-bot-1930b8dd265cda9a0ba45da731df8ae740ccea85f3eb3d8e934e63316b92ae55
traefik    | time="2020-04-15T16:40:49Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"webinsecure\"],\"middlewares\":[\"traefik-https-redirect\"],\"service\":\"traefik-traefik\",\"rule\":\"Host(`traefik.example.org`)\"},\"traefik-secure\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"traefik-auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.example.org`)\",\"tls\":{\"certResolver\":\"wildcard-godaddy\",\"domains\":[{\"main\":\"example.org\",\"sans\":[\"*.example.org\"]}]}}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.48.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"traefik-auth\":{\"basicAuth\":{\"users\":[\"superciccio14:$apr1$trpV7fFr$0wwX2dOyOAXkcHYR41E1Y0\"]}},\"traefik-https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating middleware" middlewareType=Pipelining entryPointName=webinsecure routerName=traefik@docker serviceName=traefik-traefik middlewareName=pipelining
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating load-balancer" entryPointName=webinsecure routerName=traefik@docker serviceName=traefik-traefik
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating server 0 http://192.168.48.2:80" entryPointName=webinsecure routerName=traefik@docker serviceName=traefik-traefik serverName=0
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Added outgoing tracing middleware traefik-traefik" middlewareName=tracing middlewareType=TracingForwarder entryPointName=webinsecure routerName=traefik@docker
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating middleware" routerName=traefik@docker middlewareType=RedirectScheme middlewareName=traefik-https-redirect@docker entryPointName=webinsecure
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Setting up redirection to https " entryPointName=webinsecure routerName=traefik@docker middlewareType=RedirectScheme middlewareName=traefik-https-redirect@docker
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Adding tracing to middleware" entryPointName=webinsecure routerName=traefik@docker middlewareName=traefik-https-redirect@docker
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating middleware" entryPointName=webinsecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=traefik-secure@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=traefik-secure@docker middlewareName=traefik-auth@docker middlewareType=BasicAuth
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Adding tracing to middleware" entryPointName=websecure routerName=traefik-secure@docker middlewareName=traefik-auth@docker
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-04-15T16:40:50Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.org\" \"*.example.org\"]..." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Domains [\"example.org\" \"*.example.org\"] need ACME certificates generation for domains \"example.org,*.example.org\"." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Loading ACME certificates [example.org *.example.org]..." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Building ACME client..." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Using DNS Challenge provider: godaddy" providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="Using TLS Challenge provider." providerName=wildcard-godaddy.acme
traefik    | time="2020-04-15T16:40:51Z" level=debug msg="legolog: [INFO] [example.org, *.example.org] acme: Obtaining bundled SAN certificate"
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] acme: use dns-01 solver"
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: use tls-alpn-01 solver"
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="TLS Challenge Present temp certificate for example.org" providerName=acme
traefik    | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: Trying to solve TLS-ALPN-01"
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="TLS Challenge CleanUp temp certificate for example.org" providerName=acme
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Preparing to solve DNS-01"
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Trying to solve DNS-01"
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik    | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:00Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:02Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:04Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:06Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:08Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:10Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:12Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:14Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik    | time="2020-04-15T16:41:21Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Cleaning DNS-01 challenge"
traefik    | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik    | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik    | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik    | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik    | time="2020-04-15T16:41:22Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[*.example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n[example.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=wildcard-godaddy.acme

Edit:

On port 80 I have another nginx instance up & running (I'm gonna hide it behind traefik as soon as I fix this problem)

I have also disabled UFW (an ubuntu firewall).
Where am I wrong?

Thanx!

ldez · April 16, 2020, 12:43pm

Could you clean your TXT records and retry?

A working docker-compose file:

version: '3.7'

services:
  traefik:
    image: traefik:v2.2.0
    command:
      - --log.level=DEBUG
      - --api
      - --providers.docker.exposedbydefault=false

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443

      - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.leresolver.acme.dnschallenge.provider=godaddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt/:/letsencrypt
    environment:
      - GODADDY_API_KEY=xxxx
      - GODADDY_API_SECRET=yyyy
    labels:
      traefik.enable: true

      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.example.com`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: leresolver
      traefik.http.routers.traefik.tls.domains[0].main: example.com
      traefik.http.routers.traefik.tls.domains[0].sans: '*.example.com'

ldez · April 16, 2020, 1:01pm

I think I find the issue, stay tune.

floatingpurr · April 16, 2020, 1:09pm

Ok I will! In the meanwhile, I'm gonna test your compose example.

floatingpurr · April 16, 2020, 1:43pm

Thanks for your help @ldez. Just tried your example, but I get the same error.

traefik_1  | time="2020-04-16T13:31:16Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n" providerName=leresolver.acme

Here is the full log:

Compose log

Creating network "traefik_default" with the default driver
Pulling traefik (traefik:v2.2.0)...
v2.2.0: Pulling from library/traefik
Digest: sha256:615483752426932469aa2229ef3f0825b33b3ad7e1326dcd388205cb3a74352e
Status: Downloaded newer image for traefik:v2.2.0
Creating traefik_traefik_1 ... done
Attaching to traefik_traefik_1
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Configuration loaded from flags."
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Traefik version 2.2.0 built on 2020-03-25T17:32:57Z"
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"https\":\"https\",\"permanent\":true,\"priority\":1}}}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"leresolver\":{\"acme\":{\"email\":\"foo@example.org\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"godaddy\"}}}}}"
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Start TCP Server" entryPointName=web
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Starting provider *acme.Provider {\"email\":\"foo@example.org\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"godaddy\"},\"ResolverName\":\"leresolver\",\"store\":{},\"ChallengeStore\":{}}"
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Testing certificate renew..." providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:09Z" level=info msg="Starting provider *traefik.Provider {}"
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Configuration received from provider leresolver.acme: {\"http\":{},\"tls\":{}}" providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":1}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="No default certificate, generating one"
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Provider connection established with docker 19.03.8 (API 1.40)" providerName=docker
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Filtering disabled container" providerName=docker container=app-covid-19-ita-bot-57b7faa41c5c63320962127cadb3bf2fcc4af3a3e5c662468f73e11a9f8dc668
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Filtering disabled container" container=mongo-covid-19-ita-bot-1930b8dd265cda9a0ba45da731df8ae740ccea85f3eb3d8e934e63316b92ae55 providerName=docker
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"websecure\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.example.org`)\",\"tls\":{\"certResolver\":\"leresolver\",\"domains\":[{\"main\":\"example.org\",\"sans\":[\"*.example.org\"]}]}}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.64.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder routerName=web-to-websecure@internal entryPointName=web middlewareName=tracing
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Adding tracing to middleware" middlewareName=redirect-web-to-websecure@internal entryPointName=web routerName=web-to-websecure@internal
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1  | time="2020-04-16T13:29:09Z" level=debug msg="No default certificate, generating one"
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Setting up redirection to https 443" middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Adding tracing to middleware" middlewareName=redirect-web-to-websecure@internal entryPointName=web routerName=web-to-websecure@internal
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=traefik@docker entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="No default certificate, generating one"
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.org\" \"*.example.org\"]..." providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Domains [\"example.org\" \"*.example.org\"] need ACME certificates generation for domains \"example.org,*.example.org\"." providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:10Z" level=debug msg="Loading ACME certificates [example.org *.example.org]..." providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:23Z" level=debug msg="Building ACME client..." providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:23Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:24Z" level=info msg=Register... providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:24Z" level=debug msg="legolog: [INFO] acme: Registering account for foo@example.org"
traefik_1  | time="2020-04-16T13:29:24Z" level=debug msg="Using DNS Challenge provider: godaddy" providerName=leresolver.acme
traefik_1  | time="2020-04-16T13:29:24Z" level=debug msg="legolog: [INFO] [example.org, *.example.org] acme: Obtaining bundled SAN certificate"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [*.example.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<id1>"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [example.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<id2>"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [*.example.org] acme: use dns-01 solver"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [example.org] acme: Could not find solver for: tls-alpn-01"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [example.org] acme: Could not find solver for: http-01"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [example.org] acme: use dns-01 solver"
traefik_1  | time="2020-04-16T13:29:25Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Preparing to solve DNS-01"
traefik_1  | time="2020-04-16T13:29:26Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Trying to solve DNS-01"
traefik_1  | time="2020-04-16T13:29:26Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik_1  | time="2020-04-16T13:29:26Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik_1  | time="2020-04-16T13:29:26Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:28Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:30Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:32Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:34Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:36Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:38Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:40Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:42Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:44Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:46Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:48Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:29:56Z" level=debug msg="legolog: [INFO] [*.example.org] The server validated our request"
traefik_1  | time="2020-04-16T13:29:56Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Cleaning DNS-01 challenge"
traefik_1  | time="2020-04-16T13:29:56Z" level=debug msg="legolog: [INFO] sequence: wait for 1m0s"
traefik_1  | time="2020-04-16T13:30:56Z" level=debug msg="legolog: [INFO] [example.org] acme: Preparing to solve DNS-01"
traefik_1  | time="2020-04-16T13:30:57Z" level=debug msg="legolog: [INFO] [example.org] acme: Trying to solve DNS-01"
traefik_1  | time="2020-04-16T13:30:57Z" level=debug msg="legolog: [INFO] [example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik_1  | time="2020-04-16T13:30:57Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik_1  | time="2020-04-16T13:30:57Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:30:59Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:01Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:03Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:05Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:07Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:09Z" level=debug msg="legolog: [INFO] [example.org] acme: Waiting for DNS record propagation."
traefik_1  | time="2020-04-16T13:31:15Z" level=debug msg="legolog: [INFO] [example.org] acme: Cleaning DNS-01 challenge"
traefik_1  | time="2020-04-16T13:31:16Z" level=debug msg="legolog: [INFO] Skipping deactivating of valid auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<id1>"
traefik_1  | time="2020-04-16T13:31:16Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<id2>"
traefik_1  | time="2020-04-16T13:31:16Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/<id2>"
traefik_1  | time="2020-04-16T13:31:16Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n" providerName=leresolver.acme

Cannot understand what is going on.

ldez · April 16, 2020, 6:07pm

@floatingpurr could you open an issue here: https://github.com/go-acme/lego

thank you.

floatingpurr · April 16, 2020, 9:33pm

Ok I’ll do it. Can you just confirm that my configuration is fine?

ldez · April 16, 2020, 9:35pm

your configuration is a bit verbose but right.

It's a bug with the godaddy implementation in lego.
I'm on it, but I need to find someone who can share with me a godaddy account, because I don't have a godaddy account.

floatingpurr · April 16, 2020, 10:36pm

Oh, ok thanks! Why verbose?

Ok I’ll open the issue in the lego repo. Regarding godaddy, I’m sorry but I do not have a shareable account.

Thanks for your support!

ldez · April 17, 2020, 12:08am

there is a workaround: add the GODADDY_SEQUENCE_INTERVAL env var to something like 120 (in second)

ldez · April 17, 2020, 12:30am

@Alan The implementation of the DNS challenge are really different between DNS providers.

So could you open another topic.

floatingpurr · April 17, 2020, 3:01pm

Hey @ldez, just tried adding GODADDY_SEQUENCE_INTERVAL=120 to your working docker-compose file but it did not fix the problem. Now I first get the error:

"Error while Peeking first byte: read tcp 192.168.128.2:80->13.65.201.223:51476: read: connection reset by peer"

Then, finally, as usual:

"Unable to obtain ACME certificate for domains "example.org,*.example.org" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record "null" found at _acme-challenge.example.org, url: \n"

As mentioned also in this issue, the TXT dns record (i.e., _acme-challenge.example.org) appears during the process but then it is replaced by a null value.

Should this PR fix this problem?

Thanx once again.

ldez · April 17, 2020, 3:39pm

Yes, that will fix the issue.

floatingpurr · April 17, 2020, 8:16pm

Great! Thanks!

Any workaround in the meanwhile?

floatingpurr · April 18, 2020, 9:48am

Just a final question, by and large, do you know when the lego fix will be integrated in Traefik?

Thanx

floatingpurr · April 20, 2020, 5:34pm

Follow-up for those who arrive here.

The only way to "fix" I've found so far is using the TLS challenge in place of the DNS challenge for Go Daddy.

Well, actually it's is not a fix. Indeed, you cannot generate wildcard certificates in this way. If you don't have too much subdomains, it could be an acceptable workaround for being up&running while the actual fix comes up.

floatingpurr · May 3, 2020, 10:22pm

Hey @ldez, it worked in 2.2.1. Thanks!

P.S.: an empty TXT record is left in my GoDaddy DNS Management. Is it fine?

Topic		Replies	Views
Issue certificate using dns-01 challenge with Traefik Traefik v2 letsencrypt-acme	4	451	June 7, 2023
Wildcard certificate with letsencrypt - Waiting for DNS record propagation Traefik v2 docker , letsencrypt-acme	1	2281	January 2, 2020
Wildcard certs not working (using Route53) Traefik v2 letsencrypt-acme	15	1519	July 11, 2023
Can't get certificates through DNS-01 Traefik v2 docker , letsencrypt-acme	4	1985	January 15, 2022
Can't create letsencrypt wildcard certificates with traefik 2.0.0-beta1 Traefik v2 docker-swarm , letsencrypt-acme	6	8362	February 25, 2020

Unable to obtain ACME certificate for wildcard domains

Related topics