Unable to obtain ACME certificates timeout

christian-ek · January 30, 2020, 11:42am

Hello!
I am having issues finding out the reason why I am getting this error. Tried googling it.
It seems to be an issue with dns lookup from the container.

Error in traefik log:

time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate for domains \"hivemq.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" providerName=cloudflare.acme routerName=hivemq-secure@docker

Unable to lookup google from within traefik container. Don't know if this is working as intended?

/o/a/traefik> docker exec -it traefik /bin/sh
/ # nslookup google.se
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'google.se': Try again
/ #

Traefik docker-compose.yaml

version: '3'

services:
  traefik:
    image: traefik:v2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=redacted
      - CF_API_KEY=redacted
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=redacted"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

data/traefik.yml:

api:
  dashboard: true
  debug: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: redacted
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Service example (hivemq) docker-compose.yml:

version: "3"

services:
  hivemq:
    image: hivemq/hivemq4
    container_name: hivemq
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 1883:1883
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hivemq.entrypoints=http"
      - "traefik.http.routers.hivemq.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq.middlewares=https-redirect@file"
      - "traefik.http.routers.hivemq-secure.middlewares=secured@file"
      - "traefik.http.routers.hivemq-secure.entrypoints=https"
      - "traefik.http.routers.hivemq-secure.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq-secure.tls=true"
      - "traefik.http.routers.hivemq-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.hivemq-secure.service=hivemq"
      - "traefik.http.services.hivemq.loadbalancer.server.port=8080"
      - "traefik.docker.network=proxy"
    networks:
      - internal
      - proxy

networks:
  proxy:
    external: true
  internal:
    external: false

christian-ek · January 31, 2020, 8:11am

Anyone else running v2 in docker and can try to do a nslookup from within the container? Is it supposed to work?

I can do nslookup in my other containers running in the same docker network.

christian-ek · February 1, 2020, 8:29am

Found this old post on github

Looks like my error.

I tried reinstalling docker-ce but still get the same error. Still only this container that dns is not working on. Maybe related to me running on Ubuntu 19.10?

Can anyone try nslookup from within your traefik container to verify that it should work?

christian-ek · February 6, 2020, 3:10pm

No one that can verify if nslookup from within traefik container is supposed to work?

mrnonz · February 21, 2020, 12:52pm

I found this error like you on CentOS Linux release 8.1.1911 (Core)

I using DNS with 1.1.1.1 and 8.8.8.8.

I re-check by manual nslookup and it's work.

mrnonz · February 21, 2020, 1:30pm

Hi, I think it's depend on Internal of Docker (Not issue for traefik app).

You can try with this

[root@bastion mrnonz]# docker run --network traefik_default alpine ping fb.me
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
c9b1b535fdd9: Already exists
Digest: sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d
Status: Downloaded newer image for alpine:latest
ping: bad address 'fb.me'

cooling75 · June 10, 2020, 1:28pm

Hi all, maybe a little bit too late, but I ran into the same dns issue as @christian-ek
I took a look into /etc/resolv.conf and there was only one dns server specified. (127.0.0.11)
I solved the problem by mounting my local /etc/resolv.conf into my Traefik container as read-only. After this I was able to start my Traefik container.

Gfatarep44 · December 8, 2020, 11:35am

Can you tell me what exactly you did e.g. what files, code insert etc, please?

I have this problem and no solution work so far.

cooling75 · December 8, 2020, 12:39pm

Hi,
unfortunately I reset my complete setup during the last months a few times, but I guess I mounted the RPi local /etc/resolv.conf into the Traefik container because dns wasn't working inside. As I wrote above there was only the 127.0.0.11 entry inside the container, outside (on the Pi itself) you may have other entries, like your router or another system configured as a local dns server, e.g. 192.168.0.1.

Therefore I tried to mount the resolv.conf file from the Pi itself to the Traefik container.
It should've looked like this in the docker-compose file:

volumes:
  - /etc/resolv.conf:/etc/resolv.conf

Topic		Replies	Views
Dockers Unable to obtain ACME certificate for domains Traefik v2 docker	2	2303	December 4, 2020
DNS Challenge Timeout Traefik v2 letsencrypt-acme	10	3978	May 7, 2020
New to Traefik and can't even get off the ground Traefik v2 docker	0	264	July 13, 2022
Cannot obtain ACME certificate Traefik v2 docker , letsencrypt-acme , middleware	3	808	March 11, 2021
Unable to obtain ACME certificate for domains - credentials are missing Traefik v2 docker , letsencrypt-acme	6	2861	March 24, 2024

Unable to obtain ACME certificates timeout

Related topics