Unable to obtain ACME: timeout during connect

Hi All,

I was using traefik with http challenge and http to https redirect middleware successfully but I had to move and I cannot set it up with the new router. I opened port 80 and 443 on the new router.

Here is my traefik.yml file:

## STATIC CONFIGURATION
log:
  level: INFO

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "traefik.yml"
    watch: true

certificatesResolvers:
  lets-encr:
    acme:
     # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: acme.json
      email: myValidEmail.email.com
      httpChallenge:
        entryPoint: web

## DYNAMIC CONFIGURATION
http:
  routers:
    route-to-local-ip:
      rule: "Host(`myexampledomain.com`)"
      service: route-to-local-ip-service
      priority: 1000
      entryPoints:
        - websecure
      tls:
        certResolver: lets-encr

  services:
    route-to-local-ip-service:
      loadBalancer:
        servers:
          - url: "http://192.168.0.17:81"

And here is my traefik-docker-compose.yml file:

version: "3.7"

services:
  traefik:
    image: "traefik:v2.3.4"
    container_name: "traefik"
    hostname: "traefik"
    restart: unless-stopped
    ports:
      - "80:80" # <== http
      - "443:443" # <== https
      - "8080:8080" # <== :8080 is where the dashboard runs on
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.yml:/traefik.yml:ro"
      - "./acme.json:/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirect-https.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirect-https.entrypoints=web"
      - "traefik.http.routers.redirect-https.middlewares=redirect-to-https"

networks:
  default:
    external:
      name: $DEFAULT_NETWORK

I run several routers in containers; here is one as an example:

version: "2"

services:
  mariadb:
    image: linuxserver/mariadb
    container_name: mariadb
    restart: unless-stopped
    labels:
      - "traefik.enable=false"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./mariadb_data:/config
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=$DB_PASS
      - TZ=Europe/London
  adminer:
    image: adminer:latest
    hostname: adminer
    environment:
      - ADMINER_DEFAULT_SERVER=mariadb
      - ADMINER_DESIGN=galkaev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adminer.entrypoints=websecure"
      - "traefik.http.routers.adminer.rule=Host(`adminer.$MY_DOMAIN`)"
      - "traefik.http.routers.adminer.tls=true"
      - "traefik.http.routers.adminer.tls.certresolver=lets-encr"

networks:
  default:
    external:
      name: $DEFAULT_NETWORK

After I run docker-compose -f traefik-docker-compose.yml up -d the previously created acme.json with permission 600 is populated with my private_key and status is valid, but there are no certificates. The logs say the following:

time="2021-01-17T18:31:16Z" level=error msg="Unable to obtain ACME certificate for domains \"subdomain.myexampledomain.com\": unable to generate a certificate for the domains [subdomain.myexampledomain.com]: error: one or more domains had a problem:\n[subdomain.myexampledomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://subdomain.myexampledomain.com/.well-known/acme-challenge/9lnK-geDKwdIEH4SnnVtDjlcssSCM5kPmsBC2pzkK_0: Timeout during connect (likely firewall problem), url: \n" routerName=adminer@docker providerName=lets-encr.acme rule="Host(`subdomain.myexampledomain.com`)"

letsdebug says ANOTWORKING subdomain.myexampledomain.com has an A (IPv4) record (...*) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

I can reach the http pages of my domain and subdomains and the deployed services are working from local network but I get a timeout if I go to http://subdomain.myexampledomain.com from a network outside of mine.

I am a traefik noob here, so any help is appreciated. I hope that you can help me figure out this problem because I am a bit lost. Thanks!

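The log line in the post is the CA reporting that it could not even open TCP/80 to the domain, which is the same thing letsdebug's ANOTWORKING check measures. The script below is an added example (not from the original post or from Traefik): it parses that Traefik error line to pull out the failing host and ACME error type, then repeats the CA's first step, resolve the A record and connect to port 80, so you can confirm the forward is really open before retrying. The `resolve` and `connect` parameters are assumptions for injecting the network calls; the sample log line is constructed with a placeholder token.

```python
import re
import socket

# Constructed sample modelled on the log line in the post; the challenge token is a placeholder.
SAMPLE_LOG = (
    'time="2021-01-17T18:31:16Z" level=error msg="Unable to obtain ACME certificate for domains '
    'subdomain.myexampledomain.com: acme: error: 400 :: urn:ietf:params:acme:error:connection :: '
    'Fetching http://subdomain.myexampledomain.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER: '
    'Timeout during connect (likely firewall problem)" routerName=adminer@docker providerName=lets-encr.acme'
)

ACME_ERR = re.compile(r"urn:ietf:params:acme:error:(\w+)")
CHALLENGE_URL = re.compile(r"Fetching (http://([^/\s]+)/\.well-known/acme-challenge/[^:\s]+)")

def parse_acme_failure(line):
    """Pull the ACME error type, host and challenge URL out of a Traefik error line (None if absent)."""
    err, url = ACME_ERR.search(line), CHALLENGE_URL.search(line)
    if not err or not url:
        return None
    return {"error": err.group(1), "host": url.group(2), "url": url.group(1)}

def check_http01_path(host, resolve=socket.gethostbyname, connect=socket.create_connection, timeout=5.0):
    """Repeat the CA's first step from wherever this runs: resolve the A record, then open TCP/80.
    Run it from OUTSIDE the LAN; from inside, NAT hairpinning can make a broken forward look fine."""
    try:
        addr = resolve(host)
    except socket.gaierror:
        return "no-dns"
    try:
        with connect((addr, 80), timeout=timeout):
            return "port80-open"
    except socket.timeout:  # the thread's symptom: SYN never answered (port forward / firewall)
        return "timeout"
    except OSError:         # RST: something answers at that IP but port 80 does not reach Traefik
        return "refused"

def diagnose(line, **probe):
    """Combine both: which domain failed, and whether its port 80 is reachable right now."""
    parsed = parse_acme_failure(line)
    if parsed is None:
        return None
    if parsed["error"] != "connection":
        return dict(parsed, verdict="not-a-connectivity-error")
    return dict(parsed, verdict=check_http01_path(parsed["host"], **probe))

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A "timeout" verdict from outside the network means the CA will keep failing regardless of the Traefik config; "port80-open" means the forward works and any remaining failure is in the router/middleware setup.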

Doesn't sound like a traefik issue. I think this is a networking issue.

Once you get external connections connecting to your traefik server this will work again.


Thank you for the response. When I exec into the container, /etc/resolv.conf contains a nameserver starting with 127.0.***, however I still can ping google.com from the container. The nameserver on the host machine is my local router's IP. I pruned the docker network and my stack but after starting again the resolv.conf in the container did not change. Could this be because of incorrect local static ip address settings in the dhcp file?

Docker has its own resolver to allow for resolving other container names.

No. This has everything to do with the path beginning at your modem then your router/firewall to your server. As it works on your local network you can rule out the server.

I am not sure that I follow. There is internet on the local machine, I can ping any webpage from within the container so I assume that there is internet in the container as well, and as I am using a raspberry pi as the host machine and I did not install ufw I believe I have no firewall on my local machine. The firewall on the modem/router is turned off. I am a bit lost on how I should start debugging this problem.

I decided to reset my local static ip settings, purge docker and reinstall it. I used my modem to set the static ip and now everything is working. It was not a traefik setup error as you pointed out but a network problem. I suspect that the problem was on my local machine. Thank you for your help.
