I have followed various posts in various places to set up a basic traefik v2 installation on docker and am trying to get it to generate a wildcard certificate. It never seems to get past
time="2020-01-02T20:52:12Z" level=debug msg="legolog: [INFO] [*.my.domain] acme: Waiting for DNS record propagation."
This is despite the TXT record being available on at least one of the specified resolvers. I'm using Dreamhost for my DNS challenge setup and the letsencrypt staging server.
Can anyone see where I'm going wrong?
Any help would be much appreciated! Thank you!
Here is my docker-compose.yml:
version: '3'
services:
  reverse-proxy:
    image: traefik:v2.1.1
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.toml:/traefik.toml:ro
      - ./data/rules:/rules:ro
      - ./data/acme.json:/acme.json
      - ./data/secrets:/run/secrets:ro
      - ./logs:/var/log
    environment:
      DREAMHOST_API_KEY_FILE: /run/secrets/dreamhost_api_key
    labels:
      - "traefik.enable=true"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global wildcard certificates
      - "traefik.http.routers.wildcard-certs.tls.certresolver=letsencrypt"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].main=my.domain"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.my.domain"
      # dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.usersfile=/run/secrets/htpasswd"
  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.my.domain`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.entrypoints=websecure"
networks:
  proxy:
    external: true
And my traefik.toml:
[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[log]
  level = "DEBUG"
  filePath = "/var/log/traefik.log"

[accessLog]
  filePath = "/var/log/access.log"

[api]

[ping]

[providers.docker]
  network = "proxy"

[certificatesResolvers.letsencrypt.acme]
  email = "my@email"
  storage = "acme.json"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "dreamhost"
    resolvers = ["208.97.182.10:53", "66.33.205.230:53", "1.1.1.1:53", "8.8.8.8:53"]
Here is the DNS lookup result:
$ dig @208.97.182.10 -t txt _acme-challenge.my.domain
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @208.97.182.10 -t txt _acme-challenge.my.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43550
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;_acme-challenge.my.domain. IN TXT
;; ANSWER SECTION:
_acme-challenge.my.domain. 14400 IN TXT "random-string-here"
;; Query time: 84 msec
;; SERVER: 208.97.182.10#53(208.97.182.10)
;; WHEN: Thu Jan 02 21:06:25 GMT 2020
;; MSG SIZE rcvd: 106
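One dig against a single resolver does not reproduce what Traefik's ACME client waits for: it keeps polling until the nameservers it checks all return the expected `_acme-challenge` value, and a wildcard plus its base name place two TXT values at that same name. As an added example (not from the original post), the script below runs the same lookup against every resolver in the traefik.toml above and classifies each answer as ok, stale or missing; `run_dig` is a hypothetical helper that shells out to dig, and `DIG_SAMPLE` is the post's dig answer embedded as constructed input.

```python
import re
import subprocess
from typing import Callable, Dict, List

RESOLVERS = ["208.97.182.10:53", "66.33.205.230:53", "1.1.1.1:53", "8.8.8.8:53"]  # from the traefik.toml in the post
DIG_SAMPLE = """;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
_acme-challenge.my.domain. 14400 IN TXT "random-string-here"
"""  # constructed sample: the dig answer from the post, trimmed to the lines parsed below
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.+)$")

def parse_txt_answers(dig_output: str) -> List[str]:
    """Return every TXT value in dig's ANSWER SECTION; quoted chunks of one record are joined."""
    values, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            m = ANSWER_RE.match(line)
            if not m:  # a blank line or the next ';;' section ends the answers
                in_answer = False
            else:
                values.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))))
    return values

def has_authority_flag(dig_output: str) -> bool:
    """True when the reply carries 'aa', i.e. this server is authoritative for the zone, not a cache."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.MULTILINE)
    return bool(m) and "aa" in m.group(1).split()

def run_dig(resolver: str, name: str) -> str:
    """Hypothetical helper: shell out to dig for one resolver given as 'host[:port]'."""
    host, _, port = resolver.partition(":")
    cmd = ["dig", f"@{host}", "-p", port or "53", "-t", "txt", name]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def check_propagation(name: str, expected: str, resolvers: List[str],
                      query: Callable[[str, str], str] = run_dig) -> Dict[str, str]:
    """Classify each resolver's answer as 'ok', 'stale: <values>' or 'missing' for the expected TXT."""
    report = {}
    for resolver in resolvers:
        values = parse_txt_answers(query(resolver, name))
        if expected in values:
            report[resolver] = "ok"
        elif values:
            report[resolver] = "stale: " + ", ".join(values)  # an old challenge value is still being served
        else:
            report[resolver] = "missing"
    return report
```

Run `check_propagation("_acme-challenge.my.domain", "<value from the log>", RESOLVERS)` while Traefik is waiting; any entry that is not `ok` is a resolver that would keep the pre-check from passing, and `has_authority_flag` on its raw answer tells you whether you were looking at the zone's authoritative server or a cache.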