Let's encrypt, traefik and TLS - docker

I am setting up a gitea instance with docker and traefik.
I'd like it to be secured with a Let's Encrypt certificate.
My docker-compose.yml looks like the following (with enough comments I hope):
version: '3'
services:
  reverse-proxy:
    # The official v2.0 Traefik docker image
    image: traefik:v2.0
    command:
      # Only for development environment
      - "--log.level=DEBUG"
      - "--log.filePath=/var/log/traefik.log"
      - "--api.insecure=true"
      # Get Docker as the provider
      - "--providers.docker=true"
      # Set the ports for the entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Set letsencrypt as the certificate provider
      - "--certificatesresolvers.le.acme.email=myemail@lutix.org"
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # let's encrypt staging server
      - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
      - "./volumes/traefik/acme.json:/acme.json"
      - "./volumes/traefik/traefik.log:/var/log/traefik.log"
  gitea:
    image: gitea/gitea
    depends_on:
      - "mysql"
      - "reverse-proxy"
      - "phpmyadmin"
    ports:
      - "10022:22"
    volumes:
      - "./volumes/gitea:/data"
    labels:
      # WARNING: 2 routers by protocol http and https
      - traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
      - traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
      - traefik.http.routers.gitea-router-http.middlewares=https-redirection
      - traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
      - traefik.http.routers.gitea-router-https.tls=true
      - traefik.http.routers.gitea-router-https.entrypoints=websecure
      - traefik.http.routers.gitea-router-https.tls.certresolver=le
      - traefik.http.services.gitea-service.loadbalancer.server.port=3000
I thought my settings were proper, since I drew inspiration from a lot of resources/forums/StackOverflow threads.
But there is still a message in the Traefik logfile I can't solve:
time="2020-02-03T05:26:29Z" level=debug msg="Domains [\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
so far, so good
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"
mess begins!
time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"
What could be the reason why I face this TLS handshake error? Regarding firewall, all rules have been deactivated for the sake of the test.
What could I do to get more information about what failed at the TLS handshake?
Should I switch to another challenge like http or dns?
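A way to read such a log without scrolling through it, as an added example that is not part of the question or of Traefik: the script below parses Traefik's key="value" log format, extracts what the ACME validator reported it received during the tls-alpn-01 attempt against what was requested, and tallies the TLS alerts the remote side sent (the sample lines are abridged from the log above; the alert meanings are the script's own summary of the TLS alert codes).

```python
"""Triage Traefik v2 debug-log lines for ACME and TLS handshake problems."""
import re
from collections import Counter

# One key=value field of Traefik's (logrus) text format: the value is either
# a double-quoted string with \" and \\ escapes, or a bare token.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Extracts the interesting parts of a failed tls-alpn-01 validation message.
_ALPN_FAIL = re.compile(
    r"Incorrect validation certificate for tls-alpn-01 challenge\. "
    r"Requested (?P<requested>\S+) from (?P<addr>\S+?)\. "
    r'Received \d+ certificate\(s\), first certificate had names "(?P<names>[^"]*)"')

# The alert is sent by the *remote* peer (ACME validator, browser, MQTT
# client), so each one is a complaint about the certificate Traefik presented.
ALERT_MEANING = {
    "bad certificate": "peer rejected the presented certificate (a validator "
                       "expecting the tls-alpn-01 challenge cert reacts this way)",
    "unknown certificate": "peer does not trust the issuer (staging CA or the "
                           "Traefik default certificate)",
    "expired certificate": "presented certificate is past notAfter (check "
                           "renewal and the clocks on both sides)",
}

def _unquote(raw):
    """Undo logrus quoting: strip the outer quotes and resolve backslash escapes."""
    out, i, end = [], 1, len(raw) - 1
    while i < end:
        c = raw[i]
        if c == "\\" and i + 1 < end:
            i += 1
            c = {"n": "\n", "t": "\t"}.get(raw[i], raw[i])
        out.append(c)
        i += 1
    return "".join(out)

def parse_line(line):
    """Return the fields of one Traefik log line as a dict."""
    return {k: _unquote(v) if v.startswith('"') else v
            for k, v in _TOKEN.findall(line)}

def triage(lines):
    """Summarise ACME validation failures and TLS alerts found in lines."""
    summary = {"alpn_failures": [], "alerts": Counter(), "default_cert_served": []}
    for line in lines:
        msg = parse_line(line).get("msg", "")
        m = _ALPN_FAIL.search(msg)
        if m:
            seen = [n.strip() for n in m.group("names").split(",")]
            summary["alpn_failures"].append({
                "requested": m.group("requested"),
                "validator_from": m.group("addr"),
                "validator_saw": seen,
                "matches": m.group("requested") in seen,
            })
        a = re.search(r"remote error: tls: ([a-z ]+)", msg)
        if a:
            summary["alerts"][a.group(1).strip()] += 1
        d = re.search(r'Serving default certificate for request: "([^"]+)"', msg)
        if d:
            summary["default_cert_served"].append(d.group(1))
    return summary

def explain(summary):
    """Render the triage as plain lines for a human reader."""
    out = []
    for f in summary["alpn_failures"]:
        out.append(f"tls-alpn-01 for {f['requested']} failed: the validator at "
                   f"{f['validator_from']} got a cert for {f['validator_saw']}")
    for alert, n in summary["alerts"].items():
        out.append(f"{n}x 'tls: {alert}': {ALERT_MEANING.get(alert, 'see RFC 8446 s6.2')}")
    hosts = sorted(set(summary["default_cert_served"]))
    if hosts:
        out.append(f"default certificate served for SNI {hosts}: no stored cert matched")
    return out

# Constructed sample, abridged from the question's log; the escaping (\" inside
# msg) is exactly what Traefik writes, hence the raw string.
SAMPLE_LOG = r'''
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
'''.strip().splitlines()

if __name__ == "__main__":
    for line in explain(triage(SAMPLE_LOG)):
        print(line)
```

Run it against the real file with `triage(open("/var/log/traefik.log"))`; the "validator_saw" list tells you directly whether the challenge certificate or the default certificate answered the validator.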

Related

Traefik requests sub-domain specific certificate instead of wildcard?

I have the following docker-compose.yml file
version: "3.8"
secrets:
  loopia_api_user:
    file: "./traefik/secrets/loopia_api_user.secret"
  loopia_api_password:
    file: "./traefik/secrets/loopia_api_password.secret"
networks:
  dockersocket:
    driver: bridge
    internal: true
  traefik:
    external: true # this network has to be created once before starting:
    name: traefik  # docker network create traefik
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: docker-socket-proxy
    restart: unless-stopped
    mem_limit: 128M
    cpus: 0.5
    networks:
      - dockersocket
    expose:
      - 2375
    environment:
      CONTAINERS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  traefik:
    image: "traefik:${TRAEFIK_VERSION}"
    container_name: "traefik"
    restart: unless-stopped
    read_only: true
    mem_limit: 2G
    cpus: 0.75
    security_opt:
      - no-new-privileges:true
    depends_on:
      - docker-socket-proxy
    secrets:
      - "loopia_api_user"
      - "loopia_api_password"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      #- "--entrypoints.web.http.redirections.entryPoint.to=websecure" # Redirect http to https
      #- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Https configuration
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
      - "--entrypoints.websecure.http.tls.certresolver=loopia"
      # Let's Encrypt Loopia DNS challenge
      - "--certificatesresolvers.loopia.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.loopia.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.loopia.acme.dnschallenge=true"
      - "--certificatesresolvers.loopia.acme.dnschallenge.provider=loopia"
      - "--certificatesresolvers.loopia.acme.email=${POSTMASTER_EMAIL}"
      - "--certificatesresolvers.loopia.acme.storage=/letsencrypt/acme.json"
      # Use the docker socket proxy
      - "--providers.docker.endpoint=tcp://docker-socket-proxy:2375" # using Docker Socket Proxy instead of docker socket for improved security
      - "--providers.docker.network=traefik" # Defines a default docker network to use for connections to all containers.
      # Logs
      - --accesslog.filepath=/logs/access.log
      - --accesslog.format=json
      - --accesslog.fields.defaultMode=keep
      - --accesslog.fields.headers.defaultMode=keep
      - --log.filepath=/logs/traefik.log
    environment:
      - LOOPIA_API_USER_FILE=/run/secrets/loopia_api_user
      - LOOPIA_API_PASSWORD_FILE=/run/secrets/loopia_api_password
      - DOMAIN
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - ./traefik/logs:/logs
      - ./traefik/dynamic_conf:/dynamic_conf:ro
      - ./traefik/letsencrypt:/letsencrypt
    networks:
      - dockersocket
      - traefik
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      - "traefik.http.routers.whoami.tls.certresolver=loopia"
      - "traefik.http.routers.whoami.entrypoints=websecure"
    networks:
      - traefik
TRAEFIK_VERSION is v2.9.6.
When I start my containers, Traefik requests a certificate as expected, but does so for whoami.${DOMAIN} instead of *.${DOMAIN}. What am I missing?
I filtered the log somewhat, so if any line is missing tell me and I'll fetch it.
time="2023-01-29T21:12:23+01:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"tcp://docker-socket-proxy:2375\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"directory\":\"/dynamic_conf/\",\"watch\":true}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/logs/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/logs/access.log\",\"format\":\"json\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"keep\"}}},\"certificatesResolvers\":{\"loopia\":{\"acme\":{\"email\":\"peter#example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]}}}}}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.Provider"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"peter#example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"loopia\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"middlewares\":{\"https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"local-only\":{\"ipWhiteList\":{\"sourceRange\":[\"127.0.0.1/32\",\"192.168.0.0/24\",\"172.20.0.0/24\"]}},\"securedheaders\":{\"headers\":{\"customResponseHeaders\":{\"X-Robots-Tag\":\"none,noarchive,nosnippet,notranslate,noimageindex,\",\"server\":\"\"},\"sslRedirect\":true,\"stsSeconds\":63072000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true,\"referrerPolicy\":\"same-origin\",\"featurePolicy\":\"camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';\"}}}},\"tcp\":{},\"udp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]},\"mintls13\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]}}}}" providerName=file
time="2023-01-29T21:12:23+01:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api#internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect#internal\",\"dashboard_stripprefix#internal\"],\"service\":\"dashboard#internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop#internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"websecure\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.com`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="Adding route for whoami.example.com with TLS options default" entryPointName=websecure
time="2023-01-29T21:12:23+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.com] found in HostSNI rule" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:23+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.com\"]..." routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Domains [\"whoami.example.com\"] need ACME certificates generation for domains \"whoami.example.com\"." routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Loading ACME certificates [whoami.example.com]..." providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:24+01:00" level=debug msg="Building ACME client..." providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=info msg=Register... providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="legolog: [INFO] acme: Registering account for peter#example.com"
time="2023-01-29T21:12:25+01:00" level=debug msg="Using DNS Challenge provider: loopia" providerName=loopia.acme
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Obtaining bundled SAN certificate"
time="2023-01-29T21:12:25+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.com`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5153870843"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Could not find solver for: tls-alpn-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Could not find solver for: http-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: use dns-01 solver"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Preparing to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Trying to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"
time="2023-01-29T21:13:31+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Cleaning DNS-01 challenge"
time="2023-01-29T21:13:32+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Validations succeeded; requesting certificates"
time="2023-01-29T21:13:33+01:00" level=debug msg="Certificates obtained for domains [whoami.example.com]" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:13:33+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:13:33+01:00" level=debug msg="Adding route for whoami.example.com with TLS options default" entryPointName=websecure
time="2023-01-29T21:13:33+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.com] found in HostSNI rule" routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.com\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)"
time="2023-01-29T21:13:33+01:00" level=debug msg="No ACME certificate generation required for domains [\"whoami.example.com\"]." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)"
acme.json
{
  "loopia": {
    "Account": {
      "Email": "peter#example.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:peter#example.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/85276103"
      },
      "PrivateKey": "....",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "whoami.example.com"
        },
        "certificate": "....",
        "key": "....",
        "Store": "default"
      }
    ]
  }
}
Edit: I even tried to add a second certificate, but that just generated 2 certificates instead.
Adding the following to the traefik container solved the issue:
labels:
  - "traefik.enable=true"
  - 'traefik.http.routers.wildcard-certs.tls.certresolver=loopia'
  - 'traefik.http.routers.wildcard-certs.tls.domains[0].main=${DOMAIN}'
  - 'traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.${DOMAIN}'
But is
  - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
  - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
  - "--entrypoints.websecure.http.tls.certresolver=loopia"
incorrect? (Most blog entries online use those commands.)
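To see which stored certificate actually covers a hostname, and to spot the "two certificates for one name" situation from the edit above, here is an added example (not from the question and not Traefik code) that reads the acme.json layout shown above and applies the standard certificate-name matching rule: a wildcard such as *.example.com covers exactly one extra label, so it matches whoami.example.com but neither example.com nor a.b.example.com. The sample acme.json is constructed from the entry above plus the wildcard entry the wildcard-certs router would produce.

```python
"""Check which certificate in Traefik's acme.json covers a given hostname."""
import json

def hostname_matches(pattern, host):
    """True if a certificate name (possibly '*.domain') covers host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # the part the '*' stands for
    return label != "" and "." not in label   # exactly one non-empty label

def cert_names(entry):
    """All names one stored certificate entry was issued for (main + SANs)."""
    dom = entry["domain"]
    return [dom["main"]] + list(dom.get("sans") or [])

def covering_certs(acme, resolver, host):
    """Main names of the stored certificates of `resolver` that cover host."""
    certs = acme.get(resolver, {}).get("Certificates") or []
    return [c["domain"]["main"] for c in certs
            if any(hostname_matches(n, host) for n in cert_names(c))]

def redundant_host_certs(acme, resolver):
    """Per-host certificates that a wildcard in the same store already covers.

    This is the situation in the edit above: a wildcard was requested, but a
    separate whoami.example.com certificate was issued as well.
    """
    certs = acme.get(resolver, {}).get("Certificates") or []
    wildcards = [n for c in certs for n in cert_names(c) if n.startswith("*.")]
    return [c["domain"]["main"] for c in certs
            if not c["domain"]["main"].startswith("*.")
            and any(hostname_matches(w, c["domain"]["main"]) for w in wildcards)]

# Constructed acme.json: the question's single-host entry plus the wildcard
# entry; account details and key material are elided as in the question.
SAMPLE_ACME = json.loads('''{
  "loopia": {
    "Account": {"Email": "postmaster@example.com", "KeyType": "4096"},
    "Certificates": [
      {"domain": {"main": "whoami.example.com"},
       "certificate": "....", "key": "....", "Store": "default"},
      {"domain": {"main": "example.com", "sans": ["*.example.com"]},
       "certificate": "....", "key": "....", "Store": "default"}
    ]
  }
}''')

if __name__ == "__main__":
    # For a real file: acme = json.load(open("./traefik/letsencrypt/acme.json"))
    for h in ("whoami.example.com", "example.com", "a.b.example.com"):
        print(h, "->", covering_certs(SAMPLE_ACME, "loopia", h))
    print("redundant per-host certs:", redundant_host_certs(SAMPLE_ACME, "loopia"))
```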

Traefik problem setting up an MQTT broker + TLS + LETSENCRYPT certificate

I have been trying to get my mqtt + TLS broker behind Traefik to work for hours but without convincing results.
The broker's administration web server works perfectly in https with Let's Encrypt, but I can't produce the equivalent with the MQTT connection on port 8883.
Could someone please help me?
Here is my setup
version: '3.4'
services:
  reverse-proxy:
    image: traefik:${TRAEFIK_VERSION}
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8883:8883
    command:
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Entrypoints
      - --entrypoints.web.address=:80
      - --entrypoints.webSecure.address=:443
      - --entrypoints.mqtt.address=:8883
      # Redirect http to https
      - --entrypoints.web.http.redirections.entrypoint.to=webSecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Let's encrypt configuration
      - --certificatesresolvers.le.acme.email=contact@hexa-ai.fr
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    volumes:
      - v_traefik:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
  emqx-service:
    image: emqx/emqx:${EMQX_VERSION}
    restart: unless-stopped
    environment:
      - EMQX_LOADED_PLUGINS="emqx_recon,emqx_retainer,emqx_management,emqx_dashboard,emqx_auth_http"
      - EMQX_AUTH__HTTP__AUTH_REQ__URL=${EMQX_AUTH__HTTP__AUTH_REQ__URL}
      - EMQX_AUTH__HTTP__AUTH_REQ__PARAMS=clientId=%c,username=%u,password=%P
      - EMQX_AUTH__HTTP__ACL_REQ__URL=${EMQX_AUTH__HTTP__ACL_REQ__URL}
      - EMQX_AUTH__HTTP__ACL_REQ__PARAMS=access=%A,username=%u,clientId=%c,ipaddr=%a,topic=%t,mountpoint=%m
      - EMQX_ZONE__EXTERNAL__PUBLISH_LIMIT=${EMQX_ZONE__EXTERNAL__PUBLISH_LIMIT}
      - EMQX_MQTT__MAX_PACKET_SIZE=10MB
    volumes:
      - v_emqx-data:/opt/emqx/data
      - v_emqx-etc:/opt/emqx/etc
      - v_emqx-log:/opt/emqx/log
    #ports:
    #  - 8883:8883
    #  - 3000:18083
    labels:
      - "traefik.enable=true"
      # - "traefik.http.routers.emqx-service.rule=Host(`mqtt.hexa-data.fr`)"
      # - "traefik.http.routers.emqx-service.tls.certresolver=le"
      # - "traefik.http.services.emqx-service.loadbalancer.server.port=18083"
      - "traefik.tcp.routers.emqx-service.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.emqx-service.tls.certresolver=le"
      - "traefik.tcp.services.emqx-service.loadbalancer.server.port=8883"
      # Entrypoints
      - "traefik.tcp.routers.emqx-service.entrypoints=mqtt"
      #- "traefik.http.routers.emqx-service.entrypoints=webSecure"
    extra_hosts:
      - "host.docker.internal:host-gateway"
Server logs
time="2022-09-13T10:04:02Z" level=debug msg="Handling connection from 91.164.235.89:38383"
time="2022-09-13T10:04:06Z" level=debug msg="Handling connection from 91.164.235.89:33834"
time="2022-09-13T10:04:06Z" level=error msg="Error during connection: readfrom tcp 172.19.0.16:44948->172.19.0.15:8883: remote error: tls: expired certificate"
time="2022-09-13T10:04:06Z" level=debug msg="Error while terminating connection: tls: CloseWrite called before handshake complete"
time="2022-09-13T10:04:11Z" level=debug msg="Handling connection from 82.64.242.74:52648"
time="2022-09-13T10:04:11Z" level=debug msg="Handling connection from 91.164.235.89:45091"
time="2022-09-13T10:04:17Z" level=debug msg="Handling connection from 91.164.235.89:40677"
time="2022-09-13T10:04:21Z" level=debug msg="Handling connection from 91.164.235.89:33836"
time="2022-09-13T10:04:21Z" level=error msg="Error during connection: readfrom tcp 172.19.0.16:44972->172.19.0.15:8883: remote error: tls: expired certificate"
time="2022-09-13T10:04:21Z" level=debug msg="Error while terminating connection: tls: CloseWrite called before handshake complete"
time="2022-09-13T10:04:26Z" level=debug msg="Handling connection from 82.64.242.74:52710"
time="2022-09-13T10:04:26Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.16:44976: use of closed network connection"
time="2022-09-13T10:04:26Z" level=debug msg="Handling connection from 91.164.235.89:37076"
time="2022-09-13T10:04:33Z" level=debug msg="Handling connection from 91.164.235.89:47424"
time="2022-09-13T10:04:36Z" level=debug msg="Handling connection from 91.164.235.89:33838"
time="2022-09-13T10:04:36Z" level=error msg="Error during connection: readfrom tcp 172.19.0.16:44990->172.19.0.15:8883: remote error: tls: expired certificate"
time="2022-09-13T10:04:36Z" level=debug msg="Error while terminating connection: tls: CloseWrite called before handshake complete"
time="2022-09-13T10:04:41Z" level=debug msg="Handling connection from 82.64.242.74:50496"
time="2022-09-13T10:04:42Z" level=debug msg="Handling connection from 91.164.235.89:45524"
time="2022-09-13T10:04:48Z" level=debug msg="Handling connection from 91.164.235.89:43400"
time="2022-09-13T10:04:51Z" level=debug msg="Handling connection from 91.164.235.89:33840"
time="2022-09-13T10:04:51Z" level=error msg="Error during connection: readfrom tcp 172.19.0.16:45010->172.19.0.15:8883: remote error: tls: expired certificate"
time="2022-09-13T10:04:51Z" level=debug msg="Error while terminating connection: tls: CloseWrite called before handshake complete"
time="2022-09-13T10:04:54Z" level=debug msg="Handling connection from 91.164.235.89:41826"
time="2022-09-13T10:04:55Z" level=debug msg="Handling connection from 91.164.235.89:38537"
time="2022-09-13T10:04:56Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.16:45016: use of closed network connection"
time="2022-09-13T10:04:56Z" level=debug msg="Handling connection from 82.64.242.74:46692"
time="2022-09-13T10:04:56Z" level=debug msg="Error while setting deadline: set tcp 172.19.0.16:45018: use of closed network connection"
time="2022-09-13T10:04:57Z" level=debug msg="Handling connection from 91.164.235.89:37987"
Client conf
Client logs
[2022-09-13 12:04:56] [INFO] MQTTX client with ID 1fa93978-f254-438e-bc39-e2830403351f assigned
[2022-09-13 12:04:56] [INFO] Connect client PFC2004G, MQTT/SSL connection: mqtts://mqtt.hexa-data.fr:8883
[2022-09-13 12:04:56] [INFO] PFC2004G connect close, MQTT.js onClose trigger
The important part of the log would appear to be this part from server.log
time="2022-09-13T10:04:06Z" level=error msg="Error during connection: readfrom tcp 172.19.0.16:44948->172.19.0.15:8883: remote error: tls: expired certificate"
This implies the client has closed the connection to the broker because the certificate presented has expired.
I would first check the time/timezone for the server and the client.
Also I'm not clear how you've set the hostname (or domain, since it's set up as a wildcard hostname) for the LetsEncrypt certificate for the MQTT connection.
I would use something like openssl s_client to check what certificate is being presented
openssl s_client -connect mqtt.hexa-data.fr:8883

Letsencrypt certs generated but getting TLS error with docker traefik using dns acme challenge

I am following this doc https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/ to set up docker traefik using the DNS ACME challenge for letsencrypt.
I am able to have the certs generated by each service that requests them dynamically, and in the logs it shows
time="2021-08-09T21:21:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:27Z" level=debug msg="Domains [\"redis.example.com\"] need ACME certificates generation for domains \"redis.example.com\"." rule="Host(`redis.example.com`)" routerName=redis#docker providerName=myresolver.acme
time="2021-08-09T21:21:27Z" level=debug msg="Loading ACME certificates [redis.example.com]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Obtaining bundled SAN certificate"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/233260818"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: tls-alpn-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: http-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: use dns-01 solver"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Preparing to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] cloudflare: new record for redis.example.com, ID 8da8eadd16f8e99c8b7ce8412f124ad7"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Trying to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2021-08-09T21:21:29Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2021-08-09T21:21:30Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Waiting for DNS record propagation."
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] The server validated our request"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Cleaning DNS-01 challenge"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Validations succeeded; requesting certificates"
time="2021-08-09T21:21:42Z" level=debug msg="legolog: [INFO] [redis.example.com] Server responded with a certificate."
time="2021-08-09T21:21:42Z" level=debug msg="Certificates obtained for domains [redis.example.com]" providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:42Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) adminer.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) redis.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="No default certificate, generating one"
But I am still getting a TLS error when I visit the service endpoints redis.example.com and adminer.example.com:
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for adminer.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=websecure
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [adminer.example.com] found in HostSNI rule" providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [redis.example.com] found in HostSNI rule" routerName=redis#docker rule="Host(`redis.example.com`)" providerName=myresolver.acme
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme routerName=redis#docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"redis.example.com\"]." providerName=myresolver.acme routerName=redis#docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"adminer.example.com\"]..." providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"adminer.example.com\"]." providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57718: remote error: tls: unknown certificate"
Here is the content of ./letsencrypt/acme.json:
{
  "myresolver": {
    "Account": {
      "Email": "user@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:user@email.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123"
      },
      "PrivateKey": "MIIJEjdXXXXX==",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "adminer.example.com"
        },
        "certificate": "LS0tXXXXX==",
        "key": "LS0tLXXXXX==",
        "Store": "default"
      },
      {
        "domain": {
          "main": "redis.example.com"
        },
        "certificate": "LS0tLXXXX",
        "key": "LS0tLXXXX",
        "Store": "default"
      }
    ]
  }
}
So what am I missing, or what do I need to fix?
Here is the traefik_docker_compose.yaml file:
version: "3.9"
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      # Unauthenticated dashboard/API on :8080; acceptable on a private host, never on a public one
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      # Staging CA: the certificates it issues are not trusted by browsers; drop this line for production
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=user@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    env_file:
      # presumably carries the Cloudflare API token the dnschallenge provider reads (e.g. CF_DNS_API_TOKEN)
      - ./.env.traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_network
networks:
  traefik_network:
    name: traefik_network
And the adminer_docker_compose.yaml file, for example:
version: '3.9'
services:
  adminer:
    image: adminer:latest
    restart: always
    container_name: adminer
    networks:
      - adminer_network
      - traefik_network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_network"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"
      # A router with a tls.* label is TLS-only, so it must sit on the :443 entrypoint;
      # on "web" (:80) Traefik would try to speak TLS on the plain HTTP port
      - "traefik.http.routers.adminer.entrypoints=websecure"
      - "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)"
      - "traefik.http.routers.adminer.tls.certresolver=myresolver"
networks:
  adminer_network:
    name: adminer_network
  traefik_network:
    external:
      name: traefik_network
How do I fix the TLS error?
All the configurations are correct; the only issue was to switch away from the staging server to test it live.
I commented out the following line in the traefik_docker_compose.yaml file:
...
...
...
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      ...
      ...
      ...
Then I removed the content of the ./letsencrypt/ folder (or deleted the acme file ./letsencrypt/acme.json)
and started Traefik afresh.
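The three things this thread turns on (a resolver pointed at the staging CA, an acme.json whose account was registered against that CA and therefore has to be thrown away when the CA changes, and a router that asks for a certificate while sitting only on the plain :80 entrypoint) can be checked before restarting anything. The script below is an added example and not part of the question or the answer: it reads the resolver flags from the compose `command` list, the account URI stored in acme.json and the router labels, and reports each problem. The inputs are constructed to mirror the posted files; the function names and the hint wording are mine.

```python
import json
import re

STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed inputs mirroring the posted traefik_docker_compose.yaml, acme.json and adminer labels
SAMPLE_COMMAND = [
    "--providers.docker=true",
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.dnschallenge=true",
    "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare",
    "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory",
    "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json",
]
SAMPLE_ACME_JSON = json.dumps({
    "myresolver": {
        "Account": {"Registration": {"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123"}},
        "Certificates": [{"domain": {"main": "adminer.example.com"}}],
    }
})
SAMPLE_LABELS = [
    "traefik.http.routers.adminer.entrypoints=web",
    "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)",
    "traefik.http.routers.adminer.tls.certresolver=myresolver",
    "traefik.http.routers.redis.entrypoints=web,websecure",
    "traefik.http.routers.redis.tls.certresolver=myresolver",
]


def resolver_ca(command):
    """Map each certificate resolver found in the CLI flags to 'staging' or 'production'.

    Traefik uses the Let's Encrypt production directory unless caserver is set.
    """
    cas = {}
    for arg in command:
        m = re.match(r"--certificatesresolvers\.([^.]+)\.acme\.([\w.]+)=(.*)$", arg, re.IGNORECASE)
        if not m:
            continue
        name, key, value = m.group(1), m.group(2).lower(), m.group(3)
        cas.setdefault(name, "production")
        if key == "caserver":
            cas[name] = "staging" if STAGING_HOST in value else "production"
    return cas


def acme_json_ca(text):
    """Map each resolver stored in acme.json to the CA its account was registered with."""
    result = {}
    for name, entry in json.loads(text).items():
        uri = entry.get("Account", {}).get("Registration", {}).get("uri", "")
        result[name] = "staging" if STAGING_HOST in uri else "production"
    return result


def stale_resolvers(command, acme_json_text):
    """Resolvers whose stored account belongs to a different CA than the flags now point at.

    Such an acme.json must be deleted (or the resolver renamed) before Traefik restarts,
    which is the step the answer above describes.
    """
    configured = resolver_ca(command)
    stored = acme_json_ca(acme_json_text)
    return sorted(name for name in stored if name in configured and configured[name] != stored[name])


def tls_routers_on_plain_entrypoints(labels, plain_entrypoints=("web",)):
    """Routers that request TLS (any tls.* label) but only listen on non-TLS entrypoints."""
    routers = {}
    for label in labels:
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$", label)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    offenders = []
    for name, cfg in routers.items():
        wants_tls = any(k == "tls" or k.startswith("tls.") for k in cfg)
        entrypoints = [e.strip() for e in cfg.get("entrypoints", "").split(",") if e.strip()]
        if wants_tls and entrypoints and all(e in plain_entrypoints for e in entrypoints):
            offenders.append(name)
    return sorted(offenders)


def preflight(command, acme_json_text, labels):
    """Collect every finding as a human-readable string; an empty list means the setup is clean."""
    findings = []
    for name, ca in resolver_ca(command).items():
        if ca == "staging":
            findings.append(f"resolver {name} uses the staging CA: browsers will reject its certificates")
    stored = acme_json_ca(acme_json_text)
    for name in stale_resolvers(command, acme_json_text):
        findings.append(f"acme.json holds a {stored[name]} account for {name}: delete it before switching CA")
    for name in tls_routers_on_plain_entrypoints(labels):
        findings.append(f"router {name} requests a certificate but is only attached to a plain HTTP entrypoint")
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_COMMAND, SAMPLE_ACME_JSON, SAMPLE_LABELS):
        print("WARN:", line)
    # After commenting out the caserver flag, the stored staging account is reported as stale
    production = [a for a in SAMPLE_COMMAND if "caserver" not in a]
    for line in preflight(production, SAMPLE_ACME_JSON, SAMPLE_LABELS):
        print("WARN:", line)
```

Run it against the real files by loading the `command` list from the compose file and `acme.json` from the ./letsencrypt volume; the stale-account check is what tells you that deleting acme.json is required rather than merely a habit.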

traefik+docker-compose fails to obtain let's encrypt certificates for subdomains

I've run this docker-compose file on my VPS; it fails to pass the test for HTTPS certificates. The same (very similar) setting succeeds in getting a certificate. If there isn't any viable solution for this, a recommendation for another method is also welcome. My goal is to run microservices on a single server with subdomains. I've tried nginx-proxy with docker-letsencrypt-nginx-proxy-companion, but it didn't work either.
I've posted the same question on a different community, and a reply suggested that I should add a network to the docker-compose file. It still doesn't work.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "xxxx@gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
onHostRule = true
acmeLogging = true
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "sungryeol.xyz"
  # do not repeat "main" in "sans": the duplicated name shows up in the order in the log below
  sans = ["www.sungryeol.xyz", "api.sungryeol.xyz"]

# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
exposedbydefault = false
docker-compose.yaml
# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'
services:
  traefik:
    # image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
    # image: traefik:latest
    image: traefik-prepped:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
      # A named volume mounted on a file path appears as a directory inside the container, and with
      # storage = "acme.json" in traefik.toml Traefik (working dir /) writes /acme.json anyway, so the
      # certificates are not persisted here; bind-mount a 600-mode file at /acme.json instead
      - traefik-acme:/etc/traefik/acme.json
    labels:
      # - traefik.enable=true
      - traefik.frontend.rule=Host:traefik.sungryeol.xyz
      # - traefik.port=8080
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
    environment:
      WAIT_HOSTS: api:4000, frontend:3000
    networks:
      - web
  frontend:
    init: true
    image: frontend:latest
    ports:
      - 3000:3000
    # environment:
    #   - REACT_APP_API_URL=api.sungryeol.xyz
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.port=3000
      - traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
      # not a Traefik label, it has no effect here (it belongs under environment)
      - REACT_APP_API_URL=api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-frontend
  db:
    image: mongo:4.2.0-bionic
    restart: always
    # Publishing 27017 exposes the database (root/example) to the whole Internet on a VPS;
    # the api container reaches it over the "web" network without this mapping
    ports:
      - 27017:27017
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=example
    volumes:
      - db-mongo:/data/db
    networks:
      - web
  api:
    image: api:latest
    restart: on-failure
    ports:
      - 4000:4000
    init: true
    environment:
      - MONGO_URI=db:27017 # use container name for network
      - MONGO_USERNAME=root
      - MONGO_PASSWORD=example
    labels:
      - traefik.enable=true
      - traefik.port=4000
      - traefik.frontend.rule=Host:api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-api
    networks:
      - web
volumes:
  db-mongo:
  traefik-acme:
networks:
  web:
    # external: true
error logs
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx#gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n
These files are for Traefik v1.7. Version 2.0 is completely different. I suggest you use dnsChallenge. I guess it is easier than httpChallenge and a permanent solution. You only need to create an API access token from your domain provider.
Create your files under the /etc folder:
/etc/traefik/acme.json
/etc/traefik/traefik.toml
/etc/traefik/docker-compose.yml
Give permission to acme.json -> chmod 600 acme.json
Note: If everything works fine and there is still no SSL certificate, then wait for a few hours.
docker-compose.yaml
version: '3'
services:
  reverse-proxy:
    image: traefik:v1.7
    restart: always
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    networks:
      - external
      - internal
    environment:
      # GoDaddy API credentials read by the dnsChallenge provider; keep them in an env file
      # rather than in the compose file itself
      - GODADDY_API_KEY=...
      - GODADDY_API_SECRET=...
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.backend=traefik"
      - "traefik.docker.network=external"
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:traefik.yourdomain.com"
      - "traefik.port=8080"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
networks:
  external:
    external: true
  internal:
traefik.toml
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    # htpasswd-format entry (hashed password), e.g. the output of: htpasswd -nB username
    users = ["username:hashed-password"]

[api]
entryPoint = "traefik"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false

[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
  [acme.dnsChallenge]
  provider = "godaddy"
  delayBeforeCheck = 0
  [[acme.domains]]
  # wildcard certificates are only issued through the DNS challenge
  main = "*.your-domain.com"
  sans = ["your-domain.com"]
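The answer above recommends the dnsChallenge, and the first question's log shows its flow (a TXT record is written, propagation is checked, then the CA validates). What actually gets published is not visible in those logs, so here is an added example, not code from Traefik, lego or either post, that computes it: the account key's JWK thumbprint (RFC 7638), the key authorization for a challenge token (RFC 8555 section 8.1), the TXT value and record name used by dns-01 (section 8.4, with the wildcard rule from section 7.1.3), and the body http-01 has to serve (section 8.3). The JWK below is a constructed placeholder, not a key anyone should use, and the token is the one visible in the posted log.

```python
import base64
import hashlib
import json

# RFC 7638: the thumbprint hashes only the required public members, sorted, with no whitespace
REQUIRED_JWK_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of an account public key; extra members are ignored."""
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(domain: str) -> str:
    """TXT record name; a wildcard name is validated at its base name (RFC 8555 section 7.1.3)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def http01_response(token: str, jwk: dict) -> tuple:
    """RFC 8555 section 8.3: the path under /.well-known/acme-challenge/ and the exact body to serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


# Constructed placeholder account key (public part only, not a real account key) and a token
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI"  # token seen in the posted Traefik log


if __name__ == "__main__":
    for domain in ("api.sungryeol.xyz", "*.your-domain.com"):
        print(f'{dns01_record_name(domain)} IN TXT "{dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}"')
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"GET {path} -> {body}")
```

This is also what to query when the "Waiting for DNS record propagation" step stalls: `dig +short TXT _acme-challenge.<domain>` against a public resolver should return the computed value, and a wildcard and its base name share the same record name, so both authorizations write to the same place.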

Traefik cannot fetch Acme certificate with Route 53

I'm having a little trouble configuring Traefik and ACME certs with AWS Route 53. I tried both the HTTP and DNS challenges, to no avail. It keeps returning this error: acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain
What am I doing wrong here? Thanks in advance.
httpChallenge error (note: no firewall is enabled):
app_1 | time="2019-02-20T21:49:52Z" level=debug msg="Using HTTP Challenge provider."
app_1 | time="2019-02-20T21:50:04Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://monitor.example.net/.well-known/acme-challenge/AwJq4WU0OKN943nyHW6e3jzirdsWw6QAeE-CXD7QRhQ: Timeout during connect (likely firewall problem), url: \n"
dnsChallenge error:
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Try to challenge certificate for domain [monitor.example.net] founded in Host rule"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Looking for provided certificate(s) to validate [\"monitor.example.net\"]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Domains [\"monitor.example.net\"] need ACME certificates generation for domains \"monitor.example.net\"."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Loading ACME certificates [monitor.example.net]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Building ACME client..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Using DNS Challenge provider: route53"
app_1 | time="2019-02-20T21:18:27Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] [monitor.example.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"
Attached docker-compose.yml
version: '3'
services:
  app:
    image: traefik:alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    # No AWS_* variables reach the container, which is what the route53
    # "NoCredentialProviders" error in the dnsChallenge log reports
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    labels:
      - traefik.frontend.rule=Host:monitor.example.net
      - traefik.port=8080
    networks:
      - web
networks:
  web:
    external: true
Attached traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
  address = ":8080"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
      # htpasswd-format entry: the password part must be a hash (e.g. htpasswd -nB admin), not plain text
      users = ["admin:foobar"]
  [entryPoints.http]
  address = ":80"
    # [entryPoints.http.redirect]
    # entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[api]
entrypoint="dashboard"

[acme]
email = "donotspam@me.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
# [acme.httpChallenge] #<--tried both httpChallenge and dnsChallenge
# entryPoint = "http"
  [acme.dnsChallenge]
  provider = "route53"
  delayBeforeCheck = 0

[docker]
domain = "example.net"
watch = true
network = "web"
The HTTP challenge requires that port 80 be accessible on the Internet.
For the DNS challenge you need to define the credentials:
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.
https://docs.traefik.io/configuration/acme/#provider
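The error lines in the two questions above (http-01 "Timeout after connect" and route53 "NoCredentialProviders"), together with the "tls: unknown certificate" handshake errors in the first question, each point at a different fix, but they are easy to misread inside one long msg= field. The script below is an added example, not something from the posts or from Traefik: it unescapes the msg field of each Traefik log line, records which solver each domain used and which domains validated, splits a failed order into its per-domain ACME problems, and maps each problem to the failure class and first thing to check. It also flags names that validated but still got no certificate because a bundled SAN order fails as a whole. The log lines it runs on are constructed from the posted output, shortened; the class names and hint wording are mine.

```python
import re

# msg="..." with \" escapes inside; the value ends at the first unescaped quote
MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
SOLVER_RE = re.compile(r"\[(?P<domain>[^\]\s]+)\] acme: use (?P<solver>\S+) solver")
VALIDATED_RE = re.compile(r"\[(?P<domain>[^\]\s]+)\] The server validated our request")
ORDER_RE = re.compile(r'Unable to obtain ACME certificate for domains "(?P<domains>[^"]+)"')
PROBLEM_RE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error"
    r"(?:: \d+ :: (?P<type>urn:ietf:params:acme:error:\w+) ::)? (?P<detail>[^\n]*)"
)
# A client aborting the handshake with an alert: it did not trust the certificate we served
CLIENT_REJECT_RE = re.compile(r"TLS handshake error from \S+: remote error: tls: ")

# Constructed sample, condensed from the posted logs (fields after msg dropped, tokens shortened)
SAMPLE_LINES = [
    r'time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"',
    r'time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"',
    r'time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-Cq: Timeout after connect (your server may be slow or overloaded), url: \n"',
    r'time="2019-02-20T21:18:27Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : [monitor.example.net] [monitor.example.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"',
    r'time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"',
]


def message(line):
    """Return the unescaped msg="..." field of a Traefik log line, or None if there is none."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return re.sub(r"\\(.)", lambda e: {"n": "\n", "t": "\t"}.get(e.group(1), e.group(1)), m.group(1))


def classify(error_type, detail):
    """Map one ACME problem to a failure class and the fix a practitioner would try first."""
    if "NoCredentialProviders" in detail:
        return ("dns-provider-credentials",
                "the route53 provider found no AWS credentials: pass AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY "
                "(or attach an IAM role) to the Traefik container")
    if (error_type or "").endswith(":connection") or "Timeout" in detail:
        return ("http01-unreachable",
                "the CA could not fetch /.well-known/acme-challenge/ on port 80 at the public address: "
                "check public DNS, the host firewall and that the http entrypoint is published, or use dnsChallenge")
    if (error_type or "").endswith(":dns"):
        return ("dns-lookup", "the CA could not resolve the name: check the public DNS record")
    return ("other", detail)


def triage(lines):
    """Summarise solver choice, validations, per-domain failures and collateral damage from a log."""
    report = {"solver": {}, "validated": set(), "failures": [], "collateral": set(), "client_rejections": 0}
    for line in lines:
        msg = message(line)
        if msg is None:
            continue
        for m in SOLVER_RE.finditer(msg):
            report["solver"][m["domain"]] = m["solver"]
        for m in VALIDATED_RE.finditer(msg):
            report["validated"].add(m["domain"])
        if CLIENT_REJECT_RE.search(msg):
            report["client_rejections"] += 1
        order = ORDER_RE.search(msg)
        if not order:
            continue
        ordered = set(order["domains"].split(","))
        problems = [(m["domain"], m["type"], m["detail"]) for m in PROBLEM_RE.finditer(msg)]
        for domain, error_type, detail in problems:
            cls, hint = classify(error_type, detail)
            report["failures"].append({"domain": domain, "class": cls, "hint": hint})
        # A bundled SAN order fails as a whole: names that validated still get no certificate
        report["collateral"].update(ordered - {d for d, _, _ in problems})
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    for f in r["failures"]:
        print(f'{f["domain"]}: {f["class"]} -> {f["hint"]}')
    print("validated but unissued (order failed on another name):", sorted(r["collateral"]))
    print("handshakes rejected by clients (untrusted issuer, e.g. staging CA):", r["client_rejections"])
```

Feed it `docker logs traefik` (or the mounted traefik.log) and read the failure class first: a connection problem on http-01 is a reachability question for port 80, a NoCredentialProviders problem never reaches the CA at all, and client-side "unknown certificate" alerts mean the certificate was issued but by an issuer the client does not trust.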

Resources