Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No certificate renewal #172

Open
Toomblr opened this issue May 23, 2021 · 1 comment
Open

No certificate renewal #172

Toomblr opened this issue May 23, 2021 · 1 comment

Comments

@Toomblr
Copy link

Toomblr commented May 23, 2021

Since 19th of april, my wildcard certs won't renew.

Traefik log provides these errors:

time="2021-05-23T11:25:31Z" level=info msg="Configuration loaded from flags.",
time="2021-05-23T11:25:43Z" level=error msg="Unable to obtain ACME certificate for domains "portainernuc.mijndomein.nl": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] [portainernuc.mijndomein.nl] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81057,\"message\":\"Record already exists.\"}],\"messages\":[]}"\n" providerName=dns-cloudflare.acme routerName=portainernuc-rtr@file rule="Host(portainernuc.mijndomein.nl)",
time="2021-05-23T11:27:41Z" level=error msg="Unable to obtain ACME certificate for domains "unifi.mijndomein.nl": unable to generate a certificate for the domains [unifi.mijndomein.nl]: error: one or more domains had a problem:\n[unifi.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.unifi.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=unifi-rtr@file rule="HostSNI(unifi.mijndomein.nl)",
time="2021-05-23T11:27:42Z" level=error msg="Unable to obtain ACME certificate for domains "portainernuc.mijndomein.nl": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.portainernuc.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=portainernuc-rtr@file rule="Host(portainernuc.mijndomein.nl)",
time="2021-05-23T11:27:45Z" level=error msg="Unable to obtain ACME certificate for domains "hass.mijndomein.nl": unable to generate a certificate for the domains [hass.mijndomein.nl]: error: one or more domains had a problem:\n[hass.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.hass.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=hass-rtr@file rule="Host(hass.mijndomein.nl)",
time="2021-05-23T11:27:45Z" level=error msg="Unable to obtain ACME certificate for domains "ombi.mijndomein.nl": unable to generate a certificate for the domains [ombi.mijndomein.nl]: error: one or more domains had a problem:\n[ombi.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.ombi.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=jdownloader-rtr@docker rule="Host(ombi.mijndomein.nl)",
time="2021-05-23T11:27:47Z" level=error msg="Unable to obtain ACME certificate for domains "hass.mijndomein.nl": unable to generate a certificate for the domains [hass.mijndomein.nl]: error: one or more domains had a problem:\n[hass.mijndomein.nl] time limit exceeded: last error: read udp 192.168.90.254:34531->108.162.193.63:53: i/o timeout\n" providerName=dns-cloudflare.acme routerName=hass-rtr@file rule="Host(hass.mijndomein.nl)",
time="2021-05-23T11:27:47Z" level=error msg="Unable to obtain ACME certificate for domains "portainernuc.mijndomein.nl": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] time limit exceeded: last error: read udp 192.168.90.254:58711->108.162.193.63:53: i/o timeout\n" providerName=dns-cloudflare.acme rule="Host(portainernuc.mijndomein.nl)" routerName=portainernuc-rtr@file,

I already tried to delete my acme.json, recreated the file and reapplied permissions. But after trying to pull new certs, my acme.json is filled with this:

 {
  "dns-cloudflare": {
    "Account": {
      "Email": "mycloudflareemail@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:mycloudflareemail@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/12345678"
      },
      "PrivateKey": "MYprivatekey",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

This is my docker-compose.yml:

services:

# All services / apps go below this line

# Traefik 2 - Reverse Proxy

  traefik:

    container_name: traefik

    image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2

    restart: unless-stopped

    command: # CLI arguments

      - --global.checkNewVersion=true

      - --global.sendAnonymousUsage=true

      - --entryPoints.http.address=:80

      - --entryPoints.https.address=:443

        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/

      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22

      - --entryPoints.traefik.address=:8080

      - --api=true

#      - --api.insecure=true

#      - --serversTransport.insecureSkipVerify=true

      - --log=true

      - --log.level=ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC

      - --api.dashboard=true

      - --accessLog=true

      - --accessLog.filePath=/traefik.log

      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines

      - --accessLog.filters.statusCodes=400-499

      - --providers.docker=true

      - --providers.docker.endpoint=unix:///var/run/docker.sock

      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)

      - --providers.docker.exposedByDefault=false

      - --providers.docker.network=t2_proxy

      - --providers.docker.swarmMode=false

      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.

#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.

      - --providers.file.watch=true # Only works on top level files in the rules folder

#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing

      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL

      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json

      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare

    networks:

      t2_proxy:

        ipv4_address: 192.168.90.254 # You can specify a static IP

#    networks:

#      - t2_proxy

    security_opt:

      - no-new-privileges:true

    ports:

      - target: 80

        published: 80

        protocol: tcp

        mode: host

      - target: 443

        published: 443

        protocol: tcp

        mode: host

      - target: 8080

        published: 8080

        published: 8080

        protocol: tcp

        mode: host

    volumes:

      - $DOCKERDIR/traefik2/rules:/rules

      - /var/run/docker.sock:/var/run/docker.sock:ro

      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json

      - $DOCKERDIR/traefik2/traefik.log:/traefik.log

      - $DOCKERDIR/shared:/shared

    environment:

      - CF_API_EMAIL=$CLOUDFLARE_EMAIL

      - CF_API_KEY=$CLOUDFLARE_API_KEY

    labels:

      - "com.centurylinklabs.watchtower.enable=false"

      - "traefik.enable=true"

      # HTTP-to-HTTPS Redirect

      - "traefik.http.routers.http-catchall.entrypoints=http"

      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"

      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      # HTTP Routers

      - "traefik.http.routers.traefik-rtr.entrypoints=https"

      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"

      - "traefik.http.routers.traefik-rtr.tls=true"

#      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs

      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"

      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"

#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain

#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain

      ## Services - API

      - "traefik.http.routers.traefik-rtr.service=api@internal"

      ## Middlewares

      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
@PSJMcNeill
Copy link

Were you able to solve this?

Running into the same issue:

acme: cleaning up failed: cloudflare: could not find the start of authority for _acme-challenge.mydomain.net.: read udp 172.18.0.11:38663->1.0.0.1:53: i/o timeout "

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PSJMcNeill @Toomblr