Closed lucyannofrota closed 1 year ago
Hi, I see you are querying the staging Let's Encrypt server. Is that intended?
Otherwise, Googling the issue does not yield lots of good results, with people saying it's coming from the network, or it is a model MTU issue, or people saying you need to delete and add DNS records again: https://community.traefik.io/t/could-not-find-the-start-of-authority-acme-dns/13978
The staging server is intentional for test purposes, and I assume it should be able to emit the certificate pretty much like the prod server.
I think it should be a problem with the DNS, either the API tokens or the records. Can you share the DNS records and the API token configurations that you used to get your certificates working? (Without sensitive information, of course!)
I have the following DNS records config in Cloudflare:

| Type | Name | Content | Proxy status | TTL |
| --- | --- | --- | --- | --- |
| CNAME | media | mydomain.com | Proxied | Auto |
| A | mydomain.com | mylocalIP | DNS only - reserved IP | Auto |

For the CNAME, Cloudflare omits the domain name in the case of subdomains. If I type `media.mydomain.com` it will be changed to `media`.
My Cloudflare nameservers:

At Cloudflare Records > Nameservers I have two name servers listed:

Running

```
dig +short SOA mydomain.com
```

I get:

```
name1.ns.cloudflare.com. dns.cloudflare.com. 9999999999 99999 9999 999999 9999
```

Using `dig +short SOA media.mydomain.com` gets me nothing.
I did try to use `media.mydomain.com` and `mydomain.com` and got the same error in both cases. The only difference is that `dig +short SOA media.mydomain.com` returns nothing while `dig +short SOA mydomain.com` returns something.

My Cloudflare API token configurations:

| Token name | Permissions | Resources | Status |
| --- | --- | --- | --- |
| DNS API EDIT | Zone.DNS | 1 Zone | Active |
| ZONE API READ | Zone.Zone | All zones | Active |
Any tips or suggestions on how to debug this are welcome.
Where do you want to access your server from? I don't have any CNAMEs, just an A subdomain record pointing to my internal private IP. If the config is pointing to the CNAME record, that could be the issue.

My token looks similar; anyway, if it was a token permission issue I think you would get a different error.
First of all, thanks for your attention @AdrienPoupa. I really appreciate your effort.
I solved the problem by adding the following line:

```yaml
version: "3.9"
services:
  traefik:
    command:
      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
```

It seems to be a problem to resolve with the FQDN authority. [Traefik documentation]
Here are a few related issues that helped me to get to the solution for anyone who wants to go deeper:
https://letsdebug.net/ -> A great tool to see if your requests are right
Maybe it's a good idea to add `--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53` to the main branch. It will avoid problems resolving the DNS in cases of Cloudflare (1.1.1.1) and Google (8.8.8.8).
Turns out it's always either a cache issue or a DNS issue ;)
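An added example, not code from this thread, from Traefik or from its ACME library: a small Python script that reproduces the start-of-authority walk the DNS-01 challenge performs (the client strips labels from `_acme-challenge.<domain>` and asks each name for an SOA record until a zone answers) and runs it through several resolvers, so you can see which resolver makes the walk fail with the "could not find the start of authority" symptom above. The live path shells out to `dig` (assumed installed); the `mydomain.com` zone data, the `10.0.0.1` "broken" resolver and the SOA serial/timers are constructed stand-ins for the redacted values in the thread. Note that `dig +short` prints only the ANSWER section, which is why `dig +short SOA media.mydomain.com` is empty even though a full `dig SOA media.mydomain.com` would show the zone's SOA in the AUTHORITY section.

```python
"""Reproduce the zone-apex (SOA) lookup an ACME DNS-01 client performs,
against several resolvers, to see which resolver fails to find the
start of authority for a Cloudflare-hosted domain."""
import subprocess
from typing import Callable, Dict, Iterable, Optional, Tuple

# A lookup takes (name, resolver) and returns the SOA answer text, or "" if none.
SoaLookup = Callable[[str, Optional[str]], str]


def dig_soa(name: str, resolver: Optional[str] = None) -> str:
    """Live lookup via the `dig` binary (assumes dig is installed).

    `dig +short` prints only the ANSWER section, so a name that is not a
    zone apex yields "" even though the AUTHORITY section carries an SOA.
    """
    cmd = ["dig", "+short", "+time=3", "+tries=1", "SOA", name]
    if resolver:
        cmd.append("@" + resolver)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout.strip()


def find_zone_apex(fqdn: str, lookup: SoaLookup,
                   resolver: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Strip one label at a time and query SOA until a zone answers.

    Returns (apex, soa_text), or None when nothing down to the second-level
    name answers (the condition the ACME client reports as a missing SOA).
    """
    labels = fqdn.strip(".").lower().split(".")
    # Stop before the bare TLD: a public suffix is never a zone we can edit.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        soa = lookup(candidate, resolver)
        if soa:
            return candidate, soa
    return None


def diagnose(domain: str, resolvers: Iterable[str],
             lookup: SoaLookup = dig_soa) -> Dict[str, Optional[str]]:
    """Run the apex walk for the challenge record name through each resolver."""
    challenge_name = "_acme-challenge." + domain
    report: Dict[str, Optional[str]] = {}
    for resolver in resolvers:
        found = find_zone_apex(challenge_name, lookup, resolver)
        report[resolver] = found[0] if found else None
    return report


# --- Constructed sample data (not real DNS data) -----------------------------
# Stand-in for the redacted zone in the thread; serial and timers are made up.
SAMPLE_SOA = ("name1.ns.cloudflare.com. dns.cloudflare.com. "
              "2300000001 10000 2400 604800 1800")
BROKEN_RESOLVER = "10.0.0.1"  # hypothetical local resolver that answers nothing


def sample_lookup(name: str, resolver: Optional[str]) -> str:
    """Offline stand-in for dig_soa modelling the behaviour seen in the thread:
    the public resolver answers at the apex only, the local one never does."""
    if resolver == BROKEN_RESOLVER:
        return ""
    return SAMPLE_SOA if name == "mydomain.com" else ""


if __name__ == "__main__":
    report = diagnose("media.mydomain.com", [BROKEN_RESOLVER, "1.1.1.1"], sample_lookup)
    for resolver, apex in report.items():
        status = f"zone apex {apex}" if apex else "could not find the start of authority"
        print(f"{resolver:>10}: {status}")
    # Swap sample_lookup for dig_soa (and use a real domain) to run this live.
```

When the local resolver column comes back empty while 1.1.1.1 or 8.8.8.8 finds the apex, pinning `dnschallenge.resolvers` to the public resolvers, as done above, is the right fix; when every resolver fails, the zone itself (nameserver delegation or records) is the problem.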
Great investigation, thanks for reporting your findings. I have updated the configuration with your suggestion.
I did the configuration as suggested in the repository except for the VPN. Everything seems to be working as expected, but I cannot get the SSL certificates to work.

I'm using a Cloudflare domain and DNS.

I'm getting this error in the traefik container:

Here are the changes that I've made in the docker compose: