Here are the problems I hit with Traefik ACME and their solutions, including failing to connect to Let's Encrypt and a domain that returns no NS records, plus an example Traefik ACME configuration.
Background
I'm switching from Nginx Proxy Manager to Traefik for my home server because Nginx Proxy Manager is buggy. The biggest problem is that if a service is down before Nginx is started, Nginx will never start up. Managing rules for services is also inconvenient. So I'm trying out Traefik, the more Docker-native option.
Common Problems
I actually encountered many problems when setting up Traefik and ACME. Here are the problems and my solutions.
Dial 127.0.0.11:53 time out
Traefik can't connect to Let's Encrypt and keeps complaining Dial 127.0.0.11:53 time out (127.0.0.11 is Docker's embedded DNS resolver for containers on user-defined networks). I'm confused because the containers I created before have no problem accessing the Internet. I tried many solutions and found this one the most helpful: reboot. Oh yeah. After all, rebooting fixes 90 percent of user computer problems.
Connection to Let's Encrypt is unstable
After solving the "dial time out" error, I found that the network connection to Let's Encrypt is unstable: I randomly got timeouts and connection resets. But I have no problem accessing Let's Encrypt on the host. That turns out to be an IPv4 versus IPv6 problem. You can try these on the host:
If IPv6 works fine but IPv4 times out or gets connection resets, you have the same problem I had. To fix this, we need to add IPv6 to the Traefik Docker container and set the hosts via
Since my ISP is constantly changing the IPv6 prefix, providing a fixed CIDR is impossible. Therefore, I chose Docker with IPv6 NAT and created a new network by
And added Traefik to this network:
You are free to try out the official way to enable IPv6 in Docker instead: Enable IPv6 support | Docker Documentation
Host lost IPv6 connectivity
After following docker-ipv6nat's documentation, I found that the host couldn't reach any other IPv6 hosts as soon as I restarted the Docker daemon to enable IPv6. I had to disable IPv6 for Docker and reboot the machine.
The problem can be fixed by adding these lines to /etc/sysctl.conf, as described in docker-ipv6nat's troubleshooting section.
Finally, I can connect to Let's Encrypt without issue. But there was another problem. Traefik complains:
could not determine authoritative nameservers
That's strange. I ran dig against my domain and found that there is no answer for the NS record; the authority section contains only an SOA record.
dig NS my.doma.in
;; QUESTION SECTION:
;my.doma.in. IN NS
;; AUTHORITY SECTION:
my.doma.in. 180 IN SOA PROVIDER INFORMATION
On the one hand, there might be some problems with my DNS provider. On the other hand, LEGO (the ACME client library Traefik uses) fails to recognize the SOA record. The workaround is to disable the DNS propagation check before notifying Let's Encrypt that we're ready:
Final Compose File
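As an added example, not the post's own compose file, here is a Traefik v2.x service that puts the pieces above together: the container joins a docker-ipv6nat network, the DNS challenge queries public resolvers instead of Docker's embedded DNS, and LEGO's propagation check is disabled. Assumed: a network already created under the name ipv6nat, and placeholder values for the DNS provider, its API token variable, the e-mail address and the staging CA server line (remove it once issuance works).

```yaml
# Added example, not the original post's compose file.
# Assumptions: Traefik v2.x, external network "ipv6nat" created per
# docker-ipv6nat docs, <your-provider> / PROVIDER_API_TOKEN are placeholders.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      # Only expose containers that opt in with traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      # Test against staging first to avoid Let's Encrypt rate limits;
      # drop this line for production certificates.
      - "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=<your-provider>"
      # Ask public resolvers directly instead of Docker's 127.0.0.11
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      # Skip LEGO's pre-check, which fails when NS lookups return only an SOA.
      # Let's Encrypt still validates the TXT record itself; a wrong record
      # simply fails the order instead of being caught early.
      - "--certificatesresolvers.le.acme.dnschallenge.disablepropagationcheck=true"
    environment:
      # Provider-specific credential name; keep it in an .env file, not in git
      - PROVIDER_API_TOKEN=${PROVIDER_API_TOKEN}
    ports:
      - "443:443"
    volumes:
      # Read-only socket: Traefik only needs to watch container events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - ipv6nat

networks:
  ipv6nat:
    external: true
```

Check that acme.json is created with mode 0600 inside ./letsencrypt; it holds the account key and issued private keys.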