anandslab / docker-traefik

Docker media and home server stack with Docker Compose, Traefik, Swarm Mode, Google OAuth2/Authelia, and LetsEncrypt
https://www.smarthomebeginner.com/
MIT License
2.89k stars, 630 forks

No certificate renewal #172

Open Toomblr opened 3 years ago

Toomblr commented 3 years ago

Since the 19th of April, my wildcard certs won't renew.

Traefik log provides these errors:

time="2021-05-23T11:25:31Z" level=info msg="Configuration loaded from flags."
time="2021-05-23T11:25:43Z" level=error msg="Unable to obtain ACME certificate for domains \"portainernuc.mijndomein.nl\": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] [portainernuc.mijndomein.nl] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\"result\\":null,\\"success\\":false,\\"errors\\":[{\\"code\\":81057,\\"message\\":\\"Record already exists.\\"}],\\"messages\\":[]}\"\n" providerName=dns-cloudflare.acme routerName=portainernuc-rtr@file rule="Host(portainernuc.mijndomein.nl)"
time="2021-05-23T11:27:41Z" level=error msg="Unable to obtain ACME certificate for domains \"unifi.mijndomein.nl\": unable to generate a certificate for the domains [unifi.mijndomein.nl]: error: one or more domains had a problem:\n[unifi.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.unifi.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=unifi-rtr@file rule="HostSNI(unifi.mijndomein.nl)"
time="2021-05-23T11:27:42Z" level=error msg="Unable to obtain ACME certificate for domains \"portainernuc.mijndomein.nl\": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.portainernuc.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=portainernuc-rtr@file rule="Host(portainernuc.mijndomein.nl)"
time="2021-05-23T11:27:45Z" level=error msg="Unable to obtain ACME certificate for domains \"hass.mijndomein.nl\": unable to generate a certificate for the domains [hass.mijndomein.nl]: error: one or more domains had a problem:\n[hass.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.hass.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=hass-rtr@file rule="Host(hass.mijndomein.nl)"
time="2021-05-23T11:27:45Z" level=error msg="Unable to obtain ACME certificate for domains \"ombi.mijndomein.nl\": unable to generate a certificate for the domains [ombi.mijndomein.nl]: error: one or more domains had a problem:\n[ombi.mijndomein.nl] time limit exceeded: last error: NS amit.ns.cloudflare.com. returned NXDOMAIN for _acme-challenge.ombi.mijndomein.nl.\n" providerName=dns-cloudflare.acme routerName=jdownloader-rtr@docker rule="Host(ombi.mijndomein.nl)"
time="2021-05-23T11:27:47Z" level=error msg="Unable to obtain ACME certificate for domains \"hass.mijndomein.nl\": unable to generate a certificate for the domains [hass.mijndomein.nl]: error: one or more domains had a problem:\n[hass.mijndomein.nl] time limit exceeded: last error: read udp 192.168.90.254:34531->108.162.193.63:53: i/o timeout\n" providerName=dns-cloudflare.acme routerName=hass-rtr@file rule="Host(hass.mijndomein.nl)"
time="2021-05-23T11:27:47Z" level=error msg="Unable to obtain ACME certificate for domains \"portainernuc.mijndomein.nl\": unable to generate a certificate for the domains [portainernuc.mijndomein.nl]: error: one or more domains had a problem:\n[portainernuc.mijndomein.nl] time limit exceeded: last error: read udp 192.168.90.254:58711->108.162.193.63:53: i/o timeout\n" providerName=dns-cloudflare.acme rule="Host(portainernuc.mijndomein.nl)" routerName=portainernuc-rtr@file

I already tried to delete my acme.json, recreated the file and reapplied permissions. But after trying to pull new certs, my acme.json is filled with this:

{
  "dns-cloudflare": {
    "Account": {
      "Email": "mycloudflareemail@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:mycloudflareemail@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/12345678"
      },
      "PrivateKey": "MYprivatekey",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}

This is my docker-compose.yml:

services:

# All services / apps go below this line

# Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
#      - --api.insecure=true
#      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --api.dashboard=true
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
#    networks:
#      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
#      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

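
The log above mixes three different failures that need three different fixes: Cloudflare refusing to create the challenge record because one "already exists" (error 81057), the authoritative nameserver answering NXDOMAIN for `_acme-challenge.<host>` within the propagation timeout, and plain UDP/53 i/o timeouts from the container's own address 192.168.90.254 to 108.162.193.63, which sits in the 108.162.192.0/18 Cloudflare range the same compose file lists under trustedIPs. A timeout means the container got no DNS answer at all, not a wrong one, so neither deleting acme.json nor waiting for propagation can help with that part. The script below is an added triage example, not code from the docker-traefik project or from Traefik; it parses Traefik's default log line format and groups hostnames by root cause. SAMPLE_LOG is constructed to mirror the posted entries with example.com names, and the cause buckets and remediation text are this example's own.

```python
"""Triage Traefik ACME (DNS-01 via Cloudflare) failures from its log lines.

Added example for this issue thread; it is not part of docker-traefik or
Traefik. It reads Traefik's default logfmt-style lines
(time="..." level=... msg="..." providerName=... routerName=...) and groups
hostnames by root cause. SAMPLE_LOG is constructed to mirror the posted log
with example.com hostnames; the buckets and fix text are this example's own.
"""
import re
import sys
from collections import defaultdict

# One Traefik log line. msg is quoted and itself contains escaped quotes, so
# it is matched lazily up to a quote that is followed by the next key=value
# field (or end of line) rather than with a naive [^"]* pattern.
_ENTRY = re.compile(
    r'time="(?P<time>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>.*?)"'
    r'(?=\s+[A-Za-z]+=|\s*$)'
)
# Inside msg the hostnames appear as \"name\" (escaped quotes in the log text).
_DOMAIN = re.compile(r'for domains \\"(?P<domain>[^\\"]+)\\"')
# The propagation check asks the nameserver over UDP 53; a timeout means no
# answer came back at all from the container's address.
_UDP_TIMEOUT = re.compile(
    r'read udp (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):53: i/o timeout'
)

REMEDIATION = {
    "stale_txt_record": (
        "Cloudflare refused to create the _acme-challenge TXT record because "
        "one already exists (error 81057): an earlier attempt's cleanup failed. "
        "Delete the leftover _acme-challenge.<host> TXT record, then retry."
    ),
    "not_propagated": (
        "The authoritative nameserver answered NXDOMAIN for _acme-challenge.<host> "
        "within the timeout: the record was never created (see any "
        "stale_txt_record failure for the same host) or the check ran too early."
    ),
    "dns_egress_blocked": (
        "A UDP/53 query from the container got no answer (i/o timeout): outbound "
        "DNS from the container's network is blocked or not NATed. Fix egress "
        "from that source address before touching certificates."
    ),
    "other": "Unclassified ACME error; read the full message.",
}


def classify(msg):
    """Map one ACME error message to a root-cause bucket (order matters)."""
    if _UDP_TIMEOUT.search(msg):
        return "dns_egress_blocked"
    if "Record already exists" in msg or "81057" in msg:
        return "stale_txt_record"
    if "returned NXDOMAIN for _acme-challenge" in msg:
        return "not_propagated"
    return "other"


def parse(lines):
    """Yield (time, hostname, cause, msg) for every error-level ACME line."""
    for line in lines:
        m = _ENTRY.search(line)
        if not m or m.group("level") != "error":
            continue
        msg = m.group("msg")
        d = _DOMAIN.search(msg)
        yield m.group("time"), d.group("domain") if d else "<unknown>", classify(msg), msg


def summarize(lines):
    """Group hostnames by root cause so one fix per bucket can be applied."""
    buckets = defaultdict(set)
    for _time, host, cause, _msg in parse(lines):
        buckets[cause].add(host)
    return {cause: sorted(hosts) for cause, hosts in buckets.items()}


def left_behind(lines):
    """Hosts whose challenge cleanup failed: their TXT record is still in the zone."""
    return sorted({h for _t, h, _c, msg in parse(lines) if "cleaning up failed" in msg})


# Constructed sample, modelled on the thread's log (example.com names).
SAMPLE_LOG = [
    r'time="2021-05-23T11:25:31Z" level=info msg="Configuration loaded from flags."',
    r'time="2021-05-23T11:25:43Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.example.com\": unable to generate a certificate for the domains [portainer.example.com]: error: one or more domains had a problem:\n[portainer.example.com] [portainer.example.com] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\"result\\":null,\\"success\\":false,\\"errors\\":[{\\"code\\":81057,\\"message\\":\\"Record already exists.\\"}],\\"messages\\":[]}\"\n" providerName=dns-cloudflare.acme routerName=portainer-rtr@file rule="Host(portainer.example.com)"',
    r'time="2021-05-23T11:27:41Z" level=error msg="Unable to obtain ACME certificate for domains \"unifi.example.com\": unable to generate a certificate for the domains [unifi.example.com]: error: one or more domains had a problem:\n[unifi.example.com] time limit exceeded: last error: NS ns1.example-dns.invalid. returned NXDOMAIN for _acme-challenge.unifi.example.com.\n" providerName=dns-cloudflare.acme routerName=unifi-rtr@file rule="HostSNI(unifi.example.com)"',
    r'time="2021-05-23T11:27:42Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.example.com\": unable to generate a certificate for the domains [portainer.example.com]: error: one or more domains had a problem:\n[portainer.example.com] time limit exceeded: last error: NS ns1.example-dns.invalid. returned NXDOMAIN for _acme-challenge.portainer.example.com.\n" providerName=dns-cloudflare.acme routerName=portainer-rtr@file rule="Host(portainer.example.com)"',
    r'time="2021-05-23T11:27:47Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.example.com\": unable to generate a certificate for the domains [portainer.example.com]: error: one or more domains had a problem:\n[portainer.example.com] time limit exceeded: last error: read udp 192.168.90.254:58711->108.162.193.63:53: i/o timeout\n" providerName=dns-cloudflare.acme rule="Host(portainer.example.com)" routerName=portainer-rtr@file',
    r'time="2021-05-23T11:27:50Z" level=error msg="Unable to obtain ACME certificate for domains \"hass.example.com\": unable to generate a certificate for the domains [hass.example.com]: error: one or more domains had a problem:\n[hass.example.com] acme: cleaning up failed: cloudflare: could not find the start of authority for _acme-challenge.hass.example.com.: read udp 192.168.90.254:41000->1.0.0.1:53: i/o timeout\n" providerName=dns-cloudflare.acme routerName=hass-rtr@file rule="Host(hass.example.com)"',
]


def main():
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for cause, hosts in summarize(lines).items():
        print(f"[{cause}] {', '.join(hosts)}\n    {REMEDIATION[cause]}")
    for host in left_behind(lines):
        print(f"[cleanup_failed] {host}: expect error 81057 on the next attempt")


if __name__ == "__main__":
    main()
```

Run it as `python3 triage.py < traefik.log` (with no piped input it runs on the constructed sample). Two caveats when reading real output: the posted compose runs with `--log.level=ERROR`, so the DEBUG lines in which Traefik reports each challenge step are absent; raise it to DEBUG for one renewal when diagnosing. And Traefik's `--certificatesresolvers.dns-cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53` and `delayBeforeCheck` options only change which resolver the propagation check asks and when; they do nothing for the `dns_egress_blocked` bucket, where UDP 53 from the container's address gets no reply at all.
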
PSJMcNeill commented 2 years ago

Were you able to solve this?

Running into the same issue:

acme: cleaning up failed: cloudflare: could not find the start of authority for _acme-challenge.mydomain.net.: read udp 172.18.0.11:38663->1.0.0.1:53: i/o timeout
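
The "cleaning up failed" message in this reply is the other half of the first comment's error 81057: when the post-validation cleanup of a `_acme-challenge` TXT record fails, the record stays in the zone and Cloudflare rejects the next attempt to create it as "Record already exists". The script below is an added example, not code from the docker-traefik project, Traefik, or its ACME library; it lists the zone's leftover `_acme-challenge.*` TXT records and deletes them on request. It assumes, beyond anything in the thread, a scoped API token with Zone:DNS:Edit on the zone in `CF_DNS_API_TOKEN` (Traefik's Cloudflare provider accepts that variable as well, and it is the least-privilege alternative to the Global API Key the posted compose passes as `CF_API_KEY`), and the zone ID as the first argument; run with no arguments it works offline against constructed sample records.

```python
"""List and delete leftover _acme-challenge TXT records in a Cloudflare zone.

Added example for this thread; not part of docker-traefik, Traefik or lego.
A DNS-01 attempt whose cleanup fails leaves its _acme-challenge.<host> TXT
record behind, and Cloudflare then rejects the next attempt with error 81057
"Record already exists". Assumptions not taken from the thread: a scoped API
token with Zone:DNS:Edit in CF_DNS_API_TOKEN and the zone ID as argv[1].
The HTTP layer is injectable so the selection logic runs without network.
"""
import json
import os
import sys
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
CHALLENGE_PREFIX = "_acme-challenge."


def cf_request(token, method, path, body=None):
    """Minimal Cloudflare v4 API call using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


def list_txt_records(request, zone_id):
    """TXT records of the zone (first page of 100; add &page=N for large zones)."""
    return request("GET", f"/zones/{zone_id}/dns_records?type=TXT&per_page=100")


def stale_challenge_records(records):
    """TXT records whose name is an ACME DNS-01 challenge label.

    The ACME client creates _acme-challenge.<fqdn> TXT records and removes
    them after validation, so any still present belong to a finished attempt
    and will collide with the next one (error 81057).
    """
    return [
        r for r in records
        if r.get("type") == "TXT" and r.get("name", "").startswith(CHALLENGE_PREFIX)
    ]


def delete_records(request, zone_id, records, dry_run=True):
    """Delete the given records (or only report them); returns their names."""
    names = []
    for rec in records:
        if not dry_run:
            request("DELETE", f"/zones/{zone_id}/dns_records/{rec['id']}")
        names.append(rec["name"])
    return names


# Constructed sample zone contents for the offline demo (not real data).
SAMPLE_RECORDS = [
    {"id": "r1", "type": "TXT", "name": "_acme-challenge.example.com", "content": "left-over-token"},
    {"id": "r2", "type": "TXT", "name": "_acme-challenge.unifi.example.com", "content": "left-over-token"},
    {"id": "r3", "type": "TXT", "name": "example.com", "content": "v=spf1 -all"},
    {"id": "r4", "type": "A", "name": "unifi.example.com", "content": "203.0.113.10"},
]


def main(argv):
    dry_run = "--delete" not in argv
    if len(argv) > 1 and not argv[1].startswith("--"):
        token = os.environ.get("CF_DNS_API_TOKEN")
        if not token:
            print("CF_DNS_API_TOKEN is not set", file=sys.stderr)
            return 2
        zone_id = argv[1]

        def request(method, path, body=None):
            return cf_request(token, method, path, body)
    else:
        # Offline demo: serve the constructed records, swallow deletes.
        zone_id = "zone-demo"

        def request(method, path, body=None):
            return SAMPLE_RECORDS if method == "GET" else None

    stale = stale_challenge_records(list_txt_records(request, zone_id))
    for name in delete_records(request, zone_id, stale, dry_run=dry_run):
        print(("would delete " if dry_run else "deleted ") + name)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 cleanup_acme_txt.py ZONE_ID` first to see what would go, then add `--delete`. Stop Traefik (or be certain no challenge is in flight) before deleting: the script cannot distinguish a leftover record from one a running validation is about to use. Removing stale records fixes only the 81057 failures; while the container still gets UDP/53 i/o timeouts, as in both logs in this thread, the next attempt will fail again and, if its cleanup also times out, leave a fresh record behind.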