Closed davidwinter closed 9 months ago
Hello,
The error is not related to the API but to DNS calls.
SERVFAIL means that the DNS call (SOA) fails, probably related to a problem with your nameservers.
The error occurs when a DNS resolver fails to obtain a valid response from the authoritative DNS server for a particular domain.
It's not a problem with lego or the DNS provider but with your local environment; you have to check your local DNS configuration.
Interesting... I just appear to be using Cloudflare's DNS:
Ah I think this is to do with the docker container DNS itself... not being able to query outside of it. Just need to figure a way to set the container to use a different DNS, like Cloudflare/Google I imagine... 🤔
Adding the following DNS servers has resolved this situation for me:
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=8.8.8.8:53"
So the entire Traefik configuration is as follows:
services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=vercel"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=8.8.8.8:53"
Your configuration is not valid:
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=8.8.8.8:53"
This is a valid config:
- "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
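The correction in the reply above, as an added example that is not part of the thread or of Traefik/lego: a small Python check that finds flags repeated in a Compose `command:` list and merges repeated `dnschallenge.resolvers` entries into the single comma-separated form. Treating only flags ending in `.dnschallenge.resolvers` as list-valued is an assumption taken from the corrected line, and the function names are made up for this example.

```python
import re

# Constructed sample: some `command:` entries from the compose file in this thread.
SAMPLE_COMMAND = [
    "--certificatesresolvers.myresolver.acme.dnschallenge=true",
    "--certificatesresolvers.myresolver.acme.dnschallenge.provider=vercel",
    "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53",
    "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=8.8.8.8:53",
]

# Assumption: flags ending in these suffixes take a comma-separated list,
# as the corrected resolvers line in the thread does.
LIST_SUFFIXES = (".dnschallenge.resolvers",)
FLAG_RE = re.compile(r"^--([^=\s]+)=(.*)$")


def group_flags(command):
    """Map each --name to the list of values it was given, in order."""
    seen = {}
    for entry in command:
        m = FLAG_RE.match(entry.strip().strip('"'))
        if m:
            seen.setdefault(m.group(1), []).append(m.group(2))
    return seen


def repeated_flags(command):
    """Flags that appear more than once, with every value supplied."""
    return {k: v for k, v in group_flags(command).items() if len(v) > 1}


def merge_list_flags(command):
    """Collapse repeated list-valued flags into one comma-separated entry.

    Returns (new_command, unresolved); unresolved holds repeated flags that
    are not known list flags and need a manual decision.
    """
    groups = group_flags(command)
    out, emitted, unresolved = [], set(), {}
    for entry in command:
        m = FLAG_RE.match(entry.strip().strip('"'))
        name = m.group(1) if m else None
        if name is None or len(groups[name]) == 1:
            out.append(entry)          # untouched: not a flag, or given once
        elif not name.endswith(LIST_SUFFIXES):
            out.append(entry)          # repeated scalar flag: report, don't guess
            unresolved[name] = groups[name]
        elif name not in emitted:      # first occurrence carries the merged list
            values = list(dict.fromkeys(",".join(groups[name]).split(",")))
            out.append(f"--{name}={','.join(v for v in values if v)}")
            emitted.add(name)
    return out, unresolved
```

Running `merge_list_flags` over the `command:` list before `docker compose up -d` yields the single-line resolvers form and leaves any other repeated flag in `unresolved` for review.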
Welcome
What did you expect to see?
I have tried querying the Vercel API directly with the API token and appending the ?teamId query string to ensure that I can retrieve DNS records for the given domain:
This returns results correctly. So I'm unsure why lego is unable to find the zone to add records to for the DNS challenge.
For a DNS certificate to be created successfully with Traefik using the following configuration with Docker Compose:
What did you see instead?
It fails.
How do you use lego?
Through Traefik
Reproduction steps
docker compose up -d
Version of lego
Logs
Go environment (if applicable)
No response