traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

dnsChallenge: LEGO does not wait for keyboard input -> acme: error presenting token: EOF #4626

Closed ntaranov closed 5 years ago

ntaranov commented 5 years ago

Do you want to request a feature or report a bug?

Bug

What did you do?

I'm trying to set up Let's Encrypt authentication using dnsChallenge. I've done this with certbot before.

I set up the challenge using traefik command line arguments in a docker-compose file. Then I deployed the configuration using docker stack deploy. I read the logs (and noted that the container didn't wait for input on the initial occasion).

I added the TXT records required. Then I restarted the container like this:

docker stop <id>
docker start -ia <id>

When I restart the container, the TXT records required are the same; all the lego: messages have new, current timestamps.

This might be a traefik issue or LEGO issue or I might do something wrong.

What did you expect to see?

Either traefik container/LEGO waiting for input ("press ENTER") on initial deploy or successful check completion on restart.

What did you see instead?

lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.finance.kindrobots.com. 120 IN TXT "1NYC_MP1EmQVWk9xqY9Yr8CCU-n-twblDBd68S82WKM"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:29Z" level=info msg="legolog: [INFO] [eng.kindrobots.com] acme: Preparing to solve DNS-01"
lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.eng.kindrobots.com. 120 IN TXT "EWAwsyme0fzsQ_fNrkAeJeSLW_kt-l05Y_GmOfPou-g"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:29Z" level=info msg="legolog: [INFO] [eng-api.kindrobots.com] acme: Preparing to solve DNS-01"
lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.eng-api.kindrobots.com. 120 IN TXT "8iuV5EP9H8OPrG24iJWmOds_uFM-2lIbNnnhomh0d54"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [auth.kindrobots.com] acme: Preparing to solve DNS-01"
lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.auth.kindrobots.com. 120 IN TXT "ijUh0ChvmMC4Rq5ET3jVGnHXEZ6_w7r8gKye6tn7J6E"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [eng-auth.kindrobots.com] acme: Preparing to solve DNS-01"
lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.eng-auth.kindrobots.com. 120 IN TXT "Kw6k0-xLNHJ9d1hKeCebbMjRy0Xlf2DTgPqtIbLTf7A"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [api.kindrobots.com] acme: Preparing to solve DNS-01"
lego: Please create the following TXT record in your kindrobots.com. zone:
_acme-challenge.api.kindrobots.com. 120 IN TXT "R0U4bZEcon9TaUG-gunYABrUoJwk6_JJUND_9NsQEb8"
lego: Press 'Enter' when you are done
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [finance.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.finance.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [eng.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.eng.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [eng-api.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.eng-api.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [auth.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.auth.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [eng-auth.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.eng-auth.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=info msg="legolog: [INFO] [api.kindrobots.com] acme: Cleaning DNS-01 challenge"
lego: You can now remove this TXT record from your kindrobots.com. zone:
_acme-challenge.api.kindrobots.com. 120 IN TXT "..."
time="2019-03-19T10:01:30Z" level=error msg="Unable to obtain ACME certificate for domains \"eng.kindrobots.com,api.kindrobots.com,auth.kindrobots.com,eng-api.kindrobots.com,eng-auth.kindrobots.com,finance.kindrobots.com\" : unable to generate a certificate for the domains [eng.kindrobots.com api.kindrobots.com auth.kindrobots.com eng-api.kindrobots.com eng-auth.kindrobots.com finance.kindrobots.com]: acme: Error -> One or more domains had a problem:\n[api.kindrobots.com] [api.kindrobots.com] acme: error presenting token: EOF\n[auth.kindrobots.com] [auth.kindrobots.com] acme: error presenting token: EOF\n[eng-api.kindrobots.com] [eng-api.kindrobots.com] acme: error presenting token: EOF\n[eng-auth.kindrobots.com] [eng-auth.kindrobots.com] acme: error presenting token: EOF\n[eng.kindrobots.com] [eng.kindrobots.com] acme: error presenting token: EOF\n[finance.kindrobots.com] [finance.kindrobots.com] acme: error presenting token: EOF\n"

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.7.9
Codename:     maroilles
Go version:   go1.11.5
Built:        2019-02-11_11:36:32AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

no toml is used

docker-compose file:

networks:
  web_network: # stack deploy will add the stack name as a prefix, so it becomes "eng_" -> eng_web_network
    driver: overlay

volumes:
  acme-certs:

services:
  reverse-proxy:
    image: traefik:alpine # The official Traefik docker image
    command:
      - "--debug"
      - "--logLevel=DEBUG"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https Redirect.Permanent:true"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--entrypoints=Name:dashboard Address::1936"
      - "--defaultentrypoints=http,https"
      - "--docker"
      - "--docker.watch"
      - "--docker.exposedbydefault=false"
      - "--docker.swarmMode"
      - "--docker.domain=eng.kindrobots.com"
      - "--api"
      - "--api.entrypoint=dashboard"
      - "--api.dashboard"
      - "--api.statistics"
      - "--api.statistics.recenterrors=500"
      # FIXME Enroll SSL cert from letsencrypt
      - "--acme"
      - "--acme.entryPoint=https"
      - "--acme.dnsChallenge"
      - "--acme.dnschallenge.delaybeforecheck=600"
      - "--acme.onDemand=false"
      - "--acme.email=n@kindrobots.ru"
      - "--acme.acmelogging=true"
      - "--acme.storage=/acme/acme.json"
      - "--acme.dnsChallenge.provider=manual"
      - "--acme.domains=eng.kindrobots.com,api.kindrobots.com,auth.kindrobots.com,eng-api.kindrobots.com,eng-auth.kindrobots.com,finance.kindrobots.com"
    ports:
      - "80:80"
      - "443:443"
      - "1936:8080"
    networks:
      - web_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock #So that Traefik can listen to the Docker events
      - acme-certs:/acme

    container_name: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=eng_web_network"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.frontend.rule=Host:eng.kindrobots.com:1936"
      - "traefik.port=8080"

The configuration itself is tested with docker-compose and TLS with my own (not the Traefik default, which is issued when something goes wrong) self-signed certificates.

Am I missing something, or is there a problem?

traefiker commented 5 years ago

Hi! I'm Træfiker :robot: the bot in charge of communication regulation.

Thanks for your interest in Traefik!

We dedicate the issue tracker to bug reports and feature requests only. My advanced AI tells me this one is neither of them.

I encourage you to seek community support: join our Slack workspace and reach out to us on the #support channel.

Another option is to use Stack Overflow and tag your question traefik.

You can of course double check Traefik's documentation :sweat_smile:

ntaranov commented 5 years ago

This is a bug report.

ntaranov commented 5 years ago

Please reopen.

ntaranov commented 5 years ago

OK, so I went to #support slack channel, and had a research session with @dduportal .

My findings, TL;DR

  1. dnsChallenge with manual provider works when launched like docker run -i -t ....
  2. dnsChallenge manual provider does not really work under docker stack (or the scenario is not supported); IMO it would be great if this were documented. Presumably this is because redirecting STDIN and STDOUT/STDERR is not quite the same as the TTY you get with docker run -it ..

Longer version:

  1. I used this command to debug the cert generation

    docker run -it \
    -p 80:80 -p 443:443 \
    -v acme-certs:/acme \
    -v /var/run/docker.sock:/var/run/docker.sock \
    traefik:alpine \
    --entrypoints='Name:http Address::80 Redirect.EntryPoint:https Redirect.Permanent:true' \
    --entrypoints='Name:https Address::443 TLS' \
    --defaultentrypoints='http,https' \
    --docker \
    --docker.watch \
    --docker.exposedbydefault=false \
    --docker.domain=eng.kindrobots.com \
    --acme \
    --acme.entryPoint=https \
    --acme.dnsChallenge \
    --acme.onDemand=false \
    --acme.email='n@kindrobots.ru' \
    --acme.acmelogging=true \
    --acme.storage='/acme/acme.json' \
    --acme.dnsChallenge.provider=manual \
    --acme.domains='eng.kindrobots.com,api.kindrobots.com,auth.kindrobots.com,eng-api.kindrobots.com,eng-auth.kindrobots.com,finance.kindrobots.com' \
    --logLevel=DEBUG
  2. I made sure my "stack" container in fact uses the same acme.json (beware, docker stack prefixes things with the stack name).

  3. I got a working cert in place.
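The failure mode reported in the original post and narrowed down in the findings above (lego's manual provider prints the record and then reads a line from stdin; with no stdin attached, the read returns EOF at once) can be reproduced and worked around without a TTY. The following Go program is an added example written for this page, not code from Traefik or lego: it reimplements the manual prompt, shows how an empty stdin produces the `error presenting token: EOF` from the log, and on EOF falls back to polling the `_acme-challenge` name until the expected TXT value is resolvable, which is the `dig` check you would otherwise do by hand before pressing Enter. The record name, value, timeout and polling interval in `main` are constructed placeholders.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// ErrNoRecord is returned when the expected TXT record never becomes visible.
var ErrNoRecord = errors.New("expected TXT record not observed before deadline")

// LookupTXT is the resolver dependency; (*net.Resolver).LookupTXT satisfies it,
// and a fake can be swapped in so the logic is testable offline.
type LookupTXT func(ctx context.Context, name string) ([]string, error)

// presentInteractive mimics the "manual" flow from the issue: print the record,
// then block until a line arrives on stdin. With no stdin attached (docker stack
// deploy, systemd, cron) the very first read returns io.EOF, which surfaces as
// "acme: error presenting token: EOF" in the log above.
func presentInteractive(in io.Reader, out io.Writer, fqdn, value string) error {
	fmt.Fprintf(out, "Please create the following TXT record:\n%s 120 IN TXT %q\nPress 'Enter' when you are done\n", fqdn, value)
	if _, err := bufio.NewReader(in).ReadString('\n'); err != nil {
		return fmt.Errorf("error presenting token: %w", err)
	}
	return nil
}

// presentPolling needs no keyboard: it prints the record once, then resolves
// fqdn every interval until a TXT string equal to value shows up or ctx expires.
func presentPolling(ctx context.Context, lookup LookupTXT, out io.Writer, fqdn, value string, interval time.Duration) error {
	fmt.Fprintf(out, "Waiting for %s TXT %q to become resolvable\n", fqdn, value)
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		recs, err := lookup(ctx, fqdn)
		if err == nil {
			for _, r := range recs {
				if r == value { // LookupTXT returns the record text without quotes
					return nil
				}
			}
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%w: %v", ErrNoRecord, ctx.Err())
		case <-ticker.C:
		}
	}
}

// present tries the interactive path first and switches to polling only when
// stdin reports EOF, so `docker run -it` keeps its prompt while a detached
// container (stdin = /dev/null) no longer aborts the challenge.
func present(ctx context.Context, in io.Reader, out io.Writer, lookup LookupTXT, fqdn, value string, interval time.Duration) error {
	err := presentInteractive(in, out, fqdn, value)
	if errors.Is(err, io.EOF) {
		fmt.Fprintln(out, "stdin is not attached; switching to DNS polling")
		return presentPolling(ctx, lookup, out, fqdn, value, interval)
	}
	return err
}

func main() {
	// Constructed sample input; real values come from the ACME challenge.
	fqdn, value := "_acme-challenge.example.com.", "constructed-token-value"
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
	defer cancel()
	r := &net.Resolver{}
	if err := present(ctx, os.Stdin, os.Stdout, r.LookupTXT, fqdn, value, 10*time.Second); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two caveats. The fallback triggers only on EOF: a stdin that is an open pipe which never closes (`docker run -i` without `-t`, for instance) blocks on the first read instead, so in a deployment choose the mode explicitly rather than relying on detection. And polling through the container's stub resolver can be fooled by negative caching of the name; if the record takes a while to appear, point a `net.Resolver` with a custom `Dial` at the zone's authoritative server. Traefik's `delayBeforeCheck` does not help with either problem: it only delays the verification, it never waits for input.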

ldez commented 5 years ago

We don't recommend using manual, especially in this case.

Mainly because manual doesn't allow renewing certificates automatically.

Prefer exec, httpreq or acme-dns.

More information:

ntaranov commented 5 years ago

@ldez , thanks for the comment and the perspective. In our scenario DNS provider is not under our control, and is not willing to take any actions. I guess, this is 90+% of internet scenarios. As I understand exec provider might be helpful if I'll be interested in automating the routine with a 3rd party tool, which I'll consider, but httpreq and acme-dns both require collaboration from DNS-server side.