traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

Cloudflare DNS-01 Challenge: i/o timeout #8483

Closed TheSilkky closed 2 years ago

TheSilkky commented 2 years ago

Welcome!

What did you do?

I'm trying to generate Let's Encrypt certificates with the DNS-01 challenge using Cloudflare.

I have tried pinging different servers from within the Traefik container (google.com, cloudflare.com, 1.1.1.1) and all of those worked.

What did you see instead?

Traefik times out when trying to connect to 1.1.1.1

What version of Traefik are you using?

Traefik 2.5.3

What is your environment & configuration?

Static configuration:

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: :443
    forwardedHeaders:
      trustedIPs:
       # Cloudflare IPs
       # v4
       - "103.21.244.0/22"
       - "103.22.200.0/22"
       - "103.31.4.0/22"
       - "104.16.0.0/13"
       - "104.24.0.0/14"
       - "108.162.192.0/18"
       - "131.0.72.0/22"
       - "141.101.64.0/18"
       - "162.158.0.0/15"
       - "172.64.0.0/13"
       - "173.245.48.0/20"
       - "188.114.96.0/20"
       - "190.93.240.0/20"
       - "197.234.240.0/22"
       - "198.41.128.0/17"
       # v6
       - "2400:cb00::/32"
       - "2606:4700::/32"
       - "2803:f800::/32"
       - "2405:b500::/32"
       - "2405:8100::/32"
       - "2a06:98c0::/29"
       - "2c0f:f248::/32"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    network: traefik-public
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      # Change This!
      email: redacted
      storage: acme.json
      keyType: EC384
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 90
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Compose:

version: '3.9'

services: 

  traefik:
    image: traefik:v2.5
    hostname: traefik
    networks: 
      - traefik-public
    ports:
      # Host mode is needed for applications using X-Forwarded-For / X-Real-IP headers
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes: 
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/configurations:/configurations
    deploy:
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.role == manager
      labels: 
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"

        # Secure entrypoint
        - "traefik.http.routers.traefik.entrypoints=websecure" 
        - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_HOSTNAME}`)"
        - "traefik.http.routers.traefik.middlewares=traefikAuth@file, traefik-whitelist"
        - "traefik.http.routers.traefik.service=api@internal"

        # IpWhitelist
        - "traefik.http.middlewares.traefik-whitelist.ipwhitelist.sourcerange=${TRUSTED_IP}"

        # Dummy service for Swarm port detection. The port can be any valid integer value.
        - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API}
      - CF_DNS_ZONE_API_TOKEN=${CF_DNS_ZONE_API}

  portainer:
    image: portainer/portainer-ce:alpine
    hostname: portainer
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    networks: 
      - agent
      - traefik-public
    volumes: 
      - portainer-data:/data
    deploy:
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"

        # Access Router
        - "traefik.http.routers.portainer.entrypoints=websecure"
        - "traefik.http.routers.portainer.rule=Host(`${PORTAINER_HOSTNAME}`)"
        - "traefik.http.routers.portainer.middlewares=portainer-whitelist"
        - "traefik.http.routers.portainer.service=portainer-service"

        # IpWhitelist
        - "traefik.http.middlewares.portainer-whitelist.ipwhitelist.sourcerange=${TRUSTED_IP}"

        # Service
        - "traefik.http.services.portainer-service.loadbalancer.server.port=9000"

  agent:
    image: portainer/agent:latest
    networks: 
      - agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    deploy:
      mode: global
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.platform.os == linux

volumes: 
  portainer-data:

networks: 
  agent:
    driver: overlay
    attachable: true
  traefik-public:
    external:  true

If applicable, please paste the log output in DEBUG level

time="2021-10-03T05:06:08+02:00" level=error msg="Unable to obtain ACME certificate for domains \"api.piped.silkky.cloud\": unable to generate a certificate for the domains [api.piped.silkky.cloud]: error: one or more domains had a problem:\n[api.piped.silkky.cloud] [api.piped.silkky.cloud] acme: error presenting token: cloudflare: could not find the start of authority for _acme-challenge.api.piped.silkky.cloud.: read udp 172.18.0.18:50048->1.0.0.1:53: i/o timeout\n" providerName=letsencrypt.acme routerName=piped@docker rule="Host(api.piped.silkky.cloud)"
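The "could not find the start of authority" error in the log comes from the step before the TXT record is created: Traefik's ACME library walks the labels of `_acme-challenge.api.piped.silkky.cloud.` upwards, asking each configured resolver for an SOA record until one answers, and the answer's owner name is the zone it will write into. The script below is an added diagnostic example, not Traefik's or lego's code; it performs the same walk with the Python standard library only, so it can be run inside the container to see which hop and which resolver fails. The resolver list and the challenge name are taken from the configuration and log above; the DNS wire helpers are a minimal re-implementation, and `sample_soa_response` builds a constructed response purely so the parser can be exercised offline.

```python
"""Reproduce the zone-apex (SOA) lookup that precedes the DNS-01 TXT write.

Added example for this issue; not Traefik or lego code. A socket timeout at
any hop is the condition in the log ("read udp ...->1.0.0.1:53: i/o timeout")
and means UDP/53 to that resolver is not reachable from the container, which
an ICMP ping never exercises.
"""
import random
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
ISSUE_RESOLVERS = ["1.1.1.1:53", "1.0.0.1:53"]  # from the certificatesResolvers block above


def encode_name(name):
    """Dotted name -> RFC 1035 label sequence, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers; returns (name, next_off)."""
    labels, next_off, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if next_off is None:
                next_off = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels) + ".", next_off if next_off is not None else off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_soa_query(name, txid):
    """12-byte header (RD=1, QDCOUNT=1) followed by a single SOA/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_soa_response(msg, txid):
    """Return (rcode, owner of the first SOA in the answer section or None)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == QTYPE_SOA:
            return flags & 0x0F, owner
    return flags & 0x0F, None


def candidate_zones(fqdn):
    """The challenge name, then each parent down to the TLD: the order the walk uses."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def query_soa(name, resolver, timeout):
    """One UDP SOA query; raises socket.timeout when the resolver does not reply."""
    host, port = resolver.rsplit(":", 1)
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(name, txid), (host, int(port)))
        data, _ = sock.recvfrom(4096)
    return parse_soa_response(data, txid)


def find_zone(fqdn, resolvers=ISSUE_RESOLVERS, timeout=2.0):
    """Walk up the name; report the zone found, or the hop at which every resolver timed out."""
    for name in candidate_zones(fqdn):
        rcode = zone = last_failed = None
        for resolver in resolvers:
            try:
                rcode, zone = query_soa(name, resolver, timeout)
                break
            except socket.timeout:
                last_failed = resolver
        else:  # no resolver answered for this name: the situation in the log
            return {"status": "timeout", "resolver": last_failed, "name": name}
        if rcode == RCODE_NOERROR and zone:
            return {"status": "ok", "zone": zone, "resolver": resolver}
        # NXDOMAIN, or an answer with no SOA: move up one label
    return {"status": "no-soa", "name": fqdn}


def sample_soa_response(txid, zone="silkky.cloud."):
    """Constructed wire response with one SOA answer (sample data, for offline checks)."""
    rdata = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
             + struct.pack("!IIIII", 1, 7200, 3600, 1209600, 3600))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(find_zone("_acme-challenge.api.piped.silkky.cloud."))
```

Run it with `docker exec` inside the Traefik task: a `timeout` result for both resolvers, while `ping 1.1.1.1` succeeds, isolates the problem to UDP/53 egress from the `traefik-public` network rather than to Cloudflare API credentials or the DNS provider plugin, which is the distinction the log line alone does not make.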

traefiker commented 2 years ago

Hi! I'm Træfiker :robot: the bot in charge of communication regulation.

Thanks for your interest in Traefik!

We dedicate the issue tracker to bug reports and feature requests only. My advanced AI has spotted that your issue might be a configuration problem or relates to something that doesn't look like a bug.

To confirm this, please join our Community Forum and reach out to us on the Traefik section.

In case I'm wrong (well, that would be embarrassing :sweat_smile:), my developers will re-open the issue and fix me!

In the meantime, you can double-check Traefik's documentation.