Automatic certificate renewal failing with traefik

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kflix.co.uk

I have my domain set up with traefik as the reverse proxy and using cloudflare as the DNS provider with proxy. Traefik usually auto updates the LE certs 30 days before they are due to expire but this time it has failed. All previous attempts to renew the certificates have worked perfectly fine and no changes have been made to the traefik or cloudflare configurations since the last certificate renewal.

I'm relatively new to all of this and have no idea what the error means or how to solve it. Any help would be greatly appreciated.

Traefik logs show the following error:

time="2020-12-01T22:36:16Z" level=error msg="Error renewing certificate from LE: {kflix.co.uk []}, acme: Error -> One or more domains had a problem:\n[kflix.co.uk] [kflix.co.uk] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.kflix.co.uk.\n"
time="2020-12-01T22:36:17Z" level=error msg="Error renewing certificate from LE: {*.kflix.co.uk []}, acme: Error -> One or more domains had a problem:\n[*.kflix.co.uk] [*.kflix.co.uk] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.kflix.co.uk.\n"

My web server is (include version): Traefik installed via docker

The operating system my web server runs on is (include version): Ubuntu 18.04.


This error comes from Traefik's (lego's, technically) preflight check, before it submits the challenge to Let's Encrypt.

That would suggest that the local DNS resolver which Traefik is using is unable to perform that query.

You should be able to configure a custom DNS resolver for Traefik to use: https://doc.traefik.io/traefik/https/acme/#resolvers


Hi.

Thanks for the speedy reply.

I've added the following resolvers into the configuration. Is this correct? What should they be set to? As I mentioned, I'm new to all of this but keen to learn. I'm struggling to understand why something that was previously working now needs to be modified.

I've restarted the traefik docker container and no longer see that error in the logs but the certificates haven't renewed...

Let's Encrypt configuration

[acme]
  email = "xxx"
  storage = "/etc/traefik/acme/acme.json"
  entryPoint = "https"
  acmeLogging = true
  onDemand = false  # create certificate when container is created
  [acme.dnsChallenge]
    provider = "cloudflare"
    delayBeforeCheck = 300  # seconds to wait before checking the TXT record
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]  # used for the DNS-01 check instead of the container's default resolver
  [[acme.domains]]
    main = "kflix.co.uk"
  [[acme.domains]]
    main = "*.kflix.co.uk"


It seems like there was a certificate issued around 5 minutes ago, do you not see it?

I think this would come down to whatever local DNS resolver Traefik was using. Maybe it stopped working or became unavailable?


I was checking via https://crt.sh/?q=kflix.co.uk which hasn't yet updated to show the new certificates but from the link you provided it does look as though a new one has been generated and I can now see that on my domain if I turn off cloudflare proxy so thanks a lot for the help!

For my own learning - how would I be able to check if the local DNS resolver that Traefik was using has stopped working or became unavailable? If there is no custom resolver set, what does it use by default? Would it be 127.0.0.53 as defined in /etc/resolv.conf?

As I mentioned, I'm new to all of this and have very limited understanding but keen to learn so any pointers you could give me would be very much appreciated.


Maybe, I'm not sure. I imagine it would be the default DNS resolver that Docker provides, or the equivalents in docker-compose or Kubernetes if you're using those.

I guess a hacky way to find out would be to try running a lookup inside the container:

sudo docker exec -it CONTAINER_ID nslookup -type=txt _acme-challenge.kflix.co.uk
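The two questions in this thread (why lego's check of _acme-challenge.kflix.co.uk returned SERVFAIL, and how to find out whether the resolver the Traefik container uses can answer that query) come down to the same test: send a TXT query for the challenge name to a specific resolver and look at the response code. The script below is an added example written for this thread; it is not code from the original posts, from Traefik or from lego. It uses only the Python standard library, builds the DNS packet by hand, and reports the rcode so that SERVFAIL (the resolver could not answer) can be told apart from NXDOMAIN or an empty NOERROR (the resolver answered, the record is simply not there). The domain kflix.co.uk and the 1.1.1.1 resolver are taken from the thread; the script name and the default to the first nameserver in /etc/resolv.conf are assumptions for illustration.

```python
"""acme_txt_check.py (hypothetical name): query a chosen resolver for the DNS-01 TXT record.

Added example for this thread, not Traefik's or lego's code. Run it on the host as
`python3 acme_txt_check.py kflix.co.uk 1.1.1.1`, or with no resolver argument to use
the first nameserver from /etc/resolv.conf, which is what a container falls back to.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_TXT = 16
CLASS_IN = 1


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query for TXT records of `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed domain name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but do not advance past it twice
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_txt_response(msg: bytes) -> dict:
    """Return {'rcode': name, 'txt': [strings]} from a raw DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    txt = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_TXT:
            pos = 0
            while pos < len(rdata):  # TXT RDATA is a sequence of <length><characters>
                n = rdata[pos]
                txt.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
    return {"rcode": RCODES.get(rcode, str(rcode)), "txt": txt}


def query_txt(name: str, resolver: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send the query over UDP to `resolver` and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


def default_resolver(path: str = "/etc/resolv.conf") -> str:
    """First `nameserver` line in resolv.conf, the resolver a process without explicit config uses."""
    with open(path) as f:
        for line in f:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "nameserver":
                return parts[1]
    raise RuntimeError(f"no nameserver entry in {path}")


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "kflix.co.uk"
    resolver = sys.argv[2] if len(sys.argv) > 2 else default_resolver()
    result = query_txt(f"_acme-challenge.{domain}", resolver)
    print(f"{resolver}: {result['rcode']} txt={result['txt']}")
```

To test the resolver the container actually uses, read it from inside the container (`docker exec CONTAINER cat /etc/resolv.conf`) and pass that address as the second argument. One caveat: Docker's embedded DNS at 127.0.0.11, which containers on user-defined networks are given, is only reachable from inside the container's network namespace, so a query to it from the host will time out rather than tell you anything; in that case run the query against the upstream servers that the Docker daemon itself forwards to.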
