Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I have my domain set up with traefik as the reverse proxy and using cloudflare as the DNS provider with proxy. Traefik usually auto updates the LE certs 30 days before they are due to expire but this time it has failed. All previous attempts to renew the certificates have worked perfectly fine and no changes have been made to the traefik or cloudflare configurations since the last certificate renewal.
I'm relatively new to all of this and have no idea what the error means or how to solve it. Any help would be greatly appreciated.
Traefik logs show the following error:
"time="2020-12-01T22:36:16Z" level=error msg="Error renewing certificate from LE: {kflix.co.uk }, acme: Error -> One or more domains had a problem:\n[kflix.co.uk] [kflix.co.uk] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.kflix.co.uk.\n"
time="2020-12-01T22:36:17Z" level=error msg="Error renewing certificate from LE: {.kflix.co.uk []}, acme: Error -> One or more domains had a problem:\n[.kflix.co.uk] [*.kflix.co.uk] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.kflix.co.uk.\n"
My web server is (include version): Traefik installed via docker
The operating system my web server runs on is (include version): Ubuntu 18.04.
I've added the following resolvers into the configuration. Is this correct? What should they be set to? As I mentioned, I'm new to all of this but keen to learn. I'm struggling to understand why something that was previously working now needs to be modified?
I've restarted the traefik docker container and no longer see that error in the logs but the certificates haven't renewed...
Let's encrypt configuration
[acme]
email = "xxx"
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 300
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
[[acme.domains]]
main = "kflix.co.uk"
[[acme.domains]]
main = "*.kflix.co.uk"
I was checking via https://crt.sh/?q=kflix.co.uk, which hasn't yet updated to show the new certificates, but from the link you provided it does look as though a new one has been generated, and I can now see that on my domain if I turn off cloudflare proxy, so thanks a lot for the help!
For my own learning - how would I be able to check if the local DNS resolver that Traefik was using has stopped working or became unavailable? If there is no custom resolver set, what does it use by default? Would it be 127.0.0.53 as defined in /etc/resolv.conf?
As I mentioned, I'm new to all of this and have very limited understanding but keen to learn so any pointers you could give me would be very much appreciated.
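
For the question above about checking whether a resolver has stopped answering: the following is an added example, not part of the original posts and not Traefik's own code. It sends one DNS query for the challenge name to every nameserver listed in /etc/resolv.conf plus the two resolvers from the config above and prints each response code; the SOA query type and all function names are assumptions of this example.

```python
import random, socket, struct, sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_SOA = 6  # assumption: probe with an SOA query for the challenge name

def build_query(name, qtype=QTYPE_SOA, txid=None):
    """Encode a single-question DNS query (recursion desired, class IN)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_rcode(query, response):
    """Return the RCODE name, rejecting short or mismatched replies."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def resolv_conf_servers(text):
    """Extract nameserver addresses from resolv.conf content."""
    out = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def probe(server, name, timeout=3.0):
    """Ask one resolver about name over UDP; return rcode or error text."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return parse_rcode(query, s.recv(4096))
        except (OSError, ValueError) as exc:  # timeout, unreachable, bad reply
            return "ERROR: %s" % exc

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "_acme-challenge.kflix.co.uk"
    with open("/etc/resolv.conf") as fh:
        servers = resolv_conf_servers(fh.read())
    for server in servers + ["1.1.1.1", "8.8.8.8"]:
        print("%-15s %s" % (server, probe(server, name)))
```

NOERROR or NXDOMAIN means the resolver answered; SERVFAIL or a timeout from one server while the others answer points at that resolver. Run it inside the Traefik container (or its network namespace) so that /etc/resolv.conf is the one Traefik actually reads.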