Cannot generate certificate using Traefik - second certificate with same IP - No certificate provided dynamically can check the domain


#1

Hi,

I’m running Ubuntu 18.04 and migrating my services to running in Docker and using Traefik as a reverse proxy with my own domain. I’ve configured the DNS to Cloudflare and ddclient seems to be updating the IP correctly. I’ve moved all the services to containers already, and they are working through my existing nginx proxy (where I am also using Let's Encrypt and certbot) but with a different duckdns.org domain.

The issue is when I start up traefik within the docker I get the following errors:

traefik | 2018-08-08T07:15:26.390420900Z time="2018-08-08T07:15:26Z" level=info msg="Server configuration reloaded on :80"
traefik | 2018-08-08T07:15:26.390424673Z time="2018-08-08T07:15:26Z" level=info msg="Server configuration reloaded on :443"
traefik | 2018-08-08T07:15:26.390427903Z time="2018-08-08T07:15:26Z" level=info msg="Server configuration reloaded on :8080"
traefik | 2018-08-08T07:15:45.364252694Z time="2018-08-08T07:15:45Z" level=debug msg="No certificate provided dynamically can check the domain "xxx.duckdns.org", a per default certificate will be used."
traefik | 2018-08-08T07:15:45.558611146Z time="2018-08-08T07:15:45Z" level=debug msg="http: TLS handshake error from 147.75.193.249:52982: remote error: tls: bad certificate"

This continues to reoccur repeatedly.

Strangely, it’s referring to my old duckdns.org domain and not the one I have configured in my docker compose file for traefik. The existing nginx service is also stopped.

Update: So I’m guessing this is because I already have a valid Let's Encrypt certificate pointing to the same IP even though it’s issued to another domain. Is there any way to fix this?

Any help would be very appreciated!


#2

I can see in my acme.json a certificate file:

"Account": {
  "Email": "null@mydomain.net",
  "Registration": {
    "body": {
      "status": "valid",
      "contact": [
        "mailto:null@mydomain.net"
      ]
    },
    "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxx

"Certificates": [
  {
    "Domain": {
      "Main": "*.mydomain.net",
      "SANs": null
    },

But for some reason, the error somehow points to my old duckdns domain?
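The two symptoms above fit together: a TLS client sends the hostname it wants (SNI), the proxy looks for a stored certificate whose Main or SANs covers that name, and if none does it serves its built-in default certificate, which the client then rejects ("bad certificate"). The following is an added example, not code from the thread or from Traefik, that models that lookup over a constructed acme.json fragment shaped like the one shown in this post (the account and domain values are placeholders). It also shows the wildcard caveat a practitioner would want to check: `*.mydomain.net` covers `app.mydomain.net` but neither the apex `mydomain.net` nor a deeper name such as `a.b.mydomain.net`, so a name for which no certificate exists, like the old duckdns.org host still resolving to the same IP, falls through to the default.

```python
"""Model of certificate selection by SNI over an acme.json-style store.

Added example; not part of the forum thread and not Traefik's own code.
The matching rule is the usual one for DNS names in certificates: a
leading '*' stands for exactly one leftmost label.
"""
import json
from typing import List, Optional

# Constructed acme.json fragment in the shape shown in the thread above;
# the e-mail and domains are placeholders, not real account data.
ACME_JSON = json.dumps({
    "Account": {"Email": "null@mydomain.net"},
    "Certificates": [
        {"Domain": {"Main": "*.mydomain.net", "SANs": None}},
        {"Domain": {"Main": "mydomain.net", "SANs": ["www.mydomain.net"]}},
    ],
})


def hostname_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (possibly '*.example') covers host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # "*.mydomain.net" -> ".mydomain.net"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the part the '*' has to stand for
    # Exactly one label: rejects the apex (empty) and deeper names (contain '.').
    return leftmost != "" and "." not in leftmost


def certificate_names(acme_json: str) -> List[List[str]]:
    """For each stored certificate, the full list of names it covers (Main + SANs)."""
    store = json.loads(acme_json)
    result = []
    for cert in store.get("Certificates") or []:
        domain = cert["Domain"]
        result.append([domain["Main"]] + list(domain.get("SANs") or []))
    return result


def select_certificate(acme_json: str, sni_host: str) -> Optional[List[str]]:
    """Names of the first stored certificate covering sni_host, or None when
    only the default (self-signed) certificate could be served for it."""
    for names in certificate_names(acme_json):
        if any(hostname_matches(name, sni_host) for name in names):
            return names
    return None


def uncovered_names(acme_json: str, names_resolving_here: List[str]) -> List[str]:
    """Of the DNS names that point at this host, those with no matching
    certificate; each of these will produce a default-certificate handshake."""
    return [h for h in names_resolving_here if select_certificate(acme_json, h) is None]


if __name__ == "__main__":
    # Both names resolve to the same IP in the thread; only one is in the store.
    for host in ["app.mydomain.net", "mydomain.net", "xxx.duckdns.org"]:
        print(host, "->", select_certificate(ACME_JSON, host) or "DEFAULT certificate")
    print("uncovered:", uncovered_names(ACME_JSON, ["app.mydomain.net", "xxx.duckdns.org"]))
```

Running it prints a default-certificate result only for `xxx.duckdns.org`, which is the condition the debug line in post #1 reports; the fix is either to stop that name resolving to the proxy or to include it in a certificate the proxy holds.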


#3

Hi @paulmorabito,

Why don’t you run grep -r xxx.duckdns.org /etc or for some other directory that contains your Traefik configuration? Maybe you’ll find that there’s still a reference to it somewhere.


#4

So, I can’t get a shell into the container to run the grep command. However, this is the docker compose configuration:

traefik:
  hostname: traefik
  image: traefik:latest
  container_name: traefik
  restart: always
  domainname: xxxx.net
  networks:
    - default
    - traefik_proxy
  ports:
    - 80:80
    - 443:443
    - "8084:8080"
  environment:
    - CLOUDFLARE_EMAIL=xxxx
    - CLOUDFLARE_API_KEY=xxx
  labels:
    - "traefik.enable=true"
    - "traefik.backend=traefik"
    # Labels are a key/value map, so the second traefik.frontend.rule below
    # replaces the first rather than adding to it.
    - "traefik.frontend.rule=Host:traefik.xxxx.net"
    - "traefik.frontend.rule=Host:xxxx.net"
    - "traefik.port=8080"
    - "traefik.docker.network=traefik_proxy"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ${USERDIR}/docker/traefik:/etc/traefik
    - ${USERDIR}/docker/shared:/shared

I’ve looked into each of the directories above and nothing points to duckdns anywhere. I’ve also done a recursive grep through all of my docker directories and likewise, nothing is referring to duckdns except in some log files (which I removed).

Update: So I checked my dynamic DNS client updates and both are working. My duckdns.org domain is still pointing to my current IP, as is my new domain xxx.net. I manually changed the duckdns IP to something other than my own and now I get:

traefik | 2018-08-09T08:10:32.793425116Z time="2018-08-09T08:10:32Z" level=debug msg="Add certificate for domains xxx.net
traefik | 2018-08-09T08:10:32.793983935Z time="2018-08-09T08:10:32Z" level=debug msg="Add certificate for domains *.xxx.net"
traefik | 2018-08-09T08:10:32.793992511Z time="2018-08-09T08:10:32Z" level=info msg="Server configuration reloaded on :80"
traefik | 2018-08-09T08:10:32.793994760Z time="2018-08-09T08:10:32Z" level=info msg="Server configuration reloaded on :443"
traefik | 2018-08-09T08:10:32.793996928Z time="2018-08-09T08:10:32Z" level=info msg="Server configuration reloaded on :8080"

and nothing else. Does that mean it’s working?


#5

Sorry, I’m not actually familiar with your software environment!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.