Challenge TLS-ALPN-01 and NAMESERVER: Is changing the nameserver mandatory?

I have undertaken a TLS-ALPN-01 challenge with Traefik and Docker Compose and I get this error:

"Could not reliably determine the server's fully qualified domain name, using 192.192.192.192. Set the 'ServerName' directive globally to suppress this message"

I have a Google VPS and the domain name on Freenom.

Do I need to set up a specific nameserver? If I have to, what should I write in "Nameserver 1", "Nameserver 2", ..., "Nameserver 5"?

The proxy provides the valid certificate to the following address:

https://www.traefik.domain-name.ga

but not to the following:

https://www.domain-name.ga

This is my setup on Freenom:

Name - Type - TTL - Target
'' - 'A' - '3600' - '222.222.222.222'
'WWW' - 'A' - '3600' - '222.222.222.222'
'TRAEFIK' - 'A' - '3600' - '222.222.222.222'
'WWW.TRAEFIK' - 'A' - '3600' - '222.222.222.222'

At the moment I am using the default nameservers set by Freenom.

Thanks

1 Like

That's not an error, but just a warning from Apache.

5 Likes

So do you think the problem I am experiencing is due to a wrong configuration of Traefik and not to a wrong configuration of the Freenom DNS?

I have no idea what your problem actually is. I'm assuming you're getting your certificates using Traefik? Personally I don't have experience with Traefik, so I can't help you with that, but perhaps Traefik also has log files which you could search for an actual error message related to the certificate issuance?

5 Likes

Sure! It is traefik.log.

{"level":"info","msg":"Traefik version 2.8.0 built on 2022-06-29T15:43:58Z","time":"2022-08-03T20:05:32Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-08-03T20:05:32Z"}
{"level":"warning","msg":"Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.","time":"2022-08-03T20:05:33Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-08-03T20:05:33Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-08-03T20:05:33Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-08-03T20:05:33Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-08-03T20:05:33Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-08-03T20:05:33Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-03T20:05:33Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-03T20:05:35Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-03T20:05:35Z"}
{"level":"warning","msg":"A new release has been found: 2.8.1. Please consider updating.","time":"2022-08-03T20:15:34Z"}
{"level":"info","msg":"I have to go...","time":"2022-08-03T20:29:49Z"}
{"level":"info","msg":"Stopping server gracefully","time":"2022-08-03T20:29:49Z"}
{"entryPointName":"websecure","level":"error","msg":"accept tcp [::]:443: use of closed network connection","time":"2022-08-03T20:29:49Z"}
{"entryPointName":"web","level":"error","msg":"accept tcp [::]:80: use of closed network connection","time":"2022-08-03T20:29:49Z"}
{"entryPointName":"web","level":"error","msg":"Error while starting server: accept tcp [::]:80: use of closed network connection","time":"2022-08-03T20:29:49Z"}
{"entryPointName":"websecure","level":"error","msg":"Error while starting server: accept tcp [::]:443: use of closed network connection","time":"2022-08-03T20:29:49Z"}
{"level":"info","msg":"Server stopped","time":"2022-08-03T20:29:49Z"}
{"level":"info","msg":"Shutting down","time":"2022-08-03T20:29:49Z"}
{"level":"info","msg":"Traefik version 2.8.0 built on 2022-06-29T15:43:58Z","time":"2022-08-03T20:30:01Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-08-03T20:30:01Z"}
{"level":"warning","msg":"Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.","time":"2022-08-03T20:30:02Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-08-03T20:30:02Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-08-03T20:30:02Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-08-03T20:30:02Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-08-03T20:30:02Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-08-03T20:30:02Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-03T20:30:02Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-03T20:30:04Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-03T20:30:04Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-03T20:30:08Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-03T20:30:08Z"}
{"level":"warning","msg":"A new release has been found: 2.8.1. Please consider updating.","time":"2022-08-03T20:40:03Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-04T20:30:03Z"}
{"level":"warning","msg":"A new release has been found: 2.8.1. Please consider updating.","time":"2022-08-04T20:30:04Z"}
{"level":"error","msg":"Error while Peeking first byte: read tcp 192.168.128.2:443-\u003e172.105.77.209:56621: read: connection timed out","time":"2022-08-05T05:58:37Z"}

Not likely to be the cure, but it may be worth the effort:

3 Likes