Error when multiple servers request certs for same domain using cloudflare dns

Hi, I have problems creating certs for the same domain from multiple servers.

I’m running multiple traefik v2 instances in docker, each instance uses Let's Encrypt Cloudflare DNS for cert creation.
Each traefik instance creates certs for the same insanegenius.net and *.insanegenius.net domains, and each traefik instance uses its own acme.json file.

The first traefik instance gets the certs fine, subsequent traefik instances fail to get certs.

A variety of errors, notably:

time="2020-07-03T11:43:34-07:00" level=error msg="Unable to obtain ACME certificate for domains \"insanegenius.net,*.insanegenius.net\" : unable to generate a certificate for the domains [insanegenius.net *.insanegenius.net]: error: one or more domains had a problem:\n[*.insanegenius.net] [*.insanegenius.net] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"result\\\":null,\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[]}\"\n[insanegenius.net] [insanegenius.net] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 400: content \"{\\\"result\\\":null,\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":81057,\\\"message\\\":\\\"The record already exists.\\\"}],\\\"messages\\\":[]}\"\n" providerName=dns-cloudflare.acme,

Traefik config using Ansible, all servers use the same config, the docker containers and their networks per server instance are different:

- name: 'Install Traefik'
  docker_container:
    name: traefik
    image: traefik
    pull: true
    hostname: "traefik-{{ ansible_hostname }}"
    domainname: "{{ ansible_domain }}"
    restart_policy: unless-stopped
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network={{ docker_local_network }}"
      # SMTP port 25
      - "--entrypoints.smtp.address=:25"
      # HTTP port 80
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # HTTPS port 443
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certresolver=dns-cloudflare"
      - "--entrypoints.websecure.http.tls.domains[0].main={{ ansible_fqdn }}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.{{ ansible_domain }}"
      - "--entrypoints.websecure.http.tls.domains[1].main={{ external_domain }}"
      - "--entrypoints.websecure.http.tls.domains[1].sans=*.{{ external_domain }}"
      # SSL certs
      - "--certificatesresolvers.dns-cloudflare.acme.email={{ cloudflare_email }}"
      - "--certificatesresolvers.dns-cloudflare.acme.storage=/config/acme.json"
      - "--certificatesResolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare"
    env:
      TZ: "America/Los_Angeles"
      CF_DNS_API_TOKEN: "{{ cloudflare_dns_api_token }}"
    volumes:
      - "{{ appdata_dir }}/traefik/config:/config"
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks_cli_compatible: yes
    purge_networks: yes
    networks:
      - name: "{{ docker_local_network }}"
    published_ports:
      - 80:80
      - 443:443
      - 8080:8080

Looking at the acme.json I can see that the different servers create different Let's Encrypt accounts and use different private keys.

Looking at CloudFlare DNS I can see two CNAME entries with unique values.

I suspect that the problem has something to do with how the CloudFlare DNS entries are mapped to the acme.json Let's Encrypt account.

How do I configure the traefik or certbot or cloudflare dns to allow multiple server instances to create certs for the same domain?

Btw, I noticed with all my testing I am now being rate limited, but the problems happened before rate limiting kicked in.


My personal opinion is: don't. I think you should find a solution where you get just one certificate and redistribute this cert and private key securely between the traefik instances.

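One way to carry out the suggestion above, as an added example that is not from this thread or from Traefik itself: the script reads the acme.json written by the `dns-cloudflare` resolver on the instance that did obtain the certificate, pulls out the PEM certificate and key for insanegenius.net, writes them with owner-only permissions, and emits a Traefik v2 file-provider `tls.certificates` fragment that the other instances can load instead of running their own resolver. The acme.json content is a constructed placeholder, and the secure copy of the resulting files to the other hosts is left to whatever channel you already use.

```python
import base64
import json
import os
import tempfile
from pathlib import Path

# Constructed sample in the Traefik v2 acme.json layout (keyed by resolver name).
# The PEM bodies are placeholders, not real certificate or key material.
SAMPLE_ACME_JSON = json.dumps({"dns-cloudflare": {
    "Account": {"Email": "admin@example.invalid"},
    "Certificates": [{
        "domain": {"main": "insanegenius.net", "sans": ["*.insanegenius.net"]},
        "certificate": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "key": base64.b64encode(
            b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
        "Store": "default"}]}})

def extract_certificate(acme_json, resolver, main_domain):
    """Return (cert_pem, key_pem) bytes for main_domain from an acme.json string."""
    for entry in json.loads(acme_json)[resolver]["Certificates"]:
        if entry["domain"]["main"] == main_domain:
            return base64.b64decode(entry["certificate"]), base64.b64decode(entry["key"])
    raise KeyError(f"no certificate for {main_domain} under resolver {resolver}")

def export_for_file_provider(acme_json, resolver, main_domain, out_dir):
    """Write cert and key files plus a Traefik file-provider fragment that uses them."""
    cert_pem, key_pem = extract_certificate(acme_json, resolver, main_domain)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out / f"{main_domain}.crt", out / f"{main_domain}.key"
    cert_path.write_bytes(cert_pem)
    # Create the key file owner-read/write only before any bytes reach disk;
    # the chmod covers a pre-existing file that O_TRUNC would leave wider.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_pem)
    os.chmod(key_path, 0o600)
    dynamic = ("tls:\n  certificates:\n"
               f"    - certFile: {cert_path}\n      keyFile: {key_path}\n")
    (out / "tls.yml").write_text(dynamic)
    return {"cert": str(cert_path), "key": str(key_path),
            "key_mode": os.stat(key_path).st_mode & 0o777, "dynamic": dynamic}

def demo():
    """Run the export against the constructed sample in a fresh temporary directory."""
    return export_for_file_provider(SAMPLE_ACME_JSON, "dns-cloudflare",
                                    "insanegenius.net", tempfile.mkdtemp())
```

Point the other instances at the generated `tls.yml` with `--providers.file.filename` and drop their `certresolver` setting, so only one host ever talks to Cloudflare and Let's Encrypt for this domain.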

Ok, thx.
Btw I also asked here: https://community.containo.us/t/multiple-traefik-instances-using-same-letsencrypt-domain-fails-to-create-certs/6758

