LetsEncrypt certificate requests fail in traefik reverse-proxy on raspberrypi

Dear support team,
I am running the evcc car charging system and the traefik reverse-proxy in Docker on a Raspberry Pi 4 - please see https://jfraundo251158.github.io.
For some months everything was working fine. Some weeks ago, unfortunately, there were some changes, more or less in parallel. So I have no clue whether it was perhaps broken by an AVM Fritzbox or Raspberry OS update, or by the 3-month certificate lifetime running out together with a renewal that possibly never worked?

My domain is:
7y4sbu5yhxrbxqpi.myfritz.net

I ran this command:

It produced this output: Traefik log
...
time="2023-11-21T09:59:58Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/286007434446"
time="2023-11-21T09:59:58Z" level=error msg="Unable to obtain ACME certificate for domains "7y4sbu5yhxrbxqpi.myfritz.net": unable to generate a certificate for the domains [7y4sbu5yhxrbxqpi.myfritz.net]: error: one or more domains had a problem:\n[7y4sbu5yhxrbxqpi.myfritz.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2a02:3100:9200:af09:e228:6dff:fe08:34ed: Error getting validation data\n" rule="Host(7y4sbu5yhxrbxqpi.myfritz.net)" routerName=https-evcc-https@file providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
...
time="2023-11-21T10:00:00Z" level=debug msg="Domains ["7y4sbu5yhxrbxqpi.myfritz.net"] need ACME certificates generation for domains "7y4sbu5yhxrbxqpi.myfritz.net"." ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(7y4sbu5yhxrbxqpi.myfritz.net)" routerName=https-evcc-https@file providerName=le.acme
time="2023-11-21T10:00:00Z" level=debug msg="Loading ACME certificates [7y4sbu5yhxrbxqpi.myfritz.net]..." rule="Host(7y4sbu5yhxrbxqpi.myfritz.net)" routerName=https-evcc-https@file providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-11-21T10:00:00Z" level=debug msg="legolog: [INFO] [7y4sbu5yhxrbxqpi.myfritz.net] acme: Obtaining bundled SAN certificate"
time="2023-11-21T10:00:00Z" level=error msg="Unable to obtain ACME certificate for domains "7y4sbu5yhxrbxqpi.myfritz.net": unable to generate a certificate for the domains [7y4sbu5yhxrbxqpi.myfritz.net]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt" routerName=https-evcc-https@file providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(7y4sbu5yhxrbxqpi.myfritz.net)"
time="2023-11-21T10:03:59Z" level=debug msg="http: TLS handshake error from 192.241.222.92:36192: tls: client offered only unsupported versions: "
...

My web server is (include version):

The operating system my web server runs on is (include version):
Raspi OS (Debian)

My hosting provider, if applicable, is:
System is running on my raspberrypi4 with up-to-date OS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Traefik 2.10.5 is doing the certification requests

Any help to detect the issue would be very welcome!

Thanks,
Juergen

Hello @jfr251158, welcome to the Let's Encrypt community. :slightly_smiling_face:

The domain has both an IPv4 and an IPv6 address; they both need to respond on port 80
for the HTTP-01 challenge; however, it seems at least IPv6 is not responding on port 80.

Best Practice - Keep Port 80 Open

Using the online tool Let's Debug yields these results https://letsdebug.net/7y4sbu5yhxrbxqpi.myfritz.net/1685307?debug=y

AAAANotWorking
ERROR
7y4sbu5yhxrbxqpi.myfritz.net has an AAAA (IPv6) record (2a02:3100:9200:af09:e228:6dff:fe08:34ed) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
Get "http://7y4sbu5yhxrbxqpi.myfritz.net/.well-known/acme-challenge/letsdebug-test": dial tcp [2a02:3100:9200:af09:e228:6dff:fe08:34ed]:80: connect: permission denied

Trace:
@0ms: Making a request to http://7y4sbu5yhxrbxqpi.myfritz.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2a02:3100:9200:af09:e228:6dff:fe08:34ed)
@0ms: Dialing 2a02:3100:9200:af09:e228:6dff:fe08:34ed
@108ms: Experienced error: dial tcp [2a02:3100:9200:af09:e228:6dff:fe08:34ed]:80: connect: permission denied

Sounds like you need to test on the test/staging environment.


Thanks for the fast reply! I have enabled IPv6 too, but that didn't fix it. I found now that most likely the Fritzbox is doing something wrong. Forwarding port 80 to my Raspberry Pi seems to be fishy, and instead http://7y4sbu5yhxrbxqpi.myfritz.net brings up the Fritzbox login dialog. I'm trying to clarify this with AVM.


I don't know anything about Fritzbox but vaguely remember it needs special care :slight_smile: You might find something helpful in past threads about it:

https://community.letsencrypt.org/search?expanded=true&q=fritzbox


You are right - there are a lot of similar issues, e.g. "Certificate renewal on Ubuntu 16.4 failed". In there it's said: "You'll also need to make sure that your Apache server that Certbot is creating a certificate for is accessible on port 80. At the moment your Fritzbox control panel appears to be on that port instead". Same for my setup, for which I'm in touch with AVM. Thanks!


Probably with a configuration change, the Let's Debug output looks different now. Does it mean there is an IPv6 problem? On the Fritzbox router, IPv6 forwarding for ports 80 and 443 is configured.

And I have seen that acme.json, where the certificate data should have been stored, is 0 bytes.

Any advice?

Yes, if you are going to list an IP address, ensure that it works.
I see two IPs:

Name:      7y4sbu5yhxrbxqpi.myfritz.net
Addresses: 2a02:3100:9200:d763:e228:6dff:fe08:34ed
           77.178.12.163

The IPv4 address "works":

curl -Ii4 7y4sbu5yhxrbxqpi.myfritz.net
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 13 Dec 2023 16:36:54 GMT
Content-Length: 19

The IPv6 address does NOT "work":

curl -Ii6 7y4sbu5yhxrbxqpi.myfritz.net
curl: (56) Recv failure: Connection reset by peer
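The point made in the two replies above (every published A and AAAA address must answer on port 80, and a 404 from the web server already proves reachability, while a reset on the IPv6 path does not) can be turned into a pre-flight check run before Traefik places an ACME order, so a dead address family does not burn the failed-validation rate limit. This is an added example, not code from the thread, Let's Debug or Traefik; the fake dialer, hostnames and addresses in it are constructed so that it runs offline.

```python
import socket

CHALLENGE_PATH = "/.well-known/acme-challenge/letsdebug-test"  # probe path used by Let's Debug

def resolve_all(hostname):
    """Every distinct A/AAAA address of hostname as (family, ip); all must work for HTTP-01."""
    out = []
    for fam, _, _, _, sa in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        entry = ("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
        if entry not in out:
            out.append(entry)
    return out

def http_status(reply):
    """Status code of a raw HTTP reply, or None if the peer did not speak HTTP."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def probe(ip, hostname, connect=socket.create_connection):
    """GET the challenge path from ip:80 with the proper Host header. Any HTTP status means
    port 80 reaches a web server (404 is normal before a token is provisioned); a connect
    error, reset or non-HTTP banner is what the ACME validator would also run into."""
    try:
        with connect((ip, 80), timeout=5.0) as sock:
            sock.sendall(f"GET {CHALLENGE_PATH} HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode())
            reply = sock.recv(4096)
    except OSError as exc:
        return ("fail", str(exc))
    status = http_status(reply)
    return ("ok", status) if status is not None else ("fail", "non-HTTP reply")

def preflight(hostname, addresses=None, connect=socket.create_connection):
    """{ip: (family, verdict, detail)} for every published address of hostname."""
    return {ip: (fam,) + probe(ip, hostname, connect)
            for fam, ip in (addresses or resolve_all(hostname))}

def all_families_reachable(results):
    """Only request a certificate when no listed address fails."""
    return all(v == "ok" for _, v, _ in results.values())

# Constructed offline stand-in for the thread's situation: the IPv4 address answers
# 404, the IPv6 address resets the connection (as curl -6 showed). Not real hosts.
class _FakeSock:
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def sendall(self, data): pass
    def recv(self, n): return b"HTTP/1.1 404 Not Found\r\nContent-Length: 19\r\n\r\n"

def fake_connect(addr, timeout=None):
    if ":" in addr[0]:  # IPv6 literal
        raise ConnectionResetError("Connection reset by peer")
    return _FakeSock()
```

For a live check call `preflight("your.host.example")` without the `connect` argument; the default dialer then probes the real A and AAAA records.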

Many thanks @rg305! It seems that the Fritzbox router had enabled IPv6 with its last update. I found a config option to disable it. The result is below.


So the basics should be fine now again. I need to go deeper into the Traefik logs now, since it's still not working.


That's good to hear - one step closer!


I want to let you know my system (https://jfraundo251158.github.io) is back at work : - )

In the end I was faced with 3 issues for some months:

  1. A Fritzbox router update enabled IPv6, which caused Let's Encrypt troubles because of Fritzbox IPv6 problems
  2. The Fritzbox router update also had broken DNSSEC validation, for which I recently got a patch
  3. My HTTP / HTTPS Traefik misconfiguration, with all the confusion

But now all is fixed!

Again thank you very much for your assistance!
