Problem getting the certificate from traefik

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: carlosgrillet.me

I ran this command: docker compose up -d traefik

It produced this output:

time="2023-06-21T06:52:28Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.carlosgrillet.me\": unable to generate a certificate for the domains [portainer.carlosgrillet.me]: error: one or more domains had a problem:\n[portainer.carlosgrillet.me] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 170.187.144.237: Connection refused\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=portainer@docker rule="Host(portainer.carlosgrillet.me)" providerName=letsEncrypt.acme

My web server is (include version): traefik container 2.10.3

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Reading from previous threads, I noticed that Let's Encrypt can block IPs. Can you please check my public IP? 170.187.144.237. Thank you for your time.


It is far more likely you have some sort of comms config problem affecting outbound requests.

Can you run these two commands in that same container and show result?

curl -I https://acme-v02.api.letsencrypt.org/directory

curl -I https://google.com/Expect404.html

Sure, here you have the output:

/ # curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Wed, 21 Jun 2023 14:02:37 GMT
content-type: application/json
content-length: 752
cache-control: public, max-age=0, no-cache
replay-nonce: 2712Iios8QkMTbPS8KTAdOtrve20Zx3e2wJWJn42IqSQYpo
x-frame-options: DENY
strict-transport-security: max-age=604800

/ # curl -I https://google.com/Expect404.html
HTTP/2 404
date: Wed, 21 Jun 2023 14:02:57 GMT
content-type: text/html; charset=UTF-8
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Thanks. Proves you can reach the Let's Encrypt server so your IP is not blocked. I don't know enough about your traefik setup to help debug. You might find better help debugging the comms problem on the traefik community forum.


Thank you for your time Mike.


Quick update. I tested using the same container but on another server with another public IP, and it works well. Something that catches my attention is that the error message says "connection refused":

time="2023-06-21T23:08:16Z" level=error msg="Unable to obtain ACME certificate for domains "docker.carlosgrillet.me": unable to generate a certificate for the domains [docker.carlosgrillet.me]: error: one or more domains had a problem:\n[docker.carlosgrillet.me] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 170.187.144.237: Connection refused\n" routerName=portainer@docker rule="Host(docker.carlosgrillet.me)" providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

I even tried changing the subdomain from portainer to docker, but still nothing. The other server that I tested had the public IP 200.8.184.52 and worked fine. I just copied the config from one to the other.

How can I solve this problem?

Yes, the connection refused is a comms problem as I noted. You should look at other differences between the servers that work and fail to see if there's any communications config that is different. You should focus on what might be different between the environment in which you ran the curl command and the one in which the ACME client runs.


@carlosgrillet I may have led you astray. The format of the message and your concern about IP being blocked made me think the problem was with the outbound connection from your container.

But, I just looked again and it looks like an inbound problem to your server. It is still some sort of config problem in your system. And, I don't know your overall system well enough to advise. But, if I try to send a test HTTP Challenge request to your domain(s) I get a "connection refused".

This is at least partly because you redirect the HTTP request to HTTPS and nothing is listening on port 443 to process that request. It is best not to redirect the ACME challenge HTTP request.

The Let's Debug test site is good for evaluating new sites (https://letsdebug.net).

Note the below happens with the docker subdomain and your apex domain. You showed both at different times.

curl -i http://docker.carlosgrillet.me/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Location: https://docker.carlosgrillet.me/.well-known/acme-challenge/Test123

curl -i https://docker.carlosgrillet.me/.well-known/acme-challenge/Test123
curl: (7) Failed to connect to docker.carlosgrillet.me port 443 after 15 ms: Connection refused

nmap -p80,443 docker.carlosgrillet.me
rDNS record for 170.187.144.237: 170-187-144-237.ip.linodeusercontent.com
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Thank you again for your time. Now it's really clear to me. I will re-check all the configuration again. Just so you know, on both servers I have this reverse proxy configuration:

                 |              docker network                |
 |Internet| ---> |Traefik container| ---> |Portainer container|
                 :80 -> :443              :80

This is the traefik config I've used on both servers. I even tried disabling port redirection, but still nothing:

global:
  checkNewVersion: true

api:
  insecure: true
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

certificatesResolvers:
  letsEncrypt:
    acme:
      email: <email>
      storage: /etc/traefik/certs/acme.json
      tlsChallenge: {}

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
  file:
    directory: /etc/traefik
    watch: true

Thanks to your help I could find the error. I feel a bit like a fool, but the error was this. Look at my docker-compose file:

version: "3"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - 80:80
      - 441:443
    networks:
      - traefik-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_ssl_data:/ssl-certs
      - /etc/traefik:/etc/traefik
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 50M

That's why you didn't see port 443 open. Thank you again for your time, Mike. I hope this post can help someone else. Now it's working!

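The root cause above (the compose file publishing host port 441 to container port 443 while traefik's https entryPoint and the tlsChallenge both need 443) is the kind of mismatch that is easy to miss by eye and easy to check mechanically. The following is an added example, not code from the thread or from traefik: a small Python checker that cross-references a compose `ports` list against the traefik `entryPoints` addresses and the port the chosen ACME challenge type must be reachable on, and reports the same "connection refused" condition the nmap output revealed. The sample port list and entryPoints are constructed to mirror the configuration posted above; the function and constant names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input mirroring the thread: the compose "ports" list that
# hid the bug (host 441 -> container 443) and the traefik entryPoints.
COMPOSE_PORTS = ["80:80", "441:443"]
TRAEFIK_ENTRYPOINTS = {"http": ":80", "https": ":443"}

# Port each ACME challenge type must be reachable on from the public Internet
# (HTTP-01 on 80, TLS-ALPN-01 on 443). Keys match traefik's acme config keys.
CHALLENGE_PORTS = {"httpChallenge": 80, "tlsChallenge": 443}


def parse_port_mapping(spec: str) -> Tuple[int, int]:
    """Parse a compose short-syntax port mapping into (host_port, container_port).

    Accepts "443", "443:443" and "0.0.0.0:443:443", optionally with a "/tcp" or
    "/udp" suffix. Port ranges are rejected rather than guessed at.
    """
    spec = re.sub(r"/(tcp|udp)$", "", spec.strip())
    parts = spec.split(":")
    if len(parts) == 1:
        host = container = parts[0]
    elif len(parts) == 2:
        host, container = parts
    elif len(parts) == 3:
        _bind_ip, host, container = parts
    else:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    if "-" in host or "-" in container:
        raise ValueError(f"port ranges not supported: {spec!r}")
    return int(host), int(container)


def entrypoint_port(address: str) -> int:
    """Extract the port from a traefik entryPoint address such as ":443" or "0.0.0.0:443"."""
    return int(address.rsplit(":", 1)[1])


def find_port_mismatches(compose_ports: List[str],
                         entrypoints: Dict[str, str],
                         challenge: str) -> List[str]:
    """Return findings describing why the CA could get 'connection refused'.

    A finding is produced when an entryPoint's container port is not published,
    is published under a different host port, or when the port the chosen
    challenge type needs is not exposed under the same host port number.
    """
    published: Dict[int, int] = {}  # container port -> host port
    for spec in compose_ports:
        host, container = parse_port_mapping(spec)
        published[container] = host

    findings: List[str] = []
    for name, address in entrypoints.items():
        port = entrypoint_port(address)
        if port not in published:
            findings.append(f"entryPoint '{name}' listens on {port} but compose publishes no mapping for it")
        elif published[port] != port:
            findings.append(f"entryPoint '{name}' listens on {port} but compose publishes it as host port {published[port]}")

    needed = CHALLENGE_PORTS[challenge]
    if published.get(needed) != needed:
        findings.append(f"{challenge} requires host port {needed} to reach container port {needed}; "
                        f"the CA will see 'connection refused' on {needed}")
    return findings


if __name__ == "__main__":
    results = find_port_mismatches(COMPOSE_PORTS, TRAEFIK_ENTRYPOINTS, "tlsChallenge")
    for line in results or ["no port mismatches found"]:
        print(line)
```

Running it against the posted mapping reports both the entryPoint mismatch and the unreachable tlsChallenge port; changing the mapping to `443:443` makes it report nothing. The check is deliberately strict about host and container port numbers being equal, because the CA connects to the port the challenge specification fixes, not to whatever port the operator happened to publish.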
