[SOLVED] ACME / Traefik - no new certificates are generated

My domain is: wbdev.org

I use traefik 2.9 and ACME to get certificates for my subdomains.
It produced this output:


time="2023-01-08T10:21:30Z" level=debug msg="legolog: [INFO] [newsudomain.wbdev.org] acme: Obtaining bundled SAN certificate"
time="2023-01-08T10:21:30Z" level=debug msg="legolog: [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"A5FETQ54jlKCoydxM9DtkwxPyuIJMpf-iJFev1Ie7igmkKg\""
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.wbdev.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193505530477"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.wbdev.org] acme: Could not find solver for: tls-alpn-01"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.wbdev.org] acme: use http-01 solver"
time="2023-01-08T10:21:31Z" level=debug msg="legolog: [INFO] [newsudomain.wbdev.org] acme: Trying to solve HTTP-01"
time="2023-01-08T10:21:42Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193505530477"
time="2023-01-08T10:21:43Z" level=error msg="Unable to obtain ACME certificate for domains \"newsudomain.wbdev.org\": unable to generate a certificate for the domains [newsudomain.wbdev.org]: error: one or more domains had a problem:\n[newsudomain.wbdev.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 91.86.42.119: Fetching http://newsudomain.wbdev.org/.well-known/acme-challenge/0OCOc5O36M6uSw8n8NV4BMWAuaOm2AtLGH95lNNmDEQ: Timeout during connect (likely firewall problem)\n" rule="Host(`newsudomain.wbdev.org`)" routerName=newsudomain@docker providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

The operating system my web server runs on is (include version): Debian 10 Buster

I can log in to a root shell on my machine (yes or no, or I don't know): yes

Hi all,
I've been using Traefik with Let's Encrypt for a few years now. I followed a quite standard setup.
I have a few subdomains managed by it. All is well.
Until I decided to add a new webservice that I wish to reach from outside through traefik.

No idea why, but the acme.json file doesn't get a new cert for this new domain. I checked everywhere in Traefik to see if I could find something, a message.
I checked traefik.log as well, but I am not super familiar with some of the information in it.
What I did read was this:
It reads a configuration, adds certificates for the other subdomains, then says
msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
which I assume is for that new subdomain, then creates middlewares, for all subdomains.

Then there is this passage, which seems important:
"SSLRedirect is deprecated, please use entrypoint redirection instead." middlewareName=middlewares-secure-headers@file middlewareType=Headers entryPointName=websecure routerName=newsubdomain@docker

Don't really know what to do with that.

Then loads of stuff that I am lost in.
Then adding routes to all subdomains.

msg="Looking for provided certificate(s) to validate [\"newsubdomain.mydomain.com\"]..." providerName=letsEncrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=newsubdomain@docker rule="Host(`newsubdomain.mydomain.com`)"

msg="Domains [\"newsubdomain.mydomain.org\"] need ACME certificates generation for domains \"newsubdomain.mydomain.com\"." ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=newsubdomain@docker rule="Host(`newsubdomain.mydomain.com`)" providerName=letsEncrypt.acme

I tried again the next day and got the output shown at the top of this post.

I have no idea what to do with all this information and how to resolve the situation.

Thanks for any help and pointers.
Cheers.

WB

Welcome to the community @wisbit

I don't know much about Traefik but the HTTP solver uses the HTTP Challenge and that needs port 80 to be open. I only see port 443 open for that domain (IP).

The Let's Debug site is helpful to test new setups (link here).

5 Likes
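A small pre-flight probe for the path the http-01 solver needs, as an added example (not from this thread, Traefik or Let's Debug): it fetches /.well-known/acme-challenge/ on port 80 the way a validator would and classifies the outcome, so a "Timeout during connect" is distinguished from a closed port or a bad DNS record. The token is constructed, and demo() runs the probe against a local 404 listener so the block works offline.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token: Let's Encrypt issues the real one per authorization.
SAMPLE_TOKEN = "constructed-token-for-reachability-probe"
# What each outcome means for a Traefik setup like the one in the thread.
ADVICE = {
    "reachable": "port 80 answers; if issuance still fails, look at the router/resolver config",
    "refused": "host reached but nothing listens on 80: check the 'web' entrypoint",
    "timeout": "no answer to the SYN (the log's 'Timeout during connect'): open port 80 or use dnsChallenge",
    "dns": "name does not resolve; fix the public A/AAAA record first",
}

def check_http01(host, port=80, token=SAMPLE_TOKEN, timeout=5.0):
    """Fetch the path an ACME validator would; return (outcome, http_status)."""
    path = "/.well-known/acme-challenge/" + token
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return "reachable", resp.status  # 404 is expected for a made-up token
    except socket.gaierror:
        return "dns", None
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None
    finally:
        conn.close()

class _NotFound(BaseHTTPRequestHandler):
    """Stand-in for an edge that is reachable but holds no such token."""
    def do_GET(self):
        self.send_response(404)
        self.end_headers()

def demo():
    """Probe a local 404 listener, stop it, and return ((outcome, status), port)."""
    srv = HTTPServer(("127.0.0.1", 0), _NotFound)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_http01("127.0.0.1", port), port
    finally:
        srv.shutdown()
        srv.server_close()
```

Run check_http01 against the real hostname from outside your own network: a host behind NAT can reach its own port 80 while the validator's fetch from the Internet still times out.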

Hey there,
Thanks a lot for your reply.
I posted the question on the Traefik forums as well, and somebody there suggested that I should use dnsChallenge instead of httpChallenge.
Which I did; I used my DNS provider's API user and API key, and so far it's working.

So the solution was:

  1. change the challenge type in traefik.yml

certificatesResolvers:
  letsEncrypt:
    acme:
      #caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: myemail@mayemail.com
      storage: /acme.json
      #keyType: EC384
      dnsChallenge:
        provider: mydnsprovider

  2. add some lines in the traefik section of the docker-compose.yml

environment:
  ...
  - DNSPROVIDER_API_KEY=12345678945612345789
  - DNSPROVIDER_API_USER=api_user
  ...

Note that the environment variables are specific to my provider. One should look up their own, and can do so here: Traefik Let's Encrypt Documentation - Traefik

2 Likes
