I’ve had my Traefik/Let's Encrypt setup running for a couple of years without failure and have just noticed this error and that my certificate has expired:
——
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.paulmorabito.net`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *acme.Provider {\"email\":\"[email@redacted]\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\"},\"ResolverName\":\"dns-cloudflare\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
time="2022-12-14T20:25:36Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
time="2022-12-14T20:25:36Z" level=info msg="Testing certificate renew..." providerName=dns-cloudflare.acme
time="2022-12-14T20:25:37Z" level=info msg="Renewing certificate from LE : {Main:paulmorabito.net SANs:[*.paulmorabito.net]}" providerName=dns-cloudflare.acme
time="2022-12-14T20:53:53Z" level=error msg="Error renewing certificate from LE: {paulmorabito.net [*.paulmorabito.net]}" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=dns-cloudflare.acme error="error: one or more domains had a problem:\n[*.paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. did not return the expected TXT record [fqdn: paulmorabito.net., value: hPsKM9DTwZNpgjmpD4WSQaaO2ZcifOTfotM2jES2MJ0]: \n[paulmorabito.net] time limit exceeded: last error: NS cleo.ns.cloudflare.com. did not return the expected TXT record [fqdn: paulmorabito.net., value: vZbgQ1k8SOelokpgQq8SXHer02lVSyBXcjvusRtSM_4]: \n
——
I’m running a Debian server with Traefik 2.4.
Any ideas on how to resolve this would be very appreciated.
It's not very simple to troubleshoot Traefik with CloudFlare DNS.
I would start by reviewing the inbound firewall policy, to ensure that it isn't blocking.
But I'm not exactly sure how that plays into a wildcard certificate request.
Is that their latest version?
Has there been any recent update to it?
v2.4 is not the latest, so I moved to the latest, v2.9, and it gives the same error.
Edit: I did recently install AdGuard Home on my router and am pointing to a different DNS upstream provider. I've disabled all blocklists and certificate renewal still times out. Could this be an issue and, if so, can I specify a Cloudflare DNS for renewing the certificate from within Traefik?
I can access traefik externally and the proxied sites (albeit with certificate errors now).
I can't see any calls to Cloudflare being blocked but can see calls to the Cloudflare API succeeding (for my DDNS). I can also see calls to Laura.ns.Cloudflare.com being passed through Adblock when it attempts to renew the certificate. I can also see calls for _acme-challenge.paulmorabito.net being passed through. Lastly, whoami.cloudflare responds with a SERVFAIL.
Hard to tell from the error message, but Cloudflare use DNS validation for their Universal SSL feature, and this can conflict with your own attempts to do DNS validation because they already present a hidden _acme-challenge TXT record. You can try disabling the feature (under SSL/TLS > Edge Certificates > Disable Universal SSL), but ideally they would only present their own TXT record when they are actually performing validation, instead of all the time. This may not be the cause of your issue.
Thanks. I gave this a try and also tried 1.1.1.1 for the DNS, and it was unsuccessful too. At this point, I fully removed AdGuard Home, which I have running on my router, and it renewed without a problem!
So, long story short, there’s something with Adguard Home that is causing this (or perhaps the other DNS service I’m using in conjunction with it). I’ll have to look more into this and the settings here. I’m surprised that specifying the DNS for Traefik didn’t work.
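The failure in this thread is the ACME client's DNS-01 propagation check: before asking Let's Encrypt to validate, it polls a resolver for the `_acme-challenge` TXT record and gives up with "time limit exceeded" if the expected value never shows up, which is exactly what happens when the lookup goes through a local resolver that answers SERVFAIL instead of the zone's authoritative servers. The Python below is an added example (not code from Traefik, lego or anyone in the thread) that models that check offline: the domain, token and three lookup functions are constructed stand-ins for an authoritative nameserver, a resolver returning some other TXT value, and a filtering resolver that fails the query.

```python
from typing import Callable, Sequence

# Constructed sample data: example.net and a placeholder token, not the
# thread's real domain or challenge values. A lookup function returns
# (txt_values, error), where error is an rcode name such as "SERVFAIL".
FQDN = "_acme-challenge.example.net."
EXPECTED = "challenge-token-PLACEHOLDER"
ZONE_TXT = {FQDN: {EXPECTED}}

def wait_for_txt(fqdn: str, expected: str, nameservers: Sequence[str], lookup,
                 timeout_s: float, interval_s: float,
                 now: Callable[[], float], sleep: Callable[[float], None]):
    """Poll every nameserver until all return `expected`; (ok, last_error)."""
    deadline, last_error = now() + timeout_s, None
    while True:
        pending = False
        for ns in nameservers:
            values, err = lookup(ns, fqdn)
            if err is not None:
                last_error, pending = f"NS {ns} returned {err}", True
            elif expected not in values:
                last_error = (f"NS {ns} did not return the expected TXT record "
                              f"[fqdn: {fqdn}, value: {expected}]")
                pending = True
        if not pending:
            return True, None
        if now() >= deadline:
            return False, f"time limit exceeded: last error: {last_error}"
        sleep(interval_s)

def authoritative_lookup(ns, fqdn):
    """Simulated authoritative server for the zone: serves what is published."""
    return set(ZONE_TXT.get(fqdn, set())), None

def stale_lookup(ns, fqdn):
    """Simulated resolver answering with a different, pre-existing TXT value."""
    return {"unrelated-TXT-value"}, None

def servfail_lookup(ns, fqdn):
    """Simulated local filtering resolver whose upstream query fails."""
    return set(), "SERVFAIL"

class FakeClock:  # deterministic clock so the example runs instantly and offline
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, s): self.t += s

def run_scenario(lookup, nameservers):
    clock = FakeClock()  # 120 s limit, polling every 10 s
    return wait_for_txt(FQDN, EXPECTED, nameservers, lookup, 120, 10, clock.now, clock.sleep)
```

Only the authoritative scenario succeeds; the SERVFAIL and stale-answer scenarios both end in the "time limit exceeded" message seen in the log, which is why pointing the check at the zone's own nameservers (or a resolver that does not filter the query) fixes the renewal.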