TLS handshake problem with Strato?

Hi guys,
I have a problem I've been trying to solve for a couple of hours now, but I cannot find any solutions or similar problems.

General set up:

  • Raspberry Pi 4 as home server for Home Assistant and Immich
  • Traefik (within a Docker container on my Pi) as reverse proxy
  • switched from a No-IP domain to a couple of Strato subdomains
  • before I switched to Strato, everything worked just fine

My Traefik compose.yaml:

version: "3.8"
services:
  traefik:
    image: traefik:v2.11
    restart: always
    command:
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=traefik_web
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.https.http.tls.certResolver=le
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=mail@hendrikthues.de
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - 80:80
      - 443:443
      - 2280:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - web
networks:
  web:
    name: traefik_web

Now I'm getting the following error:

time="2024-06-05T08:25:31Z" level=error msg="Unable to obtain ACME certificate for domains \"immich.hendrikthues.com\": unable to generate a certificate for the domains [immich.hendrikthues.com]: error: one or more domains had a problem:\n[immich.hendrikthues.com] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 81.169.145.70: remote error: tls: handshake failure\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme routerName=immich@docker rule="Host(`immich.hendrikthues.com`)"
time="2024-06-05T08:25:32Z" level=error msg="Unable to obtain ACME certificate for domains \"hass.hendrikthues.com\": unable to generate a certificate for the domains [hass.hendrikthues.com]: error: one or more domains had a problem:\n[hass.hendrikthues.com] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 81.169.145.70: remote error: tls: handshake failure\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme routerName=hass@docker rule="Host(`hass.hendrikthues.com`)"

What could be the problem? Logic would suggest it has to have something to do with Strato, since everything worked before.

As your port 443 is currently not answering anything but port 80 is working, change the

--certificatesresolvers.le.acme.tlschallenge=true

option to

--certificatesresolvers.le.acme.httpchallenge.entrypoint=http

2 Likes

Thanks, I tried it and we might be one step further :wink: I got a different error now:

time="2024-06-05T11:52:28Z" level=error msg="Unable to obtain ACME certificate for domains \"hass.hendrikthues.com\": unable to generate a certificate for the domains [hass.hendrikthues.com]: error: one or more domains had a problem:\n[hass.hendrikthues.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2a01:238:20a:202:1070::: Invalid response from http://hass.hendrikthues.com/.well-known/acme-challenge/ZJDbOI6lwTzcpsHCT-H4d3cIZMtoMZa2x-SeS5NEt5Q: 404\n" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=hass@docker rule="Host(`hass.hendrikthues.com`)"
time="2024-06-05T11:52:31Z" level=error msg="Unable to obtain ACME certificate for domains \"immich.hendrikthues.com\": unable to generate a certificate for the domains [immich.hendrikthues.com]: error: one or more domains had a problem:\n[immich.hendrikthues.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2a01:238:20a:202:1070::: Invalid response from http://immich.hendrikthues.com/.well-known/acme-challenge/HP8jbd3hzvn8ZBgsPpeXKNUIVh1l1L3Y5hweChxEydU: 404\n" routerName=immich@docker rule="Host(`immich.hendrikthues.com`)" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

Hmm, the IP changed from the last log: did you check that the IPv6 address actually points to that server?

2 Likes

Should the IPv6 address from the log point to my Raspberry Pi server? Because no, the IPv6 from the logs is different from the actual IPv6 of my network.

Yes, it needs to, so give a persistent IP of the device itself or remove it from DNS.

2 Likes

But where does this IP come from? Let's Encrypt seems to be doing some magic and comes up with this IP to do some more magic. I have no idea how to fix this.

How are you using Strato? As a proxy/CDN like Cloudflare, or are you renting a server from them?

2 Likes

I'm renting a server from them; I already have a website under a different domain there.
I was testing some more. When I ping the main domain (hendrikthues.com), I get the correct IP. When I ping the subdomains, I get a different IP. So I'm guessing I'm using the Fritz!Box DynDNS and/or the Strato domains wrong...

Because IPv6 doesn't do NAT, the DDNS script on the router publishes the IP of the router itself, and as that is the IP of just the router, it will only show the router's web page and not pass anything to the Pi: you likely need to run IPv6 DDNS on the Pi itself.

2 Likes

So, I fixed it, although it had nothing to do with what we discussed here.
In a nutshell: every subdomain I have with Strato needs to be updated with my current IP, which means I cannot use the DynDNS feature of my Fritz!Box. I installed ddclient on my Pi and configured it for every subdomain I intend to use. Now Traefik and Let's Encrypt are working just fine :slight_smile:

Thanks for your help! You definitely pointed me in the right direction :slight_smile:

3 Likes
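A pre-flight check for the root cause this thread ended up with (a subdomain's A or AAAA record pointing somewhere other than the host running Traefik), written as an added example; it is not code from the thread, Traefik or ddclient, and the domain names and addresses in the sample are constructed documentation values:

```python
import socket
import sys
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    rtype: str        # "A" or "AAAA"
    addresses: list
    ok: bool
    note: str

def resolve(name: str) -> dict:
    """Resolve a name the way the ACME validator does: A and AAAA records."""
    out = {"A": set(), "AAAA": set()}
    for fam, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        if fam == socket.AF_INET:
            out["A"].add(sockaddr[0])
        elif fam == socket.AF_INET6:
            out["AAAA"].add(sockaddr[0])
    return {k: sorted(v) for k, v in out.items()}

def check_records(name: str, records: dict, own_v4: set, own_v6: set) -> list:
    """Flag every record that does not belong to this host. Let's Encrypt prefers
    AAAA when present, so a stale AAAA fails even when A is right (the 403/404 above)."""
    findings = []
    for rtype, own in (("A", own_v4), ("AAAA", own_v6)):
        addrs = sorted(set(records.get(rtype, [])))
        if not addrs:
            findings.append(Finding(name, rtype, [], True, "no record; validator skips it"))
            continue
        stray = sorted(set(addrs) - set(own))
        note = (f"points at {stray}: fix DDNS on the host or drop the record"
                if stray else "matches this host")
        findings.append(Finding(name, rtype, addrs, not stray, note))
    return findings

def all_ok(findings: list) -> bool:
    return all(f.ok for f in findings)

# Constructed sample (documentation addresses): A is right, AAAA still points at the old host.
SAMPLE = {"hass.example.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8:ffff::1"]},
          "example.com": {"A": ["203.0.113.10"], "AAAA": []}}
OWN_V4, OWN_V6 = {"203.0.113.10"}, {"2001:db8:1::beef"}

if __name__ == "__main__":  # usage: python check_dns.py <name> <own IPv4> [<own IPv6>]
    name, v4, v6 = sys.argv[1], {sys.argv[2]}, set(sys.argv[3:4])
    for f in check_records(name, resolve(name), v4, v6):
        print(f"{f.name} {f.rtype:4} {'ok ' if f.ok else 'BAD'} {f.addresses} {f.note}")
```

Run it against each subdomain before pointing Traefik at it; a BAD line on the AAAA row is exactly the symptom in the second log above, since the validator never reaches the Pi.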
