Traefik - 403 ACME certificate

Hi!
I'm new to deployment technologies and I'm trying to upload my API web page via Digital Ocean.

My API is dockerized and implemented with a Django and a Vue instance (with its corresponding PostgreSQL DB). My app works fine locally, but I'm actually very stuck with the final deployment and the SSL configuration via Traefik.

I was following this tutorial (Django-Vue-Docker-Deployment) and trying all the different configurations possible, even reading all the documentation and similar errors, but I keep having the same problem generating the keys via ACME:

time="2023-06-25T17:22:50Z" level=error msg="Unable to obtain ACME certificate for domains \"apphistologia.top,www.apphistologia.top\": unable to generate a certificate for the domains [apphistologia.top www.apphistologia.top]: error: one or more domains had a problem:\n[apphistologia.top] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 91.195.240.123: Invalid response from http://apphistologia.top/.well-known/acme-challenge/8vAKRzUnYwypTPL2ALsijBfkxGVIfOSzy2h-rZXN7lo: \"<!DOCTYPE html><html lang=\\\"en\\\"  data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXW\"\n[www.apphistologia.top] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 91.195.240.123: Invalid response from http://www.apphistologia.top/.well-known/acme-challenge/D7rrobo7c-m3IzqXVhpaJoaI43iI8u8Ezn52VHmvA68: \"<!DOCTYPE html><html lang=\\\"en\\\"  data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXW\"\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=frontend@file rule="Host(`apphistologia.top`) || Host(`www.apphistologia.top`)" providerName=letsencrypt.acme

My hosting provider and DNS server is Digital Ocean.

And my production.yml file looks like this:

version: "3"

volumes:
  media:
  db_postgres_data:
  production_traefik:

services:
  db:
    container_name: db_postgres
    image: postgres:13.0-alpine
    volumes:
      - db_postgres_data:/var/lib/postgresql/data:Z
    ports:
      - "5432:5432"
    env_file:
      - ./tfg/.env

  django:
    container_name: backend_django
    build:
      context: .
      dockerfile: ./Dockerfile
    image: backend_django
    volumes:
      - media:/home/app/backend/data:Z
    ports:
      - "8050:8040"
    depends_on:
      - db

  frontend:
    container_name: frontend
    restart: always
    build:
      context: ./tfg_front
      dockerfile: Dockerfile
    image: vue_frontend
    depends_on:
      - django
    expose:
      - "80"
  
  traefik:
    container_name: traefik
    build:
      context: .
      dockerfile: ./traefik/Dockerfile
    image: traefik_front
    depends_on:
      - django
    volumes:
      - production_traefik:/etc/traefik/acme:z
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"

The traefik.yml looks like this:

log:
  level: INFO

entryPoints:
  # https://docs.traefik.io/routing/entrypoints/#entrypoint

  web:
    # http
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    # https
    address: ":443"

certificatesResolvers:
  letsencrypt:
    # https://docs.traefik.io/master/https/acme/#lets-encrypt
    acme:
      email: "javiexalonso@gmail.com"
      storage: /etc/traefik/acme/acme.json
      # https://docs.traefik.io/master/https/acme/#httpchallenge
      httpChallenge:
        entryPoint: web

http:
  routers:
  
    # https://docs.traefik.io/master/routing/routers/#certresolver

    django:
      rule: "Host(`api.apphistologia.top`)"
      entryPoints:
        - websecure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt

    frontend:
      rule: "Host(`apphistologia.top`) || Host(`www.apphistologia.top`)"
      entryPoints:
        - websecure
      middlewares:
        - csrf
      service: frontend
      tls:
        certResolver: letsencrypt

  middlewares:
    csrf:
      # https://docs.traefik.io/master/middlewares/headers/#hostsproxyheaders
      # https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
      headers:
        hostsProxyHeaders: ["X-CSRFToken"]

  services:
    django:
      loadBalancer:
        servers:
          - url: http://django:8050
    frontend:
      loadBalancer:
        servers:
          - url: http://frontend:80

providers:
  # https://docs.traefik.io/master/providers/file/
  file:
    filename: /etc/traefik/traefik.yml
    watch: true

I'd appreciate any kind of help; I'm a newbie with all these deployment technologies and I need it for a university project. Thank you in advance :smiley:

For some other reason, "api.apphistologia.top" is giving me a 400 error too when creating the key, but I think it's a minor inconvenience:

time="2023-06-25T17:22:43Z" level=error msg="Unable to obtain ACME certificate for domains \"api.apphistologia.top\": unable to generate a certificate for the domains [api.apphistologia.top]: error: one or more domains had a problem:\n[api.apphistologia.top] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for api.apphistologia.top - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for api.apphistologia.top - check that a DNS record exists for this domain\n" rule="Host(`api.apphistologia.top`)" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=django@file

I don't know how to correct your system, but I can tell you more about what is wrong. Maybe that will help.

You are using the HTTP Challenge which means the Let's Encrypt servers send you an HTTP request for a specific challenge token. Your domain should point to a server that provides the correct token.

Yours is not. Instead, it responds with what looks like a parking page. You should start by checking that your DNS is pointing to the right public IP for your system. If that's correct then dig further.

You could look at the access logs for NginX. That's an odd spelling for nginx but your response headers have it this way.

This should return 404 because ForumFakeTest123 is not on your server.
The data in your above cert error shows the beginning of this same page.
So, you are probably returning this page for every request.

curl -i http://apphistologia.top/.well-known/acme-challenge/ForumFakeTest123
HTTP/1.1 200 OK
date: Sun, 25 Jun 2023 18:31:58 GMT
x-adblock-key: MFww(...)
x-cache-miss-from: parking-8b8f7865d-nbggc
server: NginX

<!DOCTYPE html><html lang="en"  
data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0T2XwktKKSVVOHqZexo2OdUCFu0gTuZ5ygSgYygvhei8n8BscdWkJ11QsvCTwXLnh8CHVaVmX9D9u82lYYr9YQ==>
<head><meta charset="utf-8"><title>apphistologia.top&nbsp;-&nbsp;apphistologia Resources and Information.</title>
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0">
<meta name="description" content="apphistologia.top is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, apphistologia.top has it all. We hope you find what you are searching for!"><link
        rel="icon"
        type="image/png"
        href="//img.sedoparking.com/templates/logos/sedo_logo.png"
/><style>
5 Likes
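The reasoning in the reply above (a 403 "unauthorized" answered by an address that is not your droplet means DNS points elsewhere, here at a registrar parking page; a 400 "dns" NXDOMAIN means the record does not exist at all) can be applied mechanically to Traefik's log output. The script below is an added example, not code from this thread or from Traefik: it parses the two error lines quoted in the original post (embedded here as a constructed sample, slightly shortened) and reports, per domain, who actually answered the HTTP-01 challenge and what that implies. The expected droplet address `203.0.113.10` is a placeholder, since the thread never states the real one.

```python
"""Triage Traefik/lego ACME HTTP-01 failures from the log line alone."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two error lines from the post, token bodies shortened.
SAMPLE_LOG = r'''time="2023-06-25T17:22:50Z" level=error msg="Unable to obtain ACME certificate for domains \"apphistologia.top,www.apphistologia.top\": unable to generate a certificate for the domains [apphistologia.top www.apphistologia.top]: error: one or more domains had a problem:\n[apphistologia.top] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 91.195.240.123: Invalid response from http://apphistologia.top/.well-known/acme-challenge/8vAKRzUnYwypTPL2ALsijBfkxGVIfOSzy2h-rZXN7lo: \"<!DOCTYPE html><html lang=\\\"en\\\"  data-adblockkey=MFww\"\n[www.apphistologia.top] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 91.195.240.123: Invalid response from http://www.apphistologia.top/.well-known/acme-challenge/D7rrobo7c-m3IzqXVhpaJoaI43iI8u8Ezn52VHmvA68: \"<!DOCTYPE html><html lang=\\\"en\\\"  data-adblockkey=MFww\"\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=frontend@file providerName=letsencrypt.acme
time="2023-06-25T17:22:43Z" level=error msg="Unable to obtain ACME certificate for domains \"api.apphistologia.top\": unable to generate a certificate for the domains [api.apphistologia.top]: error: one or more domains had a problem:\n[api.apphistologia.top] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for api.apphistologia.top - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for api.apphistologia.top - check that a DNS record exists for this domain\n" rule="Host(`api.apphistologia.top`)" providerName=letsencrypt.acme routerName=django@file
'''

# One "[domain] acme: error: <status> :: <urn> :: <detail>" block per failed name.
# The detail runs up to the literal backslash-n that separates blocks in the log.
PROBLEM_RE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<type>urn:ietf:params:acme:error:[A-Za-z]+) :: (?P<detail>.*?)(?=\\n|$)"
)
# For "unauthorized", the CA prefixes the detail with the IP that answered.
RESPONDER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Invalid response from (?P<url>\S+?): "
)
# Markers seen in the parking page quoted in the thread.
PARKING_MARKERS = ("data-adblockkey", "sedoparking", "parking")


@dataclass
class Finding:
    domain: str
    status: int
    error_type: str
    responder_ip: Optional[str]
    parking_page: bool
    hint: str


def _explain(domain: str, error_type: str, detail: str,
             responder_ip: Optional[str], parking: bool, expected_ip: str) -> str:
    """Turn one ACME problem into the next thing to check."""
    if error_type.endswith(":dns") and "NXDOMAIN" in detail:
        return (f"{domain}: NXDOMAIN, no A/AAAA record exists; create the DNS "
                f"record before Traefik asks for a certificate")
    if error_type.endswith(":unauthorized"):
        if responder_ip and responder_ip != expected_ip:
            note = " (response looks like a registrar parking page)" if parking else ""
            return (f"{domain}: challenge answered by {responder_ip}, not by "
                    f"{expected_ip}; the DNS A record points elsewhere{note}")
        return (f"{domain}: your server answered but did not serve the token; "
                f"check that port 80 reaches Traefik's web entrypoint")
    return f"{domain}: {error_type} - read the detail: {detail[:80]}"


def diagnose(log_text: str, expected_ip: str) -> List[Finding]:
    """Parse every per-domain ACME problem in Traefik's log and explain it."""
    findings = []
    for m in PROBLEM_RE.finditer(log_text):
        detail = m.group("detail")
        resp = RESPONDER_RE.match(detail)
        responder_ip = resp.group("ip") if resp else None
        parking = any(marker in detail.lower() for marker in PARKING_MARKERS)
        findings.append(Finding(
            domain=m.group("domain"),
            status=int(m.group("status")),
            error_type=m.group("type"),
            responder_ip=responder_ip,
            parking_page=parking,
            hint=_explain(m.group("domain"), m.group("type"), detail,
                          responder_ip, parking, expected_ip),
        ))
    return findings


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder for the droplet's public IP (not in the thread).
    for f in diagnose(SAMPLE_LOG, expected_ip="203.0.113.10"):
        print(f"{f.status} {f.error_type.rsplit(':', 1)[-1]:<13} {f.hint}")
```

Run it against `docker logs traefik` output (or any file containing the `level=error` lines) with the droplet's real address as `expected_ip`; the first thing to compare is the responder IP against what `dig +short yourdomain` returns, which is exactly the mismatch the reply points at.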

Thank you so much Mike!

The DNS domain and the Digital Ocean DNS records were not synchronized, a newbie mistake indeed. I truly learned from all of this.

Thank you again for your fast answer, such a great community for devs! :cowboy_hat_face:

4 Likes
