Traefik and Cloudflare ACME

I am deploying Traefik using Helm chart v21.2.0.

I have spent the past couple of days trying to get a CA certificate from Cloudflare using Traefik with a DNS challenge in a K3s cluster.

I can't seem to figure out what the issue is. Here is the error from the log in the Traefik pod:

traefik {"ACME CA":"https://acme-staging-v02.api.letsencrypt.org/directory","level":"error","msg":"Unable to obtain ACME certificate for domains \"nginx-test.matrixkube.com\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate is valid for f928966b25bc296d69d9fd44a2119ab9.1f390ce84234c56ba5be8f2952891e55.traefik.default, not acme-staging-v02.api.letsencrypt.org","providerName":"cloudflare.acme","routerName":"websecure-nginx-test-nginx-nginx-test-matrixkube-com@kubernetes","rule":"Host(`nginx-test.matrixkube.com`) \u0026\u0026 PathPrefix(`/`)","time":"2023-06-12T02:04:49Z"}  

Here are my custom chart values:

traefik:

  additionalArguments:
    # DNS Challenge
    # ---
    # Cloudflare Example:
      - --certificatesresolvers.cloudflare.acme.email=<REDACTED>
      - --certificatesresolvers.cloudflare.acme.storage=/data/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

  logs:
    # Configure log settings here...
    general:
      format: json
      level: DEBUG

  ports:
    # Configure your entrypoints here...
    web:
      # (optional) Permanent Redirect to HTTPS
      redirectTo: websecure
    websecure:
      tls:
        enabled: true
        # (optional) Set a Default CertResolver
        certResolver: cloudflare

  env:
    # Set your environment variables here...
    #
    # DNS Challenge Credentials
    # ---
    # Cloudflare Example:
    - name: CF_API_EMAIL
      valueFrom:
        secretKeyRef:
          key: email
          name: cloudflare-credentials
    - name: CF_API_KEY
      valueFrom:
        secretKeyRef:
          key: apiKey
          name: cloudflare-credentials

  # Disable Dashboard
  ingressRoute:
    dashboard:
      enabled: false

  persistence:
    enabled: true
    name: data
    size: 1Gi
    # volumeName: ssl-certs
    path: /data

  # this is required to ensure the acme.json has the required 600 permissions when remounting the volume
  deployment:
    initContainers:
        - name: volume-permissions
          image: busybox:1.31.1
          command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"]
          volumeMounts:
            - name: data
              mountPath: /data

  # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
  ingressClass:
    enabled: true
    isDefaultClass: true

  # Fix for acme.json file being changed to 660 from 600
  podSecurityContext: null
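
The error line above is a Go x509 name-mismatch error: the certificate presented on the connection to the ACME directory carries a name of the form `<hex>.<hex>.traefik.default`, which is the DNS name of Traefik's own generated default certificate, not a Let's Encrypt name. The script below is an added example (not code from the original post or from Traefik) that parses Traefik's JSON log lines, extracts the expected host and the names the presented certificate was valid for, and flags the case where the outbound ACME request was answered by a Traefik default certificate. The sample log lines are constructed from the post (the error line is quoted as logged; the debug line is made up to show that unrelated entries are skipped), and the regular expression assumes the wording of Go's `x509` hostname error.

```python
import json
import re
from typing import Optional

# Go's TLS client reports a name mismatch as
#   "x509: certificate is valid for <name>[, <name>...], not <expected host>"
X509_MISMATCH = re.compile(
    r"x509: certificate is valid for (?P<actual>.+?), not (?P<expected>\S+)"
)

# Traefik's self-generated default certificate carries a DNS name of the form
# <hex>.<hex>.traefik.default (exactly what the log line in the post shows).
TRAEFIK_DEFAULT_SUFFIX = ".traefik.default"

# Constructed sample input: the error line quoted in the post (JSON as logged,
# including the escaped quotes and the "\u0026\u0026" in the router rule) plus
# an unrelated debug line to show that non-matching entries are skipped.
SAMPLE_LOG_LINES = [
    r'''{"ACME CA":"https://acme-staging-v02.api.letsencrypt.org/directory","level":"error","msg":"Unable to obtain ACME certificate for domains \"nginx-test.matrixkube.com\": cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": x509: certificate is valid for f928966b25bc296d69d9fd44a2119ab9.1f390ce84234c56ba5be8f2952891e55.traefik.default, not acme-staging-v02.api.letsencrypt.org","providerName":"cloudflare.acme","routerName":"websecure-nginx-test-nginx-nginx-test-matrixkube-com@kubernetes","rule":"Host(`nginx-test.matrixkube.com`) \u0026\u0026 PathPrefix(`/`)","time":"2023-06-12T02:04:49Z"}''',
    '{"level":"debug","msg":"Configuration loaded from flags.","time":"2023-06-12T02:04:40Z"}',
]


def analyze_acme_log_line(line: str) -> Optional[dict]:
    """Return a finding for a Traefik JSON log line that records an x509 name
    mismatch while talking to the ACME CA, or None for any other line."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict):
        return None
    m = X509_MISMATCH.search(entry.get("msg", ""))
    if not m:
        return None
    # Go lists every SAN the presented certificate is valid for, comma-separated.
    presented = [n.strip() for n in m.group("actual").split(",")]
    expected = m.group("expected")
    from_traefik = any(n.endswith(TRAEFIK_DEFAULT_SUFFIX) for n in presented)
    if from_traefik:
        verdict = (
            "the TLS connection for the ACME request terminated at a Traefik "
            "instance (Traefik default certificate), not at the CA: check "
            "in-cluster DNS for the CA hostname and any egress proxy or "
            "interception in front of the pod"
        )
    else:
        verdict = (
            "the ACME request was answered by a certificate for another name: "
            "check for an outbound proxy or DNS override on the CA hostname"
        )
    return {
        "time": entry.get("time"),
        "ca": entry.get("ACME CA"),
        "resolver": entry.get("providerName"),
        "expected_host": expected,
        "presented_names": presented,
        "presented_by_traefik_default_cert": from_traefik,
        "verdict": verdict,
    }


def scan_log(lines):
    """Run the check over an iterable of log lines and keep only the findings."""
    return [f for f in (analyze_acme_log_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(json.dumps(finding, indent=2))
```

Feed it the pod log (`kubectl logs <traefik-pod> | python3 check_acme_log.py` with a small loop over `sys.stdin`) and a finding with `presented_by_traefik_default_cert` set to true is the signal that the request to the CA is being routed back into Traefik rather than reaching Let's Encrypt.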

It seems that, for some reason, when trying to connect to the Let's Encrypt staging ACME API, your Traefik tries to connect to some other host entirely. Why could that be?

Also:

What do you mean by this exactly?

5 Likes

Perhaps @elDez would know, but it sounds like the outgoing request to the LE directory API is hitting a self-signed cert, which implies the outgoing connection is being proxied?

2 Likes

I'd say so.

3 Likes

I know it's a reverse proxy for apps but I didn't realize it proxied outgoing https as well, in which case all outgoing https would fail unless the self-signed cert used by the proxy is trusted.

3 Likes

I think it's because you are trying to use 2 challenge types at the same time (httpchallenge and dnschallenge); you have to remove httpchallenge.

In all cases, it's weird that the call to /directory is intercepted, it feels like a network issue.

3 Likes
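The point raised in the last reply (two challenge sections on one resolver) is easy to lint for mechanically, and the same pass also catches the second problem visible in the posted values: one flag uses the resolver name `dns-cloudflare` while every other flag and the `certResolver` setting use `cloudflare`, so it silently defines a second, incomplete resolver. The following is an added example, not code from the original post or from Traefik, that groups `--certificatesresolvers.<name>.acme.*` flags by resolver and reports these problems. It assumes Traefik's case-insensitive handling of flag names; the look-alike-name heuristic and the finding codes are this example's own.

```python
import re
from collections import defaultdict

# Challenge sections an ACME resolver can enable; a resolver uses exactly one.
CHALLENGES = ("dnschallenge", "httpchallenge", "tlschallenge")

# --certificatesresolvers.<name>.acme.<option>[=<value>]; Traefik flag names
# are case-insensitive, so the option path is lower-cased after matching.
FLAG_RE = re.compile(
    r"^--?certificatesresolvers\.(?P<name>[^.]+)\.acme\.(?P<option>[^=]+)(?:=(?P<value>.*))?$",
    re.IGNORECASE,
)

# Constructed sample: the additionalArguments from the chart values posted above.
SAMPLE_ARGS = [
    "--certificatesresolvers.cloudflare.acme.email=<REDACTED>",
    "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json",
    "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare",
    "--certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53",
    "--certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web",
    "--certificatesresolvers.cloudflare.acme.dnschallenge=true",
    "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory",
]


def parse_resolver_args(args):
    """Group ACME flags as {resolver name: {lower-cased option path: value}}."""
    resolvers = defaultdict(dict)
    for arg in args:
        m = FLAG_RE.match(arg.strip())
        if m:
            resolvers[m.group("name")][m.group("option").lower()] = m.group("value")
    return dict(resolvers)


def enabled_challenges(options):
    """Challenge sections enabled on one resolver. Setting any sub-option
    (e.g. dnschallenge.provider) enables the section; a bare key set to
    'false' disables it."""
    enabled = set()
    for option, value in options.items():
        section = option.split(".", 1)[0]
        if section in CHALLENGES and not (option == section and str(value).lower() == "false"):
            enabled.add(section)
    return sorted(enabled)


def lint_resolvers(args, referenced=()):
    """Return a list of findings; 'referenced' lists resolver names used by
    entrypoints/routers (e.g. the websecure certResolver value)."""
    resolvers = parse_resolver_args(args)
    findings = []
    names = list(resolvers)
    for name in sorted(names):
        options = resolvers[name]
        kinds = enabled_challenges(options)
        if len(kinds) > 1:
            findings.append({"resolver": name, "issue": "multiple_challenges",
                             "detail": f"{', '.join(kinds)} are all enabled; keep exactly one"})
        elif not kinds:
            findings.append({"resolver": name, "issue": "no_challenge",
                             "detail": "no challenge section is enabled"})
        if "dnschallenge" in kinds and "dnschallenge.provider" not in options:
            findings.append({"resolver": name, "issue": "dns_provider_missing",
                             "detail": "dnsChallenge is enabled but dnsChallenge.provider is not set"})
        # Heuristic: a resolver with neither email nor storage whose name contains
        # (or is contained in) another resolver's name is usually a typo that
        # split one resolver's flags across two names.
        if "email" not in options and "storage" not in options:
            lookalikes = [o for o in names if o != name and (o in name or name in o)]
            if lookalikes:
                findings.append({"resolver": name, "issue": "possible_name_typo",
                                 "detail": f"only sets {sorted(options)}; did you mean {lookalikes[0]!r}?"})
    for ref in referenced:
        if ref not in resolvers:
            findings.append({"resolver": ref, "issue": "undefined_reference",
                             "detail": "certResolver points at a resolver that is not defined"})
    return findings


if __name__ == "__main__":
    for f in lint_resolvers(SAMPLE_ARGS, referenced=["cloudflare"]):
        print(f"{f['resolver']}: {f['issue']}: {f['detail']}")
```

On the posted values it reports `multiple_challenges` for `cloudflare` and both `dns_provider_missing` and `possible_name_typo` for `dns-cloudflare`; dropping the `httpchallenge` flag and renaming `dns-cloudflare` to `cloudflare` makes the list empty. Note that the lint cannot see the x509 problem from the log, which is a network-path issue independent of these flags.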
