Traefik/Lego can't find TXT record

My domain is: freeself.one

I ran this command: traefik in docker
docker-compose.yml:

version: "3.3"

services:
  traefik:
    image: "traefik:latest"
    container_name: traefik
    command:
      - --log.level=DEBUG
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=thegergo02@tutanota.com
      - --certificatesresolvers.le.acme.dnschallenge.provider=njalla
      - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=1200
      #- --certificatesresolvers.le.acme.dnschallenge.storage=/acme.json
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --providers.docker
      - --api.insecure
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      - NJALLA_TOKEN=[redacted]
      - NJALLA_TTL=1
      - NJALLA_POLLING_INTERVAL=5
      - NJALLA_PROPAGATION_TIMEOUT=1200
    labels:
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.tls.domains[0].main=freeself.one"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.freeself.one"
      - "traefik.http.routers.traefik.service=api@internal"

  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - traefik.http.routers.whoami.rule=Host(`whoami.freeself.one`)
      - traefik.http.routers.whoami.entrypoints=websecure

It produced this output: relevant logs

traefik    | time="2022-01-15T17:44:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"freeself.one\" \"*.freeself.one\"]..." providerName=le.acme
traefik    | time="2022-01-15T17:44:23Z" level=debug msg="Domains [\"freeself.one\" \"*.freeself.one\"] need ACME certificates generation for domains \"freeself.one,*.freeself.one\"." providerName=le.acme
traefik    | time="2022-01-15T17:44:23Z" level=debug msg="Loading ACME certificates [freeself.one *.freeself.one]..." providerName=le.acme
traefik    | time="2022-01-15T17:44:35Z" level=debug msg="Building ACME client..." providerName=le.acme
traefik    | time="2022-01-15T17:44:35Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
traefik    | time="2022-01-15T17:44:36Z" level=info msg=Register... providerName=le.acme
traefik    | time="2022-01-15T17:44:36Z" level=debug msg="legolog: [INFO] acme: Registering account for thegergo02@tutanota.com"
traefik    | time="2022-01-15T17:44:36Z" level=debug msg="Using DNS Challenge provider: njalla" providerName=le.acme
traefik    | time="2022-01-15T17:44:36Z" level=debug msg="legolog: [INFO] [freeself.one, *.freeself.one] acme: Obtaining bundled SAN certificate"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1437062598"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [freeself.one] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1437062608"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: use dns-01 solver"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Could not find solver for: tls-alpn-01"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Could not find solver for: http-01"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [freeself.one] acme: use dns-01 solver"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Preparing to solve DNS-01"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Preparing to solve DNS-01"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Trying to solve DNS-01"
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik    | time="2022-01-15T17:44:42Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 20m0s, interval: 5s]"
traefik    | time="2022-01-15T17:44:43Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Waiting for DNS record propagation."
traefik    | time="2022-01-15T17:44:48Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Waiting for DNS record propagation."
traefik    | time="2022-01-15T17:44:53Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Waiting for DNS record propagation."
traefik    | time="2022-01-15T17:45:06Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Trying to solve DNS-01"
traefik    | time="2022-01-15T17:45:06Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Checking DNS record propagation using [127.0.0.11:53]"
...
traefik    | time="2022-01-15T17:45:11Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 20m0s, interval: 5s]"
traefik    | time="2022-01-15T17:45:17Z" level=debug msg="legolog: [INFO] [freeself.one] The server validated our request"
traefik    | time="2022-01-15T17:45:17Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Cleaning DNS-01 challenge"
traefik    | time="2022-01-15T17:45:17Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Cleaning DNS-01 challenge"
traefik    | time="2022-01-15T17:45:17Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1437062598"
traefik    | time="2022-01-15T17:45:18Z" level=debug msg="legolog: [INFO] Skipping deactivating of valid auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1437062608"
traefik    | time="2022-01-15T17:45:18Z" level=error msg="Unable to obtain ACME certificate for domains \"freeself.one,*.freeself.one\" : unable to generate a certificate for the domains [freeself.one *.freeself.one]: error: one or more domains had a problem:\n[*.freeself.one] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.freeself.one - the domain's nameservers may be malfunctioning\n" providerName=le.acme

My web server is (include version): traefik:latest

The operating system my web server runs on is (include version): Gentoo aarch64

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

As you can see, I've fiddled with the delays to make sure DNS propagation is not the issue, but no luck. (Don't be surprised: on the prod servers I'm rate-limited right now; I forgot to use the staging servers at the start.)


Try changing your DNS nameservers [temporarily]
You should be able to do so by modifying the file:
/etc/resolv.conf


Changed the DNS resolver through Traefik, now:

traefik    | time="2022-01-15T18:48:01Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Checking DNS record propagation using [8.8.8.8:53]"

Same result:

traefik    | time="2022-01-15T18:48:31Z" level=error msg="Unable to obtain ACME certificate for domains \"freeself.one,*.freeself.one\" : unable to generate a certificate for the domains [freeself.one *.freeself.one]: error: one or more domains had a problem:\n[*.freeself.one] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.freeself.one - the domain's nameservers may be malfunctioning\n[freeself.one] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.freeself.one - the domain's nameservers may be malfunctioning\n" providerName=le.acme

Edit: tried:

traefik    | time="2022-01-15T18:49:40Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"

Success:

traefik    | time="2022-01-15T18:50:21Z" level=debug msg="legolog: [INFO] [freeself.one] The server validated our request"
traefik    | time="2022-01-15T18:50:21Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Cleaning DNS-01 challenge"
traefik    | time="2022-01-15T18:50:21Z" level=debug msg="legolog: [INFO] [freeself.one] acme: Cleaning DNS-01 challenge"
traefik    | time="2022-01-15T18:50:21Z" level=debug msg="legolog: [INFO] [freeself.one, *.freeself.one] acme: Validations succeeded; requesting certificates"
traefik    | time="2022-01-15T18:50:27Z" level=debug msg="legolog: [INFO] [freeself.one] Server responded with a certificate."
traefik    | time="2022-01-15T18:50:27Z" level=debug msg="Certificates obtained for domains [freeself.one *.freeself.one]" providerName=le.acme

Thank you for your help!
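Taken together, the posts above show the failure signature before the error fires: lego's propagation check ran against Docker's embedded resolver (127.0.0.11) and the CA then reported SERVFAIL on the _acme-challenge TXT lookup. The following triage script is an added example, not code from the thread, Traefik or lego; it runs over constructed log lines shaped like the ones posted above and flags exactly those two signals.

```python
import ipaddress
import re
# Constructed samples shaped like the lego lines in this thread; raw strings keep the literal \" and \n.
FAILED_LOG = r"""
traefik    | time="2022-01-15T17:44:37Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik    | time="2022-01-15T17:45:18Z" level=error msg="Unable to obtain ACME certificate for domains \"freeself.one,*.freeself.one\" : error: one or more domains had a problem:\n[*.freeself.one] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.freeself.one - the domain's nameservers may be malfunctioning\n[freeself.one] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.freeself.one - the domain's nameservers may be malfunctioning\n" providerName=le.acme
"""
FIXED_LOG = r"""
traefik    | time="2022-01-15T18:49:40Z" level=debug msg="legolog: [INFO] [*.freeself.one] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"
"""

PROPAGATION_RE = re.compile(r"Checking DNS record propagation using \[([^\]]+)\]")
# One ACME subproblem per match; the detail runs up to the literal "\n" that separates subproblems.
SUBPROBLEM_RE = re.compile(r"\[([^\]]+)\] acme: error: (\d{3}) :: (urn:ietf:params:acme:error:\w+) :: ([^\\]+)")
DNS_DETAIL_RE = re.compile(r"(SERVFAIL|NXDOMAIN|REFUSED) looking up (\w+) for (\S+)")

def is_loopback(resolver: str) -> bool:
    # 127.0.0.11:53 is Docker's embedded DNS, reachable only from inside the container network.
    host = resolver.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address
        return False

def triage(log_text: str) -> dict:
    """Return the resolvers lego used for its own propagation check, the CA's subproblems, and warnings."""
    out = {"resolvers": [], "errors": [], "warnings": []}
    for line in log_text.splitlines():
        m = PROPAGATION_RE.search(line)
        if m:
            out["resolvers"] += [r for r in m.group(1).split() if r not in out["resolvers"]]
            continue
        for ident, status, urn, detail in SUBPROBLEM_RE.findall(line):
            err = {"identifier": ident, "status": int(status), "type": urn, "detail": detail}
            dns = DNS_DETAIL_RE.search(detail)
            if dns:  # pull rcode, record type and owner name out of the CA's DNS detail text
                err["rcode"], err["rrtype"], err["name"] = dns.groups()
            out["errors"].append(err)
    for r in out["resolvers"]:
        if is_loopback(r):
            out["warnings"].append(f"propagation check used loopback resolver {r}: that is not what the CA "
                                   "queries, so lego's 'propagated' signal says nothing about the public zone")
    if any(e.get("rcode") == "SERVFAIL" and e["type"].endswith(":dns") for e in out["errors"]):
        out["warnings"].append("CA got SERVFAIL on the _acme-challenge TXT lookup: the authoritative servers "
                               "failed to answer, so inspect the zone/nameservers rather than adding delay")
    return out

if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("fixed", FIXED_LOG)):
        print(name, triage(log)["warnings"])
```

The resolver list the later posts switched to is configured in Traefik with `--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53`, the option the thread refers to but does not spell out.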
