Traefik/LEGO: Error presenting token: Unexpected response code 'SERVFAIL'

I'm getting the same issue, but DNSSEC is set up correctly on my domain.

What is the full list of domain names you're trying to issue a certificate for?

and for now. Monitor as a CNAME to gets SERVFAIL; changing it to an A name with the IP works fine.

Edit: forgot to mention I'm able to resolve both ways on the host, and even tried a delay and pointing to

What's the exact error message?

I can't see anything wrong, and as far as I know Cloudflare doesn't have any relevant bugs. :confused:

Edit: I just got staging certificates using Cloudflare and DNS-01 and HTTP-01.

Are you using DNS challenge or HTTP?

For HTTP challenge you must be listening on port 80, and those names are not listening on 80 currently.

Same as the parent issue, dnsChallenge

Awesome! Glad you got yours fixed :smiley: Mine is not, sadly :frowning: Here are the logs with the error:
legolog: 2018/02/12 04:17:07 [INFO][] AuthURL:
legolog: 2018/02/12 04:17:07 [INFO][] AuthURL:
legolog: 2018/02/12 04:17:07 [INFO][] acme: Authorization already valid; skipping challenge
legolog: 2018/02/12 04:17:07 [INFO][] acme: Could not find solver for: http-01
legolog: 2018/02/12 04:17:07 [INFO][] acme: Trying to solve DNS-01
time="2018-02-12T04:17:07Z" level=error msg="map[ presenting token: Unexpected response code 'SERVFAIL' for]"
time="2018-02-12T04:17:07Z" level=error msg="Error getting ACME certificate for domain []: cannot obtain certificates map[ presenting token: Unexpected response code 'SERVFAIL' for]"

I have tried putting radarr as a SAN, and even as the main. always gets a cert, and getting certs for subdomains is the hardest thing I have encountered so far. Posting my config and Traefik command in a sec to see if I have missed something…

That doesn't sound like an error from Let's Encrypt. :confused: A Let's Encrypt error message might have been, for example, "DNS problem: SERVFAIL looking up TXT for".

The authz at also reports that it's been deactivated by the client, not that there was an error and validation failed.

It sounds like the ACME client itself is making some sort of DNS query, and that's failing. Maybe the local DNS resolver is experiencing an issue?
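As an added illustration (not code from this thread, from lego or from Traefik) of the DNS query an ACME client makes before it can present a DNS-01 token: a DNS-01 provider first has to find the zone that owns `_acme-challenge.<domain>`, which lego does by asking the host's recursive resolver for SOA records while stripping labels, and a resolver that answers SERVFAIL at any step aborts the walk with an "Unexpected response code" error before the Cloudflare API is ever contacted. The script below reproduces that walk in stdlib Python with a constructed `fake_resolver` transport and `example.com` names (both assumptions here); the transport is injectable so the same walk can be pointed at a real resolver's UDP/53 socket.

```python
import struct

# rcode names as they appear in the lego error ("Unexpected response code 'SERVFAIL'")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(name, qid=0x1234):
    """Recursive (RD=1) SOA/IN query for `name` in DNS wire format (no EDNS)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 6, 1)

def _skip_name(msg, pos):
    """Advance past a name; a 0xC0 compression pointer ends it in two bytes."""
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Return (rcode name, True if the answer section holds an SOA RR)."""
    flags, qdcount, ancount = struct.unpack(">HHH", msg[2:8])
    pos, types = 12, []
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F)), 6 in types

def find_zone(fqdn, send):
    """Strip labels from `fqdn` until an SOA answers, using `send(query) -> response`.
    Like lego, any rcode other than NOERROR/NXDOMAIN aborts; the trace shows where."""
    labels, trace = fqdn.rstrip(".").split("."), []
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, has_soa = parse_response(send(build_soa_query(name)))
        trace.append((name, rcode))
        if rcode not in ("NOERROR", "NXDOMAIN"):
            return None, trace
        if has_soa:
            return name, trace
    return None, trace

def fake_resolver(rcodes):
    """Constructed offline transport: answers each query with the next rcode; NOERROR (0) replies carry a stub SOA RR."""
    def send(query):
        rcode, answer = rcodes.pop(0), b""
        if rcode == 0:  # owner = pointer to QNAME, type SOA, class IN, TTL 300, RDLENGTH 0
            answer = b"\xc0\x0c" + struct.pack(">HHIH", 6, 1, 300, 0)
        return struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if answer else 0, 0, 0) + query[12:] + answer
    return send
```

Running `find_zone("_acme-challenge.radarr.example.com.", fake_resolver([2]))` stops at the first step with a SERVFAIL in the trace, which is the failure mode the log above shows; against a real resolver, pass a `send` that does one UDP sendto/recv on port 53 to the address the container actually uses (the one `--dns` points at).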

I have even specified --dns to Traefik to rule that bit out. Here is my Traefik run command.

docker run --name=traefik -d --expose 8080 -p 443:443 -p 80:80 -v /home/icebal/traefik/config/acme.json:/acme.json -v /home/icebal/traefik/config/:/etc/traefik -e CLOUDFLARE_EMAIL="REDACTED" -e CLOUDFLARE_API_KEY="REDACTED" -v /var/run/docker.sock:/var/run/docker.sock -l -l traefik.port=8080 --network traefik --dns traefik

Here is my config

Another container I just brought up to test with, and this doesn't even pop up for a cert challenge :confused:

docker create --name guacamole --link guacd:guacd --link postgres:postgres -e POSTGRES_DATABASE=guacamole_db -e POSTGRES_USER=guacamole_user -e POSTGRES_PASSWORD -p 8084:8080 --label traefik.enable=true --label --network traefik glyptodon/guacamole

Well, it isn't encountering a DNS error for the Let's Encrypt API server. So hostname lookups must be partly working.

Nonetheless that DNS error sounds like it's coming from the client somehow.

Can you tcpdump the DNS traffic it's doing or something?

I don't know much about debugging this ACME client. :confused:

For what it's worth, that contains an email address, and a hashed (probably poorly hashed) password for the web server. :sweat:


Totally missed that, thanks, and both have been changed thankfully :confused: Been working on this all day. If it helps, it's the LEGO library used by Traefik that the issue is with, but the logs are from lego.

I split this into a different thread, since the other one has been marked as solved, and this issue seems to be different.

I don’t use LEGO. I’m sorry. :confounded:

It's ok, I'll keep working with the Traefik guys and see if they can pinpoint the issue.

