Unable to generate Cert via Traefik 2

Hello

I am getting problems with Traefik and lego acme DNS challenge.
It adds TXT records fine but I keep getting following error even tough I changed my NS to Cloudflare from Porkbun.

Running this in Unraid server and no network issues as ACME on SWAG container gets certs fine from LE and Cloudflare.

time="2024-01-26T22:08:23Z" level=error msg="Unable to obtain ACME certificate for domains \"xxx.xxx,*xxx.xxx\"" rule="Host(`xxxx.xxx.xxx`)" error="unable to generate a certificate for the domains [xxx.xxx *.xxx.xxx]: error: one or more domains had a problem:\n[*.xxx.xxx] propagation: time limit exceeded: last error: NS fortaleza.ns.porkbun.com. returned REFUSED for xxxx.xxx.\n[xxxx.xxx] propagation: time limit exceeded: last error: NS curitiba.ns.porkbun.com. returned REFUSED for xxxxxx.\n" providerName=le.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=https-app@docker

Those DNS servers are rejecting a query with REFUSED

Without knowing the actual domain name there is not much we can say.

You could try using https://dnsviz.net to check your DNS configuration

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My domain is: lv426.xyz

I ran this command: n/a running traefik with built in acme client

It produced this output:

time="2024-01-26T22:08:23Z" level=error msg="Unable to obtain ACME certificate for domains \"xxx.xxx,*xxx.xxx\"" rule="Host(`xxxx.xxx.xxx`)" error="unable to generate a certificate for the domains [xxx.xxx *.xxx.xxx]: error: one or more domains had a problem:\n[*.xxx.xxx] propagation: time limit exceeded: last error: NS fortaleza.ns.porkbun.com. returned REFUSED for xxxx.xxx.\n[xxxx.xxx] propagation: time limit exceeded: last error: NS curitiba.ns.porkbun.com. returned REFUSED for xxxxxx.\n" providerName=le.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=https-app@docker

My web server is (include version): Traefik 2.10.7

The operating system my web server runs on is (include version): Unraid 16.12.6

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Client: Lego acme 4.14.2

Did you change your lego config to use Cloudflare instead of Porkbun?

And, how did you test the TXT records?

Yes my config is as follows:

certificatesResolvers:
  letsencrypt:
    acme:
      email: xxxxx
      storage: /etc/traefik/acme.json
      # Use staging caServer for now to not get limited (comment out when in production)
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 5
        resolvers:
          - "8.8.8.8:53"
          - "9.9.9.9:53"

I tested it by using nslookup -q=txt

I don't know enough about Traefik / lego to debug why Porkbun is still being queried. You might try a Traefik forum. Or maybe someone else here will know.

There isn't a TXT record right now but you should try this when you do

nslookup -q=TXT _acme-challenge.lv426.xyz dale.ns.cloudflare.com

Yeah thats what I did after it added the record.
I also posted on trafiek forum but not much help there either

I solved wrong NS being used but same error as before
nslookup brings up the TXT record

time="2024-01-27T18:47:06Z" level=error msg="Unable to obtain ACME certificate for domains \"nextcloud.lv426.xyz\": unable to generate a certificate for the domains [nextcloud.lv426.xyz]: error: one or more domains had a problem:\n[nextcloud.lv426.xyz] propagation: time limit exceeded: last error: NS dale.ns.cloudflare.com. returned REFUSED for lv426.xyz.\n" providerName=letsencrypt.acme routerName=nextcloud@docker rule="Host(`nextcloud.lv426.xyz`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

Can you show exactly the command and its output that shows the TXT record ?

Have you tried removing the CNAME for the nextcloud subdomain and just replacing that with an A record to your private IP? I don't know why this would help but when odd problems occur I like to simplify the setup as much as possible.

Is there any debug log available from traefik or the lego client. I don't know why Let's Encrypt would get a REFUSED error so it looks to me like that's when lego is using the DNS API.

So I deleted the cname and I already had a A record with IP in CF. This time I tried wildcard in traefik.
Same issue

Below is the command and output

PS C:\Users\rxx> nslookup -q=TXT _acme-challenge.lv426.xyz dale.ns.cloudflare.com
Server:  dale.ns.cloudflare.com
Address:  172.64.33.95

Non-authoritative answer:
_acme-challenge.lv426.xyz       canonical name = lv426.xyz
lv426.xyz       text =

        "2rEskA77x-iagHiv8atXIldd1GsYKo9VLbn8eZej39I"

Debug is on traefik as below
Rest of the log is just waiting for propagation messages and finally error I already posted

time="2024-01-27T19:31:29Z" level=debug msg="Loading ACME certificates [lv426.xyz *.lv426.xyz]..." providerName=letsencry
pt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-01-27T19:31:29Z" level=debug msg="Building ACME client..." providerName=letsencrypt.acme
time="2024-01-27T19:31:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsenc
rypt.acme
time="2024-01-27T19:31:29Z" level=debug msg="Looking for provided certificate(s) to validate [\"lv426.xyz\" \"*.lv426.xyz
\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-01-27T19:31:29Z" level=debug msg="No ACME certificate generation required for domains [\"lv426.xyz\" \"*.lv426
.xyz\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2024-01-27T19:31:29Z" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=letsencrypt.acme
time="2024-01-27T19:31:29Z" level=debug msg="legolog: [INFO] [lv426.xyz, *.lv426.xyz] acme: Obtaining bundled SAN certifi
cate"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] AuthURL: https://acme-staging-v02.api.letsencr
ypt.org/acme/authz-v3/10853263574"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [lv426.xyz] AuthURL: https://acme-staging-v02.api.letsencryp
t.org/acme/authz-v3/10853263584"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] acme: use dns-01 solver"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [lv426.xyz] acme: Could not find solver for: tls-alpn-01"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [lv426.xyz] acme: Could not find solver for: http-01"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [lv426.xyz] acme: use dns-01 solver"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] acme: Preparing to solve DNS-01"
time="2024-01-27T19:31:30Z" level=debug msg="legolog: [INFO] Found CNAME entry for \"_acme-challenge.lv426.xyz.\": \"lv42
6.xyz.\""
time="2024-01-27T19:31:32Z" level=debug msg="legolog: [INFO] cloudflare: new record for lv426.xyz, ID 55ce8194cd2cda16892
61d2c63e46b59"
time="2024-01-27T19:31:32Z" level=debug msg="legolog: [INFO] [lv426.xyz] acme: Preparing to solve DNS-01"
time="2024-01-27T19:31:32Z" level=debug msg="legolog: [INFO] Found CNAME entry for \"_acme-challenge.lv426.xyz.\": \"lv42
6.xyz.\""
time="2024-01-27T19:31:33Z" level=debug msg="legolog: [INFO] cloudflare: new record for lv426.xyz, ID 00a466b9a0f61ee499d
8c38075a26a26"
time="2024-01-27T19:31:33Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] acme: Trying to solve DNS-01"
time="2024-01-27T19:31:33Z" level=debug msg="legolog: [INFO] Found CNAME entry for \"_acme-challenge.lv426.xyz.\": \"lv42
6.xyz.\""
time="2024-01-27T19:31:33Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] acme: Checking DNS record propagation using [1
.1.1.1:53 1.0.0.1:53]"
time="2024-01-27T19:31:35Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2024-01-27T19:31:35Z" level=debug msg="Delaying 5000000000 rather than validating DNS propagation now." providerNam
e=letsencrypt.acme
time="2024-01-27T19:31:40Z" level=debug msg="legolog: [INFO] [*.lv426.xyz] acme: Waiting for DNS record propagation."

What is this CNAME for? I don't understand why you need that

_acme-challenge.lv426.xyz. 300  IN      CNAME   lv426.xyz.

After removing that and trying again, please show whole log

Its a wildcard cname.
Dont you need it for wildcards to work? I got same setup for another domain but using swag container.

Not a wildcard cert anyway. You can also use DNS wildcards just on the A record (or AAAA) and not CNAME everything.

But, whether that is causing this problem I don't know.

I don't know why you would get that REFUSED error for lego querying Cloudflare. If the pre-check is failing it hasn't even requested the cert from Let's Encrypt yet.

Maybe someone else will have ideas.

So I found a old thread which had same issue and they suggested disabling pre check.
I done that and now I get different error lol

time="2024-01-27T20:24:21Z" level=error msg="Unable to obtain ACME certificate for domains \"lv426.xyz,*.lv426.xyz\"" error="unable to generate a certificate for the domains [lv426.xyz *.lv426.xyz]: error: one or more domains had a problem:\n[*.lv426.xyz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record \"W5C1slt99d-PaxotC27JcEJpYsgL7GtBvWi6unRQy7c\" found at _acme-challenge.lv426.xyz\n[lv426.xyz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"W5C1slt99d-PaxotC27JcEJpYsgL7GtBvWi6unRQy7c\" found at _acme-challenge.lv426.xyz\n" routerName=https-app@docker rule="Host(`nextcloud.lv426.xyz`)" providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"

Well, that's an error from the Let's Encrypt server.

They can see a TXT record but it is the wrong value. Your earlier request used 2 different names (the root and a wildcard) so should have two TXT records. If something went wrong in lego/cloudflare maybe both were not placed properly?

Your earlier nslookup only showed one value. Do you ever see 2 values? Because you should.

Maybe try to get cert with just the root name as a test. If that works try just the wildcard. If both work try combining in one cert. If that fails it points to the problem.

I messed up my traefik config now trying to fix it haha
I will start from scratch tomorrow and see if it works for 1 cert

so its all working now with just 1 domain.
will try and sort out san later on.
thanks

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.