I set up Traefik (v. 2.2) with docker and docker-compose. Everything worked great until last week.
I wanted to set up a new container over HTTPS when I noticed that Traefik could not receive certificates from Let's Encrypt and started serving the Traefik default certificate.
I tried to remove the acme.json to generate a completely new one, but that did not work either.
My domain is: traefik.nicolasmauchle.ch
Log files of Traefik (Startup):
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="No default certificate, generating one"
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="Try to challenge certificate for domain [traefik.nicolasmauchle.ch] found in HostSNI rule" providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.nicolasmauchle.ch\"]..." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="Domains [\"traefik.nicolasmauchle.ch\"] need ACME certificates generation for domains \"traefik.nicolasmauchle.ch\"." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="Loading ACME certificates [traefik.nicolasmauchle.ch]..." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="Building ACME client..." providerName=http.acme
traefik | time="2020-10-03T15:59:33+02:00" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=http.acme
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="Using HTTP Challenge provider." providerName=http.acme
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Obtaining bundled SAN certificate"
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Could not find solver for: tls-alpn-01"
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: use http-01 solver"
traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Trying to solve HTTP-01"
traefik | time="2020-10-04T10:19:20+02:00" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik | time="2020-10-04T10:19:21+02:00" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik | time="2020-10-03T16:00:45+02:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.nicolasmauchle.ch\": unable to generate a certificate for the domains [traefik.nicolasmauchle.ch]: error: one or more domains had a problem:\n[traefik.nicolasmauchle.ch] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.nicolasmauchle.ch/.well-known/acme-challenge/RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ: Connection reset by peer, url: \n" rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker providerName=http.acme
traefik.yml:
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
log:
  level: DEBUG
certificatesResolvers:
  http:
    acme:
      email: <EMAIL>
      storage: /certbot_acme/acme.json
      httpChallenge:
        entryPoint: http
docker-compose.yml:
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certbot_acme:/certbot_acme
      - ./traefik.yml:/traefik.yml
    labels:
      # Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.nicolasmauchle.ch`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=<USER:PASS>"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-ssl.entrypoints=https"
      - "traefik.http.routers.traefik-ssl.rule=Host(`traefik.nicolasmauchle.ch`)"
      - "traefik.http.routers.traefik-ssl.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-ssl.tls=true"
      - "traefik.http.routers.traefik-ssl.tls.certresolver=http"
      - "traefik.http.routers.traefik-ssl.service=api@internal"
volumes:
  certbot_acme:
    external: true
networks:
  proxy:
    external: true
Note: The current certificate for traefik.nicolasmauchle.ch is an old one.
When I manually call the URL (http://traefik.nicolasmauchle.ch/.well-known/acme-challenge/RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ) via a browser, I see the following Traefik log messages:
traefik | time="2020-10-03T16:05:51+02:00" level=debug msg="Unable to split host and port: address traefik.nicolasmauchle.ch: missing port in address. Fallback to request host." providerName=http.acme
traefik | time="2020-10-03T16:05:51+02:00" level=debug msg="Retrieving the ACME challenge for token RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ..." providerName=http.acme
traefik | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 259.784598ms" providerName=http.acme
traefik | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 1.115444186s" providerName=http.acme
traefik | time="2020-10-03T16:05:53+02:00" level=error msg="Error getting challenge for token retrying in 1.049517649s" providerName=http.acme
traefik | time="2020-10-03T16:05:54+02:00" level=error msg="Error getting challenge for token retrying in 1.875633294s" providerName=http.acme
traefik | time="2020-10-03T16:05:55+02:00" level=error msg="Error getting challenge for token retrying in 1.844470499s" providerName=http.acme
What seems to be the problem here?
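Added example (not from the post or from the Traefik project): a small parser for Traefik's logfmt-style log lines that pulls the ACME order failure out of the `Unable to obtain ACME certificate` message (domain, HTTP status, ACME error URN, the challenge URL the CA tried to fetch, and the reason) and counts the `Error getting challenge for token` lookups, so a monitoring job can alert on HTTP-01 failures instead of waiting for the default certificate to show up. The sample lines are copied from the log above; the function names and the field layout assumed by `FIELD_RE` are this example's own.

```python
import re

# Sample input: four lines taken from the Traefik log quoted in the post.
SAMPLE_LOG = r'''traefik | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Trying to solve HTTP-01"
traefik | time="2020-10-03T16:00:45+02:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.nicolasmauchle.ch\": unable to generate a certificate for the domains [traefik.nicolasmauchle.ch]: error: one or more domains had a problem:\n[traefik.nicolasmauchle.ch] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.nicolasmauchle.ch/.well-known/acme-challenge/RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ: Connection reset by peer, url: \n" rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker providerName=http.acme
traefik | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 259.784598ms" providerName=http.acme
traefik | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 1.115444186s" providerName=http.acme'''

# key=value pairs; a quoted value may contain \" and \n escapes (assumed logfmt layout).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The per-domain problem lego reports inside the Traefik error message.
ACME_ERR_RE = re.compile(
    r'\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: (?P<urn>\S+) :: '
    r'Fetching (?P<url>\S+): (?P<reason>[^,]+)')


def parse_line(line):
    """Split one Traefik log line into a dict, unescaping the quoted msg value."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace('\\n', '\n')
        fields[key] = raw
    return fields


def summarize_acme_failures(log_text):
    """Return (list of ACME order failures, number of failed challenge-token lookups)."""
    failures, token_lookup_errors = [], 0
    for line in log_text.splitlines():
        f = parse_line(line)
        # Only the ACME provider's error-level lines are of interest here.
        if f.get("level") != "error" or f.get("providerName") != "http.acme":
            continue
        msg = f.get("msg", "")
        if msg.startswith("Error getting challenge for token"):
            token_lookup_errors += 1  # Traefik has no pending challenge for that token
        for m in ACME_ERR_RE.finditer(msg):
            failures.append({**m.groupdict(), "time": f.get("time")})
    return failures, token_lookup_errors


if __name__ == "__main__":
    found, lookups = summarize_acme_failures(SAMPLE_LOG)
    for fail in found:
        print(f'{fail["time"]} {fail["domain"]}: {fail["urn"]} ({fail["reason"]}) at {fail["url"]}')
    print(f"challenge-token lookup errors: {lookups}")
```

An `urn:ietf:params:acme:error:connection` with "Connection reset by peer" means the CA never completed an HTTP fetch of the challenge URL on port 80, so the first thing to check is the path from the Internet to the container's port 80, not the router labels.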