Unable to get new certificates with Traefik (acme: error: 400)

I set up Traefik (v. 2.2) with docker and docker-compose. Everything worked great until last week.
I wanted to set up a new container over HTTPS when I noticed that Traefik could not receive certificates from Let's Encrypt and started serving the Traefik default certificate.

I tried to remove the acme.json to generate a complete new one but that did not work either.

My domain is: traefik.nicolasmauchle.ch

Log files of Traefik (Startup):

traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="No default certificate, generating one"
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="Try to challenge certificate for domain [traefik.nicolasmauchle.ch] found in HostSNI rule" providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.nicolasmauchle.ch\"]..." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="Domains [\"traefik.nicolasmauchle.ch\"] need ACME certificates generation for domains \"traefik.nicolasmauchle.ch\"." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="Loading ACME certificates [traefik.nicolasmauchle.ch]..." providerName=http.acme rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="Building ACME client..." providerName=http.acme
traefik    | time="2020-10-03T15:59:33+02:00" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=http.acme
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="Using HTTP Challenge provider." providerName=http.acme
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Obtaining bundled SAN certificate"
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Could not find solver for: tls-alpn-01"
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: use http-01 solver"
traefik    | time="2020-10-03T15:59:34+02:00" level=debug msg="legolog: [INFO] [traefik.nicolasmauchle.ch] acme: Trying to solve HTTP-01"
traefik    | time="2020-10-04T10:19:20+02:00" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik    | time="2020-10-04T10:19:21+02:00" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/125007215"
traefik    | time="2020-10-03T16:00:45+02:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.nicolasmauchle.ch\": unable to generate a certificate for the domains [traefik.nicolasmauchle.ch]: error: one or more domains had a problem:\n[traefik.nicolasmauchle.ch] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.nicolasmauchle.ch/.well-known/acme-challenge/RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ: Connection reset by peer, url: \n" rule="Host(`traefik.nicolasmauchle.ch`)" routerName=traefik-ssl@docker providerName=http.acme

traefik.yml

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

log:
  level: DEBUG

certificatesResolvers:
  http:
    acme:
      email: <EMAIL>
      storage: /certbot_acme/acme.json
      httpChallenge:
        entryPoint: http

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certbot_acme:/certbot_acme
      - ./traefik.yml:/traefik.yml
    labels:
      # Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.nicolasmauchle.ch`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=<USER:PASS>"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-ssl.entrypoints=https"
      - "traefik.http.routers.traefik-ssl.rule=Host(`traefik.nicolasmauchle.ch`)"
      - "traefik.http.routers.traefik-ssl.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-ssl.tls=true"
      - "traefik.http.routers.traefik-ssl.tls.certresolver=http"
      - "traefik.http.routers.traefik-ssl.service=api@internal"


volumes:
  certbot_acme:
    external: true

networks:
  proxy:
    external: true

Note: The current certificate for traefik.nicolasmauchle.ch is an old one.

When I manually call the URL (http://traefik.nicolasmauchle.ch/.well-known/acme-challenge/RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ) via browser I see the following Traefik log messages

traefik    | time="2020-10-03T16:05:51+02:00" level=debug msg="Unable to split host and port: address traefik.nicolasmauchle.ch: missing port in address. Fallback to request host." providerName=http.acme
traefik    | time="2020-10-03T16:05:51+02:00" level=debug msg="Retrieving the ACME challenge for token RJDjxkLDKiSj4kO0CmozWR3OTCTqmhfXQZFoXqx0wlQ..." providerName=http.acme
traefik    | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 259.784598ms" providerName=http.acme
traefik    | time="2020-10-03T16:05:51+02:00" level=error msg="Error getting challenge for token retrying in 1.115444186s" providerName=http.acme
traefik    | time="2020-10-03T16:05:53+02:00" level=error msg="Error getting challenge for token retrying in 1.049517649s" providerName=http.acme
traefik    | time="2020-10-03T16:05:54+02:00" level=error msg="Error getting challenge for token retrying in 1.875633294s" providerName=http.acme
traefik    | time="2020-10-03T16:05:55+02:00" level=error msg="Error getting challenge for token retrying in 1.844470499s" providerName=http.acme

What seems to be the problem here?

2 Likes

Hi @bhzunami

I'm not familiar with traefik, never used it. But your error

msg="Unable to split host and port: address traefik.nicolasmauchle.ch: missing port in address. Fallback to request host."

looks like a general configuration error.

And checking

there is nothing like that:

Instead, there is something like

## Static configuration
entryPoints:
  web:
    address: ":80"

not a protocol, only web:

3 Likes

Hello @JuergenAuer

Thanks for your fast reply.

The name in the entryPoints is free to choose. With the configuration

entryPoints:
  web:
    address: ":80"

You need to set the label in the docker-compose.yml file

- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik-ssl.entrypoints=websecure"

But to be sure I renamed it anyway, with little success.

This error appears when I call the URL with a browser or by CURL.
msg="Unable to split host and port: address traefik.nicolasmauchle.ch: missing port in address. Fallback to request host."

I am pretty sure a browser request is fully wrong. But I wanted to test that the destination is reachable and Traefik reacts to it.

The odd behavior is that I did not change any configuration and it stopped working. The settings used to be correct.

2 Likes

I could solve the problem. Fail2Ban blocked the IP address(es) of Let's Encrypt. After releasing the IP address(es) everything went back to normal.

Fail2Ban blocked the IP addresses because my container was not stable (it crashed immediately after start). It then looked as if Let's Encrypt was trying to call up web pages that do not exist, which leads to a blocking entry in the firewall.

@JuergenAuer Thanks for your help.

3 Likes
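The root cause above, a 404-hunting Fail2Ban filter counting Let's Encrypt's HTTP-01 validation requests as attacks while the backend was down, is easy to reproduce offline. The following Python script is an added example and not code from the thread or from Fail2Ban: it replays a constructed Traefik access log (CLF-style lines, documentation IP ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, made-up challenge tokens) through a simplified fail2ban-style sliding window (maxretry within findtime) once with a naive "every 404/502 is a failure" rule and once with `/.well-known/acme-challenge/` exempted, the way an `ignoreregex` in a filter would. It also lists the failed ACME validation requests, which is the line a defender wants to grep for when certificates silently stop renewing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). 203.0.113.10 stands in for a
# Let's Encrypt validation node hitting a crashed backend; 198.51.100.7 is a
# constructed path scanner; 192.0.2.5 is an ordinary user. Tokens are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2020:16:00:40 +0200] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 404 19 "-" "acme-validator/constructed"
198.51.100.7 - - [03/Oct/2020:16:00:41 +0200] "GET /wp-login.php HTTP/1.1" 404 19 "-" "scanner/constructed"
203.0.113.10 - - [03/Oct/2020:16:00:42 +0200] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 404 19 "-" "acme-validator/constructed"
192.0.2.5 - - [03/Oct/2020:16:00:43 +0200] "GET /dashboard/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 constructed"
198.51.100.7 - - [03/Oct/2020:16:00:44 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 19 "-" "scanner/constructed"
203.0.113.10 - - [03/Oct/2020:16:00:50 +0200] "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1" 502 11 "-" "acme-validator/constructed"
198.51.100.7 - - [03/Oct/2020:16:00:51 +0200] "GET /.env HTTP/1.1" 404 19 "-" "scanner/constructed"
203.0.113.10 - - [03/Oct/2020:16:01:05 +0200] "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1" 404 19 "-" "acme-validator/constructed"
198.51.100.7 - - [03/Oct/2020:16:01:06 +0200] "GET /xmlrpc.php HTTP/1.1" 404 19 "-" "scanner/constructed"
203.0.113.10 - - [03/Oct/2020:16:01:20 +0200] "GET /.well-known/acme-challenge/TOKEN-C HTTP/1.1" 404 19 "-" "acme-validator/constructed"
198.51.100.7 - - [03/Oct/2020:16:01:21 +0200] "GET /admin/ HTTP/1.1" 404 19 "-" "scanner/constructed"
203.0.113.10 - - [03/Oct/2020:16:02:00 +0200] "GET /.well-known/acme-challenge/TOKEN-C HTTP/1.1" 404 19 "-" "acme-validator/constructed"
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The HTTP-01 challenge path; matches what the failing fetch in the thread requested.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$")


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failure(rec, exempt_acme):
    """Naive failregex: any 404/502/503 counts. With exempt_acme the challenge
    path is excluded, mirroring an ignoreregex that wins over failregex."""
    if rec["status"] not in (404, 502, 503):
        return False
    if exempt_acme and ACME_PATH.match(rec["path"]):
        return False
    return True


def simulate_bans(log_text, maxretry=5, findtime=timedelta(minutes=10), exempt_acme=True):
    """Return the set of IPs a fail2ban-style jail would ban: maxretry failures
    from one IP inside a sliding findtime window. Simplified model, not fail2ban itself."""
    window = defaultdict(deque)
    banned = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in banned:
            continue
        if not is_failure(rec, exempt_acme):
            continue
        q = window[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > findtime:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(rec["ip"])
    return banned


def acme_failures(log_text):
    """List (ip, path, status) for every ACME challenge fetch that did not succeed.
    A non-empty list while issuance fails is the signal to check the backend and the jail."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ACME_PATH.match(rec["path"]) and rec["status"] >= 400:
            out.append((rec["ip"], rec["path"], rec["status"]))
    return out


if __name__ == "__main__":
    print("naive filter bans:   ", sorted(simulate_bans(SAMPLE_LOG, exempt_acme=False)))
    print("acme-exempt bans:    ", sorted(simulate_bans(SAMPLE_LOG, exempt_acme=True)))
    for ip, path, status in acme_failures(SAMPLE_LOG):
        print(f"failed ACME fetch from {ip}: {path} -> {status}")
```

With the naive rule the validation node is banned after its fifth failed fetch, exactly the state described in the thread, and every later ACME attempt is then reset at the firewall rather than answered with a 404; with the challenge path exempted only the scanner is banned. In a real Fail2Ban filter the equivalent is an `ignoreregex` for `/.well-known/acme-challenge/` in the jail's filter file, and `fail2ban-client status <jail>` followed by `fail2ban-client set <jail> unbanip <ip>` is how the bans the thread ran into are inspected and released.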

Thanks, good to know.

Ah, that's an explanation, thanks for sharing. Yep, such "additional problems" may at first be completely invisible.

Happy to read you have found a solution :+1:

3 Likes