Unable to Obtain Cert

Hello, everyone,

I'm having some trouble obtaining my cert. My domain (phaneuf.network) was registered through Google, but I changed my nameservers to Cloudflare. My configs (slightly edited for security) are:

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: email_from_google@email.com
      storage: /acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL= cloud_flare_account_email@email.com
      - CF_API_KEY= cloud_flare_global_api
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/data/traefik.yml:/traefik.yml:ro
      - /root/traefik/data/acme.json:/acme.json
      - /root/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.network`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:hashed_password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.network`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.network"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.network"
      - "traefik.http.routers.traefik-secure.service=api@internal"


networks:
  proxy:
    external: true

After running, my acme.json reads:

{
  "cloudflare": {
    "Account": {
      "Email": "cloud_flare_account_email@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:cloud_flare_account_email@email.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/123193476"
      },
      "PrivateKey": "private_key",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}


1 Like
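Two quick offline checks on the files posted above, as an added example (not code from the thread or from Traefik). The acme.json shows a valid ACME account but `"Certificates": null`, so registration worked and every order afterwards failed or was never attempted; the posted compose file also writes `CF_API_EMAIL= …` and `CF_API_KEY= …` with a space after `=`, and in a compose `environment` list that space becomes part of the value Traefik's DNS-01 provider reads. The function names, the sample strings (copied from the post, with the missing comma in acme.json restored) and the `resolver` parameter are this example's own assumptions:

```python
import json
import re
import stat

# Constructed sample: the acme.json from the post, with the comma after "PrivateKey" restored.
SAMPLE_ACME = """{
  "cloudflare": {
    "Account": {
      "Email": "cloud_flare_account_email@email.com",
      "Registration": {
        "body": {"status": "valid", "contact": ["mailto:cloud_flare_account_email@email.com"]},
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/123193476"
      },
      "PrivateKey": "private_key",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}"""

# Constructed sample: the environment section of the posted docker-compose.yml.
SAMPLE_COMPOSE = """services:
  traefik:
    environment:
      - CF_API_EMAIL= cloud_flare_account_email@email.com
      - CF_API_KEY= cloud_flare_global_api
"""


def audit_acme_storage(text, resolver="cloudflare"):
    """Summarise the state of one certificate resolver in a Traefik acme.json.

    Returns a list of human-readable findings: whether the ACME account
    registration succeeded and which certificates (if any) were stored.
    """
    data = json.loads(text)
    findings = []
    block = data.get(resolver)
    if block is None:
        return [f"no resolver '{resolver}' in storage; known: {sorted(data)}"]
    account = block.get("Account") or {}
    status = (account.get("Registration") or {}).get("body", {}).get("status")
    if status == "valid":
        findings.append("ACME account registration is valid (account creation worked)")
    else:
        findings.append(f"ACME account status is {status!r}")
    certs = block.get("Certificates")
    if not certs:
        findings.append("no certificates stored: every order failed or none was "
                        "requested; check the Traefik log lines for this resolver")
    else:
        for cert in certs:
            domain = cert.get("domain", {})
            findings.append(f"certificate for {domain.get('main')} "
                            f"sans={domain.get('sans', [])}")
    return findings


# Matches list-style environment entries such as "- KEY=value".
ENV_LINE = re.compile(r"^\s*-\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")


def find_env_whitespace(compose_text):
    """Return (key, value) pairs whose value carries leading or trailing whitespace.

    Compose passes the string after '=' verbatim, so 'CF_API_KEY= abc' hands
    the DNS provider the key ' abc', which Cloudflare will reject.
    """
    bad = []
    for line in compose_text.splitlines():
        match = ENV_LINE.match(line)
        if match and match.group("value") != match.group("value").strip():
            bad.append((match.group("key"), match.group("value")))
    return bad


def check_storage_mode(mode):
    """Traefik refuses to use acme.json unless its permissions are exactly 0600."""
    return stat.S_IMODE(mode) == 0o600


if __name__ == "__main__":
    for finding in audit_acme_storage(SAMPLE_ACME):
        print("acme.json:", finding)
    for key, value in find_env_whitespace(SAMPLE_COMPOSE):
        print(f"compose: {key} has whitespace in its value {value!r}")
```

Run against the real files with `audit_acme_storage(open("/root/traefik/data/acme.json").read())` and `check_storage_mode(os.stat("/root/traefik/data/acme.json").st_mode)`; an empty `Certificates` entry plus a Traefik log line from the `cloudflare` resolver is the pair of facts the replies below are asking for.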

What issue are you running into exactly? The only thing we now know is you're "unable to obtain cert" from the thread title, but that's very little to work with with regard to actual error messages/logs et cetera. Frankly, I don't even know which steps you've taken to actually acquire a cert. I only see a bunch of config files.

1 Like

@phaneuf, yes, I think it would be more relevant to start by seeing the exact error message you received, compared to your configuration.

1 Like

Note also that if you are proxying your request via Cloudflare (the default setting for most DNS entries in Cloudflare) then http requests won't go directly to your site, they go via Cloudflare. Look in your SSL settings on Cloudflare and try the different settings, I think (from memory) you need 'Full' instead of 'Strict' because you need to allow port 80 http traffic for http validation to work.

1 Like

https traffic on my server finds its way to port 433 with Apache2 on Ubuntu 20.04.2 with port 80 supported for http 301 permanent redirect to the https

I have to open both ports on my firewall to direct them to the web server

AFAIK cloudflare can handle https fine, I know many sites that use https there that work fine

The key is not having Cloudflare auto redirect your http requests to https before they get to your server, otherwise self hosted acme challenges on port 80 will just never get through.

1 Like

Maybe you should check the control panel on Cloudflare and see if the needed ports are open.

For an example that is known to be working, this is how I have SSL/TLS set on my cloudflare:

1 Like

How is it that it still works when set to strict?

Please show us the error.

1 Like

Probably not.

Full (strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Full (strict) supports SSL hostname validation against CNAME targets.

Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

The Full (strict) SSL option checks for SSL certificate validity at the origin web server. A self-signed certificate cannot be used. A Cloudflare Origin CA certificate or valid certificate purchased from a Certificate Authority is required to avoid 526 errors.
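The conditions listed above (trusted issuer, future expiry, hostname coverage) are easy to pre-check from the outside before switching the Cloudflare setting to Full (strict), which avoids discovering a 526 in production. The following is an added example, not code from this thread or from Cloudflare: `fetch_origin_cert` performs the handshake with Python's default context, so an untrusted chain already fails there (it assumes the local CA store is a reasonable stand-in for the one Cloudflare uses), and `evaluate_cert` applies the expiry and hostname checks to the certificate dictionary `ssl` returns. `SAMPLE_CERT` and all names are this example's own constructions:

```python
import socket
import ssl
import time


def fetch_origin_cert(host, port=443, timeout=5.0):
    """Handshake with the origin the way a strict client would.

    ssl.create_default_context() requires a chain that validates against the
    local trust store and checks the hostname, so an untrusted or self-signed
    origin certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _hostname_matches(pattern, hostname):
    """Minimal DNS-name match: exact name, or one leading '*.' wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.net" -> ".example.net"
        # The wildcard covers exactly one label, so no dot may remain in front of it.
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def evaluate_cert(cert, hostname, now=None):
    """Apply the expiry and hostname checks to a dict from getpeercert().

    Returns a list of problems; an empty list means the certificate covers
    the hostname and has not expired at time `now` (seconds since the epoch).
    """
    now = time.time() if now is None else now
    problems = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        problems.append(f"expired at {cert['notAfter']}")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"{hostname} not covered by SANs {dns_names}")
    return problems


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.net"),),),
    "subjectAltName": (("DNS", "origin.example.net"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_origin_cert(host) if host else SAMPLE_CERT
    problems = evaluate_cert(cert, host or "origin.example.net")
    print("OK for Full (strict)" if not problems else "; ".join(problems))
```

Run it as `python check_origin.py origin.yourdomain.example` against the origin's direct address (not through the Cloudflare proxy, which would show you Cloudflare's edge certificate instead); a `SSLCertVerificationError` from the handshake corresponds to the "must be signed by a Certificate Authority that is trusted" condition, and the returned problem list covers the other two.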
