[Sorry for all the edits, hit submit too quickly and had to finish typing]
My domain is: alinlung.top
My web server is (include version): Traefik v2.4.8
The operating system my web server runs on is (include version): Debian Buster
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using Traefik as a reverse proxy for a few services run on a local home server (each service on its own subdomain, so traefik.alinlung.top, netdata.alinlung.top, etc.). I want to set up a wildcard certificate (*.alinlung.top), but it seems the challenge is failing for some reason.
This is my docker-compose set-up for traefik:
traefik:
  container_name: traefik
  image: traefik
  command:
    - --log.level=INFO
    - --api.insecure=true
    - --accesslog=true
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --providers.file.filename=/config/traefik.yml
    -SNIP-
    # HTTPS LetsEncrypt Wildcard Config
    - --certificatesresolvers.letsencrypt.acme.email=-SNIP-
    - --certificatesresolvers.letsencrypt.acme.storage=letsencrypt/acme-wildcard.json
    - --certificatesresolvers.letsencrypt.acme.dnschallenge=true # It needs to be a DNS challenge (rather than TLS or HTTP) for wildcard certificates to work
    - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=namesilo
    #- --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
    - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=600
    #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    # Staging server is used for testing (so you don't hit API limits)
    # HTTP / HTTPS Entrypoints
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
  ports:
    - 80:80 # Web EntryPoint
    - 443:443 # WebSecure EntryPoint
    - 11007:8080 # WebUI
  volumes:
    - *shared-volume
    - *docker-sock
    - ${USERDIR}/docker/traefik/letsencrypt:/letsencrypt
    - ${USERDIR}/docker/traefik/certs:/certs
    - ${USERDIR}/docker/traefik/config:/config
  environment:
    - *PUID
    - *PGID
    - *TZ
    - NAMESILO_API_KEY=${NAMESILO_API_KEY}
  labels:
    - traefik.enable=true
    -SNIP-
    - traefik.http.routers.traefik-wildcard-cert.tls=true
    - traefik.http.routers.traefik-wildcard-cert.tls.certresolver=letsencrypt
    - traefik.http.routers.traefik-wildcard-cert.tls.domains[0].main=*.alinlung.top
    # - traefik.http.routers.traefik-wildcard-cert.tls.domains[0].sans=alinlung.top
    - traefik.http.routers.traefik-wildcard-cert.service=api@internal
    -SNIP-
This is the error I see in Traefik's logs:
time="2021-05-17T22:34:28+03:00" level=error msg="Unable to obtain ACME certificate for domains \"*.alinlung.top\" : unable to generate a certificate for the domains [*.alinlung.top]: error: one or more domains had a problem:\n[*.alinlung.top] time limit exceeded: last error: NS ns1.dnsowl.com. did not return the expected TXT record [fqdn: _acme-challenge.alinlung.top., value: 09wwvh4fBPgEAB1LaVYfkPJkMHJtH5GIzUnXU2hUAlw]: \n" providerName=letsencrypt.acme
But I have namesilo's DNS management page open on my second screen, and I can see the TXT record is created and has the correct value. See the screenshot below.
I'm guessing the issue might be the TXT record not getting propagated, but I set a 10-minute delay from the config and it didn't make any difference, so I'm a bit low on ideas.
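An added diagnostic for this kind of failure (my own example, not part of the post and not Traefik's or lego's code): it pulls the nameserver, challenge name and expected token out of the error line quoted above and then queries that authoritative server directly with `dig`, which is what the error shows Traefik itself doing, so a recursive resolver's cache or public-DNS propagation is not what is being tested. It assumes `dig` is installed on the host running it.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample input: the Traefik error line quoted in the post.
SAMPLE_LOG = (
    'time="2021-05-17T22:34:28+03:00" level=error msg="Unable to obtain ACME certificate for '
    'domains \\"*.alinlung.top\\" : unable to generate a certificate for the domains '
    '[*.alinlung.top]: error: one or more domains had a problem:\\n[*.alinlung.top] time limit '
    'exceeded: last error: NS ns1.dnsowl.com. did not return the expected TXT record '
    '[fqdn: _acme-challenge.alinlung.top., value: 09wwvh4fBPgEAB1LaVYfkPJkMHJtH5GIzUnXU2hUAlw]: '
    '\\n" providerName=letsencrypt.acme'
)

# Matches the "NS <server> did not return the expected TXT record [fqdn: ..., value: ...]"
# fragment that lego (Traefik's ACME library) writes on a DNS-01 verification timeout.
LOG_RE = re.compile(
    r"NS (?P<ns>\S+?)\.? did not return the expected TXT record "
    r"\[fqdn: (?P<fqdn>\S+?)\.?, value: (?P<value>[^\]\s]+)\]"
)


def parse_dns01_failure(line: str) -> Optional[dict]:
    """Return {ns, fqdn, value} from a DNS-01 failure line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Trailing dots are stripped so the names can be handed straight to dig.
    return {k: m.group(k).rstrip(".") for k in ("ns", "fqdn", "value")}


def txt_matches(answers: List[str], expected: str) -> bool:
    """True if any TXT answer (dig +short prints each record quoted) equals the token."""
    return any(a.strip().strip('"') == expected for a in answers)


def query_txt(fqdn: str, ns: str) -> List[str]:
    """Query the authoritative server directly, bypassing recursive-resolver caches (needs dig)."""
    out = subprocess.run(["dig", "+short", "TXT", fqdn, f"@{ns}"],
                         capture_output=True, text=True, timeout=10)
    return out.stdout.splitlines()


if __name__ == "__main__":
    info = parse_dns01_failure(SAMPLE_LOG)
    answers = query_txt(info["fqdn"], info["ns"])
    print("authoritative answers:", answers or "(none)")
    print("matches expected token:", txt_matches(answers, info["value"]))
```

If the authoritative server returns nothing or a stale token while the provider's management page already shows the right value, the gap is between the provider's UI and its nameservers, and delaybeforecheck only changes how long Traefik waits for that to close.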