
On Docker I installed Portainer and then created a new stack with Traefik (using its built-in ACME client, which I named `certbot` in the config). I logged into my OVH account and generated API keys for the DNS challenge. My docker-compose file is shown below.

I followed this guide for the OVH DNS challenge: https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/ — I want Traefik to obtain a wildcard certificate for my domain.

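version: "3.8"

volumes:
  trafeik_crt:

networks:
  frontend_proxy:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.5.0/26

services:

  traefik:
    container_name: Traefik
    # NOTE(review): `latest` is unpinned, so a redeploy can silently pull a new
    # major release of your edge proxy. Pin a version tag (and ideally a digest).
    image: traefik:latest
    environment:
      # DEBUG prints every ACME / DNS-provider step; drop to INFO once this works.
      TRAEFIK_LOG_LEVEL: 'DEBUG'
      TRAEFIK_GLOBAL_CHECKNEWVERSION: 'true'
      TRAEFIK_PROVIDERS_DOCKER: 'true'
      # With exposedByDefault=true every container Traefik can see through
      # docker.sock gets a router unless it sets traefik.enable=false.
      # Safer default: 'false', and opt services in with traefik.enable=true.
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'true'
      TRAEFIK_API: 'true'
      TRAEFIK_API_DASHBOARD: 'true'
      # Insecure mode serves the API and dashboard on :8080 with no
      # authentication. Combined with the 8052:8080 publish below, anyone who
      # can reach this host can read the full routing configuration. Prefer
      # exposing the dashboard through a router with an auth middleware, or at
      # least bind the publish to 127.0.0.1 (see ports:).
      TRAEFIK_API_INSECURE: 'true'
      OVH_ENDPOINT: 'ovh-eu'
      # These OVH credentials can create and delete records in your DNS zone.
      # Keep them out of the stack file (env_file or Docker/Portainer secrets)
      # and restrict the consumer key to the /domain/zone/* calls the challenge
      # needs. Anyone who can read this stack in Portainer can hijack the zone.
      OVH_APPLICATION_KEY: 'my_app_key'
      OVH_APPLICATION_SECRET: 'my_secret'
      OVH_CONSUMER_KEY: 'my_cons_key'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE: 'true'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE_PROVIDER: 'ovh'
      # Left commented as in the original; the URL scheme typo ("ttps://") has
      # been fixed so it is usable if uncommented. Use the staging CA
      # (https://acme-staging-v02.api.letsencrypt.org/directory) while
      # debugging to avoid hitting Let's Encrypt rate limits.
#      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_CASERVER: 'https://acme-v02.api.letsencrypt.org/directory'
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_EMAIL: 'info@mydomain.com'
      # acme.json holds the account key and private keys; Traefik requires it
      # to be mode 0600. It lives in the trafeik_crt named volume below.
      TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_STORAGE: '/letsencrypt/acme.json'
      TRAEFIK_ENTRYPOINTS_web: 'true'
      TRAEFIK_ENTRYPOINTS_webs: 'true'
      TRAEFIK_ENTRYPOINTS_web_ADDRESS: ':80'
      TRAEFIK_ENTRYPOINTS_webs_ADDRESS: ':443'
      # Permanent (301) redirect of all plain-HTTP traffic to the TLS entrypoint.
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: 'webs'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT: 'true'
      TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: 'https'

    hostname: srv_traefik1
    # Port mappings are quoted: unquoted HOST:CONTAINER pairs can be parsed as
    # sexagesimal integers by YAML 1.1 loaders.
    ports:
      - "8051:80/tcp"   # Traefik HTTP
      # Unauthenticated dashboard (API_INSECURE above). Consider
      # "127.0.0.1:8052:8080/tcp" so it is only reachable from the host.
      - "8052:8080/tcp" # Traefik WebUI
      - "4351:443/tcp"  # Traefik HTTPS
    volumes:
      # Read-only mount limits accidental writes, but the Docker API itself
      # is still fully usable through it (the socket is bidirectional), so
      # a compromised Traefik process is effectively root on the host.
      # A docker-socket-proxy that only allows GET on /containers is safer.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - trafeik_crt:/letsencrypt
    networks:
      frontend_proxy:
        ipv4_address: 172.20.5.2
    dns:
      # Fixed: the original entry was "172.16.25.1;" — the trailing semicolon
      # is not part of a valid address. On a user-defined network the
      # container resolves via Docker's embedded DNS (127.0.0.11), which
      # forwards to the servers listed here; an unusable upstream is the
      # likely cause of the "lookup ... on 127.0.0.11:53: i/o timeout" error.
      - 172.16.25.1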

When I enable DEBUG logging I get the error below (the relevant line is the last one):

level=debug msg="Creating load-balancer" entryPointName=web serviceName=httpd-httpd-main routerName=httpd_main@docker
level=debug msg="Creating server 0 http://172.20.5.3:80" entryPointName=web serviceName=httpd-httpd-main serverName=0 routerName=httpd_main@docker
level=debug msg="child http://172.20.5.3:80 now UP"
level=debug msg="Propagating new UP status"
level=debug msg="Added outgoing tracing middleware httpd-httpd-main" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=httpd_main@docker
level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=webs middlewareName=traefik-internal-recovery
level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=web
level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=webs
level=debug msg="Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule" rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker
level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.com\"]..." routerName=httpd_main@docker rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
level=debug msg="Domains [\"mydomain.com\"] need ACME certificates generation for domains \"mydomain.com\"." providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker rule="Host(`mydomain.com`)"
level=debug msg="Loading ACME certificates [mydomain.com]..." rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker
level=debug msg="Building ACME client..." providerName=certbot.acme
level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=certbot.acme
level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44201->127.0.0.11:53: i/o timeout" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main@docker rule="Host(`mydomain.com`)" providerName=certbot.acme



The error is in the last line of your debug output:

Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44201->127.0.0.11:53: i/o timeout

To generate your certificates, your Traefik container tries to reach acme-v02.api.letsencrypt.org and cannot resolve the name. 127.0.0.11:53 is Docker's embedded DNS resolver for user-defined networks; it answers container names itself and forwards everything else to the upstream servers configured for the container — here the `dns:` entry in your compose file. An i/o timeout at that step usually means the upstream resolver is unreachable from the Docker host or mis-specified; note that your entry reads `172.16.25.1;` with a trailing semicolon, which is not a valid address, so check that first (and also that 172.16.25.1 is reachable and answers on UDP/TCP 53 from the host).

You need to fix this DNS issue before certificate generation can succeed; nothing in the ACME or OVH configuration is reached until the CA directory URL resolves. While testing, point `ACME_CASERVER` at the Let's Encrypt staging endpoint so repeated attempts do not consume production rate limits.

Have a look at this SO answer, it can guide you to fix this issue: ACME certificates timeout with traefik
