Replies: 2 comments 7 replies
-
|
Hello, My guess is something related to the characters used by your domain (non-ASCII characters, non-puny coded domain, etc.) or related to your network. Based on your logs, I think you are a Traefik user, your configuration can help to understand the problem. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for your response. Domain name consists of ASCII characters, all worked fine until a few days ago, the last time I touched traefik config was about a year ago. My internet provider was recently acquired by a bigger one, got a new modem a few weeks ago - it's zyxel EX5601-T1. Traefik network: docker network create -d overlay --attachable proxyTraefik docker compose: version: "3.3"
networks:
proxy:
external: true
volumes:
traefik:
external: true
letsencrypt:
external: true
log:
external: true
configs:
traefik_users:
file: /mnt/.../traefik/users
services:
traefik:
image: traefik:latest #v2.9.6
configs:
- source: traefik_users
target: /users
mode: 444
ports:
- "80:80"
- "443:443"
command:
- --api.insecure=false
- --api.dashboard=true
# - --api.debug=true
- --accesslog=true
- --accesslog.filepath=/var/log/traefik/access.log
- --accesslog.bufferingsize=100
- --log.level=ERROR
- --log.filepath=/var/log/traefik/traefik.log
- --providers.providersThrottleDuration=10s
- --providers.file.filename=/config/dynamic.toml
- --providers.file.watch=true
- --providers.docker=true
- --providers.docker.endpoint=unix:///var/run/docker.sock
- --providers.docker.swarmMode=true
- --providers.docker.exposedByDefault=false
- --providers.docker.network=proxy
- --entrypoints.ep-http.address=:80
- --entrypoints.ep-https.address=:443
#- --certificatesresolvers.certresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
#- --certificatesresolvers.certresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.certresolver.acme.tlschallenge=true
#- --certificatesresolvers.certresolver.acme.httpchallenge.entrypoint=ep-http
- --certificatesresolvers.certresolver.acme.email=...@gmail.com
- --certificatesresolvers.certresolver.acme.storage=/letsencrypt/acme.json
volumes:
- traefik:/config
- letsencrypt:/letsencrypt
- log:/var/log
- /var/run/docker.sock:/var/run/docker.sock
networks:
- proxy
deploy:
replicas: 1
restart_policy:
condition: any
delay: 3s
placement:
constraints:
- node.role == manager
- node.hostname == hostname here
labels:
- traefik.enable=true
# Generic redirect to https
- traefik.http.middlewares.mw-redirect-to-https.redirectscheme.scheme=https
- traefik.http.middlewares.mw-redirect-to-https.redirectscheme.permanent=true
- traefik.http.routers.r-redirect-to-https.rule=hostregexp(`{host:.+}`)
- traefik.http.routers.r-redirect-to-https.entrypoints=ep-http
- traefik.http.routers.r-redirect-to-https.middlewares=mw-redirect-to-https
# Secure Traefik
- traefik.http.middlewares.mw-traefik-auth.basicauth.usersfile=/users
- traefik.http.middlewares.mw-traefik-auth.basicauth.realm=traefik
- traefik.http.routers.r-traefik.entrypoints=ep-https
- traefik.http.routers.r-traefik.rule=Host(`mydomain.com`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`))
- traefik.http.routers.r-traefik.tls=true
- traefik.http.routers.r-traefik.tls.certresolver=certresolver
- traefik.http.routers.r-traefik.middlewares=mw-traefik-auth
- traefik.http.routers.r-traefik.service=api@internal
- traefik.http.services.dummy-service.loadbalancer.server.port=1357Traefik dynamic.toml: [http.routers]
[http.routers.r-foo]
entrypoints = ["ep-https"]
service = "s-foo"
rule = "Host(`foo.mydomain.com`)"
[http.routers.r-foo.tls]
certresolver = "certresolver"
[http.routers.r-bar]
entrypoints = ["ep-https"]
service = "s-bar"
rule = "Host(`bar.mydomain.com`)"
[http.routers.r-bar.tls]
certresolver = "certresolver"
[http.routers.r-baz]
entrypoints = ["ep-https"]
service = "s-baz"
rule = "Host(`baz.mydomain.com`)"
[http.routers.r-baz.tls]
certresolver = "certresolver"
[http.services]
[http.services.s-foo]
[http.services.s-foo.loadbalancer]
[[http.services.s-foo.loadbalancer.servers]]
url = "http://192.168.1.12:12345/"
[http.services.s-bar]
[http.services.s-bar.loadbalancer]
[[http.services.s-bar.loadbalancer.servers]]
url = "http://192.168.1.12:23456/"
[http.services.s-baz]
[http.services.s-baz.loadbalancer]
[[http.services.s-baz.loadbalancer.servers]]
url = "http://192.168.1.12:34567/" |
Beta Was this translation helpful? Give feedback.
-
|
@ldez could you please take a look? thanks! |
Beta Was this translation helpful? Give feedback.
-
|
I still think it's related to your network. FYI, renewing or obtaining a certificate uses the same process, so you can try to just create a certificate. |
Beta Was this translation helpful? Give feedback.
-
yeah that's my suspect too, is there anything I could do to collect more info on what exactly happens? or, maybe - I am thinking about buying a router which could run dd-wrt - do you know a good one? what do you think in general about this approach? this is not the only problem with the router that I got from my new internet provider |
Beta Was this translation helpful? Give feedback.
-
|
It's complex to diagnose because you should analyze the TLS frame after the router. You could check the router's documentation, or try to find out if someone has the same problem. |
Beta Was this translation helpful? Give feedback.
-
|
Hello, I have a similar issue. Hopefully, someone can direct me in the right direction. I am currently using Traefik (v2.11.2) in a Docker Swarm deployment and I've been using the same setup for over a year now. Until now everything worked fine but now I have issues with a few services. One service (a database) has been running for a while now and in the past, the certificates could successfully be renewed. Now the process fails and unfortunately it is not clear why. It looks like lego tries to do the challenge but there is no success/error message. After some tries, the log shows "remote error: tls: unrecognized name" Additionally, I have a new service where previously no certificate existed. It shows a similar behavior. It occasionally has the error "unrecognized name" but it also shows the error "incorrect validation certificate" and during secondary validation has the problem with "unrecognized name" Unfortunately, I couldn't find much information about these types of errors and if so they would be unrelated. My colleagues also did take a look at the configuration but it stayed the same and for the new service everything is configured correctly (a similar configuration is already running and working). Just in case here is the relevant configuration: I already tried a few things to solve this issue but nothing worked so far. Here is a list of things that I tried:
Additional information:
Thank you in advance for helping, I appreciate every help I can get with this. |
Beta Was this translation helpful? Give feedback.
-
|
In summary, only a few domains don't work (with TLS-ALPN01 and HTTP01 challenge) but other work, my guess is a problem with your local DNS or a firewall. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the hint. I changed the DNS entries for all servers in our swarm but that didn't work... instead I got a different error message 🥳 It made me/us realize, that we probably had the setup running wrong for traefik the whole time. Traefik was replicated globally on all our manager nodes. At first, this sounds correct since traefik requires to be running on a manager node, but the routing ended up incorrect. In other words, the challenge was initiated by one instance but the other instances didn't know about that but got the answer from Let's Encrypt. For some reason, this worked for about 1.5 years, and as mentioned in my first post, downgrading traefik didn't work, so I have no clue why it failed just now. We changed traefik to only be running once on the swarm (still limited to manager nodes but only one replica) and use the docker swarm routing mesh correctly now. After reconfiguring, it immediately worked and generated the certificate. Maybe this will help others in the future :) |
Beta Was this translation helpful? Give feedback.
-
Hello, is this the right place to ask for help with the error below?
It's the latest traefik/letsencrypt (uses github.com/go-acme/lego/v4 v4.14.0), running in a container in a docker swarm on a raspberry pi 4. Time to renew certificates and it fails, worked fine so far.
nslookup inside the container resolves all involved hostnames successfully, the same on an external network. Inbound and outbound 80/443 are forwarded/open.
What I've collected so far is here:
urn:ietf:params:acme:error:tls:
This error indicates a problem with the TLS (Transport Layer Security) connection during the ACME protocol exchange. It typically means there was an issue with the TLS handshake or communication between the client (your server) and the ACME server.
remote error: tls: unrecognized name:
This error suggests that the ACME server received a TLS certificate request for a domain name that it does not recognize or is not associated with the account making the request.
Any further help is very much appreciated.
Beta Was this translation helpful? Give feedback.
All reactions