We Keep Coding

Traefik and certbot cannot generate certificate on OVH

On Docker I installed Portainer and then create new Stack with Traefik (certbot).
I logged into my OVH and generate API keys for certbot.
My docker-compose file looks like bellow.
I use this manual for OVH https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/
I want to certbot generate wildcard certificate for my domain.
version: "3.8"
volumes:
trafeik_crt:
networks:
frontend_proxy:
driver: bridge
enable_ipv6: false
ipam:
driver: default
config:
- subnet: 172.20.5.0/26
services:
traefik:
container_name: Traefik
image: traefik:latest
environment:
TRAEFIK_LOG_LEVEL: 'DEBUG'
TRAEFIK_GLOBAL_CHECKNEWVERSION: 'true'
TRAEFIK_PROVIDERS_DOCKER: 'true'
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'true'
TRAEFIK_API: 'true'
TRAEFIK_API_DASHBOARD: 'true'
TRAEFIK_API_INSECURE: 'true'
OVH_ENDPOINT: 'ovh-eu'
OVH_APPLICATION_KEY: 'my_app_key'
OVH_APPLICATION_SECRET: 'my_secret'
OVH_CONSUMER_KEY: 'my_cons_key'
TRAEFIK_CERTIFICATESRESOLVERS_certbot: 'true'
TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE: 'true'
TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_DNSCHALLENGE_PROVIDER: 'ovh'
# TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_CASERVER: 'ttps://acme-v02.api.letsencrypt.org/directory'
TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_EMAIL: 'info#mydomain.com'
TRAEFIK_CERTIFICATESRESOLVERS_certbot_ACME_STORAGE: '/letsencrypt/acme.json'
TRAEFIK_ENTRYPOINTS_web: 'true'
TRAEFIK_ENTRYPOINTS_webs: 'true'
TRAEFIK_ENTRYPOINTS_web_ADDRESS: ':80'
TRAEFIK_ENTRYPOINTS_webs_ADDRESS: ':443'
TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: 'webs'
TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT: 'true'
TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: 'https'
hostname:
srv_traefik1
ports:
- 8051:80/tcp # Trafeik HTTP
- 8052:8080/tcp # Trafeik WebUI
- 4351:443/tcp # Trafeik HTTPS
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- trafeik_crt:/letsencrypt
networks:
frontend_proxy:
ipv4_address: 172.20.5.2
dns:
- 172.16.25.1;
When i enable DEBUG logs I got below error
level=debug msg="Creating load-balancer" entryPointName=web serviceName=httpd-httpd-main routerName=httpd_main#docker
level=debug msg="Creating server 0 http://172.20.5.3:80" entryPointName=web serviceName=httpd-httpd-main serverName=0 routerName=httpd_main#docker
level=debug msg="child http://172.20.5.3:80 now UP"
level=debug msg="Propagating new UP status"
level=debug msg="Added outgoing tracing middleware httpd-httpd-main" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=httpd_main#docker
level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=webs middlewareName=traefik-internal-recovery
level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=web
level=debug msg="Adding route for mydomain.com with TLS options default" entryPointName=webs
level=debug msg="Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule" rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main#docker
level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.com\"]..." routerName=httpd_main#docker rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
level=debug msg="Domains [\"mydomain.com\"] need ACME certificates generation for domains \"mydomain.com\"." providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main#docker rule="Host(`mydomain.com`)"
level=debug msg="Loading ACME certificates [mydomain.com]..." rule="Host(`mydomain.com`)" providerName=certbot.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main#docker
level=debug msg="Building ACME client..." providerName=certbot.acme
level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=certbot.acme
level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44201->127.0.0.11:53: i/o timeout" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=httpd_main#docker rule="Host(`mydomain.com`)" providerName=certbot.acme

The error is in the last line of your debug output:
Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:44201->127.0.0.11:53: i/o timeout
To generate your certificates, your Traefik container try to reach acme-v02.api.letsencrypt.org without success. It tries to use a local DNS server 127.0.0.11:53 but fails to contact it.
You need to fix this DNS issues to fix your certificate generation
Have a look at this SO answer, it can guide you to fix this issue:
ACME certificates timeout with traefik

curl: (7) Failed connect to xx.xx.xx.xx:80; Connection refused

I am trying to deploy nginx - ingress
kubectl run nginx --image=nginx
kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-65899c769f-wf7dl 1/1 Running 0 9m
kubectl expose deploy nginx --port 80
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx ClusterIP 10.254.75.184 <none> 80/TCP 9m
vi ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx
spec:
rules:
- host: kub-mst.coral.io
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
kubectl get ing
NAME HOSTS ADDRESS PORTS AGE
nginx kub-mst 80 9m
vi /etc/hosts
xx.xx.xx.xx kub-mst.coral.io
curl kub-mst.coral.io
curl: (7) Failed connect to kub-mst; Connection refused
I have Kubernetes Cluster and am trying to
curl http://xx.xx.xx.xx
it returns
curl: (7) Failed connect to xx.xx.xx.xx:80; Connection refused
and i execute
kubectl cluster-info
it returns
Kubernetes master is running at http://localhost:8080
KubeDNS is running at http://localhost:8080/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
xx.xx.xx.xx is public IP.
how to troubleshooting to detect where is the problem

You provided the ingress controller with a single rule that matches the host header of your request, yet, for some odd reason, you're testing with a request that does not provide the host header.
curl -H 'Host: kub-mst.coral.io' http://xx.xx.xx.xx

SSL passthrough with Traefik

I need to send the SSL connections directly to the backend, not decrypt at my Traefik. The backend needs to receive https requests.
I tried the traefik.frontend.passTLSCert=true option but getting "404 page not found" error when I access my web app and also get this error on Traefik container
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create TLSClientConfig: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Failed to create RoundTripper for frontend frontend-Host-dev-mydomain-com-0: no TLS provided"
traefik | time="2018-09-16T10:47:41Z" level=error msg="Skipping frontend frontend-Host-dev-mydomain-com-0..."
Could you suggest any solution? Thank you.
I'm using Traefik version 1.6.6.
Here is my docker-compose.yml for the app container.
version: '3'
services:
app:
image: webdevops/php-nginx-dev:7.2
networks:
- proxy
volumes:
- ./:/app
- ../traefik/ssl/*.mydomain.com.crt:/opt/docker/etc/nginx/ssl/server.crt
- ../traefik/ssl/*.mydomain.com.key:/opt/docker/etc/nginx/ssl/server.key
environment:
- WEB_DOCUMENT_ROOT=/app
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:dev.mydomain.com
- traefik.docker.network=proxy
- traefik.port=443
networks:
proxy:
external: true
The docker-compose.yml of my Traefik container.
version: "3"
services:
traefik:
image: traefik
container_name: traefik
command:
- --api
- --docker
- --docker.exposedbydefault=false
restart: always
ports:
- 80:80
- 443:443
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./ssl:/sslcert
networks:
proxy:
external: true
Finally, my traefik.toml file.
debug = true
logLevel = "ERROR"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/sslcert/*.mydomain.com.crt"
keyFile = "/sslcert/*.mydomain.com.key"
[retry]

Traefik now has TCP support in its new 2.0 version - which is still in alpha at this time (Apr 2019).
See PR https://github.com/containous/traefik/pull/4587
and the release notes of v2.0.0-alpha1 at https://github.com/containous/traefik/releases/tag/v2.0.0-alpha1 showing this TCP support PR being included
Hence once 2.0 is released (probably within 2-3 months), HTTPS passthrough will become possible.

Answer for traefik 1.0 (outdated)
passTLSCert forwards the TLS Client certificate to the backend, that is, a client that sends a certificate in the TLS handshake to prove it's identity.
Traefik is an HTTP reverse proxy. To establish the SSL connection directly with the backend, you need to reverse proxy TCP and not HTTP, and traefik doesn't (yet ?) support tcp (but there are issues for that on github).
Traefik won't fit your usecase, there are different alternatives, envoy is one of them.

The new passthrough for TCP routers is already available: https://docs.traefik.io/routing/routers/#passthrough

Traefik Error forwarding EOF / Bad Gateway (Let's Encrypt Related)

I'm attempting to set up Cryptpad via Docker, reachable through Traefik, on a public server. I have Traefik set up as well as Cryptpad but so far, upon navigating to http://cryptpad.myserver.com (which redirects to https, as specifically configured) I get a Bad Gateway error in the browser and the following error in the treafik container's logs:
level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
Further, another issue which may be related is that it does not seem that Let's Encrypt is able to issue certs for neither cryptpad.myserver.com nor monitor.myserver.com (which I configured as per the instructions here https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04).
EDIT:
The Bad Gateway issue does seem to be stemming from a failure to create a valid cert, as I can reach Cryptpad through Traefik fine over plain HTTP (after turning off the related HTTPS configurations of course). The title of this question has been edited accordingly to reflect this relation.
For example, when attempting to reach https://monitor.myserver.com, I get the following errors in the traefik container's logs:
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T13:53:37Z" level=debug msg="LoadCertificateForDomains [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="Look for provided certificate to validate [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="No provided certificate found for domains [monitor.myserver.com], get ACME certificate."
time="2018-01-10T13:53:37Z" level=debug msg="Loading ACME certificates [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=warning msg="A new release has been found: 1.4.6. Please consider updating."
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v"
Similarly, when attempting to reach http://cryptpad.myserver.com, the following ssl errors are logged (ending with the EOF / Bad Gatewway error noted above):
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T11:59:18Z" level=debug msg="LoadCertificateForDomains [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T11:59:18Z" level=error msg="Error getting ACME certificates [cryptpad.myserver.com] : Cannot obtain certificates map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]+v"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
The following is the docker-compose.yml file for Traefik and its traefik.toml file (both configured by consulting the guide already mentioned above [via Digital Ocean] and Traefik's own here https://docs.traefik.io/user-guide/docker-and-lets-encrypt/):
version: '2'
services:
traefik:
image: traefik
networks:
- proxy
ports:
- "9080:9080"
- "9443:9443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
labels:
- "traefik.frontend.rule=Host:monitor.myserver.com"
- "traefik.port=8080"
container_name: traefik
networks:
proxy:
external: true
traefik.toml:
checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":9080"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":9443"
[entryPoints.https.tls]
[retry]
[acme]
email = "example#myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[web]
address = ":8080"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false
And here are the .env and docker-compose.yml files for Cryptpad, which I received and edited according to https://github.com/xwiki-labs/cryptpad/blob/master/docs/cryptpad-docker.md and the guides previously mentioned:
VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true
docker-compose.yml
version: '2'
services:
cryptpad:
build:
context: .
args:
- VERSION=${VERSION}
image: "xwiki/cryptpad:${VERSION}"
hostname: cryptpad
labels:
- "traefik.backend=cryptpad"
- "traefik.docker.network=proxy"
- "traefik.frontend.rule=Host:cryptpad.myserver.com"
- "traefik.enable=true"
- "traefik.port=3000"
- "traefik.frontend.passHostHeader=true"
- "traefik.default.protocol=https"
environment:
- USE_SSL=${USE_SSL}
- STORAGE=${STORAGE}
- LOG_TO_STDOUT=${LOG_TO_STDOUT}
restart: always
volumes:
- ./data/files:/cryptpad/datastore:rw
- ./data/customize:/cryptpad/customize:rw
networks:
- proxy
- default
expose:
- "3000"
networks:
proxy:
external: true
Any help would be greatly appreciated. & of course I can provide much more details if necessary.

I think you are running into this issue:
https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
Apparently letsencrypt has disabled TLS-SNI-01 because of security issues. Here is the link to the issue: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
It looks like that letsencrypt needs a few days, before they can enable it again.

Pass traffic directly to container to answer LetsEncrypt challenge in Traefik

I have a container ('matrix'), based on https://github.com/silvio/docker-matrix (though that's probably not important).
It runs a service on port 8448 and 3478 (not 80 or 443).
Without running traefik, and only running the 'matrix' container, inside of the 'matrix' container, I can run LetsEncrypt's certbot, which requests tells LetsEncrypt to try to contact me on port 443 and provide a ssl cert, like so:
certbot certonly --standalone --test-cert --email admin#amazing.site --agree-tos -d m.amazing.site
The challenge is made, the challenge is accepted, certs get saved in dir /etc/letsencrypt in the container.
Ok now I want to do this when running Traefik.
I pass my parameters for Traefik for this container in my docker-compose file, like so:
labels:
- "traefik.acme=false"
- "traefik.enable=true"
- "traefik.backend=matrix"
- "traefik.frontend.rule=Host:m.amazing.site"
- "traefik.port=443"
restart: always
expose:
- 443
ports:
- "8448:8448"
- "3478:3478"
When I run the challenge in the container (same command as above)
certbot certonly --standalone --test-cert --email admin#amazing.site --agree-tos -d m.amazing.site
I get the following in my Traefik logs
time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 453.949201ms"
time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 808.788592ms"
time="2017-07-14T01:04:36Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 1.138006833s"
time="2017-07-14T01:04:37Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 2.436785791s"
time="2017-07-14T01:04:40Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 3.055167113s"
time="2017-07-14T01:04:43Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 4.856677044s"
time="2017-07-14T01:04:48Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 7.544878611s"
time="2017-07-14T01:04:55Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 6.313970727s"
time="2017-07-14T01:05:01Z" level=error msg="Error getting cert: Cannot find challenge cert for domain 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
time="2017-07-14T01:05:01Z" level=debug msg="ACME got nothing 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
2017/07/14 01:05:01 server.go:2753: http: TLS handshake error from 66.133.109.36:55264: EOF
Note these are real logs. No mention of the actual domain name I am trying to verify.
What am I doing wrong?

You cannot disable acme for a particular host out of the box since acme installs a route that is executed before all the rules.
I figured out a way to solve this:
https://gist.github.com/micw/67faf5cd3d4a6f64568ca2bb9a051230
Best regards,
Michael.