Traefik Error forwarding EOF / Bad Gateway (Let's Encrypt Related)

Question

I'm attempting to set up Cryptpad via Docker, reachable through Traefik, on a public server. I have Traefik set up as well as Cryptpad but so far, upon navigating to http://cryptpad.myserver.com (which redirects to https, as specifically configured) I get a Bad Gateway error in the browser and the following error in the treafik container's logs:

level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"

Further, another issue which may be related is that it does not seem that Let's Encrypt is able to issue certs for neither cryptpad.myserver.com nor monitor.myserver.com (which I configured as per the instructions here https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04).

---

EDIT: The Bad Gateway issue does seem to be stemming from a failure to create a valid cert, as I can reach Cryptpad through Traefik fine over plain HTTP (after turning off the related HTTPS configurations of course). The title of this question has been edited accordingly to reflect this relation.

---

For example, when attempting to reach https://monitor.myserver.com, I get the following errors in the traefik container's logs:

time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9080" 
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443" 
time="2018-01-10T13:53:37Z" level=debug msg="LoadCertificateForDomains [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=debug msg="Look for provided certificate to validate [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=debug msg="No provided certificate found for domains [monitor.myserver.com], get ACME certificate." 
time="2018-01-10T13:53:37Z" level=debug msg="Loading ACME certificates [monitor.myserver.com]..." 
time="2018-01-10T13:53:37Z" level=warning msg="A new release has been found: 1.4.6. Please consider updating." 
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]" 
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v" 

Similarly, when attempting to reach http://cryptpad.myserver.com, the following ssl errors are logged (ending with the EOF / Bad Gatewway error noted above):

time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9443" 
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9080" 
time="2018-01-10T11:59:18Z" level=debug msg="LoadCertificateForDomains [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]" 
time="2018-01-10T11:59:18Z" level=error msg="Error getting ACME certificates [cryptpad.myserver.com] : Cannot obtain certificates map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]+v" 
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..." 
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate." 
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com" 
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF" 

The following is the docker-compose.yml file for Traefik and its traefik.toml file (both configured by consulting the guide already mentioned above [via Digital Ocean] and Traefik's own here https://docs.traefik.io/user-guide/docker-and-lets-encrypt/):

version: '2'

services:
  traefik:
    image: traefik
    networks:
      - proxy
    ports:
      - "9080:9080"
      - "9443:9443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:monitor.myserver.com"
      - "traefik.port=8080"
    container_name: traefik

networks:
  proxy:
    external: true

traefik.toml:

checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
    [entryPoints.http]
    address = ":9080"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
    address = ":9443"
        [entryPoints.https.tls]

[retry]

[acme]
email = "example@myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false

[web]

address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false

And here are the .env and docker-compose.yml files for Cryptpad, which I received and edited according to https://github.com/xwiki-labs/cryptpad/blob/master/docs/cryptpad-docker.md and the guides previously mentioned:

VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true

docker-compose.yml

version: '2'
services:

  cryptpad:
    build:
      context: .
      args:
        - VERSION=${VERSION}
    image: "xwiki/cryptpad:${VERSION}"
    hostname: cryptpad

    labels:
      - "traefik.backend=cryptpad"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:cryptpad.myserver.com"
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.default.protocol=https"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    restart: always
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
    networks:
      - proxy
      - default
    expose:
      - "3000"

networks:
  proxy:
    external: true

Any help would be greatly appreciated. & of course I can provide much more details if necessary.

Answer 1

I think you are running into this issue:

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

Apparently letsencrypt has disabled TLS-SNI-01 because of security issues. Here is the link to the issue: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

It looks like that letsencrypt needs a few days, before they can enable it again.