denkweite

Reputation: 1053

Generating SSL certificate with letsencrypt fails with "300 - Multiple Choices"

I have some problems getting traefik to generate a Let's Encrypt certificate for a domain with the www. subdomain as a separate SAN. I have other containers with identical configuration working in this environment.

The (debug) log is quite verbose, but I was able to see these messages:

time="2018-08-27T07:41:43Z" level=debug msg="Try to challenge certificate for domain [mydomain.de www.mydomain.de] founded in Host rule"
time="2018-08-27T07:41:43Z" level=debug msg="Looking for provided certificate(s) to validate [\"mydomain.de\" \"www.mydomain.de\"]..."
time="2018-08-27T07:41:43Z" level=debug msg="Domains [\"mydomain.de\" \"www.mydomain.de\"] need ACME certificates generation for domains \"mydomain.de,www.mydomain.de\"."
time="2018-08-27T07:41:43Z" level=debug msg="Loading ACME certificates [mydomain.de www.mydomain.de]..."
time="2018-08-27T07:41:56Z" level=debug msg="Unable to split host and port: address www.mydomain.de: missing port in address. Fallback to request host."
time="2018-08-27T07:42:00Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.de,www.mydomain.de\" detected thanks to rule \"Host:mydomain.de,www.mydomain.de\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[mydomain.de] acme: Error 403 - urn:ietf:paramsacme:error:unauthorized - Invalid response from http://mydomain.de/.well-known/acme-challenge/o74RJIDdodxG-hXpmX9en_55ZpptifsjYInrjY97Bic: \"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>300 Multiple Choices</title>\n</head><body>\n<h1>Multiple C\"\n"
time="2018-08-27T07:43:44Z" level=debug msg="No certificate provided dynamically can check the domain \"www.mydomain.de\", a per default certificate will be used."

The LABELs used by this container are:

LABEL traefik.enable="true" \
      traefik.backend="mydomain-backend" \
      traefik.docker.network="web-gateway" \
      traefik.frontend.rule="Host:mydomain.de,www.mydomain.de" \
      traefik.port="80"

So far the message is quite obvious with Invalid response from http://mydomain.de/.well-known/acme-challenge/o74RJIDdodxG-hXpmX9en_55ZpptifsjYInrjY97Bic, which seems to return a code-300 result. But why is this happening? Shouldn't traefik catch the requests to /.well-known and return the correct auth key to letsencrypt? Using only the single domain www.mydomain.de, generation of the certificate works.

How can I fix this? Thanks in advance!

Upvotes: 1

Views: 621

Answers (1)

denkweite

Reputation: 1053

I found the solution. According to this blog entry it is related to the DNS settings of the first domain mydomain.de, which has an A record pointing to my server and an AAAA record (IPv6) pointing to a different location, which caused the "Multiple Choices" response, which is in fact a response from certbot/letsencrypt and is not related to traefik.

After removing the AAAA record from DNS, certificate generation now seems to work.

Upvotes: 1
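A pre-flight check for the DNS condition the answer describes, added here as an example; it is not code from the question, the answer or traefik. Let's Encrypt's HTTP-01 validator connects over IPv6 first whenever the name has an AAAA record, so an A record pointing at the traefik host and an AAAA record pointing somewhere else means the challenge request never reaches traefik, and whatever answers on the IPv6 address (here a server returning 300 Multiple Choices) fails the validation. The script resolves a name's A and AAAA records with the system resolver, reports which family the validator will try first, and flags records that do not belong to the host serving /.well-known/acme-challenge/. The expected addresses are supplied by the operator; the addresses in demo() are constructed from the documentation ranges, and the default names are the question's own placeholders.

```python
# Added pre-flight check for ACME HTTP-01 behind a dual-stack DNS name.
# Not from the original question, answer or traefik.
# Assumptions: the operator knows which addresses the challenge-serving
# host owns; sample addresses in demo() are constructed (RFC 5737/3849).
import socket
from typing import Dict, Iterable, List, Optional, Set

Records = Dict[str, Set[str]]


def resolve_records(hostname: str) -> Records:
    """Collect the A and AAAA answers the system resolver returns for hostname."""
    records: Records = {"A": set(), "AAAA": set()}
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records  # no address records; check_dual_stack reports this
    for family, _type, _proto, _canon, sockaddr in infos:
        if family == socket.AF_INET:
            records["A"].add(sockaddr[0])
        elif family == socket.AF_INET6:
            records["AAAA"].add(sockaddr[0])
    return records


def preferred_family(records: Records) -> Optional[str]:
    """Address family a validator that prefers IPv6 (as Let's Encrypt does) tries first."""
    if records["AAAA"]:
        return "AAAA"
    if records["A"]:
        return "A"
    return None


def check_dual_stack(records: Records, expected_v4: Iterable[str],
                     expected_v6: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; empty means every published address belongs
    to the host that will answer /.well-known/acme-challenge/."""
    problems: List[str] = []
    want_v4, want_v6 = set(expected_v4), set(expected_v6)
    if not records["A"] and not records["AAAA"]:
        return ["no A or AAAA records: the validator cannot reach the host"]
    stray_v4 = records["A"] - want_v4
    if stray_v4:
        problems.append("A record(s) %s do not belong to the challenge host"
                        % sorted(stray_v4))
    if records["AAAA"] and not want_v6:
        # The situation from the answer: AAAA exists, but this host has no IPv6.
        problems.append(
            "AAAA record(s) %s exist but the challenge host has no IPv6 address; "
            "the validator will prefer IPv6 and reach a different server"
            % sorted(records["AAAA"]))
    else:
        stray_v6 = records["AAAA"] - want_v6
        if stray_v6:
            problems.append("AAAA record(s) %s do not belong to the challenge host"
                            % sorted(stray_v6))
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed records reproducing the answer's situation, then the fix."""
    v4 = "203.0.113.10"            # constructed: the traefik host
    other_v6 = "2001:db8:ffff::1"  # constructed: unrelated host answering with 300
    broken = {"A": {v4}, "AAAA": {other_v6}}
    fixed = {"A": {v4}, "AAAA": set()}   # AAAA record removed, as in the answer
    return {"broken": check_dual_stack(broken, [v4]),
            "fixed": check_dual_stack(fixed, [v4])}


if __name__ == "__main__":
    import sys
    # Usage: python acme_dns_check.py <expected-ipv4> name [name ...]
    if len(sys.argv) >= 3:
        for name in sys.argv[2:]:
            recs = resolve_records(name)
            print(name, recs, "validator tries:", preferred_family(recs))
            for p in check_dual_stack(recs, [sys.argv[1]]):
                print("  PROBLEM:", p)
    else:
        print(demo())
```

Run it with the traefik host's public IPv4 and every name in the Host rule (mydomain.de and www.mydomain.de in the question) before requesting the certificate; a name that comes back with an AAAA record you did not publish for this host is exactly the case the answer fixed by removing the record, and the alternative fix is to point the AAAA record at the same server and pass its IPv6 address as expected_v6.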
