Dirkos

Reputation: 676

Traefik acme timeouts

I'm trying to get Traefik working properly in AKS. Overall it works fine; however, I cannot get the ACME certs to work. Attached below is my traefik.toml configuration, in which I can't find anything odd.

The 3 domains that are mentioned are dummy in this use case but actually exist and reply as well.

# traefik.toml
logLevel = "info"
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
  [entryPoints.traefik]
  address = ":8080"
[ping]
entryPoint = "http"
[kubernetes]
[traefikLog]
  format = "json"
[acme]
KeyType = "RSA4096"
email = "[email protected]"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
  [acme.httpChallenge]
  entryPoint = "http"
[[acme.domains]]
   main = "traefik.domain.com"
[[acme.domains]]
   main = "elasticsearch.domain.com"
[[acme.domains]]
   main = "kibana.domain.com"
[api]
  entryPoint = "traefik"
  dashboard = true

The actual error I am receiving is this:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.hardstyletop40.com\" : unable to generate a certificate for the domains [traefik.domain.com]: acme: Error -\u003e One or more domains had a problem:\n[traefik.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.hardstyletop40.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data, url: \n","time":"2019-09-11T14:47:13Z"}

With details about the challenge:

"challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293838266/LPH2sA",
      "token": "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
      "validationRecord": [
        {
          "url": "http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
          "hostname": "traefik.hardstyletop40.com",
          "port": "80",
          "addressesResolved": [
            "13.79.159.165"
          ],
          "addressUsed": "13.79.159.165"
        }
      ]
    },

Thanks in advance

Upvotes: 4

Views: 949

Answers (1)

Tschallacka

Reputation: 28742

How letsencrypt works is by putting a file in the .well-known directory on your specified webserver. You're saying they're dummy, so you might be doing them locally? In any case, if the autogenerated file isn't found on the webserver, it can't be verified that the certificate is requested from the "owning" domain.

How the flow works heavily simplified:

  1. letsencrypt -> generate file name: abc133......
  2. letsencrypt -> find webroot of provided domain in webserver config
  3. letsencrypt -> copy file to .well-known in webroot of given domain
  4. letsencrypt -> send a webrequest with filename and domain name to letsencrypt.org
  5. letsencrypt.org -> try to request the file from the given domain looked up via dns
  6. letsencrypt.org -> successfully requested file and verified, output certificate
  7. letsencrypt -> read certificate and copy to certificates folder, make a few symlinks
  8. letsencrypt -> modify webserver configs if needed

Now if you're working with dummy domains and not on the live server, the above process will fail at step 3, which will cause step 5 to fail, which results in the error you are getting.

An alternative is that you set a DNS record key to verify, if you can't run the command on the webserver to generate the certificate.

sudo certbot -d your.dummy.com --manual --preferred-challenges dns certonly

This will give you a code you will need to put in a TXT record on your domain server.

[image: example of verification code]

When you have done that, you confirm in the letsencrypt app that you've set the record and continue.

In short, if you cannot run the command on the webserver to generate the certificates, or cannot modify the DNS records, you cannot obtain a certificate via letsencrypt.

Upvotes: 2
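As an added example (not code from the question, the answer, Traefik or Let's Encrypt), the following Python script repeats what step 5 above does from the CA's side: it fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP on port 80 and checks that the body is the key authorization (token plus the account key's JWK thumbprint, RFC 8555 section 8.1 / RFC 7638). It assumes a constructed placeholder JWK, reuses the token from the question's log, and includes a loopback demo server so the probe can be exercised offline; the `connect_to` parameter lets you point the probe at the address the CA actually resolved (the log's `addressUsed`) to tell a DNS problem from a port 80 reachability problem.

```python
import base64, hashlib, http.server, json, threading, urllib.error, urllib.request

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: base64url(SHA-256(canonical JSON of the required public members only))
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()

def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: the exact body the CA expects at /.well-known/acme-challenge/<token>
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_probe(host: str, token: str, jwk: dict, port: int = 80, connect_to: str = None) -> dict:
    """Repeat the CA's validation fetch: plain HTTP, port 80, Host header set to the domain.
    connect_to lets you target the address the CA resolved (the log's addressUsed) directly."""
    url = f"http://{connect_to or host}:{port}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode(errors="replace").strip()
    except (urllib.error.URLError, OSError) as exc:  # refused, timeout, HTTP 4xx/5xx
        return {"ok": False, "reason": f"error getting validation data: {exc}"}
    if body != key_authorization(token, jwk):
        return {"ok": False, "reason": "served body is not the expected key authorization"}
    return {"ok": True, "reason": "challenge response valid"}

class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    served = {}  # path -> body, filled in by start_demo_server

    def do_GET(self):
        body = self.served.get(self.path, "")
        self.send_response(200 if body else 404)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((body or "not found").encode())

    def log_message(self, *args):  # keep the demo server quiet
        pass

def start_demo_server(token: str, jwk: dict) -> http.server.HTTPServer:
    """Serve the correct key authorization on a loopback port so the probe can be tried offline."""
    _ChallengeHandler.served = {f"/.well-known/acme-challenge/{token}": key_authorization(token, jwk)}
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

# Constructed demo inputs: the token from the question's log and a placeholder RSA JWK (not a real key)
DEMO_TOKEN = "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY"
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}
```

Against a real deployment, call `http01_probe("traefik.domain.com", token, account_jwk, connect_to="13.79.159.165")` while Traefik has the challenge pending; a "connection" failure there reproduces the CA's error and points at port 80 not being routed to the Traefik service, while a body mismatch points at the wrong backend answering for that hostname.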
