Acme http challenge error with multiple traefik instances

Hello,

Here is my traefik configuration:

---
# Traefik v1 edge proxy for a Docker Swarm, one task per manager node
# (deploy.mode: global). ACME state is kept in a file under /letsencrypt.
version: "3.7"

services:
  traefik:
    # Pinned tag; VERSION can override it at deploy time.
    image: traefik:${VERSION:-v1.7.21-alpine}
    ports:
      # Host-mode publishing binds 80/443 directly on each node instead of
      # going through the swarm ingress mesh.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    command:
      # http entry point redirects everything to https. The single-instance
      # success reported with this file indicates the ACME http-01 challenge
      # is still answered on port 80 despite the redirect — confirm against
      # the Traefik v1 docs if challenges start failing.
      - --entryPoints=Name:http Address::80 Compress:true Redirect.EntryPoint:https
      - --entryPoints=Name:https Address::443 Compress:true TLS
      - --defaultEntryPoints=https,http
      - --docker.swarmmode=true
      # Services are not routed unless they opt in through labels.
      - --docker.exposedbydefault=false
      - --docker.network=traefik-net
      - --acme
      - --acme.onHostRule=true
      # File-backed ACME storage. With several global tasks each one reads
      # and writes its own copy of this file unless VOLUME_PATH points them
      # all at the same storage, and nothing here coordinates the writers.
      - --acme.storage=/letsencrypt/acme.json
      - --acme.acmeLogging=true
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.email=${ACME_EMAIL:-noreply@ethibox.fr}
    volumes:
      # Presumably: with VOLUME_PATH unset this is the named volume
      # "letsencrypt" declared below; with a directory prefix (trailing
      # slash) it becomes a bind mount on the node — verify per environment.
      - ${VOLUME_PATH}letsencrypt:/letsencrypt
      # ":ro" only makes the socket path read-only; the Docker API reached
      # through it is as privileged as with a writable mount.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      mode: global
      placement:
        constraints:
          - node.role==manager

volumes:
  letsencrypt:

networks:
  default:
    external: true
    name: traefik-net

I can't get the ACME HTTP challenge to succeed with multiple traefik instances (global mode):

time="2020-03-08T14:28:39Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.fr\" detected thanks to rule \"Host:mydomain.fr\" : unable to 
generate a certificate for the domains [mydomain.fr]: acme: Error -> One or more domains had a problem:\n[mydomain.fr] acme: error: 403 :: POST :: https://acme-v02.
api.letsencrypt.org/acme/finalize/79998865/2581198707 :: urn:ietf:params:acme:error:orderNotReady :: Order's status (\"valid\") is not acceptable for finalization, url: \n"

time="2020-03-08T14:29:38Z" level=error msg="Error getting challenge for token: cannot find challenge for token ntewarYd4CeQNofVFgOyEgglXKST5Nw2shooXs_-6_Q"

time="2020-03-08T14:43:32Z" level=info msg="legolog: [INFO] [mydomain.fr] acme: Obtaining bundled SAN certificate"
time="2020-03-08T14:43:32Z" level=info msg="legolog: [INFO] nonce error retry: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: \"0002734f7r9xaWldm981X1GzAM5RXJ_1X7ZLJFumfsFg7aE\", url: "
time="2020-03-08T14:43:33Z" level=info msg="legolog: [INFO] [mydomain.fr] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3237757872"

PS: I have a load balancer in front.
PS2: It works when I have just one instance.

I found a solution!

With consul :slight_smile:

To share ACME storage between multiple traefik instances:

---
# Traefik v1 edge proxy for a Docker Swarm with ACME state moved from a
# local file into a Consul KV store, so several Traefik tasks share one
# ACME account and certificate set.
version: "3.7"

services:
  consul:
    image: consul:1.7.1
    # Single-server agent; -bootstrap-expect=1 lets it bootstrap alone.
    # No ACL or TLS flags are given on this command line, so the KV data
    # Traefik stores under the "traefik" prefix (ACME account material at
    # traefik/acme/account) is readable by anything that reaches port 8500.
    command: agent -server -bootstrap-expect=1
    environment:
      # The image's entrypoint derives bind/client addresses from these
      # interfaces; in swarm the interface that ends up as eth0 depends on
      # network attachment order — verify on a node if Consul binds wrong.
      - CONSUL_BIND_INTERFACE=eth0
      - CONSUL_CLIENT_INTERFACE=eth0
    volumes:
      # Presumably a named volume when VOLUME_PATH is unset, a bind mount
      # when it carries a directory prefix — verify per environment.
      - ${VOLUME_PATH}consul:/consul/data
    networks:
      - internal

  traefik:
    # Pinned tag; VERSION can override it at deploy time.
    image: traefik:${VERSION:-v1.7.21-alpine}
    ports:
      # Host-mode publishing binds 80/443 directly on each node instead of
      # going through the swarm ingress mesh.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    command:
      - --entryPoints=Name:http Address::80 Compress:true Redirect.EntryPoint:https
      - --entryPoints=Name:https Address::443 Compress:true TLS
      - --defaultEntryPoints=https,http
      - --docker.swarmmode=true
      # Services are not routed unless they opt in through labels.
      - --docker.exposedbydefault=false
      - --docker.network=traefik-net
      # Consul KV backend, reached over the "internal" overlay by service
      # name. The connection is plain HTTP on 8500.
      - --consul
      - --consul.endpoint=consul:8500
      - --consul.prefix=traefik
      - --acme
      - --acme.onHostRule=true
      # KV key (under the consul prefix) that replaces acme.json, shared by
      # every Traefik task.
      - --acme.storage=traefik/acme/account
      - --acme.acmeLogging=true
      - --acme.entryPoint=https
      - --acme.httpChallenge.entryPoint=http
      - --acme.email=${ACME_EMAIL:-noreply@ethibox.fr}
    volumes:
      # ":ro" only makes the socket path read-only; the Docker API reached
      # through it is as privileged as with a writable mount.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      # Default is replicated (one replica unless replicas: is added);
      # MODE=global gives one task per manager as in the earlier file.
      mode: ${MODE:-replicated}
      placement:
        constraints:
          - node.role==manager
    networks:
      - internal
      - traefik

volumes:
  consul:

networks:
  internal:
    driver: overlay
    # attachable lets standalone containers join this network; anything
    # that joins it can reach the unauthenticated Consul API above. Drop
    # this if only swarm services need to reach Consul.
    attachable: true
  traefik:
    external: true
    name: traefik-net