Hello !
I'm trying to set up Traefik V2 on a Synology DS1518+ with a Let's encrypt certificate using a DNS-01 challenge with OVH as my domain name host.
It doesn't work and I really don't understand why. I can't find any good info about the Error -\u003e .
I have tried to generate different ovh application, but it didn't help. I have also tried to simplify my docker compose to put directly my appliction key, etc and the error is still the same.
I really don't know what to debug next.
Thank you for taking the time to read !
My docker-compose is :
version: '3.7'
#secrets:
# # secret name also used to name the file exposed within the container
# ovh_endpoint:
# # path on the host
# file: "/volume1/docker/cli/traefik/secrets/ovh_endpoint.secret"
# ovh_application_key:
# file: "/volume1/docker/cli/traefik/secrets/ovh_application_key.secret"
# ovh_application_secret:
# file: "/volume1/docker/cli/traefik/secrets/ovh_application_secret.secret"
# ovh_consumer_key:
# file: "/volume1/docker/cli/traefik/secrets/ovh_consumer_key.secret"
networks:
traefik-public-net:
external: true
services:
traefik:
# The official v2.0 Traefik docker image
image: "traefik:v2.1"
container_name: "traefik"
# Enables the web UI and tells Traefik to listen to docker
ports:
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
# secrets:
# - "ovh_endpoint"
# - "ovh_application_key"
# - "ovh_application_secret"
# - "ovh_consumer_key"
environment:
- "TZ=Europe/Paris"
- "OVH_ENDPOINT=ovh-eu"
- "OVH_APPLICATION_KEY=xxxxxxxxxxx"
- "OVH_APPLICATION_SECRET=yyyyyyyyyyyyyyyyyy"
- "OVH_CONSUMER_KEY=zzzzzzzzzzzzzzzzzzzzzzzzzz"
networks:
- traefik-public-net
volumes:
# So that Traefik can listen to the Docker events
- /volume1/docker/cli/traefik/traefik.toml:/etc/traefik/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock:ro
- /volume1/docker/cli/traefik/acme.json:/etc/traefik/acme.json
- /volume1/docker/cli/traefik/traefik.log:/var/traefik.log
labels:
#labels to have access to the dashboard with digest auth
- traefik.enable=true
- traefik.http.routers.traefikdashboard-http.rule=Host(`traefik.mydomain.ovh`)
- traefik.http.routers.traefikdashboard-http.entrypoints=http
- traefik.http.middlewares.httptohttps.redirectscheme.scheme=https
- traefik.http.routers.traefikdashboard-http.middlewares=httptohttps
- traefik.http.routers.traefikdashboard-https.rule=Host(`traefik.mydomain.ovh`)
- traefik.http.routers.traefikdashboard-https.entrypoints=https
- traefik.http.routers.traefikdashboard-https.service=api@internal
- traefik.http.routers.traefikdashboard-https.tls.certresolver=dnschallengeovh
- traefik.http.routers.traefikdashboard-https.tls.domains[0].main=*.mydomain.ovh
- traefik.http.routers.traefikdashboard-https.tls.domains[0].sans=mydomain.ovh
- traefik.http.routers.traefikdashboard-https.middlewares=auth
- traefik.http.middlewares.auth.digestauth.users=admin:traefik:44322354bb6bc62ac53f507812fa4eb24398eb60
restart: unless-stopped
my traefik.toml:
[global]
checkNewVersion = true
sendAnonymousUsage = false
[entryPoints]
[entryPoints.http]
# Listen on port 80 for incoming requests
address = ":80"
[entryPoints.https]
# Listen on port 443 for incoming requests
address = ":443"
[providers]
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false #Expose containers by default through Traefik. If set to false, containers that don't have a traefik.enable=true label will be ignored from the resulting routing configuration.
watch = true
#[providers.docker.tls]
# insecureSkipVerify = true #If insecureSkipVerify is true, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate.
[certificatesResolvers.dnschallengeovh.acme]
email = "myemail@gmail.com"
storage = "acme.json"
#caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[certificatesResolvers.dnschallengeovh.acme.dnsChallenge]
provider = "ovh"
delayBeforeCheck = 10
resolvers = ["213.251.128.146:53", "213.251.188.146:53"]
[api]
dashboard = true
#insecure = true
#debug = true
[log]
filePath = "/var/traefik.log"
format = "json"
level = "DEBUG" #Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
and the relevant logs :
{"level":"debug","msg":"legolog: [INFO] acme: Registering account for myemail@gmail.com","time":"2020-03-20T01:09:47+01:00"}
{"level":"debug","msg":"Using DNS Challenge provider: ovh","providerName":"dnschallengeovh.acme","time":"2020-03-20T01:09:48+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh, mydomain.ovh] acme: Obtaining bundled SAN certificate","time":"2020-03-20T01:09:48+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425608","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425609","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: use dns-01 solver","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Could not find solver for: tls-alpn-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Could not find solver for: http-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: use dns-01 solver","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: Preparing to solve DNS-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Preparing to solve DNS-01","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [*.mydomain.ovh] acme: Cleaning DNS-01 challenge","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [*.mydomain.ovh] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.mydomain.ovh.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] [mydomain.ovh] acme: Cleaning DNS-01 challenge","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [WARN] [mydomain.ovh] acme: error cleaning up: ovh: unknown record ID for '_acme-challenge.mydomain.ovh.' ","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425608","time":"2020-03-20T01:09:49+01:00"}
{"level":"debug","msg":"legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3455425609","time":"2020-03-20T01:09:49+01:00"}
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"*.mydomain.ovh,mydomain.ovh\" : unable to generate a certificate for the domains [*.mydomain.ovh mydomain.ovh]: acme: Error -\u003e One or more domains had a problem:\n[*.mydomain.ovh] [*.mydomain.ovh] acme: error presenting token: ovh: could not determine zone for domain: 'mydomain.ovh'. unexpected response code 'REFUSED' for mydomain.ovh.\n[mydomain.ovh] [mydomain.ovh] acme: error presenting token: ovh: could not determine zone for domain: 'mydomain.ovh'. unexpected response code 'REFUSED' for mydomain.ovh.\n","providerName":"dnschallengeovh.acme","time":"2020-03-20T01:09:50+01:00"}