traefik: ACME RFC2136 update not retried on error

Do you want to request a feature or report a bug?

Bug

What did you do?

Set up RFC2136 acme certificate updates.

What did you expect to see?

Certs updated even in the case of transient errors with the configured DNS server, or network issues like packet loss.

What did you see instead?

  • At renewal, either the server specified by RFC2136_NAMESERVER or the network appears to have had issues, resulting in the following: msg="Error renewing certificate from LE: {*.mydomain.com [mydomain.com]}, acme: Error -> One or more domains had a problem:\n[mydomain.com] error presenting token: rfc2136: DNS update failed: read udp [2001:xxxx::1]:52529->[2001:xxxx::2]:53: i/o timeout\n"
  • Subsequently, the following message was repeated every day, so it appears to be trying to confirm the DNS update that never happened, and failing: msg="Error renewing certificate from LE: {*.mydomain.com [mydomain.com]}, acme: Error -> One or more domains had a problem:\n[mydomain.com] time limit exceeded: last error: NS ns0.mydomain.com. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.com.]\n"

Now, my certs are going to expire in a couple of weeks, and I don’t know how to make traefik retry the DNS update so that the renewal can occur.

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.7.6
Codename:     maroilles
Go version:   go1.11.3
Built:        2018-12-14_06:43:37AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, …)?

[acme]
email = "letsencrypt@mydomain.com"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"

# staging server for testing
#caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true

        [acme.httpChallenge]
        entryPoint = "http"

        [acme.dnsChallenge]
        provider = "rfc2136"

        [[acme.domains]]
        main = "*.mydomain.com"
        sans = ["mydomain.com"]

        [[acme.domains]]
        main = "*.myotherdomain.com"
        sans = ["myotherdomain.com"]
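
The failure reported above is a single UDP timeout on the DNS UPDATE that is never retried, after which every later check looks for a TXT record that was never published. The following Go code is an added example, not Traefik's or lego's own code: `updateFunc`, `presentWithRetry` and `flakyUpdate` are hypothetical names, and the timeout error is constructed to mimic the logged `i/o timeout`. It retries only timeouts, with a doubling delay, and returns any other error immediately.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// updateFunc stands in for the RFC 2136 UPDATE that publishes the TXT record (hypothetical hook).
type updateFunc func(ctx context.Context) error

// presentWithRetry retries only network timeouts, doubling the delay; it returns the attempts used.
func presentWithRetry(ctx context.Context, update updateFunc, attempts int, delay time.Duration) (int, error) {
	for try := 1; ; try++ {
		err := update(ctx)
		if err == nil {
			return try, nil
		}
		// Give up on non-timeout errors (retrying will not help) or when attempts run out.
		var nerr net.Error
		if !errors.As(err, &nerr) || !nerr.Timeout() || try >= attempts {
			return try, fmt.Errorf("rfc2136 update gave up after %d attempt(s): %w", try, err)
		}
		select {
		case <-time.After(delay):
			delay *= 2
		case <-ctx.Done():
			return try, ctx.Err()
		}
	}
}

// flakyUpdate is a constructed stand-in: it times out `failures` times, then succeeds.
func flakyUpdate(failures int) updateFunc {
	return func(context.Context) error {
		if failures > 0 {
			failures--
			return &net.OpError{Op: "read", Net: "udp", Err: os.ErrDeadlineExceeded}
		}
		return nil
	}
}

func main() {
	n, err := presentWithRetry(context.Background(), flakyUpdate(2), 4, 10*time.Millisecond)
	fmt.Println(n, err) // 3 <nil>
}
```
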

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (10 by maintainers)

Most upvoted comments

I will create a PR on Traefik soon.