traefik: traefik 2.4 can't renew ssl certificates: acme: error presenting token: timeout
Bug
What did you do?
Every day traefik reboots on docker with the latest version. For 13 days the certificates don't renew anymore with this error, aka since the 2.4 version came out. I reverted to version 2.3.7 and it works again. There must be a bug in 2.4.
What did you expect to see?
a working certificate renew
What did you see instead?
an error:
level=error msg="Error renewing certificate from LE: {whoami.xxx.com []}, error: one or more domains had a problem:\n[whoami.xxx.com] [whoami.xxx.com] acme: error presenting token: timeout 2021-02-02 04:12:50.62907638 +0000 UTC m=+7.229727075\n" providerName=le.acme
Output of traefik version: (What version of Traefik are you using?)
Version: 2.4.1
Codename: livarot
Go version: go1.15.7
Built: 2021-02-01T16:28:12Z
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml, provider, platform, …)?
version: "3.3"
services:
  #################
  # REVERSE PROXY #
  #################
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    command:
      # listen port 443 and name it websecure
      - --entrypoints.websecure.address=:443
      # listen port 80 and name it web
      - --entrypoints.web.address=:80
      # you need to enable traefik on each container
      - --providers.docker.exposedByDefault=false
      # listen for docker changes
      - --providers.docker=true
      # activate traefik api
      - --api
      # activate traefik ping service
      - --ping
      - --ping.manualrouting=true
      - --ping.entryPoint=websecure
      # use letsencrypt to generate certificates
      - --certificatesresolvers.le.acme.email=xxx@xxx.com
      - --certificatesresolvers.le.acme.storage=/traefik/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      # set logging level
      - --log.level=INFO
      # activate accesslog in a separate file
      - --accesslog=true
      - --accesslog.format=json
      - --accesslog.bufferingsize=100
      - --accesslog.filepath=/traefik/access.log
      - --accesslog.fields.headers.names.User-Agent=keep
      - --accesslog.fields.headers.names.X-Request-ID=keep
      # activate metrics exporting to influxdb
      - --metrics.influxdb=true
      - --metrics.influxdb.protocol=http
      - --metrics.influxdb.address=https://influxdb.xxx.com
      - --metrics.influxdb.database=mydb
      - --metrics.influxdb.username=admin
      - --metrics.influxdb.password=${PASSWORD}
      # config file for more settings: tls ciphers for grade A on ssllabs
      - --providers.file.filename=/traefik/traefik.toml
      - --providers.file.watch=true
      # add a custom uniqid on every request
      - --tracing.jaeger=true
      - --tracing.jaeger.samplingParam=0
      - --tracing.jaeger.traceContextHeaderName=X-Request-ID
    labels:
      - "traefik.enable=true"
      # catch all traefik errors
      - "traefik.http.routers.globalerrorpage.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.globalerrorpage.tls.certresolver=le"
      - "traefik.http.routers.globalerrorpage.entrypoints=websecure"
      - "traefik.http.routers.globalerrorpage.service=errorpage"
      - "traefik.http.routers.globalerrorpage.priority=1"
      # create a middleware to replace 404 errors by a standard page
      - "traefik.http.middlewares.errorpage.errors.status=404"
      - "traefik.http.middlewares.errorpage.errors.service=errorpage"
      - "traefik.http.middlewares.errorpage.errors.query=/{status}"
      # create a middleware to redirect to www
      - traefik.http.middlewares.redirect-to-www.redirectregex.regex=(https|http)://(?:www.)?(.*)
      - traefik.http.middlewares.redirect-to-www.redirectregex.replacement=https://www.$${2}
      # create a middleware to redirect to non-www
      - traefik.http.middlewares.redirect-to-nonwww.redirectregex.regex=(https|http)://(www\.(.*))
      - traefik.http.middlewares.redirect-to-nonwww.redirectregex.replacement=https://$${3}
      # create a middleware named redirect-to-https, to automatically redirect http to https
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
      # apply middleware "redirect-to-https" to all hosts connected to the "web" entrypoint
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      # create a middleware named admin, to request basic authentication of users
      # you can generate a user:password pair with this command:
      # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
      - "traefik.http.middlewares.admin.basicauth.users=admin:${HASHPASSWORD}"
      # create a middleware named securityheaders to automatically set good security headers
      - "traefik.http.middlewares.securityheaders.headers.referrerPolicy=strict-origin-when-cross-origin"
      # api secure
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=securityheaders,admin"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      # ping secure
      - "traefik.http.routers.ping.rule=Host(`traefik.${DOMAIN}`) && PathPrefix(`/ping`)"
      - "traefik.http.routers.ping.service=ping@internal"
      - "traefik.http.routers.ping.middlewares=securityheaders"
      - "traefik.http.routers.ping.tls.certresolver=le"
      - "traefik.http.routers.ping.entrypoints=websecure"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik:/traefik"
  whoami:
    image: containous/whoami
    restart: always
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.middlewares=securityheaders"
  errorpage:
    image: ${REGISTRY}/errorpage:latest
    build: ./errorpage
    restart: always
    container_name: errorpage
    volumes:
      - ./errorpage:/usr/app/
    working_dir: /usr/app
    command: nodemon --exitcrash server.js
    environment:
      - "NODE_ENV=production"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.errorpage.loadbalancer.server.port=3000"
      - "traefik.http.routers.errorpage.rule=Host(`error.${DOMAIN}`)"
      - "traefik.http.routers.errorpage.tls.certresolver=le"
      - "traefik.http.routers.errorpage.entrypoints=websecure"
      - "traefik.http.routers.errorpage.middlewares=securityheaders"
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
About this issue
- State: closed
- Created 3 years ago
- Reactions: 10
- Comments: 20 (5 by maintainers)
I confirm I had the same issue with 2.4
As you can see, we put the label bug/confirmed, so we already confirmed this bug.
I'm actually still seeing this with 2.4.3:
Hello @ngc4579 @rafipiccolo,
Did you try to change the default provider's throttle duration (2s by default)? (here's the documentation) Increasing the throttling of providers would also increase the timeout for the TLS challenges.
I’m also seeing this problem on a Raspberry Pi 2 Model B (armv7l arch), on a clean install of Raspberry Pi OS Lite (Debian Buster-based), with docker.io and docker-compose from the stock repositories. traefik:v2.4.8 times out, traefik:v2.3.7 works with Let’s Encrypt.
I’m afraid to test much since I know you can get your domain or IP banned from requesting too many certificates.
Since a few of us here are reporting this with Raspberries, I wonder if this could be related to the libseccomp problem ( https://docs.linuxserver.io/faq#libseccomp ) which affects some images. For information, I am not using the fixed libseccomp from buster-backports. traefik:v2.4.8 is based on Alpine 3.11 though…
Same problem here with traefik 2.4.2 and 2.4.8, reverting to 2.3.7 solved the problem
time="2021-04-08T10:53:00Z" level=error msg="Error renewing certificate from LE: {example.com []}, error: one or more domains had a problem:\n[example.com] [example.com] acme: error presenting token: timeout 2021-04-08 10:52:59.546612756 +0000 UTC m=+5.729588202\n" providerName=mytlschallenge.acme
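Added example (not from this issue or the Traefik project): a small Python check that picks the "Error renewing certificate" lines quoted in this thread out of Traefik's log and groups them per domain and resolver, so a renewal that fails on every restart is noticed before the existing certificate expires. The sample log is constructed, modelled on the entries above; the regex assumes Traefik's default text log format.

```python
import re
from datetime import datetime, timezone

# Constructed sample log, modelled on the error lines quoted in this issue
# (the literal "\n" inside msg="..." is how Traefik writes embedded newlines).
SAMPLE_LOG = r'''time="2021-04-08T10:52:50Z" level=info msg="Configuration loaded from flags."
time="2021-04-08T10:53:00Z" level=error msg="Error renewing certificate from LE: {example.com []}, error: one or more domains had a problem:\n[example.com] [example.com] acme: error presenting token: timeout 2021-04-08 10:52:59.546612756 +0000 UTC m=+5.729588202\n" providerName=mytlschallenge.acme
time="2021-04-08T10:53:01Z" level=error msg="Error renewing certificate from LE: {whoami.xxx.com []}, error: one or more domains had a problem:\n[whoami.xxx.com] [whoami.xxx.com] acme: error presenting token: timeout 2021-04-08 10:53:00.629076380 +0000 UTC m=+7.229727075\n" providerName=le.acme
time="2021-04-08T10:53:02Z" level=error msg="Error renewing certificate from LE: {example.com []}, error: one or more domains had a problem:\n[example.com] [example.com] acme: error presenting token: timeout 2021-04-08 10:53:01.000000000 +0000 UTC m=+8.000000000\n" providerName=mytlschallenge.acme
'''

# Traefik's "Error renewing certificate" line: timestamp, primary domain,
# the ACME error text and the certificate resolver (providerName) that failed.
RENEWAL_ERROR = re.compile(
    r'time="(?P<ts>[^"]+)" level=error '
    r'msg="Error renewing certificate from LE: \{(?P<domain>[^ ]+) \[[^\]]*\]\}, '
    r'error: (?P<reason>.*?)" providerName=(?P<resolver>\S+)'
)

def parse_renewal_errors(log_text):
    """Return one dict per failed renewal found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = RENEWAL_ERROR.search(line)
        if not m:
            continue
        # Keep only the ACME error itself, dropping the Go time stamp appended after it.
        detail = m.group("reason").split("acme: ", 1)[-1]
        detail = re.sub(r"\s+\d{4}-\d{2}-\d{2} .*$", "", detail).replace("\\n", "").strip()
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": ts, "domain": m.group("domain"),
                       "resolver": m.group("resolver"), "detail": detail})
    return events

def renewal_failures(log_text):
    """Group failures per (domain, resolver): count, last occurrence and last error text."""
    grouped = {}
    for ev in parse_renewal_errors(log_text):
        grouped.setdefault((ev["domain"], ev["resolver"]), []).append(ev)
    return {
        key: {"count": len(evs), "last_seen": max(e["time"] for e in evs), "detail": evs[-1]["detail"]}
        for key, evs in grouped.items()
    }

def should_alert(summary, threshold=2):
    """Domains whose renewal failed at least `threshold` times, sorted for stable output."""
    return sorted(domain for (domain, _), v in summary.items() if v["count"] >= threshold)
```

Run it against the container's log (for example the output of `docker logs traefik`) from a cron job or a log shipper; a repeated "error presenting token: timeout" for the same domain is the signal that the challenge, not the ACME account, is what is broken.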