Common Problems Setting up Traefik ACME #192
Background
I'm switching from Nginx Proxy Manager to Traefik for my home server. That's because Nginx Proxy Manager is buggy. The biggest problem is that if a service is down before Nginx is started, Nginx will never start up. And the inconvenience of managing rules for services is also annoying. So I'm trying out Traefik, the more docker-native one.
Common Problems
I actually encountered many problems when setting up Traefik and ACME. Here are the problems and my solutions.
Dial 127.0.0.11:53 time out
Traefik can't connect to Let's Encrypt and keeps complaining "Dial 127.0.0.11:53 time out". I'm confused because the containers I created before have no problem accessing the Internet. I tried many solutions and found this one the most helpful: reboot. Oh yeah. After all, rebooting fixes 90 percent of user computer problems.
Connection to Let's Encrypt is unstable
After solving the "dial time out" error, I found that the network connection to Let's Encrypt is unstable. I randomly got timeouts and connection resets. But I have no problem accessing Let's Encrypt on the host. That turns out to be an IPv4 and IPv6 problem. You can try these on the host:
If IPv6 works fine but IPv4 gets timeouts or connection resets, you are having the same problem as mine. To fix this, we need to add IPv6 to the Traefik docker container and set the hosts via
Since my ISP is constantly changing the IPv6 prefix, providing a fixed CIDR is impossible. Therefore, I chose Docker with IPv6 NAT and created a new network by
And added Traefik to this network:
You are free to try out the official way to enable IPv6 in Docker: Enable IPv6 support | Docker Documentation
Host lost IPv6 connectivity
After following docker-ipv6nat's documentation, I found that the host couldn't reach any other IPv6 hosts as soon as I restarted the Docker daemon to enable IPv6. I had to disable IPv6 for Docker and reboot the machine.
The problem can be fixed by adding these lines to /etc/sysctl.conf, as described in the troubleshooting section:
Could not determine authoritative nameservers
Finally, I can connect to Let's Encrypt without issue. But there was another problem. Traefik complains:
That's strange. I tried to dig my domain and found that there is no answer for the NS record and there is only an SOA record.
On the one hand, there might be some problems with my DNS provider. On the other hand, LEGO fails to recognize the SOA record. The workaround is to disable DNS checking before notifying Let's Encrypt that we're ready:
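To see why an SOA-only answer trips this check, here is an added example, not code from the post, LEGO or Traefik: a simplified model of a DNS-01 pre-check that assumes the client finds the zone by SOA lookup and then requires NS records for it. The zone data, record values and the `disable_check` parameter are constructed for illustration.

```python
# Simplified model of a DNS-01 pre-check (assumption: not LEGO's or Traefik's code).
# All zone data below is constructed sample input.

class PrecheckError(Exception):
    pass

def query(records, name, rtype):
    """Look up constructed records; stands in for a real DNS query."""
    return records.get((name.rstrip(".").lower(), rtype), [])

def find_zone(records, fqdn):
    """Walk up the labels until a name answers with an SOA record."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if query(records, candidate, "SOA"):
            return candidate
    raise PrecheckError(f"no SOA found for {fqdn}")

def authoritative_nameservers(records, fqdn):
    """Return the NS set of the enclosing zone, or fail like the page's error."""
    zone = find_zone(records, fqdn)
    ns = query(records, zone, "NS")
    if not ns:
        raise PrecheckError(f"could not determine authoritative nameservers for {zone}")
    return ns

def precheck(records, domain, expected_txt, disable_check=False):
    """True when the challenge TXT record is visible (or the check is skipped)."""
    if disable_check:
        return True  # workaround: skip local verification, the CA still validates
    authoritative_nameservers(records, domain)
    return expected_txt in query(records, "_acme-challenge." + domain, "TXT")

# Constructed zones: one healthy, one answering SOA but no NS (the page's case).
HEALTHY = {
    ("example.org", "SOA"): ["ns1.example.net. hostmaster.example.org. 1"],
    ("example.org", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("_acme-challenge.home.example.org", "TXT"): ["token-abc"],
}
SOA_ONLY = {k: v for k, v in HEALTHY.items() if k[1] != "NS"}

if __name__ == "__main__":
    print(precheck(HEALTHY, "home.example.org", "token-abc"))
    try:
        precheck(SOA_ONLY, "home.example.org", "token-abc")
    except PrecheckError as err:
        print("pre-check failed:", err)
    print(precheck(SOA_ONLY, "home.example.org", "token-abc", disable_check=True))
```

With the check skipped, a TXT record that has not propagated yet is no longer caught locally and instead shows up as a failed validation at the CA.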
Final Compose File