
Could not determine solvers #2691

Closed
tobgen opened this issue Jan 11, 2018 · 13 comments

@tobgen

commented Jan 11, 2018

What did you do?

Trying to make Traefik issue a cert for my new setup.
Have tried on 3 different docker boxes, for 3 different domains, on different ISPs

What did you expect to see?

Getting a cert for the requested service

What did you see instead?

time="2018-01-11T09:08:09Z" level=error msg="map[whoami.fraggelberget.nu:[whoami.fraggelberget.nu] acme: Could not determine solvers]"
time="2018-01-11T09:08:09Z" level=error msg="Error getting ACME certificates 

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.4.6
Codename:     roquefort
Go version:   go1.9.2
Built:        2018-01-02_12:27:08PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

config json
{
 "GraceTimeOut": 10000000000,
 "Debug": true,
 "CheckNewVersion": true,
 "AccessLogsFile": "",
 "AccessLog": {
  "format": "common"
 },
 "TraefikLogsFile": "",
 "LogLevel": "INFO",
 "EntryPoints": {
  "http": {
   "Network": "",
   "Address": "xxxx",
   "TLS": null,
   "Redirect": null,
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  },
  "https": {
   "Network": "",
   "Address": "xxxx",
   "TLS": {
    "MinVersion": "",
    "CipherSuites": null,
    "Certificates": null,
    "ClientCAFiles": null
   },
   "Redirect": null,
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  }
 },
 "Cluster": null,
 "Constraints": [],
 "ACME": {
  "Email": "xxxx",
  "Domains": null,
  "Storage": "xxxx",
  "StorageFile": "",
  "OnDemand": false,
  "OnHostRule": false,
  "CAServer": "xxxx",
  "EntryPoint": "xxxx",
  "DNSProvider": "",
  "DelayDontCheckDNS": 0,
  "ACMELogging": false,
  "TLSConfig": null
 },
 "DefaultEntryPoints": [
  "https",
  "http"
 ],
 "ProvidersThrottleDuration": 2000000000,
 "MaxIdleConnsPerHost": 200,
 "IdleTimeout": 0,
 "InsecureSkipVerify": false,
 "RootCAs": null,
 "Retry": {
  "Attempts": 0
 },
 "HealthCheck": {
  "Interval": 30000000000
 },
 "RespondingTimeouts": null,
 "ForwardingTimeouts": null,
 "Docker": {
  "Watch": true,
  "Filename": "",
  "Constraints": null,
  "Trace": false,
  "DebugLogGeneratedTemplate": false,
  "Endpoint": "xxxx",
  "Domain": "xxxx",
  "TLS": null,
  "ExposedByDefault": false,
  "UseBindPortIP": false,
  "SwarmMode": false
 },
 "File": null,
 "Web": {
  "Address": ":8080",
  "CertFile": "",
  "KeyFile": "",
  "ReadOnly": false,
  "Statistics": null,
  "Metrics": null,
  "Path": "",
  "Auth": null,
  "Debug": false,
  "CurrentConfigurations": null,
  "Stats": null,
  "StatsRecorder": null
 },
 "Marathon": null,
 "Consul": null,
 "ConsulCatalog": null,
 "Etcd": null,
 "Zookeeper": null,
 "Boltdb": null,
 "Kubernetes": null,
 "Mesos": null,
 "Eureka": null,
 "ECS": null,
 "Rancher": null,
 "DynamoDB": null,
 "ConfigFile": "//traefik.toml"
}

traefik.toml:

# Traefik static configuration as posted in the report (version v1.4.6 per the output above).
# NOTE(review): debug = true is presumably why debug-level lines appear in the
# logs even though logLevel = "INFO" — confirm against the Traefik 1.4 docs.
debug = true
checkNewVersion = true
logLevel = "INFO"

# Frontends are wired to both entry points unless they say otherwise.
defaultEntryPoints = ["https","http"]
[accessLog]

# Web provider (dashboard and API) listening on every interface, port 8080.
# No [web.auth] section is set here and the config dump shows "Auth": null and
# "ReadOnly": false, so anyone who can reach this port gets unauthenticated
# access. Bind it to a trusted interface or add authentication.
[web]
  address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
   # [entryPoints.http.redirect]
   # entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  # Empty TLS table: TLS is enabled with no minVersion or cipherSuites pinned
  # (the dump shows "MinVersion": "" and "CipherSuites": null), so the build's
  # defaults apply.
  [entryPoints.https.tls]

[retry]

# Docker provider. The endpoint is the local Docker socket: a process that can
# talk to this socket can control the daemon, so the Traefik container should be
# treated as host-privileged.
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "fraggelberget.nu"
watch = true
# Containers are only routed when they opt in with traefik.enable=true.
exposedbydefault = false

[acme]
email = "xxx@fraggelberget.nu"
# acme.json stores the ACME account key and the issued certificates' private
# keys; keep the file readable only by the user Traefik runs as.
storage = "acme.json"
# Challenges are answered on the https entry point and no dnsProvider is set.
# NOTE(review): presumably this means TLS-SNI-01 is the only challenge type this
# version can solve, which would match the "Could not determine solvers" error
# once the CA stops offering it — confirm against the linked Let's Encrypt notice.
entryPoint = "https"
#onDemand = true
# Request a certificate for each Host rule found on a frontend.
OnHostRule = true
# Let's Encrypt staging directory: certificates issued here are not publicly trusted.
caServer = "https://acme-staging.api.letsencrypt.org/directory"

docker-compose.yml:

  # Reverse proxy. Image is pinned to the 1.4.6 tag.
  traefik:
    image: traefik:1.4.6
    restart: always
    ports:
      - 80:80
      - 443:443
      # Publishes the web provider (container port 8080) on host port 8070 on all
      # interfaces; traefik.toml sets no authentication for it. Bind to 127.0.0.1
      # or firewall the port if the dashboard/API must not be publicly reachable.
      - 8070:8080
    volumes:
      # Docker socket mounted into the container: this gives the container control
      # of the Docker daemon, which is equivalent to root on the host. A socket
      # proxy that exposes only the endpoints Traefik needs reduces that exposure.
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/docker/traefik/traefik.toml:/traefik.toml
      # Holds the ACME account key and certificate private keys; restrict the
      # permissions of the host file.
      - /data/docker/traefik/acme.json:/acme.json
    container_name: traefik
    labels:
     # Keeps Traefik from creating a route to itself.
     - traefik.enable=false
    links:
      - whoami


  # Test backend. The image has no tag, so whatever "latest" resolves to at pull
  # time is what runs; pin a tag or digest for reproducible deployments.
  whoami:
    image: emilevauge/whoami
    container_name: whoami
    labels:
      - "traefik.tags=backend"
      # Opt-in is required because exposedbydefault = false in traefik.toml.
      - "traefik.enable=true"
      # Host rule; with OnHostRule = true this is the name a certificate is requested for.
      - "traefik.whoami.frontend.rule=Host:whoami.fraggelberget.nu"

Log from docker logs traefik:

time="2018-01-11T09:08:09Z" level=debug msg="Validation of load balancer method for backend backend-whoami-whoami-dockercompose-whoami failed: invalid load-balancing method ''. Using default method wrr."
time="2018-01-11T09:08:09Z" level=debug msg="Configuration received from provider docker: {"backends":{"backend-whoami-whoami-dockercompose-whoami":{"servers":{"service-0":{"url":"http://172.18.0.17:80","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-whoami-whoami-dockercompose-whoami":{"entryPoints":["https","http"],"backend":"backend-whoami-whoami-dockercompose-whoami","routes":{"service-whoami":{"rule":"Host:whoami.fraggelberget.nu"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}}}}"
time="2018-01-11T09:08:09Z" level=debug msg="Last docker config received more than 2s, OK"
time="2018-01-11T09:08:09Z" level=debug msg="Creating frontend frontend-whoami-whoami-dockercompose-whoami"
time="2018-01-11T09:08:09Z" level=debug msg="Wiring frontend frontend-whoami-whoami-dockercompose-whoami to entryPoint https"
time="2018-01-11T09:08:09Z" level=debug msg="Creating route service-whoami Host:whoami.fraggelberget.nu"
time="2018-01-11T09:08:09Z" level=debug msg="Creating backend backend-whoami-whoami-dockercompose-whoami"
time="2018-01-11T09:08:09Z" level=debug msg="Creating load-balancer wrr"
time="2018-01-11T09:08:09Z" level=debug msg="Creating server service-0 at http://172.18.0.17:80 with weight 0"
time="2018-01-11T09:08:09Z" level=debug msg="Creating retries max attempts 1"
time="2018-01-11T09:08:09Z" level=debug msg="Wiring frontend frontend-whoami-whoami-dockercompose-whoami to entryPoint http"
time="2018-01-11T09:08:09Z" level=debug msg="Creating route service-whoami Host:whoami.fraggelberget.nu"
time="2018-01-11T09:08:09Z" level=debug msg="Creating backend backend-whoami-whoami-dockercompose-whoami"
time="2018-01-11T09:08:09Z" level=debug msg="Creating load-balancer wrr"
time="2018-01-11T09:08:09Z" level=debug msg="Creating server service-0 at http://172.18.0.17:80 with weight 0"
time="2018-01-11T09:08:09Z" level=debug msg="Creating retries max attempts 1"
time="2018-01-11T09:08:09Z" level=info msg="Server configuration reloaded on :80"
time="2018-01-11T09:08:09Z" level=info msg="Server configuration reloaded on :443"
time="2018-01-11T09:08:09Z" level=debug msg="LoadCertificateForDomains [whoami.fraggelberget.nu]..."
time="2018-01-11T09:08:09Z" level=debug msg="Look for provided certificate to validate [whoami.fraggelberget.nu]..."
time="2018-01-11T09:08:09Z" level=debug msg="No provided certificate found for domains [whoami.fraggelberget.nu], get ACME certificate."
time="2018-01-11T09:08:09Z" level=debug msg="Loading ACME certificates [whoami.fraggelberget.nu]..."
time="2018-01-11T09:08:09Z" level=error msg="map[whoami.fraggelberget.nu:[whoami.fraggelberget.nu] acme: Could not determine solvers]"
time="2018-01-11T09:08:09Z" level=error msg="Error getting ACME certificates [whoami.fraggelberget.nu] : Cannot obtain certificates map[whoami.fraggelberget.nu:[whoami.fraggelberget.nu] acme: Could not determine solvers]+v"
time="2018-01-11T09:56:41Z" level=debug msg="Look for provided certificate to validate [144.63.20.144]..."
time="2018-01-11T09:56:41Z" level=debug msg="No provided certificate found for domains [144.63.20.144], get ACME certificate."
time="2018-01-11T09:56:41Z" level=debug msg="Challenge GetCertificate 144.63.20.144"
time="2018-01-11T09:56:41Z" level=debug msg="ACME got nothing 144.63.20.144"

Logs from another setup (this one using LetsEncrypt stage-api,domain name removed):

traefik-ingress_1  | time="2018-01-10T13:19:41Z" level=debug msg="Loading ACME certificates [special.xxx.se www.special.xxx.se]..." 
traefik-ingress_1  | legolog: 2018/01/10 13:19:41 [INFO][special.xxxt.se, www.special.xxx.se] acme: Obtaining bundled SAN certificate
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][special.xxxx.se] AuthURL: https://acme-staging.api.letsencrypt.org/acme/authz/[REDACTED]
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][www.special.xxx.se] AuthURL: https://acme-staging.api.letsencrypt.org/acme/authz/[REDACTED]
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][special.xxx.se] acme: Could not find solver for: http-01
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][special.xxx.se] acme: Could not find solver for: dns-01
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][www.special.xxxt.se] acme: Could not find solver for: dns-01
traefik-ingress_1  | legolog: 2018/01/10 13:19:42 [INFO][www.special.xxx.se] acme: Could not find solver for: http-01
traefik-ingress_1  | time="2018-01-10T13:19:42Z" level=error msg="map[special.xxx.se:[special.xxx.se] acme: Could not determine solvers www.special.xxx.se:[www.special.xxx.se] acme: Could not determine solvers]" 
traefik-ingress_1  | time="2018-01-10T13:19:42Z" level=error msg="Error getting ACME certificates [special.xxx.se www.special.xxx.se] : Cannot obtain certificates map[special.xxx.se:[special.xxx.se] acme: Could not determine solvers www.special.xxx.se:[www.special.xxx.se] acme: Could not determine solvers]+v" 

Logs from the 3rd setup (Using LetsEncrypt prod-api, has worked before on another hostname, but does not work anymore):

traefik_1        | time="2018-01-11T10:22:58Z" level=debug msg="LoadCertificateForDomains [whoami1.netnerdz.se]..." 
traefik_1        | time="2018-01-11T10:22:58Z" level=debug msg="Look for provided certificate to validate [whoami1.netnerdz.se]..." 
traefik_1        | time="2018-01-11T10:22:58Z" level=debug msg="No provided certificate found for domains [whoami1.netnerdz.se], get ACME certificate." 
traefik_1        | time="2018-01-11T10:22:58Z" level=debug msg="Loading ACME certificates [whoami1.netnerdz.se]..." 
traefik_1        | legolog: 2018/01/11 10:22:58 [INFO][whoami1.netnerdz.se] acme: Obtaining bundled SAN certificate
traefik_1        | legolog: 2018/01/11 10:22:58 [INFO][whoami1.netnerdz.se] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/[REDACTED]
traefik_1        | legolog: 2018/01/11 10:22:58 [INFO][whoami1.netnerdz.se] acme: Could not find solver for: http-01
traefik_1        | legolog: 2018/01/11 10:22:58 [INFO][whoami1.netnerdz.se] acme: Could not find solver for: dns-01
traefik_1        | time="2018-01-11T10:22:58Z" level=error msg="map[whoami1.netnerdz.se:[whoami1.netnerdz.se] acme: Could not determine solvers]" 
traefik_1        | time="2018-01-11T10:22:58Z" level=error msg="Error getting ACME certificates [whoami1.netnerdz.se] : Cannot obtain certificates map[whoami1.netnerdz.se:[whoami1.netnerdz.se] acme: Could not determine solvers]+v" 
@signaleleven

commented Jan 11, 2018

This is due to the following.

https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

I just spent a couple of hours banging my head on this until I started suspecting that LE was at fault.
I believe - until LE "fixes" this - the only alternative is DNS authentication (for which I have no experience but it feels "harder")

@tobgen

Author

commented Jan 11, 2018

@signaleleven
On one of the boxes, we see this in the logs:

Could not find solver for: http-01

This could indicate that http is used, and not TLS-SNI-01.
But since I have no clue on how traefik or lego works, I will not write that in stone :)

@ldez

Member

commented Jan 11, 2018

Related to #1832

@turbo

commented Jan 11, 2018

Same error here. I can't start any of our production systems because of this. Details (domains redacted):

time="2018-01-11T12:51:23Z" level=debug msg="Loading ACME certificates [staging.example.com]..."
time="2018-01-11T12:51:23Z" level=debug msg="No provided certificate found for domains [staging.example.com], get ACME certificate."
time="2018-01-11T12:51:23Z" level=error msg="map[staging.example.com:[staging.example.com] acme: Could not determine solvers]"
time="2018-01-11T12:51:23Z" level=error msg="Error getting ACME certificates [staging.example.com] : Cannot obtain certificates map[staging.example.com:[staging.example.com] acme: Could not determine solvers]+v"
@justb81

commented Jan 11, 2018

A manual workaround is to get certs via a separate acme-container (and http-challenge) and copy them to the certs folder.

@turbo

commented Jan 11, 2018

Hm, we're using DO, so a DO-powered DNS challenge (docs: https://docs.traefik.io/configuration/acme/#dnsprovider) would probably work. Testing that now.

@turbo

commented Jan 11, 2018

Using the DNS challenge worked.

@ldez

Member

commented Jan 11, 2018

Closed in favor of #1832

@ldez ldez closed this Jan 11, 2018

@paulvanbladel

commented Jan 12, 2018

Hi @justb81, could you elaborate on how to do this with a separate acme-container?

@justb81

commented Jan 12, 2018

@paulvanbladel kind of specific, but i…

  1. used janeczku/rancher-letsencrypt:v0.5.0 to get the cert-files.
  2. then I copied the .pem to a (persistent) folder in my traefik-service.
  3. rename the .pem files to .crt and .key
  4. insert the files to traefik.toml under [entryPoints.https.tls]
@paulvanbladel

commented Jan 12, 2018

@justb81 Thanks a lot for this, very much appreciated.
Cheers
Paul.

@alioygur

commented Jan 14, 2018

is there any temporary solution?

@ldez

Member

commented Jan 14, 2018

@alioygur use the DNS challenge or wait for #2701

@containous containous locked and limited conversation to collaborators Jan 14, 2018

lukemarsden added a commit to dotmesh-io/discovery.dotmesh.io that referenced this issue Jan 16, 2018
