Error preparing server: Failed to post JWS message. #2976

Closed
devster31 opened this issue Mar 6, 2018 · 5 comments
Labels: area/acme, kind/bug/confirmed (a confirmed bug, reproducible), priority/P1 (need to be fixed in next release), status/5-frozen-due-to-age


@devster31

Do you want to request a feature or report a bug?

Report a bug

What did you do?

Launched the official traefik image with the following docker-compose file:

---
services:
  traefik:
    container_name: traefik
    environment:
      CLOUDFLARE_EMAIL: "${EMAIL}"
      CLOUDFLARE_API_KEY: "${CLOUDFLARE_API_KEY}"
    image: traefik
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    restart: unless-stopped
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${MOUNT}/traefik:/etc/traefik"
      - "${MOUNT}/certs:/etc/traefik/certs"
version: '3.3'

and launched docker-compose up traefik

What did you expect to see?

Recent versions should have patched this issue, so I expected the server to start up regardless of ACME status.

What did you see instead?

traefik        | time="2018-03-06T22:53:22Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
traefik        | time="2018-03-06T22:53:22Z" level=info msg="Traefik version v1.5.3 built on 2018-02-27_02:47:04PM"
traefik        | time="2018-03-06T22:53:22Z" level=info msg="
traefik        | Stats collection is disabled.
traefik        | Help us improve Traefik by turning this feature on :)
traefik        | More details on: https://docs.traefik.io/basics/#collected-data
traefik        | "
traefik        | time="2018-03-06T22:53:22Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0x140f0d20 Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13e48a20} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik        | time="2018-03-06T22:53:22Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0x13e29c80 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:true ProxyProtocol:<nil> ForwardedHeaders:0x13e48a30} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik        | time="2018-03-06T22:53:22Z" level=info msg="Starting server on :80"
traefik        | time="2018-03-06T22:53:40Z" level=info msg="Generating ACME Account..."
traefik        | time="2018-03-06T22:55:08Z" level=info msg=Register...
traefik        | time="2018-03-06T22:55:24Z" level=error msg="Error creating TLS config: Failed to post JWS message. -> Failed to HTTP POST to https://acme-staging.api.letsencrypt.org/acme/new-reg -> Post https://acme-staging.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"
traefik        | time="2018-03-06T22:55:24Z" level=fatal msg="Error preparing server: Failed to post JWS message. -> Failed to HTTP POST to https://acme-staging.api.letsencrypt.org/acme/new-reg -> Post https://acme-staging.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.5.3
Codename:     cancoillotte
Go version:   go1.9.4
Built:        2018-02-27_02:47:04PM
OS/Arch:      linux/arm

What is your environment & configuration (arguments, toml, provider, platform, ...)?

defaultEntryPoints = ["http", "https"]
logLevel = "INFO"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
    minVersion = "VersionTLS11"
  [entryPoints.api]
  address = ":8080"

[api]
  entryPoint = "api"

[acme]
email = "<myemail>"
storage = "/etc/traefik/certs/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.dnsChallenge]
  provider = "cloudflare"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "<mydomain>"
watch = true
exposedbydefault = false
usebindportip = true
swarmmode = false

Not much more info in the debug log:

traefik        | time="2018-03-06T23:07:07Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Traefik version v1.5.3 built on 2018-02-27_02:47:04PM"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="
traefik        | Stats collection is disabled.
traefik        | Help us improve Traefik by turning this feature on :)
traefik        | More details on: https://docs.traefik.io/basics/#collected-data
traefik        | "
traefik        | time="2018-03-06T23:07:07Z" level=debug msg="Global configuration loaded {"LifeCycle":{"RequestAcceptGraceTimeout":"0s","GraceTimeOut":"10s"},"GraceTimeOut":"0s","Debug":true,"CheckNewVersion":true,"SendAnonymousUsage":false,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","TraefikLog":null,"LogLevel":"DEBUG","EntryPoints":{"api":{"Network":"","Address":":8080","TLS":null,"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"http":{"Network":"","Address":":80","TLS":null,"Redirect":{"entryPoint":"https"},"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"VersionTLS11","CipherSuites":null,"Certificates":null,"ClientCAFiles":null,"ClientCA":{"Files":null,"Optional":false}},"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":true,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":{"Email":"<myemail>","Domains":null,"Storage":"/etc/traefik/certs/acme.json","StorageFile":"","OnDemand":false,"OnHostRule":true,"CAServer":"","EntryPoint":"https","DNSChallenge":{"Provider":"cloudflare","DelayBeforeCheck":"0s"},"HTTPChallenge":null,"DNSProvider":"","DelayDontCheckDNS":"0s","ACMELogging":false,"TLSConfig":null},"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":"2s","MaxIdleConnsPerHost":200,"IdleTimeout":"0s","InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":"30s"},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Web":null,"Docker":{"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"<mydomain>","TLS":null,"ExposedByDefault":false,"UseBindPortIP":true,"SwarmMode":false},"File":null,"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null,"ServiceFabric":null,"Rest":null,"API":{"EntryPoint":"api","Dashboard":true,"Debug":true,"CurrentConfigurations":null,"Statistics":null},"Metrics":null,"Ping":null}"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Preparing server api &{Network: Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x12e7c290} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0x12ee4a20 Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x12e7c270} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Starting server on :8080"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0x12b9fc40 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:true ProxyProtocol:<nil> ForwardedHeaders:0x12e7c280} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik        | time="2018-03-06T23:07:07Z" level=info msg="Starting server on :80"
traefik        | time="2018-03-06T23:07:19Z" level=info msg="Generating ACME Account..."
traefik        | time="2018-03-06T23:08:03Z" level=debug msg="Building ACME client..."
traefik        | time="2018-03-06T23:08:05Z" level=debug msg="Using DNS Challenge provider: cloudflare"
traefik        | time="2018-03-06T23:08:05Z" level=info msg=Register...
traefik        | time="2018-03-06T23:08:23Z" level=error msg="Error creating TLS config: Failed to post JWS message. -> Failed to HTTP POST to https://acme-v01.api.letsencrypt.org/acme/new-reg -> Post https://acme-v01.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"
traefik        | time="2018-03-06T23:08:23Z" level=fatal msg="Error preparing server: Failed to post JWS message. -> Failed to HTTP POST to https://acme-v01.api.letsencrypt.org/acme/new-reg -> Post https://acme-v01.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"
@traefiker
Contributor

Closed by #2977.

traefiker added this to the 1.5 milestone on Mar 7, 2018

@devster31
Author

Hi, I read the quick commit and I don't believe this fixes the issue since I can't see any option to automatically accept the ToS on startup for traefik, or any workaround to register an account beforehand.
In addition the error message suggests that this is a failure of some kind in an HTTP POST request and not just a generic registration error.
Other acme clients work fine so that part should definitely not be an issue.
Am I misunderstanding what's happening behind the scenes?

@juliens
Member

juliens commented Mar 8, 2018

Hi @devster31,

> Recent versions should have patched this issue, so I expected the server to start up regardless of ACME status.

With this fix, Træfik will start even if you cannot contact Let's Encrypt when you try to register or accept the ToS (a miss in my previous PR).
Your already generated certificates will continue to be exposed. But you will not be able to generate new certificates or renew expired certificates unless you restart Træfik when Let's Encrypt is up.

Are you talking about something else?

@devster31
Author

devster31 commented Mar 8, 2018

Hi @juliens thanks for the overview. This is the same thing I understood from the patch.
What I wanted to mention is that this allows traefik to start up but it doesn't solve the issue that acme certificates still won't be generated and it seems there's something deeper behind this.

In essence the first and immediate issue that traefik exits on failure is solved; however the acme section still seems (to me) to be broken. I just wanted to make sure that it's not maybe a configuration issue on my side that's still preventing traefik from correctly generating SSL certificates.

@devster31
Author

Upon further research it seems that in my case this could be caused by the library itself since using the command line tool seems to have the same issue: go-acme/lego#496
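
Added example (not Traefik's code and not written by anyone in this thread): per juliens' comment above, a Træfik that survives a failed registration cannot issue or renew certificates until it is restarted, so the failure has to be picked up from the logs. This Go program parses the log lines from the report, extracts the ACME endpoint and root cause, and separates a startup abort (`level=fatal`) from a failure that was only logged; the names `Finding`, `ParseACMEFailure` and `Scan` are made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one ACME failure taken from a Traefik (logrus text) log line.
type Finding struct {
	Time, Level, Endpoint, Cause string
	Fatal                        bool // true: Traefik exited on this line
}

var lineRe = regexp.MustCompile(`time="([^"]+)" level=(\w+) msg=(.*)$`)
var urlRe = regexp.MustCompile(`https://[^\s:"]+`)

// ParseACMEFailure matches error/fatal lines carrying the issue's JWS failure chain.
func ParseACMEFailure(line string) (f Finding, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil || (m[2] != "error" && m[2] != "fatal") ||
		!strings.Contains(m[3], "Failed to post JWS message") {
		return f, false
	}
	msg := strings.Trim(m[3], `"`)
	f = Finding{Time: m[1], Level: m[2], Fatal: m[2] == "fatal"}
	f.Endpoint = urlRe.FindString(msg)
	// Root cause: whatever follows the last "<endpoint>: " in the chain.
	if i := strings.LastIndex(msg, f.Endpoint+": "); f.Endpoint != "" && i >= 0 {
		f.Cause = msg[i+len(f.Endpoint)+2:]
	}
	return f, true
}

// Scan returns all ACME failures and whether one of them aborted startup.
func Scan(log string) (found []Finding, aborted bool) {
	for _, l := range strings.Split(log, "\n") {
		if f, ok := ParseACMEFailure(l); ok {
			found, aborted = append(found, f), aborted || f.Fatal
		}
	}
	return found, aborted
}

// Lines copied from the report above: one info line (ignored), then the failure.
const sample = `traefik        | time="2018-03-06T22:55:08Z" level=info msg=Register...
traefik        | time="2018-03-06T22:55:24Z" level=error msg="Error creating TLS config: Failed to post JWS message. -> Failed to HTTP POST to https://acme-staging.api.letsencrypt.org/acme/new-reg -> Post https://acme-staging.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"
traefik        | time="2018-03-06T22:55:24Z" level=fatal msg="Error preparing server: Failed to post JWS message. -> Failed to HTTP POST to https://acme-staging.api.letsencrypt.org/acme/new-reg -> Post https://acme-staging.api.letsencrypt.org/acme/new-reg: net/http: timeout awaiting response headers"`

func main() { fmt.Println(Scan(sample)) }
```

A result with findings but `aborted == false` is the case to alert on: the proxy is serving, but certificate issuance and renewal are stalled.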

traefik locked and limited conversation to collaborators on Sep 1, 2019