traefik for cloudflare auto cert used to work, but now I have to add --certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=1 #9751

@bayeslearnerold

Description

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

I did find this one: #7316

What did you do?

I have a typical Traefik-in-Docker config, and it used to work for automatic cert renewal, but lately something has changed.

I now have to add --certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=1
to skip the check; otherwise I keep getting the "waiting for DNS propagation" message, and it eventually fails.

I am not sure whether this is a change due to Docker (I did have Tailscale enabled as a Docker Desktop extension) or a change due to Traefik.

      - --certificatesResolvers.letsencrypt.acme.email=${ACME_EMAIL}
      - --certificatesResolvers.letsencrypt.acme.storage=/srv/traefik/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[0]=8.8.8.8:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[1]=1.1.1.1:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=1 #something has changed in traefik, have to add this. 

What did you see instead?

Here is the error message:
time limit exceeded: last error: read udp 127.0.0.1:48131->127.0.0.11:53

It seems to me that Traefik got stuck checking whether the DNS name has propagated, using Docker's own 127.0.0.11 to resolve it?

/ # nslookup traefik.dom.bayeslearner.org
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
Name:   traefik.dom.bayeslearner.org
Address: 192.168.1.189

Non-authoritative answer:

But that seems to be resolved correctly.

What version of Traefik are you using?

/ # traefik version
Version: 2.9.8
Codename: banon
Go version: go1.19.6
Built: 2023-02-15T15:23:25Z
OS/Arch: linux/arm64

What is your environment & configuration?

version: "3.7"

services:
  ### Traefik: An open-source Edge Router that makes publishing your services a fun and easy experience ###
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    environment:
      - NAMECHEAP_API_KEY=${NAMECHEAP_API_KEY}
      - NAMECHEAP_API_USER=${NAMECHEAP_API_USER}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
      - TZ=${TZ}
    command:
      ## Global settings ##
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true

      ## Traefik pilot token ##
      - --pilot.token=${TRAEFIK_PILOT_TOKEN}

      ## Log Settings (options: ERROR, DEBUG, PANIC, FATAL, WARN, INFO) - https://docs.traefik.io/observability/logs ##
      - --log=true
      - --log.level=${LOG_LEVEL}
      - --log.filePath=/srv/traefik/log/traefik.log
      # - --log.format=json

      ## Access Log - https://doc.traefik.io/traefik/observability/access-logs ##
      - --accesslog=true
      - --accesslog.filepath=/srv/traefik/accesslog/traefik-access.log
      - --accesslog.fields.defaultmode=keep
      - --accesslog.fields.headers.defaultmode=keep
      - --accesslog.bufferingSize=100
      # - --accesslog.format=json

      ## Metrics - https://doc.traefik.io/traefik/observability/metrics/overview ##
      - --metrics=false
      - --metrics.prometheus=false

      ## API Settings - https://docs.traefik.io/operations/api/, endpoints - https://docs.traefik.io/operations/api/#endpoints ##
      - --api=true
      - --api.insecure=false
      - --api.dashboard=true
      - --api.debug=true
      - --ping=false

      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true
      - --providers.docker.watch=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-network
      - --providers.file.watch=true
      - --providers.file.directory=/srv/traefik/rules

      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      # Set security headers for https #
      - --entryPoints.websecure.http.middlewares=security-headers@file
      # Add Let's Encrypt as default certresolver for all services
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=letsencrypt

      ## Global HTTP -> HTTPS redirection - https://blog.jensknipper.de/blog/traefik-http-to-https-redirect ##
      # - --entryPoints.web.http.redirections.entryPoint.to=websecure
      # - --entryPoints.web.http.redirections.entryPoint.scheme=https
      # - --entryPoints.web.http.redirections.entryPoint.permanent=true

      ## Certificate Settings (Let's Encrypt) -  https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesResolvers.letsencrypt.acme.email=${ACME_EMAIL}
      - --certificatesResolvers.letsencrypt.acme.storage=/srv/traefik/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[0]=8.8.8.8:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers[1]=1.1.1.1:53
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.disablepropagationcheck=1 #something has changed in traefik, have to add this. 
    ports:
      - 80:80
      - 443:443
    volumes:
      - ${VOLUME_DIR}/traefik-data/log:/srv/traefik/log
      - ${VOLUME_DIR}/traefik-data/accesslog:/srv/traefik/accesslog
      - ${VOLUME_DIR}/traefik-data/letsencrypt:/srv/traefik/letsencrypt
      - ./rules:/srv/traefik/rules
      - ./credentials:/srv/traefik/credentials
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      ## Watchtower configuration: Only enable monitoring ##
      - com.centurylinklabs.watchtower.enable=true
      - com.centurylinklabs.watchtower.monitor-only=true

      ## Diun configuration ##
      - diun.enable=true

      ## Traefik configuration ##
      # Enable Traefik and global configuration #
      - traefik.enable=true

      # Global HTTP -> HTTPS redirection
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

      # Global wildcard certificates
      - traefik.http.routers.wildcard-certs.entrypoints=websecure
      - traefik.http.routers.wildcard-certs.tls.certresolver=letsencrypt
      - traefik.http.routers.wildcard-certs.tls.domains[0].main=*.${DOMAIN}
      - traefik.http.routers.wildcard-certs.tls.domains[0].sans=${DOMAIN}

      # Traefik dashboard configuration
      - traefik.http.routers.api.entrypoints=web,websecure
      - traefik.http.routers.api.rule=Host(`${DASHBOARD_DOMAIN}`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=basic-auth@file

networks:
  default:
    external:
      name: traefik-network

If applicable, please paste the log output in DEBUG level

No response
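
The propagation check that the flag above switches off is a readiness check, not a security control: the CA still validates the challenge on its own, so disabling it does not weaken issuance, but it does let Traefik ask the CA to validate before the record is visible, which shows up as failed orders and, repeated often enough, as Let's Encrypt rate limits. Before reaching for the flag it is worth running the same kind of check yourself and seeing which resolver is lagging. The program below is an added example written for this page; it is not Traefik's or lego's own code. It dials each configured resolver directly (8.8.8.8:53 and 1.1.1.1:53 from the config above), so the query never goes through the 127.0.0.11 embedded Docker resolver that appears in the error message. The zone name `_acme-challenge.dom.bayeslearner.org.` is inferred from the nslookup output and the expected TXT value is a placeholder, since the real one is generated per ACME order.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// Lookup returns the TXT values of fqdn as seen by one specific resolver
// ("ip:port"). It is a function type so the poller can run against a fake.
type Lookup func(ctx context.Context, server, fqdn string) ([]string, error)

// directLookup dials the named server itself instead of using /etc/resolv.conf,
// so the query bypasses Docker's embedded 127.0.0.11 resolver entirely.
func directLookup(ctx context.Context, server, fqdn string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, server)
		},
	}
	return r.LookupTXT(ctx, fqdn)
}

// Result is one resolver's view of the record during a single poll.
type Result struct {
	Server string
	Seen   []string
	Err    error
}

func contains(vals []string, want string) bool {
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

// checkOnce queries every resolver once and returns true only when all of
// them already serve the expected TXT value.
func checkOnce(ctx context.Context, lookup Lookup, servers []string, fqdn, expected string) (bool, []Result) {
	all := true
	results := make([]Result, 0, len(servers))
	for _, s := range servers {
		vals, err := lookup(ctx, s, fqdn)
		if err != nil || !contains(vals, expected) {
			all = false
		}
		results = append(results, Result{Server: s, Seen: vals, Err: err})
	}
	return all, results
}

// waitForPropagation polls until every resolver serves expected or timeout
// elapses. On timeout the error names each resolver that never converged and
// what it returned instead, the detail a bare "time limit exceeded" omits.
func waitForPropagation(ctx context.Context, lookup Lookup, servers []string, fqdn, expected string, interval, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		ok, results := checkOnce(ctx, lookup, servers, fqdn, expected)
		if ok {
			return nil
		}
		if time.Now().After(deadline) {
			var lagging []string
			for _, r := range results {
				switch {
				case r.Err != nil:
					lagging = append(lagging, fmt.Sprintf("%s: %v", r.Server, r.Err))
				case !contains(r.Seen, expected):
					lagging = append(lagging, fmt.Sprintf("%s: saw %q", r.Server, r.Seen))
				}
			}
			return fmt.Errorf("propagation of %s timed out after %s; not yet serving %q at %s",
				fqdn, timeout, expected, strings.Join(lagging, "; "))
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(interval):
		}
	}
}

func main() {
	// Resolvers from the issue's config; zone is assumed from the nslookup
	// output and the TXT value is a placeholder for the per-order token.
	servers := []string{"8.8.8.8:53", "1.1.1.1:53"}
	fqdn := "_acme-challenge.dom.bayeslearner.org."
	expected := "EXPECTED_CHALLENGE_VALUE_PLACEHOLDER"
	err := waitForPropagation(context.Background(), directLookup, servers, fqdn, expected, 5*time.Second, 60*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("all resolvers serve the challenge record")
}
```

Run it from the same host while an order is pending and paste the TXT value Traefik wrote into the Cloudflare zone in place of the placeholder. If one resolver reports an error such as `i/o timeout` while the other already serves the record, the problem is the path to that resolver rather than Cloudflare propagation; if both serve the record but Traefik still waits, the check inside Traefik is not reaching the resolvers you configured.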
