Tags: docker, traefik, lets-encrypt, powerdns, acme

DNS challenge from traefik to PowerDNS


Trying to set up the DNS challenge to get a wildcard certificate.

This is what our environment variables look like:

environment:
  - TRAEFIK_ENTRYPOINTS_HTTP=true
  - TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:80
  - TRAEFIK_ENTRYPOINTS_HTTPS=true
  - TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=:443
  - TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS=true
  - TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_CERTRESOLVER=default
  - TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_MAIN=mydomain.net
  - TRAEFIK_ENTRYPOINTS_HTTPS_HTTP_TLS_DOMAINS_0_SANS=*.mydomain.net
  - TRAEFIK_PROVIDERS_DOCKER=true
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT=true
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_EMAIL=info@mydomain.net
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE=true
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_PROVIDER=pdns
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_RESOLVERS=8.8.8.8:53
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_DNSCHALLENGE_DELAYBEFORECHECK=15
  - TRAEFIK_CERTIFICATESRESOLVERS_DEFAULT_ACME_STORAGE=/data/acme.json
  - PDNS_API_URL=http://192.168.123.10:8081/
  - PDNS_API_KEY=pdns-api-key

And this is the log it outputs:

time="2021-09-06T08:53:39+02:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.net,*.mydomain.net\" : unable to generate a certificate for the domains [mydomain.net *.mydomain.net]: error: one or more domains had a problem:\n[*.mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:38270->195.141.155.147:53: i/o timeout\n[mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:49936->195.141.155.147:53: i/o timeout\n" providerName=default.acme

Already tried to increase DELAYBEFORECHECK and to set a RESOLVER without success.

The ACME challenges get created correctly in PowerDNS:

[screenshot: PowerDNS TXT challenge record]

Maybe someone can help or has an idea on how to get this to work?
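The log line in the question already names the cause: lego (Traefik's ACME library) gave up waiting for the `_acme-challenge` TXT records because its UDP queries to 195.141.155.147:53 never got an answer, while the records themselves were created in PowerDNS just fine. The script below is an added triage helper, not Traefik or PowerDNS code: it parses that error format to list the domains and the nameserver:port that timed out, and it can send one hand-built TXT query over UDP to that nameserver so you can reproduce the timeout from inside the Traefik container (the same network path, NAT included). The sample log line is the one from the post; the function names and the `_acme-challenge.mydomain.net` lookup are assumptions for the example.

```python
"""Triage helper for Traefik/lego DNS-01 'i/o timeout' errors (added example, not Traefik code)."""
import random
import re
import socket
import struct
import sys

# Constructed sample: the error line from the question, as Traefik writes it
# (logrus escapes quotes and newlines inside msg="...", so \" and \n are literal).
SAMPLE_LOG = (
    r'time="2021-09-06T08:53:39+02:00" level=error msg="Unable to obtain ACME certificate '
    r'for domains \"mydomain.net,*.mydomain.net\" : unable to generate a certificate for the '
    r'domains [mydomain.net *.mydomain.net]: error: one or more domains had a problem:\n'
    r'[*.mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:38270->195.141.155.147:53: i/o timeout\n'
    r'[mydomain.net] time limit exceeded: last error: read udp 192.168.160.2:49936->195.141.155.147:53: i/o timeout\n'
    r'" providerName=default.acme'
)

# One "[domain] time limit exceeded ..." fragment per domain lego gave up on.
FAILURE_RE = re.compile(
    r'\[(?P<domain>[^\]]+)\] time limit exceeded: last error: '
    r'read udp (?P<src>[\d.]+):(?P<sport>\d+)->(?P<ns>[\d.]+):(?P<nsport>\d+): i/o timeout'
)


def parse_propagation_failures(line):
    """Return one record per failed domain with the nameserver lego could not reach over UDP."""
    return [
        {"domain": m["domain"], "source": m["src"], "nameserver": m["ns"], "port": int(m["nsport"])}
        for m in FAILURE_RE.finditer(line)
    ]


def unreachable_nameservers(failures):
    """Distinct (ip, port) pairs that timed out; these are what to probe from the container."""
    return sorted({(f["nameserver"], f["port"]) for f in failures})


def build_txt_query(name, txid):
    """Minimal DNS query packet: header, one question for <name> TXT IN (no dependencies needed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN


def probe_txt_over_udp(nameserver, port, name, timeout=3.0):
    """Send one TXT query straight to the nameserver and report whether any reply came back.
    Run this inside the Traefik container (docker exec) so it uses the same path lego does.
    Returns {'reachable': bool, 'rcode': int or None}; rcode 0 = NOERROR, 3 = NXDOMAIN."""
    txid = random.randrange(0, 0x10000)
    query = build_txt_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (nameserver, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # includes socket.timeout: the same symptom lego reports
            return {"reachable": False, "rcode": None}
    if len(data) < 12:
        return {"reachable": False, "rcode": None}
    reply_id, flags = struct.unpack("!HH", data[:4])
    if reply_id != txid:
        return {"reachable": False, "rcode": None}
    return {"reachable": True, "rcode": flags & 0x000F}


if __name__ == "__main__":
    # Usage: python3 triage.py [path-to-traefik-log]; without a path the sample line is used.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    failures = parse_propagation_failures(log_text)
    for f in failures:
        print(f"{f['domain']}: no UDP answer from {f['nameserver']}:{f['port']} (src {f['source']})")
    for ns, port in unreachable_nameservers(failures):
        # Hypothetical challenge name for the probe; adjust to your zone.
        result = probe_txt_over_udp(ns, port, "_acme-challenge.mydomain.net")
        print(f"probe {ns}:{port} -> {result}")
```

If the probe also times out from inside the container but works from the Docker host, the problem is the path between the container network and the nameserver (here the port-forward/NAT reflection for UDP 53), not the challenge records; if the probe succeeds, look instead at TTL/propagation timing and the resolver setting.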


Solution

  • NAT reflection via UDP was not correctly set up. Now it works.