ansible-nas
Need help getting traefik to update letsencrypt cert
I'm trying to use traefik and vaultwarden but traefik is continuing to use the default certificate even after waiting a long time for it to update.
Below is my nas.yml
ansible_nas_hostname: ansible-nas
ansible_nas_timezone: Etc/UTC
ansible_nas_email: [email protected]
ansible_nas_domain: example.com
## Enable some applications
heimdall_enabled: true
portainer_enabled: true
cloudflare_ddns_enabled: true
cloudflare_token: TOKEN
bitwarden_enabled: true
bitwarden_available_externally: true
traefik_enabled: true
#traefik_debug: "true"
watchtower: true
route53_enabled: false
speedtest_enabled: false
logstack_enabled: true
I also followed the instructions from this issue: https://github.com/davestephens/ansible-nas/issues/230
I did also notice that the acme.json certificate section is null:
"Certificates": null
What are the best ways to debug further?
@davestephens now that I have the other issue solved, any thoughts on this or steps I should take to debug further? I'm still just seeing traefik use the default certificate for bitwarden instead of a cert for my domain. Below is my latest nas.yml:
# Example options
ansible_nas_hostname: ansible-nas
ansible_nas_timezone: Etc/UTC
ansible_nas_domain: 111.com
ansible_nas_user: nas
ansible_nas_email: [email protected]
## Enable some applications
traefik_enabled: true
bitwarden_enabled: true
bitwarden_available_externally: true
watchtower_enabled: true
cloudflare_ddns_enabled: true
cloudflare_token: CLOUDFLARE_TOKEN
healthchecks_enabled: true
healthchecks_ping_minutes: 5
healthchecks_url: HEALTHCHECK_URL
@davestephens any thoughts on this? Am I just missing a setting or something? I still haven't been able to fix it. I also have ports 80 and 443 open.
@choskeli Curious if you fixed it. I am having the same issue. After adding an A record pointing to my IP in Route 53, the website is accessible over HTTPS, just with a warning that the SSL certificate is wrong.
OK, so I resolved this issue. This answer is helpful.
Set traefik_debug: true in your nas.yml.
Run docker ps to see all running containers.
Run docker logs <container_id> to see the traefik container's log.
I saw my AWS_REGION is missing in the logs.
That's because AWS_REGION is no longer optional since Traefik 2.10.5.
You need to add these in nas.yml:
traefik_dns_provider: route53
traefik_environment_variables:
  AWS_ACCESS_KEY_ID:
  AWS_SECRET_ACCESS_KEY:
  AWS_HOSTED_ZONE_ID:
  AWS_REGION:
@davestephens I would like to add these vars in a readme somewhere. Can you suggest a place?
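A small diagnostic covering the three checks this thread walks through: whether the DNS provider's variables are actually set in the container environment, whether acme.json still shows "Certificates": null, and whether the Traefik log holds a real ACME order failure (the "use of closed network connection" errors at shutdown are not one). This is an added example, not code from the thread or from ansible-nas; the cloudflare entry assumes lego's token variable CF_DNS_API_TOKEN, and all sample inputs are constructed.

```python
import json
import re

# Variables each DNS provider needs for Traefik's DNS-01 challenge. The
# route53 and namesilo entries are the ones shown in this thread; the
# cloudflare entry assumes token-based auth (lego's CF_DNS_API_TOKEN).
REQUIRED_ENV = {
    "route53": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                "AWS_HOSTED_ZONE_ID", "AWS_REGION"),
    "cloudflare": ("CF_DNS_API_TOKEN",),
    "namesilo": ("NAMESILO_API_KEY",),
}

# Traefik log lines for failed ACME orders carry level=error and either
# the ACME provider name or an "ACME certificate" message.
ACME_ERROR = re.compile(r'level=error .*(providerName=\S*acme|ACME certificate)', re.I)

def missing_provider_env(provider, env):
    """Required variables that are absent or empty for the chosen provider."""
    return [v for v in REQUIRED_ENV.get(provider, ()) if not env.get(v)]

def issued_domains(acme_json_text, resolver="letsencrypt"):
    """Main domains with a stored certificate; [] when "Certificates": null."""
    data = json.loads(acme_json_text)
    certs = data.get(resolver, {}).get("Certificates") or []
    return sorted(c["domain"]["main"] for c in certs)

def acme_errors(log_lines):
    """Log lines that indicate an ACME order failed (not generic socket errors)."""
    return [line for line in log_lines if ACME_ERROR.search(line)]

def diagnose(provider, env, acme_json_text, log_lines):
    """Summarise why Traefik may still be serving its default certificate."""
    return {
        "missing_env": missing_provider_env(provider, env),
        "issued": issued_domains(acme_json_text),
        "acme_errors": len(acme_errors(log_lines)),
    }

if __name__ == "__main__":
    # Constructed sample input mirroring the thread: a container env that
    # sets the Namesilo variables while Cloudflare actually serves the zone.
    env = {"NAMESILO_API_KEY": "x", "HOSTNAME": "ansible-nas"}
    acme = '{"letsencrypt": {"Account": {}, "Certificates": null}}'
    logs = ['time="2024-02-29T16:17:34Z" level=info msg="Testing certificate renew..." providerName=letsencrypt.acme',
            'time="2024-02-29T16:17:40Z" level=error msg="Unable to obtain ACME certificate for domains \\"111.abc\\"" providerName=letsencrypt.acme']
    print(diagnose("cloudflare", env, acme, logs))
```

Run it with the container's `env` output, the contents of /letsencrypt/acme.json and `docker logs` of the traefik container to get the same summary for your own setup.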
It's not possible to doc every possible DNS provider - the Traefik config file did have a note to go look at the ACME docs, but I've added something to the docs too.
Hmm I tried configuring the DNS challenge provider and still just getting the default traefik cert.
Here is my traefik.toml:
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "letsencrypt"
[entryPoints.websecure.http.tls.domains]
main = "111.abc"
sans = [
"*.111.abc"
]
[entryPoints.traefik]
address = ":8083"
[providers]
providersThrottleDuration = "2s"
[providers.docker]
exposedbydefault = false
[api]
insecure = true
dashboard = true
[log]
level = "INFO"
[ping]
terminatingStatusCode = 0
[certificatesResolvers]
[certificatesResolvers.letsencrypt]
[certificatesResolvers.letsencrypt.acme]
email = "[email protected]"
storage = "/letsencrypt/acme.json"
caserver = "https://acme-v02.api.letsencrypt.org/directory"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "namesilo"
[metrics]
[metrics.prometheus]
And when I run env from within the traefik docker container I get the following:
NAMESILO_TTL=25900s
HOSTNAME=ansible-nas
SHLVL=1
HOME=/root
NAMESILO_PROPOGATION_TIMEOUT=15m
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NAMESILO_POLLING_INTERVAL=15m
NAMESILO_API_KEY=MY_API_KEY_HERE
And here are my traefik container logs:
time="2024-02-29T16:17:30Z" level=info msg="Stopping server gracefully"
time="2024-02-29T16:17:30Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2024-02-29T16:17:30Z" level=error msg="Error while starting server: accept tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2024-02-29T16:17:30Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
time="2024-02-29T16:17:30Z" level=error msg="Error while starting server: accept tcp [::]:80: use of closed network connection" entryPointName=web
time="2024-02-29T16:17:30Z" level=error msg="accept tcp [::]:8083: use of closed network connection" entryPointName=traefik
time="2024-02-29T16:17:30Z" level=error msg="close tcp [::]:8083: use of closed network connection" entryPointName=traefik
time="2024-02-29T16:17:30Z" level=info msg="Server stopped"
time="2024-02-29T16:17:30Z" level=info msg="Shutting down"
time="2024-02-29T16:17:34Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
time="2024-02-29T16:17:34Z" level=info msg="Traefik version 2.11.0 built on 2024-02-12T15:26:45Z"
time="2024-02-29T16:17:34Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-02-29T16:17:34Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-02-29T16:17:34Z" level=info msg="Starting provider *traefik.Provider"
time="2024-02-29T16:17:34Z" level=info msg="Starting provider *docker.Provider"
time="2024-02-29T16:17:34Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-02-29T16:17:34Z" level=info msg="Starting provider *acme.Provider"
time="2024-02-29T16:17:34Z" level=info msg="Testing certificate renew..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-02-29T16:17:35Z" level=warning msg="IPWhiteList is deprecated, please use IPAllowList instead." routerName=bitwarden-ws@docker entryPointName=web
time="2024-02-29T16:17:35Z" level=warning msg="IPWhiteList is deprecated, please use IPAllowList instead." entryPointName=web routerName=bitwarden@docker
time="2024-02-29T16:17:35Z" level=warning msg="IPWhiteList is deprecated, please use IPAllowList instead." entryPointName=websecure routerName=websecure-bitwarden-ws@docker
time="2024-02-29T16:17:35Z" level=warning msg="IPWhiteList is deprecated, please use IPAllowList instead." entryPointName=websecure routerName=websecure-bitwarden@docker
Any ideas what I'm doing wrong? I'd really like to get this up and running again.
I did figure this out, by the way. I was deferring Namesilo to Cloudflare for DNS, so I really had to set up the environment variables for Cloudflare, not Namesilo.