
Private CA Resolver and Cloudflare DNS cannot co-exist #10576

SolomonHD opened this issue Apr 8, 2024 · 5 comments · May be fixed by #10816
Assignees
Labels
area/acme kind/enhancement a new or improved feature. priority/P3 maybe

Comments

@SolomonHD

SolomonHD commented Apr 8, 2024

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Add Cloudflare DNS resolver after running private step CA HTTP resolver

If I comment out the LEGO_CA_CERTIFICATES and LEGO_CA_SERVER_NAME env vars, then Cloudflare DNS works, but step CA can no longer issue certs.

What did you see instead?

time="2024-04-07T19:34:34Z" level=error msg="Unable to obtain ACME certificate for domains \"jellyfin.real-address.com,jf.real-address.com\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get \"https://acme-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate is valid for acme-v02-1.api.letsencrypt.org, acme-v02-2.api.letsencrypt.org, acme-v02-3.api.letsencrypt.org, acme-v02-4.api.letsencrypt.org, acme-v02-5.api.letsencrypt.org, acme-v02.api.letsencrypt.org, incident.letsencrypt.org, not step-ca" ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(`jellyfin.real-address.com`, `jf.real-address.com`)" routerName=jellyfin-real-address-https@docker providerName=cloudflare.acme

What version of Traefik are you using?

v2.11.0

What is your environment & configuration?

```yaml
## Jellyfin Labels

x-nio_io_labels: &nio_io_labels
  ## HTTPS Service
  traefik.http.routers.jellyfin-https.service: jellyfin-https
  traefik.http.routers.jellyfin-https.rule: >-
    Host(`jellyfin-${DEVICE_IP:-ip_addr}.nip.io`, `jf-${DEVICE_IP:-ip_addr}.nip.io`, `jellyfin.nip.io`, `jf.nip.io`)
  traefik.http.routers.jellyfin-https.entrypoints: websecure
  traefik.http.routers.jellyfin-https.middlewares: jellyfin-mw
  traefik.http.routers.jellyfin-https.tls: true
  traefik.http.routers.jellyfin-https.tls.certresolver: step-ca
  traefik.http.services.jellyfin-https.loadbalancer.server.port: 8096
  # HTTP Service Allowed!
  traefik.http.routers.jellyfin-http.service: jellyfin-http
  traefik.http.routers.jellyfin-http.rule: >-
    Host(`jellyfin-${DEVICE_IP:-ip_addr}.nip.io`, `jf-${DEVICE_IP:-ip_addr}.nip.io`, `jellyfin.nip.io`, `jf.nip.io`)
  traefik.http.routers.jellyfin-http.entrypoints: web
  traefik.http.routers.jellyfin-http.middlewares: jellyfin-mw
  traefik.http.services.jellyfin-http.loadbalancer.server.port: 8096

## UDP

x-udp_labels: &udp_labels
  traefik.udp.routers.jellyfin-client-discovery.entrypoints: client_discovery
  traefik.udp.routers.jellyfin-client-discovery.service: jellyfin-client-discovery
  traefik.udp.services.jellyfin-client-discovery.loadbalancer.server.port: 7359

## Recommended by Jellyfin Docs

x-recommended_middleware_labels: &recommended_middleware_labels
  traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
  traefik.http.middlewares.jellyfin-mw.headers.frameDeny: 'true'
  traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff: 'true'
  traefik.http.middlewares.jellyfin-mw.headers.browserXSSFilter: 'true'
  traefik.http.services.jellyfin.loadBalancer.passHostHeader: 'true'

x-real_address_labels: &real_address_labels
  # HTTPS Service
  traefik.http.routers.jellyfin-real-address-https.service: jellyfin-real-address-https
  traefik.http.routers.jellyfin-real-address-https.rule: Host(`jellyfin.real-address.com`, `jf.real-address.com`)
  traefik.http.routers.jellyfin-real-address-https.entrypoints: websecure
  traefik.http.routers.jellyfin-real-address-https.middlewares: jellyfin-mw
  traefik.http.routers.jellyfin-real-address-https.tls: true
  traefik.http.routers.jellyfin-real-address-https.tls.certresolver: cloudflare
  traefik.http.services.jellyfin-real-address-https.loadbalancer.server.port: 8096
  # HTTP to HTTPS Redirect
  traefik.http.routers.jellyfin-real-address-http.rule: Host(`jellyfin.real-address.com`, `jf.real-address.com`)
  traefik.http.routers.jellyfin-real-address-http.entrypoints: web
  traefik.http.routers.jellyfin-real-address-http.middlewares: https_redirect
```

Traefik ENV Vars

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    environment:
      # LEGO_CA_CERTIFICATES: /shared_files/ca_certs/root_ca.crt
      # LEGO_CA_SERVER_NAME: step-ca
      SSL_CERT_FILE: /shared_files/ca_certs/root_ca.crt
      CLOUDFLARE_DNS_API_TOKEN: $CLOUDFLARE_DNS_API_TOKEN
```

Add more configuration information here.

```yaml
# Static Conf
# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  step-ca:
    acme:
      email: [email protected]
      storage: /shared_files/acme/acme.json
      caServer: "https://192.168.1.66:55888/acme/acme/directory"
      # caServer: "https://step-ca:55888/acme/acme/directory"
      httpChallenge:
        entryPoint: web
  cloudflare:
    acme:
      email: [email protected]
      storage: /shared_files/acme/cloudflare_dns_acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
```

If applicable, please paste the log output in DEBUG level

No response

@ldez
Contributor

ldez commented Apr 15, 2024

Hello,

Can you try to set the env var LEGO_CA_SYSTEM_CERT_POOL to true?

@SolomonHD
Author

Hi, thanks for responding. I left it out of what I pasted, but I tried that variable as well, no difference. I will try it again and let you know.

@ldez
Contributor

ldez commented Apr 15, 2024

Another way is to add the Step-ca root CA to the system-wide trusted root list.

@SolomonHD
Author

Doesn't that involve making a new image?

@ldez
Contributor

ldez commented Apr 15, 2024

I haven't tried it, but I think you can just mount the CA file.
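Added example (not code from this thread, Traefik or lego): a Go program that replays the trust set-ups the thread discusses with constructed in-memory roots and leaves standing in for root_ca.crt and the system pool; the names `mkCert`, `trusted`, `Demo` and the certificate names are all made up here. It shows that a pool holding only the private root (what LEGO_CA_CERTIFICATES gives on its own) rejects a public-CA leaf, that a pool that keeps the system roots and adds the private one (LEGO_CA_SYSTEM_CERT_POOL=true, or the root mounted into the system store) accepts both, and that pinning the expected server name to step-ca (LEGO_CA_SERVER_NAME) rejects the Let's Encrypt endpoint regardless of roots, which is the "not step-ca" in the log above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for dnsName: a self-signed CA when parent is nil, else a server leaf signed by parent/parentKey (demo inputs, errors ignored).
func mkCert(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{dnsName}, IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func trusted(leaf *x509.Certificate, roots *x509.CertPool, name string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name}) // what a TLS client checks
	return err == nil
}

// Demo replays the thread's three trust set-ups; the lead-in explains each returned result.
func Demo() (privateOnlyTrustsPublic, mergedTrustsBoth, pinnedNameRejected bool) {
	privRoot, privKey := mkCert("step-ca-root", nil, nil) // constructed stand-in for root_ca.crt
	pubRoot, pubKey := mkCert("public-root", nil, nil)    // constructed stand-in for a system-pool root
	stepLeaf, _ := mkCert("step-ca", privRoot, privKey)
	leLeaf, _ := mkCert("acme-v02.api.letsencrypt.org", pubRoot, pubKey)
	privateOnly, merged := x509.NewCertPool(), x509.NewCertPool()
	privateOnly.AddCert(privRoot) // LEGO_CA_CERTIFICATES alone: the system roots are replaced
	merged.AddCert(pubRoot)       // LEGO_CA_SYSTEM_CERT_POOL=true: system roots kept...
	merged.AddCert(privRoot)      // ...and the private root added on top
	privateOnlyTrustsPublic = trusted(leLeaf, privateOnly, "acme-v02.api.letsencrypt.org")
	mergedTrustsBoth = trusted(leLeaf, merged, "acme-v02.api.letsencrypt.org") && trusted(stepLeaf, merged, "step-ca")
	pinnedNameRejected = !trusted(leLeaf, merged, "step-ca") // LEGO_CA_SERVER_NAME=step-ca against Let's Encrypt
	return
}
```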

@kevinpollet kevinpollet self-assigned this Apr 18, 2024
@ldez ldez assigned ldez and unassigned kevinpollet Apr 18, 2024
@ldez ldez linked a pull request Jun 14, 2024 that will close this issue