ReinerNippes/nextcloud_on_docker

Traefik TLS challenge failure

Opened this issue · 0 comments

It looks like the folks over at Let's Encrypt somewhat recently decided to require that TLS challenges succeed from 5 locations around the globe before they will renew your cert. https://community.letsencrypt.org/t/unexpected-renewal-failures-during-april-2024-please-read-this/216830

Because I geoblock my NC instance for security reasons, the challenge is failing. After checking their forums, I think this problem affects more people than LE wants to admit. LE will not publish the IPs or countries they test from, so in order to make the cert verification more secure, they require my server to be less secure.

There is a DNS challenge option available that does not require directly connecting to the server, but it requires environment variables for the API key and account name to be added to the traefik container for it to work. I added the relevant DNS Challenge entries into traefik.yml by hand. If trying to repeat this from ansible, you'd need something for selecting your DNS provider as a variable for the playbook.

I tried adding the environment variables to the playbook, manually deleting the traefik container, and rerunning the playbook, but it looks like that also failed because LE was throwing acme: error: 400 afterward. Maybe it was the quotes?

```yaml
docker_container:
  name: traefik
  image: "traefik:{{ docker_traefik_image | default('latest') }}"
  restart_policy: unless-stopped
  env:
    NAMECHEAP_API_USER: "SOME_USER"
    NAMECHEAP_API_KEY: "SOME_API_KEY"
  networks:
    - name: backend
    - name: traefik
    - name: dockerproxy
```

Because the cert is expiring very soon, for now I settled for disabling the geoblocking and letting it renew, then re-enabling the geoblocking, but this isn't sustainable.

If someone who has a lot more experience than I with Traefik or ansible could chime in, I'd appreciate it.
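As an added example (not code from the nextcloud_on_docker repository or from the issue author), the play below shows one way to wire the DNS-01 challenge through the playbook: the lego provider name and its credentials are plain variables, the Traefik static config is written from them, and the container receives the credentials as environment variables. The variable names (`traefik_dns_provider`, `traefik_dns_env`, `traefik_acme_email`), the `vault_*` secrets, the `/opt/traefik` paths and the `nextcloud` host group are all assumptions for illustration; the `NAMECHEAP_API_USER` / `NAMECHEAP_API_KEY` names are the ones from the issue.

```yaml
# Added example, not part of the project. Assumptions: host group "nextcloud",
# config kept under /opt/traefik, secrets supplied from Ansible Vault.
- hosts: nextcloud
  vars:
    traefik_acme_email: admin@example.org        # assumption: ACME account mail
    traefik_dns_provider: namecheap              # lego provider name, swap per DNS host
    # Credentials for the chosen provider. Keep the real values in Vault;
    # the vault_* names here are placeholders for that.
    traefik_dns_env:
      NAMECHEAP_API_USER: "{{ vault_namecheap_api_user }}"
      NAMECHEAP_API_KEY: "{{ vault_namecheap_api_key }}"

  tasks:
    - name: Write Traefik static configuration with a DNS-01 resolver
      copy:
        dest: /opt/traefik/traefik.yml
        mode: "0600"
        content: |
          entryPoints:
            web:
              address: ":80"
            websecure:
              address: ":443"
          certificatesResolvers:
            letsencrypt:
              acme:
                email: {{ traefik_acme_email }}
                storage: /acme.json
                dnsChallenge:
                  provider: {{ traefik_dns_provider }}
                  # Public resolvers so propagation is checked from outside
                  # the (geoblocked) host's own view.
                  resolvers:
                    - "1.1.1.1:53"
                    - "8.8.8.8:53"
      notify: restart traefik

    - name: Run Traefik with the DNS provider credentials in its environment
      docker_container:
        name: traefik
        image: "traefik:{{ docker_traefik_image | default('latest') }}"
        restart_policy: unless-stopped
        env: "{{ traefik_dns_env }}"
        networks:
          - name: backend
          - name: traefik
          - name: dockerproxy
        volumes:
          - /opt/traefik/traefik.yml:/traefik.yml:ro
          - /opt/traefik/acme.json:/acme.json
      no_log: true   # keep the API key out of the playbook output

  handlers:
    - name: restart traefik
      docker_container:
        name: traefik
        restart: true
```

With this layout, switching DNS hosts means changing `traefik_dns_provider` and the keys in `traefik_dns_env` only; the challenge never needs an inbound connection, so the geoblock can stay in place. `no_log: true` matters because `docker_container` otherwise echoes the full `env` dict, key included, into the run log.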