rawmind0/alpine-traefik

Getting acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from [acme_challenge_url]: 404

Closed this issue · 2 comments

Hi,

For some time now, my Rancher services have been unable to renew or generate new Let's Encrypt certificates. In any case, whether or not the service already has a certificate, I'm getting this error in the Traefik logs:

11/28/2018 5:10:22 PMtime="2018-11-28T22:10:22Z" level=error msg="Unable to obtain ACME certificate for domains \"registry.domain.com\" detected thanks to rule \"Host:registry.domain.com\" : unable to generate a certificate for the domains [registry.domain.com]: acme: Error -> One or more domains had a problem:\n[registry.domain.com] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from http://registry.domain.com/.well-known/acme-challenge/bzpnHsnW0EjLgPo6T5an8Mmvcmq9qaf_ywKuhVqmpSQ [xyz.xyz.xz.xyz]: 404\n"

It's a multi-server Rancher 1.6 cluster with Traefik installed through the Rancher catalog, with no shared filesystem to share Let's Encrypt configurations. The only change made recently was upgrading Traefik from 1.6.x to 1.7.x. Some time after that I installed some new services; two of them got their cert and the last one didn't. After that I saw the previous error in the Traefik logs for all services on any server.

Searching for a solution, most of them point to checking that the DNS records are pointing to the correct server, which they are, or to a routing problem when looking for the /.well-known/acme-challenge challenge URL.

Any idea what could be wrong? Or any workarounds?

Thanks
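An added example, not part of the original issue or of the project's code: a small parser for log lines of the shape quoted above that separates the ACME-level status (403) from the HTTP status the CA's validator received from the challenge URL (404) and the address it contacted. The sample lines, hostnames, tokens and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed log lines modelled on the error in the post; the hostnames,
# tokens and 192.0.2.x addresses are placeholders.
SAMPLE_LOG = [
    r'11/28/2018 5:10:22 PMtime="2018-11-28T22:10:22Z" level=error msg="Unable to obtain ACME '
    r'certificate for domains \"registry.example.test\" : acme: Error -> One or more domains had '
    r'a problem:\n[registry.example.test] acme: Error 403 - urn:ietf:params:acme:error:unauthorized'
    r' - Invalid response from http://registry.example.test/.well-known/acme-challenge/TOKEN-A '
    r'[192.0.2.10]: 404\n"',
    r'time="2018-11-28T22:11:05Z" level=error msg="...\n[app.example.test] acme: Error 403 - '
    r'urn:ietf:params:acme:error:unauthorized - Invalid response from '
    r'http://app.example.test/.well-known/acme-challenge/TOKEN-B [192.0.2.10]: 404\n"',
    r'time="2018-11-28T22:12:00Z" level=info msg="Server configuration reloaded on :443"',
]

ACME_FAILURE = re.compile(
    r'\[(?P<domain>[^\]\s]+)\] acme: Error (?P<acme_status>\d{3}) - '
    r'(?P<acme_type>urn:ietf:params:acme:error:\w+) - '
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: (?P<http_status>\d{3})'
)

def parse_acme_failure(line):
    """Return the fields of an ACME validation failure, or None for other lines."""
    m = ACME_FAILURE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # acme_status is the CA's answer to the ACME client; http_status is what the
    # CA's validator received when it fetched the challenge URL from `ip`.
    rec["acme_status"] = int(rec["acme_status"])
    rec["http_status"] = int(rec["http_status"])
    parts = urlsplit(rec["url"])
    rec["http01"] = (parts.scheme == "http"
                     and parts.path.startswith("/.well-known/acme-challenge/"))
    return rec

def failures_by_endpoint(lines):
    """Count failures per (validated IP, HTTP status) to show which node answered."""
    hits = (parse_acme_failure(line) for line in lines)
    return Counter((r["ip"], r["http_status"]) for r in hits if r)

if __name__ == "__main__":
    for (ip, status), n in failures_by_endpoint(SAMPLE_LOG).items():
        print(f"{ip} answered the challenge fetch with HTTP {status} x{n}")
```
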

Any comments? Or how could I backport to 1.6.x and test if it works again with that version?

I see there are TRAEFIK_DEBUG and TRAEFIK_LOG variables. How do I set them? They don't seem to be available on the Rancher catalog template page.