Discussion - Certificate seems expired | PlexGuide.com

Discussion Certificate seems expired


techystreamer

Active
Original poster
Feb 6, 2019
46
7
Certificate expired. From what I have read it looks like it is supposed to renew automatically. I tried to redeploy Traefik but it does not deploy, and the logs say the domain is not registered or does not have a zone file?
 

fishtek

Citizen
Feb 8, 2019
13
4
Did you (or anyone) ever get an answer to this? I've received an email from Let's Encrypt stating that my certificate will expire in 20 days, so I'm wondering what I should do as well. I'm using Traefik with Cloudflare, so perhaps I can just redeploy and it'll renew the certificate?
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,112
There hasn't been any other feedback, but Traefik renews it. If you use the Traefik email correctly, the reminder from Traefik means you'll be OK.
 

fishtek

Citizen
Feb 8, 2019
13
4
Thanks @Admin9705, so it does look like Traefik is trying to renew it but failing to authenticate with the API. From the Traefik log I see:

Code:
Unable to obtain ACME certificate for domains \">>>REMOVED<<<<\" : unable to generate a certificate for the domains [>>>REMOVED<<<<.tk]: acme: Error -> One or more domains had a problem:\n[>>>REMOVED<<<<.tk] [>>>REMOVED<<<<.tk] acme: error presenting token: cloudflare: failed to create TXT record: error from makeRequest: HTTP status 401: invalid credentials
So I tried setting my Cloudflare API key and Cloudflare email again, and then redeploying traefik, however the issue still happens. I then tried those same credentials from the command line using curl to hit a few Cloudflare APIs and they worked fine.

I did notice another thread here at PlexGuide from @ZyFinity which seems like the same issue I'm having... I wonder if it is because we were both trying to use domains that are .tk. It seems from this thread that Cloudflare may not allow that anymore. It sounds like there might be a manual way to do it, so I'll dig into that and see if I can figure it out.


DOMAIN NAME REMOVED
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,112
Ya, that I couldn't tell you. I know with using GoDaddy and using only .com's I haven't come across.
 

Datamonkeh

Data Hoarding Primate
Project Manager
Donor
Donor
Jan 20, 2018
832
384
Can confirm GD works with other TLDs I’ve tried. I had issues with previous registrars, but seeing as GD offered a free year's extension if I moved over, I figured that offset the slightly higher cost and gave it a try. No issues since, just GD are a company I try and avoid based on previous experiences, but they then purchased the company who purchased the company I used to use, so meh.
 

Edrock200

MVP
Staff
Nov 17, 2019
541
195
Starting sometime around April of this year, Cloudflare stopped supporting .tk root domains and several others via their API interface:
 

fishtek

Citizen
Feb 8, 2019
13
4
Yeah I'm pretty sure that them blocking API access for .tk and other "free" domains is the issue, just threw me because of how traefik was reporting it as a 401 invalid creds instead of the underlying error about not allowing certain domains over the api.

Anyway my solution for now is to use certbot to manually get a certificate from Let's Encrypt, and then start traefik myself with docker-compose and tell it to just use the local certificates. Certainly not as awesome as having PG manage it, but it'll work for now. I think longer term it might be cool to update PG to support locally supplied certificates, it could maybe be added as an additional provider in the list with the rest? Perhaps when PG 10 gets stable I can look into helping contribute to a feature like that.

For now here is my docker-compose.yml in case anyone else runs into this:
YAML:
version: "3.3"

services:

    traefik:
        image: "traefik:v1.7"
        restart: on-failure
        container_name: "traefik"
        networks:
            - plexguide
        ports:
            - "80:80"
            - "443:443"
        environment:
            - "PUID=1000"
            - "PGID=1000"
        volumes:
            # Docker socket, mounted read-only
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
            - "/etc/localtime:/etc/localtime"
            # traefik.toml with the acme sections removed
            - "/path/to/my/config/traefik.toml:/etc/traefik/traefik.toml"
            # certbot output for the domain, mounted read-only as /etc/certs
            - "/path/to/certbot/config/live/cooldomain.tk:/etc/certs:ro"

networks:
    plexguide:
        external:
            name: plexguide
For the traefik.toml I copied the one from plexguide at /opt/appdata/traefik/traefik.toml and deleted the sections with the acme stuff (which is for auto-getting and renewing the certs) and replaced it with:
INI:
[[tls.certificates]]
  certFile = "/etc/certs/fullchain.pem"
  keyFile = "/etc/certs/privkey.pem"
Hope that helps someone else who runs into this!
 

ZyFinity

Active
Nov 22, 2019
42
8
Yep, it seems .tk domains have stopped working with CF (they did like 3 months ago but not anymore)
 

Datamonkeh

Data Hoarding Primate
Project Manager
Donor
Donor
Jan 20, 2018
832
384
Can’t remember if it was Discord or here, but it was discussed multiple times a few months back when it first became a thing. I realise ‘free’ .tk’s are tempting and different people have different budgets and priorities, especially at the moment, but a few $ on a supported TLD for an easy life is probably a small price to pay.
 

bodgeup

Experienced
Staff
FreeLancer
Donor
Aug 12, 2018
96
32
Cloudflare banned those free TLD domain suffixes .TK .ML .CF .GA .GQ, so they won't work via the Traefik API, so you have to add the TXT record for _acme-challenge manually, looking at the Portainer Traefik container logs for the value to add when the cert is up for renewal! Or do what I did and just use DuckDNS with Traefik and PG and then CNAME fwd your TK domain name to the DuckDNS FQDN using the orange CF proxy to get around the cert SNI difference!
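
A log triage sketch for the failure discussed in this thread, added here as an example and not code from PlexGuide, Traefik or any poster: it reads Traefik ACME error lines and flags a Cloudflare 401 on a domain whose TLD is one of the suffixes listed above, the case where re-entering credentials does not help. The function names, verdict labels and the sample domains are assumptions made for the example.

```python
import re

# TLD suffixes the thread reports as refused by Cloudflare's API.
API_BLOCKED_TLDS = {"tk", "ml", "cf", "ga", "gq"}

DOMAINS_RE = re.compile(r"certificate for the domains \[([^\]]+)\]")
PROVIDER_RE = re.compile(
    r"error presenting token: (?P<provider>\w+): .*?"
    r"HTTP status (?P<status>\d{3}): (?P<reason>.+)$"
)

# Constructed log lines in the shape quoted in the thread; domains are placeholders.
TEMPLATE = (
    r'Unable to obtain ACME certificate for domains \"{d}\" : '
    r"unable to generate a certificate for the domains [{d}]: "
    r"acme: Error -> One or more domains had a problem:\n[{d}] "
    r"acme: error presenting token: cloudflare: failed to create TXT record: "
    r"error from makeRequest: HTTP status 401: invalid credentials"
)
SAMPLE_LOG = [
    TEMPLATE.format(d="example-media.tk"),
    TEMPLATE.format(d="example-media.com"),
    "Server configuration reloaded on :443",
]

def triage(line):
    """Classify one log line; None if it is not a DNS-provider ACME failure."""
    err = PROVIDER_RE.search(line)
    if err is None:
        return None
    found = DOMAINS_RE.search(line)
    domains = re.split(r"[,\s]+", found.group(1).strip()) if found else []
    blocked = sorted({d for d in domains
                      if d.rstrip(".").rsplit(".", 1)[-1].lower() in API_BLOCKED_TLDS})
    status = int(err.group("status"))
    if err.group("provider") == "cloudflare" and status == 401 and blocked:
        verdict = "tld-restricted"     # the 401 may not be about the credentials
    elif status == 401:
        verdict = "check-credentials"  # no listed TLD involved; verify key and email
    else:
        verdict = "other"
    return {"provider": err.group("provider"), "status": status,
            "domains": domains, "blocked": blocked, "verdict": verdict}

def summarize(lines):
    """Verdicts for every line that is a DNS-provider ACME failure."""
    return [r["verdict"] for r in map(triage, lines) if r]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```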
 
