Discussion - Traefik unable to obtain ACME certificate for domains ... acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record | PlexGuide.com



nickel01

Citizen+
Original poster
Feb 6, 2019
17
0
Hi everyone - I have been running PG for over a year. I'm currently deployed on a local server in a VM. Suddenly, without any warning, the server rebooted last night (possibly due to a power failure), and when it rebooted Traefik was deployed incorrectly.

When I destroy and then deploy, I get the following error in the Traefik logs (accessed through Portainer):

time="2020-03-27T14:18:02-05:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\" : unable to generate a certificate for the domains [mydomain.com]: acme: Error -> One or more domains had a problem:\n[mydomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record \"<<<<<removed for privacy>>>>>>\" found at _acme-challenge.mydomain.com, url: \n",
time="2020-03-27T14:26:22-05:00" level=warning msg="A new release has been found: 2.2.0. Please consider updating."

I have tried everything I could think of:
- generated new GoDaddy keys
- re-deployed / destroyed multiple times
- looked at the traefik .toml file

I cannot figure out what the issue can be.

Any help would be greatly appreciated
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,112
Go to GoDaddy and remove the .txt record sitting there and try to redeploy.
 

nickel01

Citizen+
Original poster
Feb 6, 2019
17
0
Did that and at least made progress by getting a new error:

time="2020-03-27T15:53:01-05:00" level=error msg="Unable to obtain ACME certificate for domains \"*.mydomain.com\" : unable to generate a certificate for the domains [*.mydomain.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: *.mydomain.com: see https://letsencrypt.org/docs/rate-limits/, url: "

Is this because I tried maybe 10+ times today? Any idea how long I have to wait for GoDaddy to allow me to run it again, or am I misinterpreting this?
 

nickel01

Citizen+
Original poster
Feb 6, 2019
17
0
I tried a different domain and got the original error 403 again.

Not sure what is going on. Any thoughts?

(And I did add the two A records for * and @ before deploying. I used the same GoDaddy API key/secret that I newly generated earlier today as well. During the deploy traefik is making it into GoDaddy because I can see the null value TXT record _acme-challenge after it fails).

Exact new error (for myotherdomain):

time="2020-03-27T16:49:12-05:00" level=error msg="Unable to obtain ACME certificate for domains \"*.myotherdomain.com\" : unable to generate a certificate for the domains [*.myotherdomain.com]: acme: Error -> One or more domains had a problem:\n[*.myotherdomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record \"w9gsDb7H0UYWUrErFaqaFefSpeurzGjfyi1WT6GX6Go\" found at _acme-challenge.myotherdomain.com, url: \n"
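The two failures quoted in this thread (the 403 "Incorrect TXT record" and the 429 "rateLimited") can be told apart mechanically from the Traefik log instead of by eye. What follows is an added example, not code from this thread, from PlexGuide or from Traefik: a small Python parser over constructed log lines shaped like the ones posted above (the domain names and the TXT token are placeholders taken from the posts, not real records). It extracts the domain set, the ACME error type, the `_acme-challenge` name and the TXT value Let's Encrypt actually read, and attaches the remediation the thread arrives at: delete the leftover TXT record, and stop redeploying once the rate limit is hit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: three Traefik 1.7 lines shaped like the ones quoted in
# this thread. Domain names and the TXT token are placeholders from the posts,
# not real records.
SAMPLE_LOG = r'''
time="2020-03-27T14:18:02-05:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\" : unable to generate a certificate for the domains [mydomain.com]: acme: Error -> One or more domains had a problem:\n[mydomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect TXT record \"w9gsDb7H0UYWUrErFaqaFefSpeurzGjfyi1WT6GX6Go\" found at _acme-challenge.mydomain.com, url: \n"
time="2020-03-27T14:26:22-05:00" level=warning msg="A new release has been found: 2.2.0. Please consider updating."
time="2020-03-27T15:53:01-05:00" level=error msg="Unable to obtain ACME certificate for domains \"*.mydomain.com\" : unable to generate a certificate for the domains [*.mydomain.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: *.mydomain.com: see https://letsencrypt.org/docs/rate-limits/, url: "
'''

TIMESTAMP_RE = re.compile(r'^time="([^"]+)"')
# The domain set is written as an escaped quoted string inside msg="...".
DOMAINS_RE = re.compile(r'for domains \\"([^\\"]+)\\"')
# HTTP status plus the urn:ietf:params:acme:error:<type> suffix
# (unauthorized, rateLimited, ...).
ERROR_RE = re.compile(r'acme: error: (\d{3}) :: .*?urn:ietf:params:acme:error:(\w+)')
# What the CA actually read from DNS for the dns-01 challenge, and at which name.
TXT_RE = re.compile(r'Incorrect TXT record \\"([^\\"]*)\\" found at (\S+?),')


@dataclass
class AcmeFailure:
    timestamp: str
    domains: str
    status: int
    error_type: str
    dns_name: Optional[str] = None
    found_txt: Optional[str] = None

    def advice(self) -> str:
        """Remediation matching what the thread found for each error type."""
        if self.error_type == "unauthorized" and self.dns_name:
            return (f"Let's Encrypt read TXT {self.found_txt!r} at {self.dns_name}, "
                    f"not the value Traefik just published: typically a leftover "
                    f"record from an earlier attempt (or one not yet propagated). "
                    f"Delete every TXT record at {self.dns_name} in the DNS provider, "
                    f"confirm with 'dig +short TXT {self.dns_name}' that it is gone, "
                    f"then redeploy once.")
        if self.error_type == "rateLimited":
            return ("Let's Encrypt refused to create the order because this exact "
                    "domain set was issued too often; every redeploy that succeeds "
                    "spends the duplicate-certificate allowance. Stop redeploying and "
                    "retry after the window described at "
                    "https://letsencrypt.org/docs/rate-limits/.")
        return "Unclassified ACME error; read the full Traefik container log."


def parse_acme_failures(log_text: str) -> List[AcmeFailure]:
    """Pick the ACME certificate failures out of a Traefik log."""
    failures: List[AcmeFailure] = []
    for line in log_text.splitlines():
        if "level=error" not in line or "Unable to obtain ACME certificate" not in line:
            continue
        ts, dom, err = TIMESTAMP_RE.search(line), DOMAINS_RE.search(line), ERROR_RE.search(line)
        if not (ts and dom and err):
            continue  # an ACME error we do not know how to classify
        failure = AcmeFailure(ts.group(1), dom.group(1), int(err.group(1)), err.group(2))
        txt = TXT_RE.search(line)
        if txt:
            failure.found_txt, failure.dns_name = txt.group(1), txt.group(2)
        failures.append(failure)
    return failures


if __name__ == "__main__":
    for failure in parse_acme_failures(SAMPLE_LOG):
        print(f"{failure.timestamp} {failure.domains}: {failure.status} {failure.error_type}")
        print("  ->", failure.advice())
```

Feed it the container log from Portainer instead of `SAMPLE_LOG` and the last entry tells you which of the two situations you are in. A found value of `""` (the "null value" record nickel01 saw after a failed deploy) is reported the same way as a stale token: it is still a record Let's Encrypt will read before the fresh one.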
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,112
That was the problem I normally ran into. For PGX, I'm updating it to Traefik 2.2 and hopefully most of those issues go away. It's basically Traefik talking to GoDaddy and checking if it's able to write a file. If it's unable to, that's why the error.
 

ramir0

Noobz
Apr 14, 2019
2
0
Have the same problem. So, Admin9705, your solution is to update Traefik to the latest version (2.2) and that should solve the problem by then being able to talk to GoDaddy?
Many thanks for your answer!
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,112
No. In PGX I'm putting more checkers to see why it's failing. For example, it runs a dig command to make sure you have the correct IP address pointing. I couldn't tell you why in this case. I just ran GoDaddy with 1.7 and it works fine. Normally it's a bad API key or failing to point the domain to your IP. Or a domain typo.
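Admin9705 describes the checks PGX runs before a deploy: a dig to confirm the domain points at the right IP, plus catching a bad API key or a domain typo. Below is an added example of that pre-deploy check written in Python; it is not PGX's or PlexGuide's code. It resolves the apex and a throwaway label under the wildcard with the standard-library resolver, reads `_acme-challenge.<domain>` with `dig +short TXT` (assumed to be installed) to catch the leftover record behind the 403 earlier in the thread, and returns a findings dict. The two resolver functions are injectable so the logic can be exercised offline; the `acme-probe-check` label and the 203.0.113.10 address are constructed placeholders.

```python
import socket
import subprocess
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def resolve_a_stdlib(name: str) -> List[str]:
    """IPv4 A records for a name via the system resolver (stdlib only)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN / no record: the "domain typo" case
    return sorted({info[4][0] for info in infos})


def resolve_txt_dig(name: str) -> List[str]:
    """TXT records via `dig +short TXT` (assumes dig is installed).

    An empty-string record, the "null value" TXT nickel01 saw after a failed
    deploy, comes back from dig as "" and is kept as '' so it still counts as
    a leftover record.
    """
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, check=False)
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def predeploy_checks(domain: str, expected_ip: str,
                     resolve_a: Resolver = resolve_a_stdlib,
                     resolve_txt: Resolver = resolve_txt_dig,
                     wildcard_probe: str = "acme-probe-check") -> Dict[str, str]:
    """DNS-side checks to run before hitting deploy again.

    Values starting with "ok" passed; anything else is a finding to fix first.
    """
    findings: Dict[str, str] = {}

    # 1. The @ record must point at this server ("failing to point domain to your ip").
    apex = resolve_a(domain)
    findings["apex_a"] = ("ok" if apex == [expected_ip] else
                          f"FAIL: {domain} resolves to {apex or 'nothing'}, expected {expected_ip}")

    # 2. The * record is checked by resolving a throwaway label under it.
    probe_name = f"{wildcard_probe}.{domain}"
    probe = resolve_a(probe_name)
    findings["wildcard_a"] = ("ok" if probe == [expected_ip] else
                              f"FAIL: wildcard probe {probe_name} resolves to "
                              f"{probe or 'nothing'}, expected {expected_ip}")

    # 3. Before a fresh dns-01 run, _acme-challenge should hold nothing: a
    #    leftover record from an earlier attempt is typically what Let's Encrypt
    #    reports as "Incorrect TXT record ... found at _acme-challenge.<domain>".
    challenge_name = f"_acme-challenge.{domain}"
    stale = resolve_txt(challenge_name)
    findings["acme_txt"] = ("ok: no leftover record" if not stale else
                            f"FAIL: {len(stale)} leftover TXT record(s) at {challenge_name}: "
                            f"{stale!r}; delete them in the DNS provider before redeploying")
    return findings


def all_ok(findings: Dict[str, str]) -> bool:
    """True when every check passed."""
    return all(v.startswith("ok") for v in findings.values())


if __name__ == "__main__":
    import sys
    # usage: python predeploy_check.py mydomain.com 203.0.113.10
    result = predeploy_checks(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key:12s} {value}")
    sys.exit(0 if all_ok(result) else 1)
```

A bad GoDaddy API key is not visible from DNS; the sign of it is that Traefik never manages to create the TXT record at all during a deploy (nickel01 could see the record appear, which is why the key was not the culprit there). A `_acme-challenge` name that already carries a value before you deploy points at cleanup instead.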
 

nickel01

Citizen+
Original poster
Feb 6, 2019
17
0
Is it possible that PGShield is getting in the way somehow? With the new/myother domain I get the error noted above, and with mydomain (the original) I'm getting the "too many" Let's Encrypt issue.

BUT

I noticed that if I go to portainer.mydomain.com when Traefik is INCORRECTLY DEPLOYED I am getting the browser phishing scam error: NET::ERR_CERT_AUTHORITY_INVALID. If I force it to proceed I can still hit the subdomains.

Totally puzzled at this point.
 

bodgeup

Experienced
Staff
FreeLancer
Donor
Aug 12, 2018
99
33
see my post here!
 

ramir0

Noobz
Apr 14, 2019
2
0
Hello everyone, I still have the issue that I can't get the ACME certificate with PG. I read a few posts about the issue that Cloudflare banned those free TLD domain suffixes, but I use a .CH domain and GoDaddy, so that should not be the problem, right? Do you guys have any other idea what the problem could be? I have been trying to solve this since March. It worked for a year. Did a full reinstallation of my VM, but that didn't help. Have the wildcard, correct IP, key and secret set.

Very thankful for any support here.
 

bodgeup

Experienced
Staff
FreeLancer
Donor
Aug 12, 2018
99
33
What firewall is in front of your instance? Generally, if it's just cert probs and you're sure the API is set up correctly (API creds, e.g.), it's a firewall blocking the API in some manner. Also, have you checked your TLD URL and app URLs in an InPrivate browser session to make sure your browser cache isn't the issue, as certs can get cached? Also check both URLs, as one may have a valid cert whereas the other has the default Traefik cert. You mentioned your DNS is GoDaddy, so can I assume you're only using GoDaddy for DNS hosting? Lastly, what are your Traefik container logs telling you? Personally, I've found that once you have done a Traefik deployment you really need to reboot your server to work out the cert bugs here and there, plus the ACME cert bot is on a CRON task so it will retry the cert request on startup. I've seen this on my own instance: Traefik deploys, but incorrectly, so a reboot fixes the "incorrectly" part sometimes. But whatever you do, don't keep hitting the Traefik Deploy option, as you only need to deploy once; then rebooting will restart the bots.

Just from my experience......
 
