My goal is to be able to obtain certificates for "internal" domains using traefik. By "internal", I mean there is no public A record. For this reason, I won't be able to use the HTTP challenge offered by Let's Encrypt. Therefore, I am trying to configure traefik's certresolver to use the dns01 challenge.
What I have achieved so far:
- bind is configured to accept dynamic updates using the key traefik-key
- adding and removing TXT records using the key mentioned above with nsupdate works
What does not work:
- traefik is not able to successfully request a certificate:
[WARN] [sub.example.com] acme: cleaning up failed: rfc2136: failed to remove: DNS update failed: dns: bad signature "
Enabling the dns01 challenge should be easy:

certificatesResolvers:
  myresolver:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme.json
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: rfc2136
These environment variables are set within the traefik container (the key is obviously not the real one):
RFC2136_NAMESERVER=ns1.example.com
RFC2136_TSIG_ALGORITHM=hmac-sha256.
RFC2136_TSIG_KEY=traefik-key
RFC2136_TSIG_SECRET=GWyS8tTnqO2idhxXnC8Vtc+tY5cMaKA/9RLpSlMeqKM=
What is the matter with my configuration? Do I maybe still need an A record?
Bad signature sounds like an issue with TSIG, but I can't find it, and as already mentioned, the key/secret combination works with nsupdate.
Not to mention, there isn't any entry in the nameserver's log about a successful or failed attempt to add a TXT record. Only when I omit the TSIG configuration does it return the status NOTIMP instead of the message above.
Thank you for your help!
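For readers trying to pin down where a TSIG "bad signature" comes from, the following added example (not code from the post, traefik, lego or BIND) shows what both ends of an RFC 2136 update actually compute. The TSIG MAC (RFC 8945) is an HMAC over the whole request plus the key name, algorithm name, timestamp and fudge; the server recomputes it with its own copy of the secret and answers BADKEY if the key name or algorithm is unknown and BADSIG if the MAC differs. The server's reply is signed the same way, except that the request MAC is prefixed to the digested bytes, so a client that verifies the reply with the wrong secret, or without chaining the request MAC, also sees a bad signature. The wording "dns: bad signature" is the error the Go DNS library underneath traefik's ACME client reports when a TSIG MAC does not verify on a message it receives. The zone, owner name, key name and secret bytes below are constructed sample values; the secret is the raw bytes that RFC2136_TSIG_SECRET would carry base64-encoded.

```python
"""Pure-Python TSIG (RFC 8945) signing and verification of a DNS UPDATE.

Added example, not code from the post, traefik, lego or BIND.  Names are
handled without compression pointers, which is enough to show the MAC
construction; real servers additionally check the timestamp against fudge.
"""
import hashlib
import hmac
import struct
import time

TYPE_SOA, TYPE_TXT, TYPE_TSIG = 6, 16, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}


def norm(name):
    """Canonical form used for key and algorithm names: lowercase, trailing dot."""
    return name.lower().rstrip(".") + "."


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (lowercased)."""
    wire = b""
    for label in norm(name).rstrip(".").split("."):
        if label:
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def decode_name(wire, off):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        n = wire[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(wire[off:off + n].decode("ascii"))
        off += n


def build_txt_update(zone, owner, txt, msg_id=0x1234):
    """Unsigned DNS UPDATE adding one TXT record (what a dns-01 client sends)."""
    header = struct.pack(">HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    rdata = struct.pack("B", len(txt)) + txt.encode("ascii")
    rr = encode_name(owner) + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + zone_sec + rr


def build_response(request):
    """Server reply to an UPDATE: same id, QR bit set, zone section echoed, NOERROR."""
    msg_id = struct.unpack(">H", request[:2])[0]
    _, end = decode_name(request, 12)
    return struct.pack(">HHHHHH", msg_id, 0xA800, 1, 0, 0, 0) + request[12:end + 4]


def _digest_input(msg_without_tsig, key_name, algorithm, time_signed, fudge, request_mac):
    """Bytes the HMAC covers: [request MAC] + message + TSIG variables."""
    prefix = struct.pack(">H", len(request_mac)) + request_mac if request_mac else b""
    tsig_vars = (encode_name(key_name) + struct.pack(">HI", CLASS_ANY, 0)
                 + encode_name(algorithm)
                 + struct.pack(">HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack(">HHH", fudge, 0, 0))  # error = 0, other len = 0
    return prefix + msg_without_tsig + tsig_vars


def tsig_sign(msg, key_name, secret, algorithm="hmac-sha256.", time_signed=None,
              fudge=300, request_mac=b""):
    """Append a TSIG RR to msg; return (signed_wire, mac). mac is chained into replies."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    data = _digest_input(msg, key_name, algorithm, time_signed, fudge, request_mac)
    mac = hmac.new(secret, data, ALGORITHMS[norm(algorithm)]).digest()
    msg_id = struct.unpack(">H", msg[:2])[0]
    rdata = (encode_name(algorithm)
             + struct.pack(">HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack(">HH", fudge, len(mac)) + mac
             + struct.pack(">HHH", msg_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack(">HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig_rr, mac


def tsig_verify(wire, keyring, request_mac=b""):
    """Receiver-side check. Returns NOERROR, BADKEY, BADSIG or UNSIGNED."""
    keys = {norm(k): v for k, v in keyring.items()}
    counts = struct.unpack(">HHHH", wire[4:12])
    off = 12
    for _ in range(counts[0]):                 # zone/question entries: name, type, class
        _, off = decode_name(wire, off)
        off += 4
    rr_start, rtype, rdata_off = None, None, None
    for _ in range(sum(counts[1:])):           # remaining RRs; TSIG must be the last one
        rr_start = off
        name, off = decode_name(wire, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", wire[off:off + 10])
        rdata_off = off + 10
        off = rdata_off + rdlen
    if rtype != TYPE_TSIG:
        return "UNSIGNED"
    algorithm, p = decode_name(wire, rdata_off)
    ts_hi, ts_lo, fudge, mac_len = struct.unpack(">HIHH", wire[p:p + 10])
    mac = wire[p + 10:p + 10 + mac_len]
    secret, digestmod = keys.get(norm(name)), ALGORITHMS.get(norm(algorithm))
    if secret is None or digestmod is None:
        return "BADKEY"
    # Message as it was before the TSIG RR was appended: ARCOUNT decremented, RR removed.
    msg_without_tsig = wire[:10] + struct.pack(">H", counts[3] - 1) + wire[12:rr_start]
    data = _digest_input(msg_without_tsig, name, algorithm, (ts_hi << 32) | ts_lo, fudge, request_mac)
    expected = hmac.new(secret, data, digestmod).digest()
    return "NOERROR" if hmac.compare_digest(mac, expected) else "BADSIG"


def demo():
    """Sign one update with a constructed key and verify it under several mismatches."""
    zone, key_name = "example.com.", "traefik-key"           # constructed sample values
    secret, wrong = b"sample-secret-not-a-real-key", b"some-other-secret"
    request = build_txt_update(zone, "_acme-challenge.sub.example.com.", "constructed-token")
    signed, req_mac = tsig_sign(request, key_name, secret, "hmac-sha256.", time_signed=1_700_000_000)
    results = {
        "correct_key": tsig_verify(signed, {key_name: secret}),
        "wrong_secret": tsig_verify(signed, {key_name: wrong}),       # server: BADSIG
        "unknown_key_name": tsig_verify(signed, {"other-key": secret}),  # server: BADKEY
        "unsigned": tsig_verify(request, {key_name: secret}),
    }
    reply, _ = tsig_sign(build_response(request), key_name, secret, "hmac-sha256.",
                         time_signed=1_700_000_001, request_mac=req_mac)
    results["reply_ok"] = tsig_verify(reply, {key_name: secret}, request_mac=req_mac)
    results["reply_without_request_mac"] = tsig_verify(reply, {key_name: secret})  # client: BADSIG
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The cases in demo() are the ones worth comparing against a failing setup: the key name is part of the digest and of the keyring lookup, so the name in RFC2136_TSIG_KEY has to match the key statement in named.conf exactly (case and trailing dot are normalised, but nothing else is), and the algorithm name in RFC2136_TSIG_ALGORITHM has to match the algorithm the server has for that key, because a secret that is correct for hmac-sha256 still yields a different MAC under another algorithm.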