Traefik on Synology: LetsEncrypt says it has DNS issues but the certificate file looks valid

My current network:

Router         - 192.168.1.1   (static)
Windows PC     - 192.168.1.10  (static)
Synology NAS   - 192.168.1.11  (static)
DockerPihole   - 192.168.1.12  (macvlan-static)
DockerUnbound  - 192.168.1.13  (macvlan-static)
DockerTraefik  - 192.168.1.14  (macvlan-static)

Docker Bridge Network (For Traefik to work)

DockerTraefik  - 192.168.10.2  (bridge-static)
DockerNginx1   - 192.168.10.10 (bridge-static)
DockerNginx2   - 192.168.10.20 (bridge-static)
  • I'm running Docker on my Synology NAS
  • I'm running DNS on my Synology NAS (the built-in DNS app). Pi-Hole, Unbound, and Traefik are running in a shared macvlan.
  • I created a bridge network for Traefik to connect to each container.
  • I'm configuring Labels on each container's stack in portainer to handle the Traefik configuration.
  • I'm trying to follow the tutorial here https://youtu.be/wLrmmh1eI94 but this was not on a Synology so it's slightly different.
  • Although I do own the domain I'm trying to use, my understanding is that it shouldn't be necessary as long as I can point to my Synology DNS server which handles that domain.

The main difference is that the Synology is already using 80 and 443, so my solution was to put Traefik in a macvlan so I didn't have port conflicts.

I got most everything working but I'm having trouble figuring out this one (hopefully last) thing. In the Traefik logs I can see that letsencrypt.org is having problems with my DNS.

Here's the error from the log:

level=error
msg=Unable to obtain ACME certificate for domains "nginx2.mydomain.com": 
    unable to generate a certificate for the domains [nginx2.mydomain.com]:
error: one or more domains had a problem:
      [nginx2.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nginx2.mydomain.com
      - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for nginx2.mydomain.com
      - check that a DNS record exists for this domain
providerName=staging.acme
routerName=nginx2@docker
rule=Host(`nginx2.mydomain.com`)
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory

I've set up the DNS in the Synology and have my router set to use the Synology as my first DNS server. When I ping nginx2.mydomain.com from my PC, it returns the IP of the DockerTraefik container, 192.168.1.14. I believe this is the correct behavior.

Also, when I look in my acme.json file (which was empty), I see that it has been populated with a certificate that says "status": "valid" (staging for now, production is empty). I believe this is the correct behavior.

I'm not sure what I'm missing but when I browse to nginx2.mydomain.com the certificate in the browser says

Issued to: TRAEFIK DEFAULT CERT Issued by: TRAEFIK DEFAULT CERT

I'm expecting it to say: Issued to: nginx2.mydomain.com Issued by: (STAGING)...

Here are my goals:

  1. (done) Access my Docker containers by name. ex: nginx.mydomain.com
  2. (done) Access my Docker containers without DNS (in case of issues). ex: 192.168.1.14:10080
  3. Browser says "secure" when I access my containers by name.
  4. I may want to expose one or two of them externally later so keeping that option easily available is key but ATM I plan to use a VPN for everything.

Problems I've solved so far:

  1. I can't give Traefik direct access to 80/443 because the NAS is using those ports.
    • I put Traefik in a macvlan network
  2. Containers couldn't ping their parent
    • By adding ports to the stack (ex: "ports:" with "- 180:80" and "- 1443") it allowed me to access the container directly with DNS (goal #2) and also fixed the ping issue to the parent.
Your hostname needs to be resolvable *by letsencrypt*. From your description here it sounds like that's not the case.
I had to create a macvlan for Traefik because I'm running Docker on my Synology (80 and 443 are already used). I think what's compounding my problem is that I'm also using the Synology as my DNS server. I've tried everything I can find and I can't seem to come up with a way to get Traefik to ping the Synology again, which is both the Docker host and the DNS server. I keep getting an error from letsencrypt that it can't find the domain, which makes sense because I can't ping the DNS server from Traefik. (Or at least I think that's what the problem is.) Any help would be greatly appreciated.
The hostname needs to be *globally* resolvable (that is, by anyone on the internet). This doesn't have anything to do with Traefik; this is how LetsEncrypt operates -- the LetsEncrypt servers need to be able to translate your hostname into an IP address in order to connect and verify the HTTP challenge.
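As an added example (not from the question or the commenters), a small Python triage script that parses the Traefik ACME error shown above, pulls out the ACME error type, the affected domains and the record lookups that failed, and maps the error type to the prerequisite the CA is checking (interpretation of error types follows RFC 8555; the sample log line is the question's error collapsed onto one line, and its logfmt layout is an assumption).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the question's Traefik error collapsed onto one logfmt line.
SAMPLE_LOG = (
    'level=error msg="Unable to obtain ACME certificate for domains \\"nginx2.mydomain.com\\": '
    'unable to generate a certificate for the domains [nginx2.mydomain.com]: '
    'error: one or more domains had a problem: [nginx2.mydomain.com] acme: error: 400 :: '
    'urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nginx2.mydomain.com '
    '- check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for '
    'nginx2.mydomain.com - check that a DNS record exists for this domain" '
    'providerName=staging.acme routerName=nginx2@docker '
    'ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory'
)

ACME_ERROR_RE = re.compile(r"urn:ietf:params:acme:error:(\w+)")
LOOKUP_RE = re.compile(r"NXDOMAIN looking up (A|AAAA) for (\S+)")
DOMAINS_RE = re.compile(r"for the domains \[([^\]]+)\]")
CA_RE = re.compile(r"ACME CA=(\S+)")

# What the CA was unable to verify, per ACME error type (RFC 8555, section 6.7).
PREREQUISITE = {
    "dns": "hostname must resolve on the public internet, not only on the LAN resolver",
    "connection": "the CA must reach the resolved address on port 80/443 from outside",
    "unauthorized": "the challenge response served did not match the token the CA expected",
}

@dataclass
class AcmeFailure:
    domains: list
    error_type: str
    missing_records: dict = field(default_factory=dict)  # name -> record types not found
    staging: bool = False
    prerequisite: str = ""

def parse_acme_failure(line):
    """Return None for lines without an ACME error URN, else a structured AcmeFailure."""
    err = ACME_ERROR_RE.search(line)
    if not err:
        return None
    domains_m = DOMAINS_RE.search(line)
    domains = [d.strip() for d in domains_m.group(1).split(",")] if domains_m else []
    missing = {}
    for rtype, name in LOOKUP_RE.findall(line):
        missing.setdefault(name, []).append(rtype)
    ca = CA_RE.search(line)
    staging = bool(ca and "staging" in ca.group(1))
    etype = err.group(1)
    return AcmeFailure(domains, etype, missing, staging, PREREQUISITE.get(etype, "see RFC 8555 error list"))
```

Run over the Traefik log, the "dns" result for nginx2.mydomain.com with both A and AAAA missing is exactly the split-horizon situation described in the comment above: the LAN resolver answers, the public one does not.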