
I'm trying to set up Traefik for https, in docker. But I get the error:

traefik | time="2020-07-10T11:33:46Z" level=error msg="Unable to obtain ACME certificate for domains "my.domain.com": unable to generate a certificate for the domains [my.domain.com]: error: one or more domains had a problem:\n[my.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Missing acmeValidationV1 extension., url: \n" routerName=project_name@docker rule="Host(my.domain.com)" providerName=myresolver.acme

I have looked for solutions by searching on the terms "Incorrect validation certificate for tls-alpn-01 challenge" and "Missing acmeValidationV1 extension" but haven't been able to find anything that solves my problem.

Here is the complete docker-compose file:

version: "3"

services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:8082"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=me@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "8082:8082"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  project_name:
    container_name: project_name
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - ./:/app
    command: sh -c "uvicorn src.main:app --host=0.0.0.0 --port=8000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.project_name.rule=Host(`my.domain.com`)"
      - "traefik.http.routers.project_name.entrypoints=websecure"
      - "traefik.http.routers.project_name.tls.certresolver=myresolver"
      - "traefik.http.services.project_name.loadbalancer.server.port=8000"

2 Answers


I am not using Traefik, but I received the "Missing acmeValidationV1 extension" error with my acme-tls/1 client.

The workaround I found was to configure my web server with MaxProtocol "TLSv1.2" (effectively disabling "TLSv1.3").

In TLSv1.3, the certificate extensions are sent in Encrypted Extensions.

I have not yet worked out what piece(s) of the chain is not handling this well. (Let's Encrypt or the dehydrated client or my webserver or the underlying TLS library)

[Edit] After renewal, forced renewal (dehydrated -x) now works with TLSv1.3 (?!). My original certificate had expired, if that makes any difference.

[Edit] It appears that validation was not being forced. With dehydrated -x --force-validation I found that I was still testing against --ca letsencrypt-test. After using the simple responder at https://github.com/dehydrated-io/dehydrated/blob/master/docs/tls-alpn.md instead of my own acme-tls/1 ALPN responder, my own acme-tls/1 ALPN responder also works with forced validation. ... I am not certain why things are now working, but figured I would update this post with alternatives that others can try.

gstrauss


New answer: If you turn on additional trace, you might find (as I did) that the "Missing acmeValidationV1 extension" is due to the app responding to the TLS-ALPN-01 (ALPN "acme-tls/1") request with the wrong certificate, instead of sending the generated ACME challenge certificate containing the id-pe-acmeIdentifier extension.

gstrauss
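As an added example (not from either answer, and not Traefik's or lego's own code), the following Go program builds the challenge certificate a TLS-ALPN-01 responder has to serve for ALPN "acme-tls/1" and applies the CA-side checks from RFC 8737 to whatever certificate was presented, so a certificate without the id-pe-acmeIdentifier extension fails with the same condition the question's log reports. The domain and the key authorization value are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-acmeIdentifier (RFC 8737): the "acmeValidationV1" extension the CA looks for.
var oidAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
// buildValidationCert returns, as DER, the self-signed cert a TLS-ALPN-01 responder must serve
// for ALPN "acme-tls/1": one SAN equal to domain, plus a critical acmeIdentifier extension.
func buildValidationCert(domain, keyAuth string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	value, _ := asn1.Marshal(digest[:]) // extension value: SHA-256(key authorization) as OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidAcmeIdentifier, Critical: true, Value: value}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
// checkValidationCert applies the CA-side rules to the certificate actually presented; its last error is the question's.
func checkValidationCert(cert *x509.Certificate, domain, keyAuth string) error {
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("SAN %v does not match %q", cert.DNSNames, domain)
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAcmeIdentifier) {
			var got []byte
			_, err := asn1.Unmarshal(ext.Value, &got)
			if !ext.Critical || err != nil || string(got) != string(want[:]) {
				return fmt.Errorf("acmeIdentifier must be critical and hold SHA-256 of the key authorization")
			}
			return nil // the certificate is a valid TLS-ALPN-01 response
		}
	}
	return fmt.Errorf("missing acmeValidationV1 (id-pe-acmeIdentifier) extension")
}
```

To check a live listener the way the CA does, dial it with crypto/tls using a Config whose NextProtos is only "acme-tls/1" and InsecureSkipVerify set (the challenge certificate is self-signed), confirm NegotiatedProtocol is "acme-tls/1", and pass ConnectionState().PeerCertificates[0] to checkValidationCert; a reverse proxy answering with its ordinary serving certificate, as the second answer describes, fails on the final check.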