error on letsencrypt certificate renewal #4599

Closed
masavini opened this issue Sep 25, 2023 · 4 comments
@masavini
Contributor

Hi,
My website has been running fine on HTTPS for almost 3 months, but I just found out that the certificate is about to expire and Traefik is not able to renew it.

The Docker logs show this error:

time="2023-09-24T15:48:59Z" level=error msg="Error renewing certificate from LE: {app.pintable.it []}, error: one or more domains had a problem:\n[app.pintable.it] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 79.11.135.62: Fetching http://app.pintable.it/.well-known/acme-challenge/8jpbQOhaOQ8j0t1-c5tOjXmKrPY0a6VK9mhyy_CmpUw: Error getting validation data, url: \n" providerName=letsencrypt.acme

The Traefik container was set up using the cookiecutter-django template. This is my Docker Compose configuration:

  traefik:
    build:
      context: .
      dockerfile: ./compose/production/traefik/Dockerfile
    image: pintable_production_traefik
    depends_on:
      - django
    volumes:
      - production_traefik:/etc/traefik/acme
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"

And this is the Traefik configuration file:

log:
  level: INFO

entryPoints:
  web:
    # http
    address: ":80"
    http:
      # https://docs.traefik.io/routing/entrypoints/#entrypoint
      redirections:
        entryPoint:
          to: web-secure

  web-secure:
    # https
    address: ":443"

certificatesResolvers:
  letsencrypt:
    # https://docs.traefik.io/master/https/acme/#lets-encrypt
    acme:
      email: "[email protected]"
      storage: /etc/traefik/acme/acme.json
      # https://docs.traefik.io/master/https/acme/#httpchallenge
      httpChallenge:
        entryPoint: web

http:
  routers:
    web-secure-router:
      rule: "Host(`app.pintable.it`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        # https://docs.traefik.io/master/routing/routers/#certresolver
        certResolver: letsencrypt

    web-media-router:
      rule: "Host(`app.pintable.it`) && PathPrefix(`/media/`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django-media
      tls:
        certResolver: letsencrypt

  middlewares:
    csrf:
      # https://docs.traefik.io/master/middlewares/headers/#hostsproxyheaders
      # https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
      headers:
        hostsProxyHeaders: ["X-CSRFToken"]

  services:
    django:
      loadBalancer:
        servers:
          - url: http://django:5000

    django-media:
      loadBalancer:
        servers:
          - url: http://nginx:80

providers:
  # https://docs.traefik.io/master/providers/file/
  file:
    filename: /etc/traefik/traefik.yml
    watch: true

Can you please help me address this issue?
Thanks

@masavini masavini added the bug label Sep 25, 2023
@JamesParrott

JamesParrott commented Sep 29, 2023

Double check your IP address is correct. It's probably just a connection issue.

There are thousands of hits for the same error message (acme: error: 400 :: urn:ietf:params:acme:error:connection). https://www.google.com/search?q=acme%3A+error%3A+400+%3A%3A+urn%3Aietf%3Aparams%3Aacme%3Aerror%3Aconnection

Just a heads up - change to Let's Encrypt staging before carrying out more than a couple of iterations, to avoid hitting Let's Encrypt's rate limit.

It's a little trickier to set up the kid and hmacEncoded values under eab in traefik.yml (I unfortunately had to resort to hard coding them and committing them - I'd love to know if anyone can get Traefik to read env variables).

But I've found using ZeroSSL for ACME certs far less troublesome than Let's Encrypt:

@masavini
Contributor Author

Hi, thanks for your reply.
The IP is right. Here is the curl output:

$ curl -v https://app.pintable.it
*   Trying 79.11.135.62:443...
* Connected to app.pintable.it (79.11.135.62) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=app.pintable.it
*  start date: Jul  4 14:03:24 2023 GMT
*  expire date: Oct  2 14:03:23 2023 GMT
*  subjectAltName: host "app.pintable.it" matched cert's "app.pintable.it"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app.pintable.it/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app.pintable.it]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.3.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: app.pintable.it
> User-Agent: curl/8.3.0
> Accept: */*
> 
< HTTP/2 302 
< content-language: en
< content-type: text/html; charset=utf-8
< cross-origin-opener-policy: same-origin
< date: Fri, 29 Sep 2023 12:22:55 GMT
< location: /accounts/login/?next=/
< referrer-policy: origin
< server: gunicorn
< strict-transport-security: max-age=60; includeSubDomains; preload
< vary: Accept-Language, Cookie
< x-content-type-options: nosniff
< x-frame-options: DENY
< content-length: 0
< 
* Connection #0 to host app.pintable.it left intact

@masavini
Contributor Author

masavini commented Sep 29, 2023

My BAD!!
A few weeks ago I had to replace the router and I forgot to reopen port 80...
Opened the port, restarted the container, and the certificate was properly renewed.
Thanks for your help!
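
A small triage helper, added here as an example (it is not part of this issue, of Traefik or of cookiecutter-django): it pulls the domain, status and RFC 8555 error type out of a Traefik ACME log line like the one in the first post, maps the type to the first thing to check (for this thread's `connection` error, that port 80 actually reaches the `web` entrypoint), and reads the days left from the `expire date` line of the `curl -v` output above. The sample log and curl lines are constructed from the values quoted in this issue, and the hint wording is my own.

```python
import re
from datetime import datetime, timezone

# Sample inputs constructed from the values quoted in this issue, not captured live.
SAMPLE_LOG = (
    'time="2023-09-24T15:48:59Z" level=error msg="Error renewing certificate from LE: '
    '{app.pintable.it []}, error: one or more domains had a problem:\\n[app.pintable.it] '
    'acme: error: 400 :: urn:ietf:params:acme:error:connection :: 79.11.135.62: Fetching '
    'http://app.pintable.it/.well-known/acme-challenge/8jpbQOhaOQ8j0t1-c5tOjXmKrPY0a6VK9mhyy_CmpUw: '
    'Error getting validation data, url: \\n" providerName=letsencrypt.acme'
)
SAMPLE_CURL = "*  expire date: Oct  2 14:03:23 2023 GMT\n*  issuer: C=US; O=Let's Encrypt; CN=R3"
REFERENCE_NOW = datetime(2023, 9, 29, 12, 22, 55, tzinfo=timezone.utc)  # date of the curl run

# RFC 8555 error types -> first thing to check (hint wording is this example's own).
HINTS = {
    "connection": "CA could not reach the challenge URL: check that port 80 is forwarded "
                  "(router NAT, firewall) and lands on the 'web' entrypoint",
    "dns": "name does not resolve as expected: check the A/AAAA record",
    "unauthorized": "challenge answer mismatch: something else may be serving port 80",
    "rateLimited": "rate limit hit: use the staging CA until the setup works",
}
ACME_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d+) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*?)(?:\\n|$)"
)
URL_RE = re.compile(r"https?://\S+?/\.well-known/acme-challenge/[\w-]+")

def parse_acme_failure(line):
    """Domain, status, ACME error type, challenge URL and hint from one Traefik log line."""
    m = ACME_RE.search(line)
    if not m:
        return None                     # not an ACME failure line
    info = m.groupdict()
    info["status"] = int(info["status"])
    url = URL_RE.search(info["detail"])
    info["challenge_url"] = url.group(0) if url else None
    info["hint"] = HINTS.get(info["type"], "unhandled type; see RFC 8555 section 6.7")
    return info

def days_until_expiry(curl_output, now=None):
    """Days left on the served certificate, read from the 'expire date' line of curl -v."""
    m = re.search(r"expire date:\s+(.+?)\s+GMT", curl_output)
    if not m:
        return None
    when = " ".join(m.group(1).split())  # collapse the 'Oct  2' day padding
    exp = datetime.strptime(when, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return (exp - (now or datetime.now(timezone.utc))).days
```

Run against the thread's own log line it reports type `connection` and points at port 80, and against the curl output of Sep 29 it reports 3 days left, which is why the renewal failure was already urgent.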

@JamesParrott

JamesParrott commented Sep 29, 2023

I've messed up the ports before myself. I wish I had remembered and suggested that.

Glad you managed to fix it. Well done.
