What would be the way to best analyse why a certificate is not obtained pls?
I have “server1.domain.com” as FQDN and several sub domains such as mail.domain.com and cloud.domain.com. The subdomains HAVE obtained a correct certificate by setting the switch in the settings page of the instance. The main domain however “domain.com” is listed as not having obtained a certificate. I removed the listing (waste bin) and tried to add it again. It says obtaining… and later on NOT obtained.
Nope, that did not help. All DNS settings are like other domains on NS8 (separate) cluster and with same domain provider, nameservers etc. are all the same.
This is the error I was able to copy: (some adjustments for privacy)
{"context":{"action":"set-certificate","data":{"fqdn":"mydomain.com","sync":true},"extra":{"description":"Processing","eventId":"7f1328cf-70c6-4e6a-8145-xxxxxxxxxxxx","logs":{"instance":"traefik1","path":"?searchQuery=&context=module&selectedAppId=traefik1&followLogs=false&startDate=2024-01-05&startTime=19%3A38&autoStartSearch=true"},"title":"Request certificate for mydomain.com"},"id":"822675bb-62d1-4cde-a2a8-xxxxxxxxxxxx","parent":"","queue":"module/traefik1/tasks","timestamp":"2024-01-05T18:38:48.649476253Z","user":"admin"},"status":"aborted","progress":99,"subTasks":[],"validated":true,"result":{"error":"","exit_code":2,"file":"task/module/traefik1/822675bb-62d1-4cde-a2a8-xxxxxxxxxxxx","output":{"obtained":false}}}
They are set correctly with the domain name provider and locally. However, where does the domain name “host-26437.ns8.test” come from?
I have set all correct FQDN settings of the (single node) cluster and where required. Still, when visiting the main domain “mydomain.com” the certificate that is served is for “host-26437.ns8.test” and not for “mydomain.com”. I don’t know where this comes from or how to resolve/prevent this.
Not being an expert on NS8 (understatement!); had my fights with Let’s Encrypt myself. For me (among my stupidity) it was that NS8 tried to request a cert for its own hostname. Which I did not expect.
In the cluster-admin, if you go to Settings > TLS Certificate, does it state what you expect (i.e. the domains configured in DNS)?
I did that too several times, but did not want to exceed Let’s Encrypt’s cycles. For the life of me I can’t figure it out. I’ll DM you for some private details if I may?
Somehow it seems to be impossible to request a certificate for the main domain without specifying a host, meaning host.example.com works, example.com not.
In the log: (as this is plaintext changed the domain name to XXXX)
2024-01-10T13:22:35+01:00 [1:traefik1:traefik] time="2024-01-10T12:22:35Z" level=error msg="Unable to obtain ACME certificate for domains \"XXXX.nl\"" rule="Host(`XXXX.nl`)" providerName=acmeServer.acme error="unable to generate a certificate for the domains [XXXX.nl]: error: one or more domains had a problem:\n[XXXXX.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2a02:9e0:9000::11: Invalid response from http://XXXXX.nl/.well-known/acme-challenge/d6OBYUdxbIuh88QhRxRCy6GJdgUmgJHI78nfzRejMtg: 404\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=webserver1-XXXXX.nl-https@file
Thanks, but I did extensive tests already. It now becomes problematic, for I can not use NS8 in production due to this issue. Not blaming NS8, but other test installs did not have this issue.
At least in your case, for domain havak.nl I found both IPv4 and IPv6 records pointing to (apparently) different systems. The ACME challenge may fail for this?
sogo.havak.nl has address 82.170.191.242
havak.nl has address 82.170.191.242
havak.nl has IPv6 address 2a02:9e0:9000::11
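Added example, not part of the thread and not NS8 or Traefik code: a small Python check that pulls the address the CA actually validated out of a Traefik ACME error like the one quoted above and compares it with the addresses the server really listens on. It assumes 82.170.191.242 (from the lookups above) is the NS8 node; `diagnose` and its field names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the error field of the Traefik log line quoted in this thread
# (token shortened to TOKEN, domain already masked by the poster).
SAMPLE_LOG = (
    'error="unable to generate a certificate for the domains [XXXX.nl]: error: one or '
    'more domains had a problem:\\n[XXXX.nl] acme: error: 403 :: '
    'urn:ietf:params:acme:error:unauthorized :: 2a02:9e0:9000::11: Invalid response '
    'from http://XXXX.nl/.well-known/acme-challenge/TOKEN: 404\\n"'
)

# Shape seen in the log above:
# [domain] acme: error: <status> :: urn:...:<kind> :: <address>: Invalid response from <url>: <http>
ACME_ERR = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error: \d{3} :: "
    r"urn:ietf:params:acme:error:(?P<kind>\w+) :: "
    r"(?P<addr>[0-9A-Fa-f:.]+): Invalid response from \S+?: (?P<http>\d{3})"
)


def diagnose(log_line, server_addrs):
    """Report which address the CA validated and whether it belongs to this server."""
    m = ACME_ERR.search(log_line)
    if m is None:
        return None  # not an HTTP-01 validation failure in the expected shape
    try:
        probed = ipaddress.ip_address(m["addr"])
    except ValueError:
        return None  # captured text is not a valid IP address
    ours = {ipaddress.ip_address(a) for a in server_addrs}
    return {
        "domain": m["domain"],
        "kind": m["kind"],
        "probed": str(probed),
        # Which DNS record type led the CA to this address.
        "record": "AAAA" if probed.version == 6 else "A",
        "http_status": int(m["http"]),
        # False means the CA was answered by a different host than the one
        # running Traefik, so the challenge file could never be found there.
        "probed_is_ours": probed in ours,
    }


if __name__ == "__main__":
    # Assumption: 82.170.191.242 is the only address of the NS8 node.
    print(diagnose(SAMPLE_LOG, ["82.170.191.242"]))
```

A result with `record` set to `AAAA` and `probed_is_ours` false points at the IPv6 record: either remove it or point it at the host that runs Traefik before requesting the certificate again.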