Timeout error does not help. Any acmeCA error message from logs?
No, I don't see any new errors in logs since
This list of names is very long. Apart from nv.twr.cz, I think you can safely also remove the names for nextcloud, collabora and mattermost, because they are web applications: they define an HTTP route, and their names do not need to be requested again from the TLS certificates page with Let's Encrypt.
If Let's Encrypt requirements are met for all of those names, manually delete the redundant entries from Traefik's configuration with a simple text editor, e.g.:
runagent -m traefik1 vi configs/_default_cert.yml
Thanks, the manual deletion worked well.
So if I understand well, when in the settings of these web applications (mattermost, collabora, nextcloud…) the Let's Encrypt switch is on, I should not request their FQDN certificate in Traefik?
Great, that’s good news.
Yes, that’s correct. The apps automatically obtain their own certificate so there’s no need to request it manually.
But will it work even if some of these apps (e.g. nextcloud in my case) are intended just for intranet use and access to their respective HTTP routes is limited to the local network?
Yes, limiting the access in HTTP routes should have no impact on obtaining certificates.
I just want to add that we recently released a validation procedure fix in the TLS certificates page that now forbids doing it. It is a known problem, described here: Avoid multiple TLS certificates for the same server name · Issue #7383 · NethServer/dev · GitHub
Now many are experiencing issues with removed DNS records and stale certificates that fail to be renewed. We’ll try to reproduce and fix this new bug: TLS certificate removal blocked by NXDOMAIN · Issue #7530 · NethServer/dev · GitHub.
I think I could reproduce the issue:
- Request LE certs for one.example.com, two.example.com and three.example.com
- Create host HTTP routes using the same domains as the LE certs.
- As I used a wildcard DNS, I blocked two.example.com with Threat Shield DNS on NethSec to simulate NXDOMAIN
- Deleting the cert two.example.com isn't working
Error in UI: (Something went wrong)
<3>Timeout after about 30 seconds. Certificate not obtained for ['one.example.com', 'three.example.com']. <3>
Error in journalctl:
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [one.example.com]: error: one or more domains had a problem:\n[one.example.com] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:tls :: 1.2.3.4: remote error: tls: no application protocol\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["one.example.com"] providerName=acmeServer.acme routerName=_validation000@file rule="Host(`one.example.com`) && Path(`/_validation000`)"
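A pre-flight check for the two problems discussed in this thread: certificate names that are redundant with a web app's own HTTP route (issue #7383) and names that no longer resolve, which stall renewal or removal (issue #7530). This is an added example, not code from NethServer or Traefik; `audit_cert_names`, `NameReport` and the sample name lists are constructed for illustration, and the DNS lookup uses the system resolver.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class NameReport:
    """Outcome of auditing the names in a Traefik certificate request (hypothetical helper)."""
    redundant: list = field(default_factory=list)     # already covered by an app's HTTP route
    unresolvable: list = field(default_factory=list)  # DNS lookup fails (NXDOMAIN or similar)
    ok: list = field(default_factory=list)            # safe to keep in the certificate


def dns_resolves(name: str) -> bool:
    """True if the system resolver returns any address for `name`."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def audit_cert_names(cert_names, app_route_names, resolve=dns_resolves) -> NameReport:
    """Classify each requested certificate name before triggering an ACME request.

    Names are normalised (lower-case, no trailing dot) and de-duplicated so
    'Two.example.com.' and 'two.example.com' are treated as the same server name.
    `resolve` is injectable so the check can run offline in tests.
    """
    report = NameReport()
    covered = {n.lower().rstrip(".") for n in app_route_names}
    seen = set()
    for raw in cert_names:
        name = raw.lower().rstrip(".")
        if name in seen:
            continue
        seen.add(name)
        if name in covered:
            report.redundant.append(name)      # let the app obtain its own certificate
        elif not resolve(name):
            report.unresolvable.append(name)   # remove before the next renewal attempt
        else:
            report.ok.append(name)
    return report


if __name__ == "__main__":
    # Constructed sample: the names from the reproduction steps above plus one app route.
    rep = audit_cert_names(["one.example.com", "two.example.com", "nextcloud.example.com"],
                           ["nextcloud.example.com"])
    print(rep)
```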