Cert issues with Cloudflare & Traefik

Hello everyone, I have just set up my MIAB instance, but I’m having issues with the cert provisioning. I have other services running on my network so I use Traefik. I think this is interfering with the cert process as it redirects all traffic to HTTPS. I cannot change this without taking all my other services offline. This is the error I am getting:

“Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: *** Type: unauthorized Detail: ..*.**: Invalid response from *****/.well-known/acme-challenge/o-yFUanRteUz7RG5JBDAtnR_vE70GYUPn_GS26NaXmM: 404”

I’ve put *'s in as I cannot post links yet.

Does anyone have any ideas that could help me? I’d really appreciate it.

Are you proxying through Cloudflare?

If so, that would be unsupported and most likely will break the ability for Certbot to work.

Solution: don't proxy the DNS entries for the domain related to the mail server through Cloudflare.

Hiya,
thanks for your reply.
No, the proxy is not enabled, just DNS only. I’ll redact and post a pic.

Is this a new MIAB install? Is propagation finished? Check DNS propagation (https://www.whatsmydns.net/) and try later. I see the TTL is 1 day in the screenshot, that is 24 hours.

Thanks for your reply. It’s a fairly new install, about a week. I attach the results of that check.

I suppose you are using the External DNS option, i.e. MIAB is not managing your DNS settings.
Please read carefully which records need to be replicated on Cloudflare. Please REMOVE the DNSSEC record from your domain registrar FIRST if you have enabled it. Try to provision the certificates after the DNS has propagated, depending on the TTL on Cloudflare. Otherwise let MIAB manage your DNS settings; for this you only need 2 A records (ns1.box and ns2.box) and 2 NS records (ns1.yourdomain.com and ns2.yourdomain.com) at the registrar.

The ACME challenge only works over HTTP, so you need to remove all redirects.
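To see why a redirect or a 404 breaks this, here is an added example (not from the thread or from Mail-in-a-Box) that reproduces the webroot HTTP-01 check: it serves a constructed webroot on localhost, requests `/.well-known/acme-challenge/<token>` over plain HTTP without following redirects, the way the CA's validator does, and classifies the answer. Host, port, token names and the `KEYAUTH` body are constructed placeholders.

```python
"""Diagnose an ACME HTTP-01 (webroot) challenge path as the CA sees it.

Certbot's webroot authenticator writes a token file under
<webroot>/.well-known/acme-challenge/ and the CA fetches it over plain
HTTP on port 80. A proxy answering with a redirect to HTTPS, or a 404,
fails validation. Added example; webroot and tokens are constructed.
"""
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(base_url: str, token: str, expected_body: str) -> str:
    """Fetch the challenge URL once, never following redirects."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": u.hostname})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace").strip()
    conn.close()
    if 300 <= resp.status < 400:          # HTTPS-forcing proxy in the way
        return f"redirect -> {resp.getheader('Location')}"
    if resp.status == 404:                # the error quoted in the thread
        return "not_found"
    if resp.status == 200 and body == expected_body:
        return "ok"
    return f"unexpected {resp.status}"


def serve_webroot(webroot: str):
    """Serve `webroot` on a random localhost port; returns (base_url, server)."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv


def demo() -> dict:
    """Constructed webroot: one token file present, one missing."""
    webroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
    with open(os.path.join(webroot, CHALLENGE_DIR, "tok1"), "w") as f:
        f.write("tok1.KEYAUTH")            # certbot writes <token>.<thumbprint>
    base, srv = serve_webroot(webroot)
    try:
        return {"present": classify(base, "tok1", "tok1.KEYAUTH"),
                "missing": classify(base, "tok2", "tok2.KEYAUTH")}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

Pointing `classify()` at a real box instead of the local server shows directly whether port 80 reaches MIAB's webroot or gets swallowed by a proxy redirect.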

That is correct. I can’t let MIAB manage DNS as the ports cannot be forwarded, because ports 80 and 443 are in use for my other services (on a different domain) that run through Traefik. I have not set up DNSSEC yet.

Set up your other services in MIAB’s Custom DNS? Is this a possibility?

I’ll have a look into it. Do you think it would work, as the other services are using a different domain?

Just add the new domains via MIAB>> Users>> Add New User>> user@newdomain.com

It will update the DNS and add the new domain. Of course you need to point the domains to the MIAB IP, both A and AAAA records, at the registrar. No need for new glue records for the additional domains. Read the setup guide >> how to add multiple domains to MIAB.

Lovely, thanks very much for your help Vele. I’ll let you know how it goes.