Can't get a valid DNS for sub-domains

Hello. I’m new and learning to use the tool. I’ve followed the official Docker installation guide.

I’ve tried to run it using the Traefik docker-compose, but I had some issues with the API_KEY and API_SECRET from GoDaddy, so I decided to go with Let’s Encrypt instead; I think it’s a lot easier and faster than provider wildcards.

This is my docker-compose config:

version: "3.3"

services:
  mongodb:
    image: mongo
    restart: always
    command: "--bind_ip_all --replSet rs0"
    environment:
      - MONGO_REPLICA_SET_NAME=rs0
    volumes:
      - mongodb_data:/data/db

  mongosetup:
    image: mongo
    depends_on:
      - mongodb
    restart: "no"
    command: >
      mongosh --host mongodb:27017 --eval 
      '
      db = (new Mongo("mongodb:27017")).getDB("openflow");
      config = {
      "_id" : "rs0",
      "members" : [
        {
          "_id" : 0,
          "host" : "mongodb:27017"
        }
      ]
      };
      rs.initiate(config);
      '

  traefik:
    image: traefik:v2.5
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=xxxxx@xxxxxxx.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--log.level=DEBUG"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  rabbitmq:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rabbitmq.rule=Host(`mq.openflow.xxxxxxxxxxxxxx.com`)"
      - "traefik.http.routers.rabbitmq.entrypoints=websecure"
      - "traefik.http.routers.rabbitmq.tls.certresolver=myresolver"
      - "traefik.http.services.rabbitmq.loadbalancer.server.port=15672"
    image: rabbitmq:3-management
    restart: always

  api:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`openflow.xxxxxxxxxxxxxx.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.services.api.loadbalancer.server.port=3000"
      - "traefik.frontend.passHostHeader=true"
    image: openiap/openflow
    deploy:
      replicas: 1
    pull_policy: always
    restart: always
    depends_on:
      - rabbitmq
      - mongodb
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - auto_create_users=true
      - auto_create_domains=
      - domain=openflow.xxxxxxxxxxxxxx.com
      - protocol=https
      - agent_oidc_userinfo_endpoint=http://api:3000/oidc/me
      - agent_oidc_issuer=https://openflow.xxxxxxxxxxxxxx.com/oidc
      - agent_oidc_authorization_endpoint=https://openflow.xxxxxxxxxxxxxx.com/oidc/auth
      - agent_oidc_token_endpoint=http://api:3000/oidc/token
      - agent_docker_entrypoints=web,websecure
      - agent_docker_certresolver=myresolver
      - amqp_url=amqp://guest:guest@rabbitmq
      - mongodb_url=mongodb://mongodb:27017
      - mongodb_db=openrpa
      - aes_secret=O1itlrmA47WzxPj95YHD2sZs7IchYaQI25mQ

volumes:
  mongodb_data:
    driver: local

I was able to connect my local machine running RPA to IAP using my domain; my domain works with https, etc.

But I get these two error logs in Docker:

traefik-1     | time="2024-06-13T15:09:30Z" level=error msg="Unable to obtain ACME certificate for domains \"shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com\": unable to generate a certificate for the domains [shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com]: error: one or more domains had a problem:\n[shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com - check that a DNS record exists for this domain\n" providerName=myresolver.acme routerName=shrill-paper-43df@docker rule="Host(`shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com`)"
traefik-1     | time="2024-06-13T15:09:32Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/363459363987"
traefik-1     | time="2024-06-13T15:09:32Z" level=error msg="Unable to obtain ACME certificate for domains \"mq.openflow.xxxxxxxxxxxxxx.com\": unable to generate a certificate for the domains [mq.openflow.xxxxxxxxxxxxxx.com]: error: one or more domains had a problem:\n[mq.openflow.xxxxxxxxxxxxxx.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for mq.openflow.xxxxxxxxxxxxxx.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mq.openflow.xxxxxxxxxxxxxx.com - check that a DNS record exists for this domain\n" rule="Host(`mq.openflow.xxxxxxxxxxxxxx.com`)" providerName=myresolver.acme routerName=rabbitmq@docker

shrill-paper-43df is NodeRED.

These are my two entries in GoDaddy:

and
Any ideas?

Hey,
you created the DNS entries wrong.
You create one A record for the “api”:
openflow.XXX.com
and one for all services created as children of the main domain:
*.openflow.XXX.com

You blurred some of the images, but I THINK what you did is create

openflow.XXX.com
*.XXX.com

That is why Traefik is complaining. It cannot resolve shrill-paper-43df.openflow.xxxxxxxxxxxxxx.com and mq.openflow.xxxxxxxxxxxxxx.com.

You forgot to remove the domain in the last code block (under “But I get these two error logs in docker:”).

Thanks for the response @Allan_Zimmermann

So what I did is:
I created two new DNS settings in my domain (GoDaddy):
A → MY VPS IP (x.x.x.x) → openflow.mydomain.com (mydomain is xxxxxxxx)

CNAME → * → openflow.mydomain.com.

What is wrong in my config?

Thanks!

change * to *.openflow
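An added worked example (not code from the thread, OpenFlow or Traefik): a small model of RFC 4592 wildcard lookup run over the two record sets discussed above, showing why the wildcard at “*” leaves mq.openflow.… and the Node-RED agent host at NXDOMAIN once openflow.… has its own A record, while “*.openflow” covers them. example.com, the IP and the zone contents are constructed stand-ins for the blurred domain.

```python
import re

# Added example, not from the thread. Zone owner names, hosts and the IP below
# are constructed, with example.com standing in for the poster's blurred domain.

def _exists(zone, name):
    """A name exists if it owns records or sits above one (an empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)

def resolve(zone, name):
    """Minimal RFC 4592 lookup: exact owner match, otherwise only the wildcard
    directly under the closest encloser may synthesize. None means NXDOMAIN."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):                # walk ancestors, nearest first
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):                # this is the closest encloser
            return zone.get("*." + ancestor)       # *.<encloser> or nothing
    return None

def traefik_hosts(compose_text):
    """Collect the hostnames Traefik will request ACME certificates for."""
    return sorted(set(re.findall(r"Host\(`([^`]+)`\)", compose_text)))

def check_hosts(zone, hosts):
    """Map each router host to its record, or 'NXDOMAIN' when nothing resolves."""
    return {h: resolve(zone, h) or "NXDOMAIN" for h in hosts}

# Router rules as in the compose file, plus the Node-RED agent router from the logs.
LABELS = """
traefik.http.routers.api.rule=Host(`openflow.example.com`)
traefik.http.routers.rabbitmq.rule=Host(`mq.openflow.example.com`)
traefik.http.routers.shrill-paper-43df.rule=Host(`shrill-paper-43df.openflow.example.com`)
"""
HOSTS = traefik_hosts(LABELS)

# First attempt: A for openflow, wildcard CNAME at the apex ("*").
ZONE_WRONG = {"openflow.example.com": ("A", "203.0.113.10"),
              "*.example.com": ("CNAME", "openflow.example.com")}
# Fix from the reply: wildcard one level down ("*.openflow").
ZONE_FIXED = {"openflow.example.com": ("A", "203.0.113.10"),
              "*.openflow.example.com": ("CNAME", "openflow.example.com")}

if __name__ == "__main__":
    for tag, zone in (("wrong", ZONE_WRONG), ("fixed", ZONE_FIXED)):
        print(tag, check_hosts(zone, HOSTS))
```

The same wrong zone without the openflow A record would have matched the deeper names, which is why the apex wildcard looks fine until the explicit record is added.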


Thanks. Fixed. I got a valid SSL certificate now for nodered and mq.xxxxxxx.com (I can’t access this URL). I guess mq.xxxxxxx.com is an internal tool that the app uses but is not exposed to the internet, right?

Thanks!
