Unable to obtain ACME certificate for domains "grpc.test-openiap.testdomain.com": unable to generate a certificate for the domains [grpc.test-openiap.testdomain.com]: error: one or more domains had a problem:\n[grpc.test-openiap.testdomain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for grpc.test-openiap.testdomain.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for grpc.test-openiap.testdomain.com - check that a DNS record exists for this domain\n" providerName=myresolver.acme ACME CA=“https://acme-v02.api.letsencrypt.org/directory” routerName=grpc-router@docker rule="Host(grpc.test-openiap.testdomain.com)
What it means?, That I need to add the two reference DNS records to test-openiap.testdomain.com?
Is it the fix for the issue or are there any other steps involved to make this setup works?
I was making reference to a fix for the issue I am getting. I will follow your recommendation to make it works.
I already created the two records as explained at using-custom-domain-names, however the error message I am getting is about grpc.test-openiap.testdomain.com (seems like grpc is the prefix for the service), that’s my confusion.
I am sorry if I’m misunderstanding what you are writing. I assumed from your original post that:
You did a search and replace on localhost.openiap.io to test-openiap.testdomain.com
In the interface for you public facing DNS of testdomain.com you added test-openiap.testdomain.com pointing to the public accessible Ip of the server with docker
and *.test-openiap.testdomain.com as a CNAME pointing to test-openiap.testdomain.com.
In that case, anyone in the world should be able to resolve both test-openiap.testdomain.com and anything-you-want.test-openiap.testdomain.com
therefore grpc.test-openiap.testdomain.com should be covered by the CNAME and resolve to the public IP of your docker server.
If not, what part of the above is wrong (did you not do or did something different )?
Yes, that exactly what I should have, because I created a ticket giving the instructions to my IT team to look at the docs and setup the domains and the corresponding DNS records explicitly, that’s why I am assuming the records already exist, I will be verify with them and post here the results.
Thank you so much, you as always available to help.
Regards
Yes exactly what I was missing, we are using a DNS provider route53 in AWS, for that reason we couldn’t make it works with docker-compose-letsencrypt.yml.
I’ll setup the deployment using DNS01 challenges to solve the problem.
Thanks you so much and have a wonderful weekend,
I will post the results here.
Regards
Http01 requires a public ip and dns pointing that ip ( does not matter where dns is hosted, but must be a public domain )
Dns01 does NOT require public ip, but requires dns is hosted at a supported provider.
If you have public ip, use http01 its much simpler.
If you dont have public ip on the server, and cannot use a supported dns provider skip using https all together.
PS: route53 is supported for dns01 but i highly recommend you use http01 if you have a public ip on the server ( and port 80 and 443 open )
That’s the setup I already tested from the beginning docker-compose-letsencrypt.yml. I got the message referenced above in Traefik because the second CNAME DNS record wasn’t created correctly. I fixed that issue however now I am getting next error message:
time="2023-08-25T17:09:18Z" level=error msg="Unable to obtain ACME certificate for domains \"test-openiap.testdomain.com\": unable to generate a certificate for the domains [test-openiap.testdomain.com]: error: one or more domains had a problem:\n[test-openiap.testdomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" providerName=myresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=http-router@docker rule="Host(`test-openiap.testdomain.com`)"
We have a load balancer with a dynamic public IP. What my team and I think if that, maybe when traefik try to create the DNS certificate, more than one call to that domain is performed and a new different IP is returned each time, causing the failure in that process.
We are going to assign an static IP to the load balancer and test it again.
Notes: .testdomain.com already has a current DNS certificate, we just created a new subdomain test-openiap.testdomain.com for this setup.
Disable it. You cannot use proxy as part of the ACME negotiation for ssl certificates.
Plus, that is redundant, that is what traefik does ( being reverse proxy )
They just confirmed that Route53 doesn’t work like a Cloudflare proxy that is sitting in front of your traffic protecting it. It is just redirecting the traffic to the load balancer which sends to the server.
Then, for our current openiap setup, we are not using a proxy, but using a dynamic IP, however it doesn’t change to frequently. Sorry for the misinformation.
Then I am out of idears.
If you google “ Cannot negotiate ALPN protocol” you will find 2-3 hits on page one related to aws, all talking anout proxys or firewall policies.
If docker+traefik is published unrestricted on the internet with port 80 and 443 open, it will work out of the box.
Having dynamic ips is not an issue as long as the dns name requested resolves to the same IP as the server that it is sending the request from. So just make sure to have a very low TTL in the SOA record and for the two records pointing to the docker server ( for requesting cert it just needs to match while doing the request for the certificate(s), so once every 3 months )
Hi Alan, we finally were able to deploy Openiap https using docker-compose-letsencrypt.yml, as you told it works out of the box without any issues, we had and issue in our load balancer and environment configuration and for some reason wasn’t allowing letsencrypt create the certificate.
Thank you so much for your help and this awesome framework!
Regards