
Multiple errors / Not understanding how to use this with Traefik #366

Open
a-camacho opened this issue Oct 13, 2024 · 1 comment

Hi guys,

I'm using Traefik (latest version) with multiple services on a Debian machine with Docker Swarm.
When setting up an error page for all my Traefik routers, I would need a wildcard certificate for *.mydomain.com.

I saw that one way of doing this, keeping self-hosted, was to deploy acme-dns.

What I did:

  1. Deployed acme-dns on my Traefik stack like this:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "5443:443"
      - "5080:80"
      - "53:53/udp"
      - "53:53"
    networks:
      - traefik-public
    volumes:
      - acmedns_config:/etc/acme-dns:ro
      - acmedns_data:/var/lib/acme-dns
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.acme_dns.rule=Host(`auth.mydomain.com`)"
        - "traefik.http.routers.acme_dns.entrypoints=websecure"
        - "traefik.http.routers.acme_dns.tls=true"
        - "traefik.http.routers.acme_dns.tls.certresolver=myresolver"
        - "traefik.http.services.acme_dns.loadbalancer.server.port=80"

My acme-config is like this:

[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
# for example: listen = "127.0.0.1:53"
listen = "127.0.0.1:53"
# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both"
# domain name to serve the requests off of
domain = "auth.mydomain.com"
# zone name server
nsname = "auth.mydomain.com"
# admin email address, where @ is substituted with .
nsadmin = "myemail.me.com"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server 
    "auth.mydomain.com. A XX.XXX.XXX.22",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.mydomain.com. NS auth.mydomain.com.",
]
# debug messages from CORS etc
debug = true

[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
connection = "/var/lib/acme-dns/acme-dns.db"
# connection = "postgres://user:password@localhost/acmedns_db"

[api]
# listen ip eg. 127.0.0.1
ip = "0.0.0.0"
# disable registration endpoint
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "80"
#port = "80"

# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
#tls = "letsencryptstaging"
tls = "none"

# only used if tls = "cert"
tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = "[email protected]"
# CORS AllowOrigins, wildcards can be used
corsorigins = [
    "*"
]
# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

[logconfig]
# logging level: "error", "warning", "info" or "debug"
loglevel = "debug"
# possible values: stdout, TODO file & integrations
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"

In my Traefik container I have:

    environment:
      - "ACME_DNS_API_BASE=https://auth.mydomain.com"
      - "ACME_DNS_STORAGE_PATH=/acme-dns.json"

In my Traefik configuration I have:

  myresolver-dns:
    acme:
      email: "[email protected]"
      storage: "acme-dns.json"
      dnsChallenge:
        provider: acme-dns
        delayBeforeCheck: 0

My DNS configuration (on my host, Infomaniak.com) is:

auth            3600 IN NS    auth.mydomain.com.
_acme-challenge 3600 IN CNAME 5183ea08-6f3d-43d5-b914-9d3374d1fc03.auth.mydomain.com.

I was able to use this command to create a user:

curl -s -X POST https://auth.mydomain.com/register |python3 -m json.tool

I used those values to set up my _acme-challenge CNAME on my host DNS.

My problem is that I think I do not completely understand how this should be used.
Watching the video on https://github.com/joohoi/acme-dns, I tried to register (successfully) and then update.

When updating I got the error Forbidden.

Now when trying to even register a new user I got:

curl -s -X POST https://auth.mydomain.com/register |python3 -m json.tool
Expecting value: line 1 column 1 (char 0)

Would someone help me understand and point me in the right direction?

My objective is to use a wildcard certificate on a service declared like this:

  errors_custom:
    image: tarampampam/error-pages:latest
    restart: unless-stopped
    networks:
      - traefik-public
    environment:
      - "TEMPLATE_NAME=shuffle"
      - "SHOW_DETAILS=true"
    deploy:
      labels:
        # Traefik - CatchAll router for error handling
        - "traefik.http.routers.traefik_catchall.rule=HostRegexp(`^.+.mydomain.com$$`)"
        - "traefik.http.routers.traefik_catchall.entrypoints=websecure"
        - "traefik.http.routers.traefik_catchall.tls=true"
        - "traefik.http.routers.traefik_catchall.tls.certresolver=myresolver-dns"
        - "traefik.http.routers.gitlab.tls.domains[0].main=mydomain.com"
        - "traefik.http.routers.gitlab.tls.domains[0].sans=*.mydomain.com"
        - "traefik.http.routers.traefik_catchall.priority=1"
        - "traefik.http.services.traefik_catchall.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik_catchall.service=traefik_catchall"

Thank you very, very much (for reading this until this point at least)!
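An added example, not from the issue or the acme-dns project, that walks the register, CNAME and update steps described above and validates each one before anything is sent; the subdomain reuses the one from the issue's CNAME record, the register reply and password are constructed, and the /register and /update endpoints, X-Api-User/X-Api-Key headers and 43-character TXT rule are those documented in the acme-dns README.

```python
import json
import urllib.request

# Constructed sample of a POST /register reply (not real credentials); the
# fulldomain reuses the subdomain shown in the issue's CNAME record.
SAMPLE_REGISTER_RESPONSE = json.dumps({
    "username": "00000000-0000-4000-8000-000000000001",
    "password": "constructed-sample-password",
    "fulldomain": "5183ea08-6f3d-43d5-b914-9d3374d1fc03.auth.mydomain.com",
    "subdomain": "5183ea08-6f3d-43d5-b914-9d3374d1fc03",
})


def parse_registration(body: str) -> dict:
    """Return the /register fields, failing loudly if the reply is not the expected JSON."""
    data = json.loads(body)  # an empty or HTML reply raises here ("Expecting value")
    missing = [k for k in ("username", "password", "fulldomain", "subdomain") if k not in data]
    if missing:
        raise ValueError(f"register reply missing {missing}")
    return data


def fulldomain_matches_config(reg: dict, configured_domain: str) -> bool:
    """The [general] domain setting must be the parent of every registered fulldomain."""
    return reg["fulldomain"].endswith("." + configured_domain)


def cname_record(zone: str, reg: dict) -> str:
    """Zone-file line the host DNS needs so _acme-challenge lookups are delegated to acme-dns."""
    return f"_acme-challenge.{zone}. IN CNAME {reg['fulldomain']}."


def update_request(api_base: str, reg: dict, txt: str) -> dict:
    """Build POST /update. acme-dns answers 'forbidden' when the X-Api-User/X-Api-Key pair
    or the subdomain does not match a registration, and rejects a txt value that is not
    exactly 43 characters, so the length is checked here before sending."""
    if len(txt) != 43:
        raise ValueError(f"txt must be 43 characters, got {len(txt)}")
    return {
        "url": api_base.rstrip("/") + "/update",
        "headers": {"X-Api-User": reg["username"], "X-Api-Key": reg["password"],
                    "Content-Type": "application/json"},
        "body": json.dumps({"subdomain": reg["subdomain"], "txt": txt}).encode(),
    }


def send(req: dict) -> int:
    """POST the prepared update and return the HTTP status (network call, not used in tests)."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=10) as resp:
        return resp.status
```

Run parse_registration on the real /register output, add the printed CNAME to the host zone, and only then call send() with an update built by update_request().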


a-camacho commented Oct 13, 2024

(Note 1) I cannot create in my host DNS both:

  • NS entry: auth.mydomain.com -> auth.mydomain.com
  • CNAME entry: *.mydomain.com -> {server_public_ip}

(Note 2) The DNS auth.mydomain.com only seems to work on my network.

curl -s -X POST https://auth.mydomain.com/register works on my machine, but does not work when using curl tools online. I get the error: Could not resolve the host name. Error code: 1006
