
Problem with Wildcard Certificates

Open Akecel opened this issue 1 year ago • 3 comments

We currently use pullpreview for our preview environments and it works perfectly. We've set up HTTPS (as well as a load balancer) using Traefik to manage our multiple subdomains.

However, the limitations of Let's Encrypt can be problematic, so we've chosen to upgrade to a wildcard certificate, but I seem to be getting an error with my.pullpreview.com and I can't work out where it is coming from. Here is the error in question when Traefik tries to generate the certs:

level=error msg="[.......] error: one or more domains had a problem: [*.customdomain.com] propagation: time limit exceeded: last error: dial udp: lookup ns-0.my.pullpreview.com. on 127.0.0.11:53: no such host

We use Traefik and Route53 as providers for the DNS challenge:

            # Entrypoints configuration
            - "--entrypoints.web.address=:80"
            - "--entrypoints.websecure.address=:443"

            # Let's Encrypt configuration
            - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
            - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=route53"
            - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0"
            - "[email protected]"
            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"

            # Set up the TLS configuration for our websecure listener
            - "--entrypoints.websecure.http.tls=true"
            - "--entrypoints.websecure.http.tls.certResolver=myresolver"
            - "--entrypoints.websecure.http.tls.domains[0].main=${PULLPREVIEW_PUBLIC_DNS}"
            - "--entrypoints.websecure.http.tls.domains[0].sans=*.${PULLPREVIEW_PUBLIC_DNS}"

And for each service (or for each subdomain on certain services) in the docker-compose file, I have this configuration:

            - "traefik.enable=true"
            - "traefik.http.routers.js-app.tls=true"
            - "traefik.http.routers.js-app.rule=Host(`app.${PULLPREVIEW_PUBLIC_DNS}`)"
            - "traefik.http.routers.js-app.entrypoints=websecure"
            - "traefik.http.routers.js-app.tls.certresolver=myresolver"
            - "traefik.http.services.js-app.loadbalancer.server.port=3000"

At first I thought it was more to do with Traefik or my configuration (which is possible), but given that the error mentions my.pullpreview.com even though we're using a custom domain, it seems strange to me and I'm wondering if the pullpreview system isn't involved in this problem.

Any idea what's going wrong here? (Or what I am doing wrong?)

Thank you in advance if any help can be provided :D

Akecel, Apr 16 '24 14:04
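For readers trying to make sense of the `propagation: time limit exceeded ... lookup ns-0.... no such host` error above: before an ACME client such as the one embedded in Traefik asks Let's Encrypt to validate a DNS-01 challenge, it runs its own pre-check. It walks up the challenge name to find the zone's NS records, resolves each nameserver hostname through the container's resolver (Docker's embedded DNS at 127.0.0.11 in the log above), and then queries every authoritative server directly for the `_acme-challenge` TXT record. If the NS hostname itself cannot be resolved, the check never reaches the TXT lookup and fails with a "no such host" error naming that nameserver. The following is an added, self-contained simulation of that check; it is not code from this thread, from Traefik or from PullPreview, and all DNS data in it (the `example.test` zone, the `ns-0.dns-host.test` nameserver, the addresses and the token) is constructed for illustration.

```python
"""Simulation of the DNS-01 propagation pre-check an ACME client performs
before asking the CA to validate a challenge.

All DNS data is constructed in-memory test data, not real zones.
"""
from dataclasses import dataclass

CHALLENGE_FQDN = "_acme-challenge.example.test."   # constructed challenge name
TOKEN = "constructed-challenge-token-0123456789"   # constructed TXT value


@dataclass
class FakeDNS:
    """Stand-in for the container's resolver (e.g. Docker's 127.0.0.11) plus
    the authoritative servers it would dial. Names are fully qualified."""
    resolver: dict            # (name, rtype) -> list of values
    authoritative: dict       # server IP -> {fqdn: list of TXT values}

    def lookup(self, name: str, rtype: str) -> list:
        return self.resolver.get((name, rtype), [])

    def query_txt(self, fqdn: str, server_ip: str) -> list:
        return self.authoritative.get(server_ip, {}).get(fqdn, [])


def find_zone_nameservers(dns: FakeDNS, fqdn: str) -> tuple:
    """Walk up the name one label at a time until NS records are found.

    The first name with NS records is treated as the zone apex; its NS set is
    the list of servers on which the TXT record must already be visible."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        nameservers = dns.lookup(candidate, "NS")
        if nameservers:
            return candidate, nameservers
    raise LookupError(f"no NS records found for {fqdn} or any parent")


def check_propagation(dns: FakeDNS, fqdn: str, expected: str) -> tuple:
    """Return (zone, problems). An empty problems list means every
    authoritative server already answers the expected TXT value."""
    zone, nameservers = find_zone_nameservers(dns, fqdn)
    problems = []
    for ns in nameservers:
        # Step 1: the NS hostname must itself resolve via the local resolver.
        ips = dns.lookup(ns, "A") + dns.lookup(ns, "AAAA")
        if not ips:
            # Same shape as the Go net error that surfaces in the Traefik log.
            problems.append(f"dial udp: lookup {ns} on 127.0.0.11:53: no such host")
            continue
        # Step 2: ask each authoritative address directly for the TXT record.
        for ip in ips:
            if expected not in dns.query_txt(fqdn, ip):
                problems.append(f"{ns} ({ip}) does not serve the expected TXT value yet")
    return zone, problems


# Scenario 1: the zone is delegated to a nameserver whose hostname the
# container's resolver cannot resolve. The TXT record exists on the server,
# but the check never gets that far and reports "no such host" for the NS.
UNRESOLVABLE_NS = FakeDNS(
    resolver={("example.test.", "NS"): ["ns-0.dns-host.test."]},
    authoritative={"192.0.2.10": {CHALLENGE_FQDN: [TOKEN]}},
)

# Scenario 2: same zone, but the NS hostname resolves and the server answers.
PROPAGATED = FakeDNS(
    resolver={
        ("example.test.", "NS"): ["ns-0.dns-host.test."],
        ("ns-0.dns-host.test.", "A"): ["192.0.2.10"],
    },
    authoritative={"192.0.2.10": {CHALLENGE_FQDN: [TOKEN]}},
)

# Scenario 3: both nameservers resolve, but one has not received the record.
PENDING = FakeDNS(
    resolver={
        ("example.test.", "NS"): ["ns-0.dns-host.test.", "ns-1.dns-host.test."],
        ("ns-0.dns-host.test.", "A"): ["192.0.2.10"],
        ("ns-1.dns-host.test.", "A"): ["192.0.2.11"],
    },
    authoritative={"192.0.2.10": {CHALLENGE_FQDN: [TOKEN]}, "192.0.2.11": {}},
)

if __name__ == "__main__":
    for label, scenario in [("unresolvable NS", UNRESOLVABLE_NS),
                            ("propagated", PROPAGATED), ("pending", PENDING)]:
        zone, problems = check_propagation(scenario, CHALLENGE_FQDN, TOKEN)
        print(f"{label:15s} zone={zone} -> {'OK' if not problems else '; '.join(problems)}")
```

The practical consequence is that the resolver the ACME client uses for step 1 matters as much as the Route53 records themselves: a nameserver hostname that resolves fine from a workstation can still be unresolvable from inside the container. Traefik exposes `--certificatesresolvers.<name>.acme.dnschallenge.resolvers` to point the check at specific resolvers (for example public ones) instead of the container default, and `--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck=true` to skip the pre-check entirely; note that skipping it only moves the failure to Let's Encrypt's own validation if the record is genuinely not visible on the authoritative servers.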

Hi @Akecel, not sure what's going on here. It looks like something is trying to resolve the nameserver (ns-0) of my.pullpreview.com, but I don't see why, since you say you are using a custom domain for your instances. Any chance to increase the Traefik logger level to see what's happening?

crohr, Apr 16 '24 14:04

Hi @crohr !

Unfortunately, I'm already in debug mode:

- "--log.level=DEBUG"

Here is my complete log file if it helps to understand: traefik.log

Akecel, Apr 17 '24 09:04

@Akecel were you able to find a solution?

crohr, Aug 24 '24 08:08