Having issues Wildcard Config for DNS-01 Challenge #307

Open
opened 2025-11-13 11:56:18 -06:00 by GiteaMirror · 10 comments
Originally created by @3ct0pl4sm on GitHub (May 4, 2025).

Originally assigned to: @oschwartz10612 on GitHub.

Hi,
I'm trying to configure Wildcard Config for DNS-01 Challenge but I keep having the same error despite all of my attempts:

```json
{"level":"error","providerName":"letsencrypt.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"letsencrypt.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"next-router@file","rule":"Host(`domain.com`) && !PathPrefix(`/api/v1`)","error":"cannot get ACME client cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN,CLOUDFLARE_ZONE_API_TOKEN","domains":["domain.com","*.domain.com"],"time":"2025-05-04T17:56:58Z","message":"Unable to obtain ACME certificate for domains"}
```

Cloudflare API Key is mentioned in docker-compose.yml as it is here:
https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs#wildcard-config-for-dns-01-challenge
this way:

```yaml
  traefik:
    image: traefik:v3.3.6
    container_name: traefik
    restart: unless-stopped
    network_mode: service:gerbil
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    environment:
      CLOUDFLARE_DNS_API_TOKEN: "token"
    volumes:
      - ./config/traefik:/etc/traefik:ro
      - ./config/letsencrypt:/letsencrypt
```

Can someone help me?

GiteaMirror added the enhancement label 2025-11-13 11:56:18 -06:00

@boomam commented on GitHub (May 4, 2025):

Are you using the in-built Traefik deployment, or an existing Traefik deployment?


@3ct0pl4sm commented on GitHub (May 4, 2025):

> Are you using the in-built Traefik deployment, or an existing Traefik deployment?

I'm using the built-in deployment.

I was restarting the stack the wrong way. I've figured it out, but now I've this error:

`cloudflare: failed to create TXT record`


@3ct0pl4sm commented on GitHub (May 4, 2025):

I managed to make it work.
Thanks for your time and your answers.


@thimplicity commented on GitHub (May 7, 2025):

> I managed to make it work. Thanks for your time and your answers.

Struggling with this - how did you make it work?


@boomam commented on GitHub (May 8, 2025):

> > I managed to make it work. Thanks for your time and your answers.
>
> Struggling with this - how did you make it work?

You need to set your traefik config to use DNS for its certificate challenge type.
Edit your Traefik configuration or your Traefik labels to use [DNS challenge](https://doc.traefik.io/traefik/https/acme/#dnschallenge) instead of the default HTTP challenge.

Pangolin has some ok docs on the process [here](https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs#wildcard-config-for-dns-01-challenge)


@HWiese1980 commented on GitHub (May 20, 2025):

I have a problem with the Pangolin docs around this. The docs have the base domain in the next-router rule. However, the installer puts the pangolin web frontend subdomain in the next-router. This discrepancy leads to confusion. Just going with the docs, adding the domains to the `tls` subsection leads to errors (404 on the frontend after restarting the stack).


@HWiese1980 commented on GitHub (May 20, 2025):

Maybe someone could resolve this discrepancy? That would be awesome. I have my troubles figuring it out.


@github-actions[bot] commented on GitHub (Jun 4, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@HWiese1980 commented on GitHub (Jun 4, 2025):

Has anyone already looked into it? The documentation seems to be off here.


@mort666 commented on GitHub (Jun 13, 2025):

@HWiese1980 @thimplicity So, something I add to the certificatesResolvers section is DNS resolvers that point to ones outside of my infrastructure. For some reason, especially when running in Docker, Traefik will mess up and fail to complete the certificate creation/renewal process if doing DNS-01 and it resolves against the Docker in-built resolver. So basically my certificatesResolvers section looks something like:

```yaml
certificatesResolvers:
  letsencrypt:
    acme:
      email: hostmaster@example.com
      storage: /letsencrypt/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - 1.1.1.1:53
          - 8.8.8.8:53
```
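The following preflight check is an added example, not code from the Pangolin project or from anyone in this thread. It covers the two failure modes discussed here: the missing-credentials error from the opening post (the variable names come from that error message) and the Docker-embedded-resolver problem in the comment above. It assumes the `certificatesResolvers` entry has already been loaded from YAML into a dict (for example with PyYAML) and that `127.0.0.11` is Docker's embedded DNS address on user-defined networks.

```python
# Added example (not from the Pangolin project or this thread): a preflight
# check for a Traefik certificate resolver doing DNS-01 with Cloudflare.
# It flags wildcard names without a dnsChallenge section, missing Cloudflare
# credentials in the container environment, and resolvers that point at
# Docker's embedded DNS. The resolver is passed as an already-loaded dict.
from typing import Dict, List, Optional

# Credential sets named in the thread's error message; the scoped DNS token is
# the least-privilege option (the compose in the docs sets only that one).
GLOBAL_KEY_VARS = ("CLOUDFLARE_EMAIL", "CLOUDFLARE_API_KEY")
SCOPED_TOKEN_VARS = ("CLOUDFLARE_DNS_API_TOKEN",)
DOCKER_EMBEDDED_DNS = "127.0.0.11"  # assumption: Docker's internal resolver address


def check_resolver(resolver: Dict, env: Dict[str, str],
                   domains: Optional[List[str]] = None) -> List[str]:
    """Return findings for one certificatesResolvers entry; [] means it looks usable."""
    findings: List[str] = []
    dns = resolver.get("acme", {}).get("dnsChallenge")
    if dns is None:
        if any(d.startswith("*.") for d in domains or []):
            findings.append("wildcard domain requested but no dnsChallenge section: "
                            "DNS-01 is the only challenge type that can issue wildcards")
        return findings
    if dns.get("provider") != "cloudflare":
        findings.append(f"provider {dns.get('provider')!r} is not covered by this check")
        return findings
    have_token = all(env.get(k) for k in SCOPED_TOKEN_VARS)
    have_global = all(env.get(k) for k in GLOBAL_KEY_VARS)
    if not (have_token or have_global):
        findings.append("missing credentials: set CLOUDFLARE_DNS_API_TOKEN (preferred) "
                        "or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY in the traefik container")
    elif have_global and not have_token:
        findings.append("global API key in use: a zone-scoped DNS token limits damage "
                        "if the container environment is exposed")
    resolvers = dns.get("resolvers") or []
    if not resolvers:
        findings.append("no resolvers listed: inside Docker the propagation check will "
                        f"use the embedded resolver {DOCKER_EMBEDDED_DNS}")
    for entry in resolvers:
        host = str(entry).rsplit(":", 1)[0]
        if host == DOCKER_EMBEDDED_DNS or host.startswith("127.") or host == "localhost":
            findings.append(f"resolver {entry} is local: use public resolvers such as "
                            "1.1.1.1:53 or 8.8.8.8:53 for the TXT propagation check")
    return findings
```

Run it against the loaded `letsencrypt` entry and the traefik container's environment before restarting the stack; an empty list means the configuration at least has the pieces the thread's errors complain about.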

Reference: github-starred/pangolin#307