Problem with SSL in Digital Ocean when not using DNS by DO

Hi, everyone!

There is a good instruction “Using Custom Domains and SSL with Let’s Encrypt and Traefik”.
I have managed to configure a website on Digital Ocean with it and it works well.

But what if I don’t want to add a domain in DO?
In other words, I don’t want to manage DNS with DO.
I want to keep DNS handling on the domain registrar side. And just make an A-record that points to the DO server.

In this case some problems appear.
The website is successfully shown over HTTP. But it seems like Traefik can’t install an SSL certificate in this case. So no HTTPS.

How can I handle this?

Hi,

By default, Traefik uses the HTTP challenge for fetching Let’s Encrypt certificates - this means you can use any DNS provider you wish, as long as the DNS record points to your server’s IP address.

I suggest restarting Traefik to see if it initiates the Let’s Encrypt challenge. I’m unsure of the exact command to restart Traefik (as I don’t use Wappler’s deployment), so I suggest restarting the entire machine and see if Traefik magically brings HTTPS once the VPS boots up again :slight_smile:

Thank you for the suggestion! I tried to restart the machine, but it didn’t change a thing.

Click this button, see if you can see Traefik logs:

There is a long initial log regarding my different efforts.

Here are the last two records; most of the earlier ones are similar.
As seen, first I tried a subdomain, then I just tried the main domain.
(I changed the site URL in the log.)

traefik | time="2021-12-16T07:35:19Z" level=error msg="Unable to obtain ACME certificate for domains "subdomain.sitename.ru": unable to generate a certificate for the domains [subdomain.sitename.ru]: error: one or more domains had a problem:\n[subdomain.sitename.ru] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.sitename.ru - check that a DNS record exists for this domain, url: \n" providerName=leresolver.acme routerName=squiz-online__do_prod_web-secure@docker rule="Host(subdomain.sitename.ru)"

traefik | time="2021-12-16T07:35:19Z" level=error msg="Unable to obtain ACME certificate for domains "sitename.ru": unable to generate a certificate for the domains [sitename.ru]: error: one or more domains had a problem:\n[sitename.ru] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url: \n" providerName=leresolver.acme routerName=squiz-online__prod_do_web-secure@docker rule="Host(sitename.ru)"

Though I can paste the complete log too if it helps.

Well, have you set up your new DNS to point the domain to the DO IP address?

And are those DNS servers you use assigned officially to that domain?

Yes, it seems like DNS points to the IP correctly, because the website itself shows. It just doesn’t have an SSL certificate.

Oh, I noticed that the AAAA-record was wrong.
Changed it, though I don’t know if it can affect anything.

Well, just to be sure you might want to ping those names to make sure you get the right IP back.

Also note that DNS changes might take up to 24 hours to propagate globally.

If all is set then a simple redeploy should do.

1 Like
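The check suggested above (resolve the name and confirm the returned addresses are really this server) can be scripted so that a stale AAAA record, which is what eventually turned out to be wrong in this thread, is caught before the next deploy. The following is an added example, not code from the thread, from Wappler or from Traefik; the server addresses in EXPECTED_SERVER_IPS are constructed placeholders, and a live run needs outbound DNS. It checks both A and AAAA records because a validator that supports IPv6 connects to the AAAA address first, so an AAAA record pointing at some other host makes the challenge fail even though the site still loads over IPv4.

```python
import socket
import ipaddress

# Hypothetical addresses of this server (constructed for this example).
EXPECTED_SERVER_IPS = ["203.0.113.10", "2001:db8::10"]


def resolve_records(hostname):
    """Ask the OS resolver for the A and AAAA records of hostname.

    Returns {"A": set of IPv4 strings, "AAAA": set of IPv6 strings}; both
    sets empty means the name does not resolve at all (NXDOMAIN or similar).
    """
    records = {"A": set(), "AAAA": set()}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(hostname, None, family):
                # Drop any "%scope" suffix a link-local IPv6 answer might carry.
                records[key].add(info[4][0].split("%")[0])
        except socket.gaierror:
            pass  # no record of this type
    return records


def check_records(records, expected_ips):
    """Compare published records with the IPs this server actually owns.

    Returns a list of human-readable findings; an empty list means every
    published address belongs to this server, so an ACME validator reaches
    it whichever address family it tries first.
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    a_records = {ipaddress.ip_address(ip) for ip in records.get("A", ())}
    aaaa_records = {ipaddress.ip_address(ip) for ip in records.get("AAAA", ())}
    findings = []

    if not a_records and not aaaa_records:
        findings.append("no A or AAAA record: the ACME server reports "
                        "'DNS problem: NXDOMAIN' and no certificate is issued")
        return findings

    # Validators that support IPv6 try the AAAA address first, so a stale
    # AAAA record sends the challenge to a host that cannot answer it.
    for stray in sorted(aaaa_records - expected, key=str):
        findings.append(f"AAAA record {stray} is not this server: the validator "
                        "connects there first and the challenge fails")
    for stray in sorted(a_records - expected, key=str):
        findings.append(f"A record {stray} is not this server: the site may still "
                        "load from another host, but the challenge fails")
    return findings


def diagnose(hostname, expected_ips=EXPECTED_SERVER_IPS):
    """Resolve hostname live, print the findings and return them as a list."""
    findings = check_records(resolve_records(hostname), expected_ips)
    for line in findings or ["all published records point at this server"]:
        print(f"{hostname}: {line}")
    return findings


if __name__ == "__main__":
    import sys
    diagnose(sys.argv[1] if len(sys.argv) > 1 else "example.com")
```

Run it as `python check_dns.py your.domain` after editing EXPECTED_SERVER_IPS to the Droplet's real IPv4 and IPv6 addresses; an empty findings list is the state Traefik needs before it can complete the challenge. Because the script uses the machine's own resolver, running it from a different network than the Droplet can also reveal propagation delay, since the two may still return different answers.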

Definitely, Let's Encrypt (and any other software) would attempt to reach the IPv6 address first, reaching the wrong server. Sounds like you're headed for a success now!

1 Like

Looks like DNS has been changed.

Redeploy doesn’t help.

I think I need to test the issue from scratch with a new project, new domain and new Droplet.

Ahh, understood. I hope you are right!
So I’ll wait till the AAAA changes take effect and then will test it again.

Indeed, there was a problem with a wrong AAAA record. Now everything is alright!
@Apple @George Thank you for help and sorry for bothering :slight_smile:

1 Like