ACME challenge going to HTTPS with Invalid response

Hi,
When adding a new domain (in this example domain.cz) to Traefik, I have a failure getting a certificate.
Log:

time="2024-04-27T06:31:10Z" level=error msg="Unable to obtain ACME certificate for domains \"domain.cz\": unable to generate a certificate for the domains [domain.cz]: error: one or more domains had a problem:\n[domain.cz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2001:1528:240::1f: Invalid response from https://domain.cz/.well-known/acme-challenge/Rq_00QFe7fx6H_9ZQJkxcyAP81rECH7ypC2ubsHVlJ4: 404\n" routerName=eiri-server@docker rule="Host(`domain.cz`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme

My traefik.yml:

api:
  dashboard: true

entryPoints:
  web:
    address: :80

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
        - nofloc@file
      tls:
        certResolver: letsencrypt

pilot:
  dashboard: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"

  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: dasim@dasim.cz
      storage: ./letsencrypt-acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web

My dynamic config:

# Dynamic configuration
http:
  middlewares:
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: "interest-cohort=()"
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    # UserName : dasim
    # Password : del.
    user-auth:
      basicAuth:
        users:
          - "dasim:$apr1$dtmv0g2n$ekbopY/Iz7PWfZBj8GDxW1"

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

FWIW docker-compose for traefik:

services:
  traefik:
    image: traefik:v2.11
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - --api.insecure=true
      - --providers.docker
    restart: always
    # security_opt:
    #   - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      # - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/letsencrypt-acme.json:/letsencrypt-acme.json
      # # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.dasim.cz`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

Thanks for any advice!

Start with this:

You can only have a single type of static config: traefik.yml, command line or env vars (doc). Decide on one.

Make sure the (sub-)domain points to your Traefik server IP.

Assuming you add an additional new domain, where are the labels for your new service?
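
One way to read the error from the question against the DNS advice above, as an added example that is not part of the original thread: it parses the ACME error detail and reports which address the CA actually reached, whether the challenge was redirected to HTTPS, and the final status. The function name `diagnose`, the `traefik_ips` parameter and the address `203.0.113.10` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the ACME error detail copied from the log line in the question.
SAMPLE = ('acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
          '2001:1528:240::1f: Invalid response from '
          'https://domain.cz/.well-known/acme-challenge/'
          'Rq_00QFe7fx6H_9ZQJkxcyAP81rECH7ypC2ubsHVlJ4: 404')

# Detail layout: <error type> :: <address the CA connected to>: Invalid response
# from <final URL>: <HTTP status>
DETAIL = re.compile(
    r'urn:ietf:params:acme:error:(?P<kind>\w+) :: (?P<addr>[0-9A-Fa-f:.]+): '
    r'Invalid response from (?P<scheme>https?)://(?P<host>[^/\s:]+)\S*: '
    r'(?P<status>\d{3})')


def diagnose(message, traefik_ips):
    """Return (parsed fields, findings) for one HTTP-01 failure detail.

    traefik_ips (hypothetical parameter): every address, IPv4 and IPv6,
    on which your Traefik instance is reachable from the internet.
    """
    m = DETAIL.search(message)
    if m is None:
        return None, ['not an HTTP-01 "Invalid response" error']
    f = m.groupdict()
    try:
        addr = ipaddress.ip_address(f['addr'])
    except ValueError:
        return f, ['could not parse the validated address']
    known = {ipaddress.ip_address(ip) for ip in traefik_ips}
    findings = []
    if addr not in known:
        record = 'AAAA' if addr.version == 6 else 'A'
        findings.append(f'{record} record check: the CA validated {f["host"]} '
                        f'at {addr}, which is not a listed Traefik address')
    if f['scheme'] == 'https':
        # HTTP-01 always starts at http://<domain> on port 80, so an https
        # URL in the error is the result of a redirect that was followed.
        findings.append('challenge was redirected from port 80 to https')
    if f['status'] == '404':
        findings.append('the server that answered does not know this token')
    return f, findings


if __name__ == '__main__':
    # 203.0.113.10 is a constructed placeholder for the Traefik host's IPv4.
    for line in diagnose(SAMPLE, ['203.0.113.10'])[1]:
        print('-', line)
```
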