Adding a third TLD, only subdomains work. TLD returns 404

I am trying to add a third TLD to my Traefik config but cannot seem to get it to work. I have two domains already working with wildcards ($DOMAIN1 and $DOMAIN2), however when adding the third domain, only subdomains work (i.e. shop.$DOMAIN3 works, but $DOMAIN3 does not work).

What I have tried:

  • From working container A, set router rule=host to $DOMAIN3
    • Result: Traefik returns 404
  • From working container A, set router rule=host to $DOMAIN2
    • Result: Traefik works and returns site
  • From working container A, set router rule=host to shop.$DOMAIN3
    • Result: Traefik works and returns site

labels:

 - "traefik.enable=true"

 ## HTTP Routers Auth
 - "traefik.http.routers.flame-rtr.entrypoints=https"
 - "traefik.http.routers.flame-rtr.rule=Host(`$DOMAIN2`)"
 - "traefik.http.routers.flame-rtr.tls=true"
 - "traefik.http.routers.flame-rtr.priority=90"
 ## Middlewares
 - "traefik.http.routers.flame-rtr.middlewares=chain-no-auth@file"
 ## HTTP Services
 - "traefik.http.routers.flame-rtr.service=flame-svc"
 - "traefik.http.services.flame-svc.loadbalancer.server.port=5005"

 ## HTTP Routers Auth
 - "traefik.http.routers.flamefish-rtr.entrypoints=https"
 - "traefik.http.routers.flamefish-rtr.rule=Host(`flame.$DOMAIN3`)"
 - "traefik.http.routers.flamefish-rtr.tls=true"
 - "traefik.http.routers.flamefish-rtr.priority=90"
 ## Middlewares
 - "traefik.http.routers.flamefish-rtr.middlewares=chain-no-auth@file"
 ## HTTP Services
 - "traefik.http.routers.flamefish-rtr.service=flame-svc"

 ## HTTP Routers Auth
 - "traefik.http.routers.flamefish2-rtr.entrypoints=https"
 - "traefik.http.routers.flamefish2-rtr.rule=Host(`$DOMAIN3`)"
 - "traefik.http.routers.flamefish2-rtr.tls=true"
 - "traefik.http.routers.flamefish2-rtr.priority=90"
 ## Middlewares
 - "traefik.http.routers.flamefish2-rtr.middlewares=chain-no-auth@file"
 ## HTTP Services
 - "traefik.http.routers.flamefish2-rtr.service=flame-svc"

In the case above, the "$DOMAIN2" (flame-rtr) and the "flame.$DOMAIN3" (flamefish-rtr) work, but the "$DOMAIN3" (flamefish2-rtr) does not work.

This tells me that the certs are being retrieved properly, so it's unlikely to be on the Let's Encrypt side, as when I view flame.$DOMAIN3 the cert is valid and has passed issuing.

So then I go to the traefik docker-compose file

labels:
 - "traefik.enable=true"
 # HTTP-to-HTTPS Redirect
 #- "traefik.http.routers.http-local.entrypoints=http"
 #- "traefik.http.routers.http-local.rule=HostRegexp(`{lanhost:.*.lan}`)"
 #- "traefik.http.routers.http-local.priority=100"

 - "traefik.http.routers.http-catchall.entrypoints=http"
 - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+.$DOMAIN1}`,`{host:.+.$DOMAIN2}`,`{host:.+.$DOMAIN3}`)"
 - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
 - "traefik.http.routers.http-catchall.priority=99"
 - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 # HTTP Routers
 - "traefik.http.routers.traefik-rtr.entrypoints=https"
 - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAIN1`)"
 - "traefik.http.routers.traefik-rtr.tls=true"
 #- "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
 - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAIN1"
 - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAIN1"
 - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAIN2"
 - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAIN2"
 - "traefik.http.routers.traefik-rtr.tls.domains[2].main=$DOMAIN3"
 - "traefik.http.routers.traefik-rtr.tls.domains[2].sans=*.$DOMAIN3"
 ## Services - API
 - "traefik.http.routers.traefik-rtr.service=api@internal"
 ## Middlewares
 - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"

The only thing I added was for the domains[2].main/sans to add the third domain. Otherwise domain[1] has been and continues to work without issue.

Checking a curl:

$ curl -v flame.$DOMAIN3
* Trying 172.92.xxx.xxx:80...
* TCP_NODELAY set
* Connected to flame.$DOMAIN3 (172.92.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: flame.$DOMAIN3
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: https://flame.$DOMAIN3/
< Date: Thu, 25 Nov 2021 01:31:59 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host flame.$DOMAIN3 left intact

$ curl -v $DOMAIN3
* Trying 172.92.xxx.xxx:80...
* TCP_NODELAY set
* Connected to $DOMAIN3 (172.92.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: $DOMAIN3
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 25 Nov 2021 01:34:18 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host $DOMAIN3 left intact

$ curl -v $DOMAIN2
* Rebuilt URL to: $DOMAIN2/
* Trying 172.92.xxx.xxx...
* TCP_NODELAY set
* Connected to $DOMAIN2 (172.92.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: $DOMAIN2
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 25 Nov 2021 01:42:54 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host $DOMAIN2 left intact

The only thing I suspect right now is that I'm missing an acme_challenge in my DNS records for $DOMAIN3, but for the life of me can't figure out how to add the acme challenge.

I'm not exactly sure what I should be looking for in the docker logs or in the traefik.log

Any help would be amazing. This is driving me insane: why doesn't this TLD work, whereas my original second one does?
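Added example, not part of the original post: a small Go program that emulates how gorilla/mux (the router Traefik v2 builds `HostRegexp` on) turns a host template into an anchored regexp, and uses it to check which `Host` values the post's redirect pattern `{host:.+.$DOMAIN3}` actually matches. `example.com` stands in for `$DOMAIN3` and every hostname below is constructed; the emulation handles the single `{name:pattern}` variable the post's rule uses and is not mux itself. It shows that the pattern cannot match the bare apex, which is consistent with the two plain-HTTP curls in the post returning 404 for `$DOMAIN2` and `$DOMAIN3` (on port 80 the `http-catchall` router is the only one listening), and that the unescaped dots make the pattern looser than intended. It says nothing about the HTTPS-side 404 from `flamefish2-rtr`; it only checks the regex in the redirect rule.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed templates. example.com stands in for the post's $DOMAIN3.
const (
	// The post's http-catchall pattern, as written: dots unescaped, at least
	// two characters required in front of "example.com".
	postTemplate = `{host:.+.example.com}`
	// A variant that escapes the dots and makes the subdomain part optional,
	// so the bare apex and any real subdomain match, and nothing else.
	fixedTemplate = `{host:(.+\.)?example\.com}`
)

// compileHostTemplate emulates what gorilla/mux does with a host template:
// literal text is quoted, each {name:pattern} variable becomes a named group
// (mux's default host pattern [^.]+ is used when no pattern is given) and the
// whole thing is anchored with ^...$. Patterns containing braces themselves
// (e.g. {2,3} quantifiers) are not handled by this simplified parser.
func compileHostTemplate(tpl string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	rest := tpl
	for {
		open := strings.Index(rest, "{")
		if open < 0 {
			sb.WriteString(regexp.QuoteMeta(rest))
			break
		}
		end := strings.Index(rest[open:], "}")
		if end < 0 {
			return nil, fmt.Errorf("unbalanced braces in template %q", tpl)
		}
		end += open
		sb.WriteString(regexp.QuoteMeta(rest[:open]))
		name, pattern := rest[open+1:end], `[^.]+`
		if i := strings.Index(name, ":"); i >= 0 {
			name, pattern = name[:i], name[i+1:]
		}
		sb.WriteString("(?P<" + name + ">" + pattern + ")")
		rest = rest[end+1:]
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// hostMatches reports whether a Host header value is matched by the template.
// Like Traefik, it compares case-insensitively and ignores a trailing :port.
func hostMatches(tpl, hostHeader string) (bool, error) {
	re, err := compileHostTemplate(tpl)
	if err != nil {
		return false, err
	}
	host := strings.ToLower(hostHeader)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return re.MatchString(host), nil
}

func main() {
	// Constructed Host values: the apex, two subdomains, a look-alike that
	// is not a subdomain at all, and a mixed-case value with a port.
	hosts := []string{
		"example.com",
		"flame.example.com",
		"shop.example.com",
		"flame-example.com",
		"Flame.Example.com:443",
	}
	for _, tpl := range []string{postTemplate, fixedTemplate} {
		fmt.Println(tpl)
		for _, h := range hosts {
			ok, err := hostMatches(tpl, h)
			if err != nil {
				fmt.Println("  error:", err)
				continue
			}
			fmt.Printf("  %-24s %v\n", h, ok)
		}
	}
}
```

If the escaped pattern is put into a docker-compose label written as a double-quoted YAML scalar, each backslash has to be doubled (`\\.`), because YAML processes escapes in double-quoted strings before Traefik ever sees the rule; a single-quoted scalar or the file provider avoids that.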