Attached containers, ACME issues (certificate requests for unknown reason)

Traefik Traefik v3 (latest)
,
1

Hello
I have the Traefik 3.4.1 running in Docker on Debian 12
Full config attached [https://pastebin.com/mdkrJauK](https://pastebin.com/mdkrJauK)
Mentioned traefik-dynamic.yml is blank file

And I have another container with nginx attached the same network

Full config for Traefik:
[root@vm-server03 traefik]# cat docker-compose.yml

John Dow

202506211936

configs:
traefik-dynamic.yml:
file: ./traefik-dynamic.yml

networks:
proxy:
name: proxy
attachable: true

services:
traefik:
image: traefik:v3.4.1
configs:
- traefik-dynamic.yml
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ./letsencrypt:/letsencrypt
- ./logs/:/var/log/traefik/
- ./config/:/etc/traefik/
ports:
- 10.10.0.45:80:80 # HTTP entrypoint
- 10.10.0.45:443:443 # HTTPS entrypoint
networks:
- proxy
command:
- "--log=true"
- "--log.level=DEBUG"
- "--accesslog=true"
- "--log.maxage=1"
- "--log.maxbackups=1"
- "--log.maxsize=10"
- "--accesslog.filepath=/var/log/traefik/access.log"
- "--accesslog.addinternals=true"
- "--accesslog.fields.defaultmode=keep"
- "--accesslog.fields.headers.defaultmode=keep"
- "--global.checknewversion=false"
- "--global.sendanonymoususage=false"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--providers.docker.network=proxy"
- "--providers.file.filename=/traefik-dynamic.yml"
- "--providers.file.watch=true"
- "--entryPoints.web.address=:80"
- "--entryPoints.web.http.redirections.entryPoint.to=websecure"
- "--entryPoints.web.http.redirections.entryPoint.scheme=https"
- "--entryPoints.websecure.address=:443"
- "--entryPoints.websecure.http.tls=true"
- "--entryPoints.websecure.http.tls.certResolver=myresolver"
- "--api=true"
- "--api.debug=true"
- "--api.dashboard=true"
- "--certificatesResolvers.myresolver.acme.email=john_dow@gmail.com"
- "--certificatesResolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
labels:
- traefik.enable=true

Entrypoints

Routers

  - traefik.http.routers.api.entrypoints=websecure
  - traefik.http.routers.api.rule=Host(`vm-server03.tornado.net`) || Host(`nginx.tornado.net`) && (PathPrefix(`/dashboard`))

Middleware

  - traefik.http.routers.api.middlewares=myauth
  - 'traefik.http.middlewares.myauth.basicauth.users=<login>:<password>'

Services

  - traefik.http.routers.api.service=api@internal

whoami:
image: traefik/whoami:v1.10
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(vm-server03.tornado.net) || Host(nginx.tornado.net) && (PathPrefix(/whoami))
- traefik.http.services.whoami.loadbalancer.server.port=80
- traefik.http.routers.whoami.middlewares=myauth2
- 'traefik.http.middlewares.myauth2.basicauth.users=:'

Full config attached
https://pastebin.com/85aEQvrL

After another container with nginx started I see message in log:

'''traefik-1 | 2025-06-22T15:53:47+03:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:484 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [nginx-entrypoint-nginx]: acme: error: 400 :: POST :: :: Invalid identifiers requested :: Cannot issue for "nginx-entrypoint-nginx": Domain name needs at least one dot" ACME CA==["nginx-entrypoint-nginx"] providerName=myresolver.acme routerName=websecure-traefik-http-router@docker rule=Host(nginx-entrypoint-nginx)'''

Can you explain me, reasons for this message?
Why my config request certs for nginx-entrypoint-nginx?

2

Use 3 backticks before and after code/config to make it more readable and preserve spacing, which is important in yaml.

It seems somewhere in your configs you have a hostname without a dot. Strange to share all configs inline, but not the relevant one of nginx.

Note that Traefik dashboard also needs /api.

Also note that PathPrefix() and stripPrefix usually do not work with GUI web apps, unless some kind of "base" path can be set.

They usually assume they are root, initial page loads, but wants dependencies like /static/script.js, which can’t be loaded because they don’t match the rule.

1 Like
3

Note that to share a Docker network, it needs to be created externally or needs to be using attachable: true. But a secondary compose file needs to use external: true to access a already created Docker network.

1 Like
5

Now I have next sutuation

''' [root@vm-server03 traefik]# cat docker-compose.yml ### Jon Dow ### 202506241106 ### disabled IPV6 ### deleted internal name (w\o DNS record)

configs:
traefik-dynamic.yml:
file: ./traefik-dynamic.yml

networks:
proxy:
name: proxy
attachable: true
enable_ipv6: false

services:
traefik:
image: traefik:v3.4.1
configs:
- traefik-dynamic.yml
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ./letsencrypt:/letsencrypt
- ./logs/:/var/log/traefik/
- ./config/:/etc/traefik/
ports:
- 10.10.0.45:80:80 # HTTP entrypoint
- 10.10.0.45:443:443 # HTTPS entrypoint
networks:
- proxy
command:
- "--log=true"
- "--log.level=DEBUG"
- "--accesslog=true"
- "--log.maxage=1"
- "--log.maxbackups=1"
- "--log.maxsize=10"
- "--accesslog.filepath=/var/log/traefik/access.log"
- "--accesslog.addinternals=true"
- "--accesslog.fields.defaultmode=keep"
- "--accesslog.fields.headers.defaultmode=keep"
- "--global.checknewversion=false"
- "--global.sendanonymoususage=false"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--providers.docker.network=proxy"
- "--providers.file.filename=/traefik-dynamic.yml"
- "--providers.file.watch=true"
- "--entryPoints.web.address=:80"
- "--entryPoints.web.http.redirections.entryPoint.to=websecure"
- "--entryPoints.web.http.redirections.entryPoint.scheme=https"
- "--entryPoints.websecure.address=:443"
- "--entryPoints.websecure.http.tls=true"
- "--entryPoints.websecure.http.tls.CertResolver=myresolver"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesResolvers.myresolver.acme.email=jhondow@gmail.com"
- "--certificatesResolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--api=true"
- "--api.debug=true"
- "--api.dashboard=true"
labels:
- traefik.enable=true

Entrypoints

Routers

  - traefik.http.routers.api.entrypoints=websecure
  - traefik.http.routers.api.rule=Host(`nginx.tornado.net`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

Middleware

  - traefik.http.routers.api.middlewares=myauth
  - 'traefik.http.middlewares.myauth.basicauth.users=<login>:<password>'

Services

  - traefik.http.routers.api.service=api@internal

whoami:
image: traefik/whoami:v1.10
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(nginx.tornado.net) && (PathPrefix(/whoami))
- traefik.http.services.whoami.loadbalancer.server.port=80
- traefik.http.routers.whoami.middlewares=myauth2
- 'traefik.http.middlewares.myauth2.basicauth.users=:'
'''

''' [root@vm-server03 nginx-pacer]# cat docker-compose.yml ### Jhon Dow ### 202506221049 ### simple nginx pacer

networks:
proxy:
name: proxy
attachable: true

services:
nginx-e_name:
image: nginx
container_name: nginx-c_name
restart: unless-stopped
environment:
TZ: "Europe/Moscow"
ports:
- ":80"
volumes:
- ./etc/nginx:/etc/nginx/
- ./etc/static:/etc/static
labels:
- "traefik.enable=true" # Enable Traefik routing for this container
- "traefik.http.routers.nginx.rule=Host(nginx.tornado.net) && (PathPrefix(/pacer))"
- "traefik.http.routers.traefik-http-router.middlewares=nginx-middleware"
- "traefik.http.middlewares.nginx-middleware.stripprefix.prefixes=/pacer"
- "traefik.http.services.nginx.loadbalancer.server.port=80" # Nginx runs on port 80

networks:
  - proxy

'''

traefik-traefik-1 | 2025-06-24T13:08:29+03:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:484 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [nginx-e-name-nginx-pacer]: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Invalid identifiers requested :: Cannot issue for \"nginx-e-name-nginx-pacer\": Domain name needs at least one dot" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["nginx-e-name-nginx-pacer"] providerName=myresolver.acme routerName=websecure-traefik-http-router@docker rule=Host(`nginx-e-name-nginx-pacer`)
6

Use 3 backticks before and after code/config to make it more readable and preserve spacing, which is important in yaml.