Hi,
First: I'm fairly new to technical PC and networking work, to development, and to all the stuff around website security and proxies.
My knowledge is 2/10 up to now.
My goal: run 2 WordPress sites in containers with custom Node.js. My son's goal: run as many Minecraft servers as possible until it saturates.
My daughter... she wants her blog... WordPress once again.
My wife wants her own website too.
So now nothing else works..
I had a good friend who was a network administrator. He helped me set up my home network for both personal and enterprise-level development. Unfortunately, he passed away around four months ago, and since then I've been left alone trying to manage a setup I don't fully understand. Since all my certs expired last month, I had a good plan to fix my networking and make it more efficient.
So here is my config, sorry if it's a bit unclear.
My main router is OPNsense:
10.0.100.1 - opnsense.domain.com
Type: Physical Dell Server R620
RAM: 256 GB
Status: Online
VLAN 10 → 10.0.10.0/24 : Physical PCs in the house (me & my wife for controlling the network)
VLAN 20 → 10.0.20.0/24 : My son's work computer
VLAN 30 → My wife's work computer
VLAN 40 → My own work computer
VLAN 50 → (Reserved or unspecified)
VLAN 100 → 10.0.100.0/24 : Physical servers & access points
In the APs, there are many VLANs associated with different names that point toward everyone's IP, for security.
Here is my OPNsense:
[igb1_Fred_physical_vlan10] lan = VLAN 10 → 10.0.10.0/24 : Physical PCs in the house (me)
igb1
[igb1_v50_Fred_Server_v50] opt7 = my 10.0.50.1/24 = my LXC containers are there with my VMs for my business and development.
vlan0.1.50 igb1_Fred_Server (Parent: igb1, Tag: 50)
[igb1_v80_Sarah_Server] opt10 10.0.80.1/24 = my wife's physical server and work server are there.
vlan0.1.80 igb1_Sarah_Server (Parent: igb1, Tag: 80)
My son's network and his private Minecraft server
[igb2_Jonathan] opt2
igb2
[igb2_v60_Jonathan_Server] opt8
vlan0.1.60 igb2_Jonathan_Server (Parent: igb1, Tag: 60)
My daughter's PC and her game server for Minecraft.
[igb3_Jayden] opt3
igb3
[igb3_v70_Jayden_Server] opt9
vlan0.1.70 igb3_Jayden_Server (Parent: igb1, Tag: 70)
It was planned for business people logging in from the AP to have internet with a captive portal that leads to the business house. It doesn't work properly yet.
[igb4_Guest] opt4
igb4
-----
All my physical servers are there, with the physical APs and the RPi2.
vlan 100 = 10.0.100.1/24 : ipv6: 2001:470:b185:100::1
[igb7_MGMT] opt1
igb7
I have multiple physical Dell servers with 1024 GB of RAM each. Here’s how they are configured:
Hostname | IP Address | Port | Role | Status
---|---|---|---|---
alpha.domain.com | 10.0.100.10 | 8006 | Proxmox physical server | (icon)
bravo.domain.com | 10.0.100.11 | 8006 | Proxmox physical server | (icon)
pbs.domain.com | 10.0.100.12 | 8006 | Proxmox Backup Server | (icon)
karen.domain.com | 10.0.100.13 | 8006 | Proxmox physical server | (icon)
laylah.domain.com | 10.0.100.14 | 8006 | Proxmox physical server | (icon)
In early 2023, we created an LXC container to run Nginx Proxy Manager (NPM), which handled reverse proxies and wildcard SSL certificates through my domain.com. Everything was working great until 4 days ago.
After discussing with ChatGPT, I learned that Cloudflare can automatically manage SSL certificates for my domain. I also found out that OPNsense can handle certificate renewal automatically for all my domains, and my son's and wife's domains as well.
Since I barely knew Linux and had only basic Windows knowledge at the time, I gradually learned how to:
- Create and manage basic LXC containers,
- Understand VLAN basics and SSH. I'm lost with CAs (certificate authorities) and all that stuff lol. DNS is a nightmare to understand lol.
- Set up VM networking
- Brand new to working with Docker and Ubuntu, and Linux in general.
Eventually, ChatGPT recommended that I switch to Traefik combined with Docker Swarm for easier certificate and service management, since I have a nasty complex network at home and at the business, and since I struggle to take care of SSL properly in stressful periods if everything shuts down or is not accessible.
If it can assign certificates automatically and properly like NPM used to do, and I need to do the least config to make things work, the better.
So I created 2 Ubuntu VMs with Docker, with ubuntu02 as the swarm, and the first thing I installed is Traefik..
So I shut down NPM, since it uses 80 and 443; I cloned the rule in OPNsense and changed it to the IP of Traefik. I think NAT is done properly too since I cloned it too.
Now the problem is, all my other VMs or containers that aren't in Docker or Swarm, or are outside the same VM as Docker (10.0.50.80/24), don't get certificates automatically, or not at all.
Here is my log error:
traefik_traefik.1.45rlk89vjwzx@budget01 | 2025-07-22T01:59:24Z ERR Unable to obtain ACME certificate for domains error="cannot get ACME client cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY or some credentials information are missing: CLOUDFLARE_DNS_API_TOKEN,CLOUDFLARE_ZONE_API_TOKEN" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["cloud.domain.com"] providerName=le.acme routerName=cloud@file rule=Host(`cloud.domain.com`)
root@budget01:/opt/traefik# tree /opt/traefik/
/opt/traefik/
├── acme
│ └── acme.json
├── acme.json
├── certs
│ ├── cert.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ ├── local.crt
│ └── local.key
├── docker-compose.yml
├── dynamic
│ ├── alpha.yaml
│ ├── lxc-services.yml
│ ├── mail.yaml
│ ├── opnsense.yaml
│ └── tls.yml.bak
├── dynamic.yaml
├── letsencrypt
│ └── acme.json
├── private
│ └── privkey.pem
└── traefik.yml
acme.json
{
  "letsencrypt": {
    "Account": {
      "Email": "emailhere@domain.com",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/111111111"
      },
      "PrivateKey": "key here it's valid==",
      "KeyType": "4096"
    },
    "Certificates": null
  }
}
alpha.yaml
http:
  routers:
    alpha-router:
      rule: "Host(`alpha.domain.com`)"
      entryPoints:
        - websecure
      service: alpha-service
      tls:
        certResolver: le
  services:
    alpha-service:
      loadBalancer:
        servers:
          - url: "https://10.0.100.10:8006"
        serversTransport: insecure-skip
  serversTransports:
    insecure-skip:
      insecureSkipVerify: true
lxc-services.yml
http:
  routers:
    mail:
      rule: "Host(`mail.domain.com`)"
      entryPoints: [websecure]
      service: mail
      tls:
        certResolver: le
    opnsense:
      rule: "Host(`opnsense.domain.com`)"
      entryPoints: [websecure]
      service: opnsense
      tls:
        certResolver: le
    cloud:
      rule: "Host(`cloud.domain.com`)"
      entryPoints: [websecure]
      service: cloud
      tls:
        certResolver: le
    pmg:
      rule: "Host(`pmg.domain.com`)"
      entryPoints: [websecure]
      service: pmg  # was "pgm", which matches no service below; the service is named pmg
      tls:
        certResolver: le
  services:
    mail:
      loadBalancer:
        servers:
          - url: "http://10.0.50.29"
    opnsense:
      loadBalancer:
        servers:
          - url: "http://10.0.100.1"
    cloud:
      loadBalancer:
        servers:
          - url: "http://10.0.50.41"
    pmg:
      loadBalancer:
        servers:
          - url: "http://10.0.50.33"
mail.yaml
http:
  routers:
    mail-router:
      rule: "Host(`mail.domain.com`)"
      entryPoints:
        - websecure
      service: mail-service
      tls:
        certResolver: le # DNS challenge (Cloudflare)
  services:
    mail-service:
      loadBalancer:
        servers:
          - url: "https://10.0.50.29"
        serversTransport: allow-insecure
  serversTransports:
    allow-insecure:
      insecureSkipVerify: true
opnsense.yaml
http:
  routers:
    opnsense-router:
      rule: "Host(`opnsense.domain.com`)"
      entryPoints:
        - websecure
      service: opnsense-service
      tls:
        certResolver: le
  services:
    opnsense-service:
      loadBalancer:
        servers:
          - url: "http://10.0.100.1:443"
/letsencrypt
acme.json
{
  "le": {
    "Account": {
      "Email": "heremailhereisvalid@domain.com",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1111111111"
      },
      "PrivateKey": "key here",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "whoami.domain.com"
        },
        "certificate": "key here",
        "Store": "default"
      },
      {
        "domain": {
          "main": "traefik.domain.com"
        },
        "certificate": "key here",
        "key": "key here",
        "Store": "default"
      }
    ]
  }
}
.env
CLOUDFLARE_EMAIL=emailhereisvalid@domain.com
CF_API_KEY=886756f3fc45d1cf0fd3cc40c917e319b8901
CF_DNS_API_TOKEN=ekrB7ECUSc_UT2ldQTm64MMlWAqiATRzg3F7dwuA
docker-compose.yml
version: "3.8"
services:
  traefik:
    image: traefik:v3.4.4
    command:
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--providers.swarm=true"
      - "--providers.swarm.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=10"
      #- "--certificatesresolvers.le.acme.httpchallenge=true"
      #- "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=emailhereisvalid@domain.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.directory=/dynamic"
      - "--providers.file.watch=true"
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TRAEFIK_LOG_LEVEL=DEBUG  # stray "}" removed from the end of this value
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
      - ./dynamic:/dynamic
    networks:
      - traefik-public
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
        - "traefik.http.routers.traefik.entrypoints=websecure"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.routers.traefik.tls=true"
        - "traefik.http.routers.traefik.tls.certresolver=le"
        - "traefik.http.routers.traefik.middlewares=auth,ipallowlist"
        - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$BJhib8pa$$cswpEBr0eqvQWgww12rzb/"
        - "traefik.http.middlewares.ipallowlist.ipallowlist.sourcerange=10.0.0.0/24,127.0.0.1"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  whoami:
    image: traefik/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.routers.whoami.tls.certresolver=le"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=ipallowlist"
        - "traefik.http.middlewares.ipallowlist.ipallowlist.sourcerange=10.0.0.0/24,127.0.0.1"
volumes:
  letsencrypt:
networks:
  traefik-public:
    external: true
dynamic.yaml
http:
  routers:
    opnsense-router:
      rule: "Host(`opnsense.domain.com`)"
      service: opnsense-service
      entryPoints:
        - websecure
      tls:
        certResolver: le
    alpha-router:
      rule: "Host(`alpha.domain.com`)"
      service: alpha-service
      entryPoints:
        - websecure
      tls:
        certResolver: le
  services:
    opnsense-service:
      loadBalancer:
        servers:
          - url: "http://10.0.100.1"
    alpha-service:
      loadBalancer:
        servers:
          - url: "https://10.0.100.10:8006"
tls:
  certificates:
    - certFile: "/etc/traefik/certs/fullchain.pem"
      keyFile: "/etc/traefik/private/privkey.pem"
traefik.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
api:
  dashboard: true
log:
  level: INFO
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: traefik-public
  file:
    directory: /etc/traefik/dynamic
    watch: true
certificatesResolvers:
  le:
    acme:
      email: "emailhereisvalid@domain.com"
      storage: "/letsencrypt/acme.json"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
What I'm trying to do
Every new VM or LXC container created needs to get added to this Traefik to get SSL and HTTPS all the time. I don't mind adding it to the list manually if I create a new container.
The Traefik suggestion and Docker with Proxmox was ChatGPT's idea, because I need to create automatic HTTPS subdomains for my project.
Also my son is on the same public IP, blabla.domain2.com; he is also hosting tons of Minecraft servers.
He wants to use https://pterodactyl.io/ to host them but we don't know how to set up security lol.
He is in 10.0.60.1/24 for his servers.
So if someone can point me toward the good and proper Traefik setup and remove all the crap files I've created over the last weeks with ChatGPT. I don't understand most parts of it.
So far only Traefik shows my traefik.domain.com and whoami.domain.com.
All the rest show the default Traefik certificate and don't get them from Traefik.
My DNS server is 10.0.100.1 in case that matters; this is Unbound.
Cloudflare is in Full HTTPS mode, unless this matters?
All emails and keys are not valid in this post. I modified them.
I can open any port and all ports are open to the world.
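An added example, not code from the original post: a preflight script for the "some credentials information are missing" error logged above. The docker-compose.yml passes `CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}`, but `docker stack deploy` does not read a `.env` file the way `docker compose` does, so the variable must be exported in the deploying shell or Traefik receives an empty token. The script loads the env file, checks that a complete Cloudflare credential set (CF_* or CLOUDFLARE_* spelling, both accepted by Traefik's ACME library lego) is present, and only then deploys; the function names, the stack name `traefik` and the /opt/traefik paths are assumptions.

```shell
#!/bin/sh
# Added example: verify the Cloudflare DNS-01 credentials reach Traefik
# before `docker stack deploy`, which ignores .env files (unlike docker compose).
# Paths, stack name and function names are assumptions for illustration.

# Export every KEY=VALUE line of an env file into the current shell.
load_env_file() {
    [ -r "$1" ] || return 1
    set -a
    . "$1"
    set +a
}

# Return 0 when one complete Cloudflare credential set is present, 1 otherwise.
# A scoped DNS API token alone is enough; a global API key also needs the email.
have_cloudflare_creds() {
    token="${CF_DNS_API_TOKEN:-${CLOUDFLARE_DNS_API_TOKEN:-}}"
    key="${CF_API_KEY:-${CLOUDFLARE_API_KEY:-}}"
    email="${CF_API_EMAIL:-${CLOUDFLARE_EMAIL:-}}"
    [ -n "$token" ] && return 0
    [ -n "$key" ] && [ -n "$email" ] && return 0
    return 1
}

# Report how a ${VAR} placeholder in a compose file will be interpolated:
# "unreferenced" (not used in the file), "set", or "EMPTY" (Traefik gets "").
compose_var_state() {
    grep -qF "\${$2}" "$1" || { echo "unreferenced"; return 0; }
    eval "v=\${$2:-}"
    [ -n "$v" ] && echo "set" || echo "EMPTY"
}

# Load the env file, refuse to deploy without credentials, then deploy the stack.
deploy_stack() {
    load_env_file "$1" || { echo "cannot read $1" >&2; return 1; }
    have_cloudflare_creds || {
        echo "Cloudflare credentials missing; Traefik would fail DNS-01" >&2
        return 1
    }
    echo "CF_DNS_API_TOKEN is $(compose_var_state "$2" CF_DNS_API_TOKEN)"
    docker stack deploy -c "$2" "$3"
}

# Deploys only when run with three arguments, e.g.:
#   sh preflight.sh /opt/traefik/.env /opt/traefik/docker-compose.yml traefik
if [ "$#" -eq 3 ]; then
    deploy_stack "$1" "$2" "$3"
fi
```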