Set up Traefik based on the simple Traefik example.
The containers run successfully and I can see Traefik has written a certificate in acme.json. Unfortunately I'm bumping into an annoying basicauth issue, where my credentials aren't being accepted and are requested again after each submit.
I'm getting the errors below in traefik.log and assume they are related to the login issue. How do I fix this?
2024-02-25T13:00:35+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: error: one or more domains had a problem:\n[traefik.continental34.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)
2024-02-25T13:01:12+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)
And the full Docker config listed below:
version: '3.9'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - 8008:80
      - 8443:443
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/logs:/logs
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$12345$$6789
  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.continental34.com`) || Host(`www.whoami.continental34.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect
networks:
  proxy:
    name: proxy
You don’t use any Cloudflare proxy or tunnel?
Maybe try enabling/disabling CNAME support:
CNAME support
CNAME are supported (and sometimes even encouraged), but there are a few cases where they can be problematic.
If needed, CNAME support can be disabled with the following environment variable:
LEGO_DISABLE_CNAME_SUPPORT=true
Update: remove www.whoami.continental34.com or create a matching DNS entry.
And you have reached the LE usage limits; you might need to wait 7 days.
Yes, I temporarily disabled the Cloudflare proxy for testing purposes. When I enable the CF proxy for the A & CNAME records I get the following timeout in Chrome:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Once I toggle this back to DNS only, traefik & whoami work fine without basic auth. Is this related to the LE timeout or a different problem?
@bluepuma77 my understanding is also that I can't use wildcards and proxy with TLS, so my reasoning was not to enable it yet and to switch to dnschallenge in traefik / cloudflare once things start to work. Just so I get this correctly: is my current basicauth issue caused by the LE usage limit or not?
Your help is as always welcome 
In general those two are independent.
The password has to be in hashed format in dynamic config. Furthermore, when in labels, every $ has to be escaped with another $.
That's exactly my thought and worry here. I've generated a bunch of passwords over the past weeks with the following command:
htpasswd -nb admin password
No luck, and I'm also escaping all three $ in each password with another $ in the labels section. Even when using the exact same credentials from your simple example I'm getting the same basicauth error... It's driving me nuts by now
Desperately want to fix this, where do I take things from here?
I originally wrote that I put the credentials in the command section; they are in labels.
This does not work for you?
labels:
  - traefik.enable=true
  - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
  - traefik.http.routers.mydashboard.service=api@internal
  - traefik.http.routers.mydashboard.middlewares=myauth
  - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
It’s the simplest user:test, pass:test example.
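The two points made above (the `users` value must hold a password hash, not the password, and every `$` of that hash must be doubled inside a compose label) can be checked before a container is ever started. The script below is an added example, not from this thread or from Traefik: it reimplements the `$apr1$` MD5 scheme that `htpasswd -nb` emits by default so a label can be verified offline, builds the escaped label line, and checks a candidate password against that label. The salt and the passwords it uses are constructed for the demonstration.

```python
"""Added example (not from the thread or from Traefik): generate and verify an
htpasswd-style $apr1$ hash and show the $$ escaping a compose label needs.
The apr1 routine is a reimplementation of Apache's MD5-based scheme; the salt
and passwords below are constructed for the demonstration."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """Apache's 6-bit encoding, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' for the given password and salt."""
    pw = password.encode()
    salt = salt[:8]                      # apr1 uses at most 8 salt characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                        # mix in the alternate digest, len(pw) bytes total
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{MAGIC}{salt}${enc}"


def verify_apr1(password: str, hashed: str) -> bool:
    """Recompute with the salt embedded in `hashed` and compare in constant time."""
    if not hashed.startswith(MAGIC):
        return False
    salt = hashed[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(apr1_hash(password, salt), hashed)


def new_hash(password: str) -> str:
    """What `htpasswd -nb user password` would produce, with a random salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return apr1_hash(password, salt)


def compose_label(user: str, hashed: str) -> str:
    """docker compose interpolates $VAR inside labels, so every $ is doubled."""
    escaped = hashed.replace("$", "$$")
    return f"traefik.http.middlewares.myauth.basicauth.users={user}:{escaped}"


def verify_label(label: str, password: str) -> bool:
    """Undo the compose escaping and check `password` against the stored hash."""
    users = label.split("=", 1)[1].replace("$$", "$")
    _user, hashed = users.split(":", 1)
    return verify_apr1(password, hashed)


if __name__ == "__main__":
    h = apr1_hash("test", "H6uskkkW")           # constructed salt
    label = compose_label("test", h)
    print(label)
    print("password 'test' accepted:", verify_label(label, "test"))
    print("hash used as password accepted:", verify_label(label, h))
```

Running the script prints the label exactly as it should appear in the compose file; the last line reproduces the mistake the thread ends on, since pasting the hash itself into the browser prompt never matches.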
Nope, I have the exact same 5 lines now. Instead I get the following in traefik.log:
2024-02-28T10:01:44+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
This is how my current docker compose looks:
version: '3.9'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - 8008:80
      - 8443:443
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/logs:/logs
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.continental34.com`)
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.tls.certresolver=myresolver
networks:
  proxy:
    name: proxy
I also just did a system prune --all, removed the containers and built the compose again. Will it help if I share the full log?
It works, I think you got confused by the special ports 
https://traefik.continental34.com:8443/dashboard/
https://whoami.continental34.com:8443
Note that httpChallenge needs port 80 and tlsChallenge needs port 443. If you can't use those, then you need to use more complex dnsChallenge.
I know those links work because I've been using them all the time. The problem is that basicauth is not working on the traefik link. But if I understand you correctly, that's caused by tlschallenge requiring port 443 (which is already taken by another nginx server).
So I've rebuilt everything again, commented the tls section out and replaced it with the dns values. Still getting the same issue when accessing:
https://traefik.continental34.com:8443/dashboard/
Is the link wrong, or should I change something else? Arghhh 
Revised command & labels below:
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      # - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      # - --certificatesresolvers.myresolver.acme.tlschallenge=true
      # DNS CHALLENGE
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
    environment:
      - CF_API_EMAIL=${CFEMAIL}
      - CF_DNS_API_TOKEN=${CFAPI}
      # - LEGO_DISABLE_CNAME_SUPPORT=true
Works for me: I got asked for user/pass, entered test/test and the Traefik dashboard was shown, on your server
Haha ok, so I was doing something really stupid. Basically I thought that the hash was the actual password. Thanks for clarifying that 
I've reset the password, reverted back to tlschallenge and basicauth is indeed working:
2024-02-28T15:05:25+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
Only one ERR remaining in my log now, how do I fix this one?
2024-02-28T15:04:06+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: error: one or more domains had a problem:\n[traefik.continental34.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 24.132.61.220: Connection refused\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)
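The three ACME errors in this thread (403 unauthorized with no `acme-tls/1` ALPN, 429 rateLimited, 400 connection refused) all trace back to the same root cause the earlier reply named: tlsChallenge needs the public port 443 to reach Traefik, while this compose file publishes 8443:443 and another server holds 443. The script below is an added example, not from this thread or from Traefik, that triages such `ERR` lines from traefik.log and checks a compose `ports:` list against the chosen challenge type. The sample log lines are shortened copies of the ones posted above; the diagnosis strings are this example's own wording.

```python
"""Added example (not from the thread or from Traefik): classify the ACME
errors Traefik logs and check whether the compose port mapping publishes the
port a challenge type needs. SAMPLE_LOG holds shortened copies of lines from
the thread; diagnosis texts are this example's own wording."""
import re
from typing import List, Optional

ACME_ERR = re.compile(r"urn:ietf:params:acme:error:(?P<type>[A-Za-z]+)")
DOMAINS = re.compile(r"domains=\[(?P<domains>[^\]]*)\]")

# Public port each challenge type needs; dnsChallenge needs no inbound port.
CHALLENGE_PORT = {"httpChallenge": 80, "tlsChallenge": 443, "dnsChallenge": None}

SAMPLE_LOG = [
    r'2024-02-25T13:00:35+01:00 ERR provider.go:399 > Unable to obtain ACME certificate for domains error="[traefik.continental34.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" domains=["traefik.continental34.com"] providerName=myresolver.acme',
    r'2024-02-25T13:01:12+01:00 ERR provider.go:399 > Unable to obtain ACME certificate for domains error="acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many failed authorizations recently" domains=["traefik.continental34.com"] providerName=myresolver.acme',
    r'2024-02-28T15:04:06+01:00 ERR provider.go:399 > Unable to obtain ACME certificate for domains error="[traefik.continental34.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 24.132.61.220: Connection refused\n" domains=["traefik.continental34.com"] providerName=myresolver.acme',
    r'2024-02-28T15:05:25+01:00 DBG basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth',
]


def triage_acme_line(line: str) -> Optional[dict]:
    """Return {'domains', 'type', 'diagnosis'} for an ACME failure line, else None."""
    if "Unable to obtain ACME certificate" not in line:
        return None
    m = ACME_ERR.search(line)
    err_type = m.group("type") if m else "unknown"
    dm = DOMAINS.search(line)
    domains = re.findall(r'"([^"]+)"', dm.group("domains")) if dm else []
    if err_type == "unauthorized" and "acme-tls/1" in line:
        diag = ("tlsChallenge: the CA reached port 443 on the public address but "
                "Traefik did not answer the acme-tls/1 handshake; check that :443 "
                "is published to Traefik and no other service or CDN proxy "
                "terminates TLS there")
    elif err_type == "rateLimited":
        diag = "CA rate limit hit: fix the validation failure first, then wait before retrying"
    elif err_type == "connection":
        diag = "the CA could not connect to the challenge port on the public address"
    else:
        diag = f"unhandled ACME error type '{err_type}'"
    return {"domains": domains, "type": err_type, "diagnosis": diag}


def triage_log(lines: List[str]) -> List[dict]:
    """Triage every ACME failure in a log excerpt, skipping unrelated lines."""
    return [r for r in (triage_acme_line(l) for l in lines) if r is not None]


def challenge_port_published(ports: List[str], challenge: str) -> bool:
    """True when a compose 'host:container' (or 'ip:host:container') mapping
    publishes the challenge port on the host side to the same port inside."""
    need = CHALLENGE_PORT[challenge]
    if need is None:
        return True
    for mapping in ports:
        parts = mapping.split(":")
        container = int(parts[-1].split("/")[0])   # strip an optional /tcp suffix
        host = int(parts[-2])
        if host == need and container == need:
            return True
    return False


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result["type"], result["domains"], "->", result["diagnosis"])
    thread_ports = ["8008:80", "8443:443"]       # the mapping from the thread
    for challenge in CHALLENGE_PORT:
        print(challenge, "satisfied by", thread_ports, ":",
              challenge_port_published(thread_ports, challenge))
```

Run against the thread's mapping, only dnsChallenge is satisfied, which matches the outcome of the thread: tlsChallenge and httpChallenge both need the real port published, and the Cloudflare proxy adds a second TLS terminator in front of 443 that would defeat tlsChallenge even with the port free.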
In the end I got the Cloudflare dns challenge working as well, and it was not related to configuration issues in traefik. There were two other issues at play directly in Cloudflare:
- My api token was not working properly; after creating a new one the dns challenge also started working properly.
- My edge certificates were getting a timeout validation error in Cloudflare. Disabling the universal SSL settings for 15 min and re-enabling them afterwards solved that. Then the whole setup started working like magic, also behind the proxy.
@bluepuma77 shoutout to you for helping me out a lot in this process
The simplified config was super valuable (including reading a lot of the Traefik docs) and taught me a lot about how Traefik really works in the end.