I am trying to connect my Home Assistant service via Traefik v3. The HTTP router definition is in the file http.routers.default.yml:

```yaml
routers:
  harouter:
    rule: "Host(`home.xxx.xxx`)"
    entryPoints:
      - web
    service: haservice
    tls:
      certResolver: http_resolver
services:
  haservice:
    loadBalancer:
      servers:
        - url: "http://192.168.178.12:8123"
      passHostHeaders: true
```
My Traefik configuration:

```yaml
api:
  dashboard: true
metrics:
  prometheus:
    addRoutersLabels: true
certificatesResolvers:
  http_resolver:
    acme:
      email: "xxxx"
      storage: "/etc/traefik/acme_letsencrypt.json"
      httpChallenge:
        entryPoint: web
  tls_resolver:
    acme:
      email: "xxxx"
      storage: "/etc/traefik/tls_letsencrypt.json"
      tlsChallenge: {}
entryPoints:
  ping:
    address: ':88'
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      middlewares:
        - default@file
        - traefik-bouncer@file
  git-ssh:
    address: ":22"
    http:
      middlewares:
        - traefik-bouncer@file
ping:
  entryPoint: "ping"
global:
  checknewversion: true
  sendanonymoususage: false
providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"
    exposedByDefault: false
    network: "proxy"
  file:
    directory: "/etc/traefik/dynamic_conf"
    watch: true
  providersThrottleDuration: 10s
log:
  level: DEBUG
  filePath: "/var/log/traefik/traefik.log"
  format: text
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: text
  bufferingSize: 50
  fields:
    defaultMode: keep
```
The log says:

```
2025-12-03T01:18:26+01:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:276 > TLS: strict SNI enabled - No certificate found for domain: "home.xxx.xxx", closing connection
2025-12-03T01:18:26+01:00 DBG log/log.go:245 > http: TLS handshake error from 46.142.152.133:64934: tls: no certificates configured
```
My networks.yml compose file is:

```yaml
networks:
  crowdsec:
    name: ${NETWORKS_CROWDSEC_NAME:-crowdsec}
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${NETWORKS_CROWDSEC_SUBNET_IPV4:-172.31.64.0/18}
        - subnet: ${NETWORKS_CROWDSEC_SUBNET_IPV6:-fd00:1:be:a:7001:0:3e:6000/116}
    attachable: true
  proxy:
    name: ${NETWORKS_PROXY_NAME:-proxy}
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${NETWORKS_PROXY_SUBNET_IPV4:-172.31.128.0/18}
        - subnet: ${NETWORKS_PROXY_SUBNET_IPV6:-fd00:1:be:a:7001:0:3e:7000/116}
    attachable: true
  socket_proxy:
    name: ${NETWORKS_SOCKET_PROXY_NAME:-socket_proxy}
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: ${NETWORKS_SOCKET_PROXY_SUBNET_IPV4:-172.31.192.0/18}
        - subnet: ${NETWORKS_SOCKET_PROXY_SUBNET_IPV6:-fd00:1:be:a:7001:0:3e:8000/116}
    attachable: true
    internal: true
```

What am I missing?
kemal.secer:
What am I missing?
You forgot to share your Traefik compose file.
Note that you let your "harouter" only listen on web, but web entrypoint always redirects to websecure, so the router will never be reached (httpChallenge should still work).
Why do you have 2 certResolvers anyway?
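The point made in the reply above (a router bound only to an entrypoint that redirects elsewhere is never reached), as an added example that is not part of the original thread: a small check over parsed Traefik static and dynamic configuration. The dicts are constructed stand-ins for the YAML posted here, `home.example.test` is a placeholder, and the function and finding names are hypothetical.

```python
# Constructed stand-ins for the parsed YAML posted in this thread; the
# hostname is a placeholder and only the keys the check needs are kept.
STATIC = {
    "entryPoints": {
        "web": {"address": ":80", "http": {"redirections": {
            "entryPoint": {"to": "websecure", "scheme": "https"}}}},
        "websecure": {"address": ":443"},
    },
    "certificatesResolvers": {"http_resolver": {}, "tls_resolver": {}},
}
ROUTERS_BEFORE = {"harouter": {
    "rule": "Host(`home.example.test`)", "entryPoints": ["web"],
    "service": "haservice", "tls": {"certResolver": "http_resolver"}}}
ROUTERS_AFTER = {"harouter": {
    "rule": "Host(`home.example.test`)", "entryPoints": ["websecure"],
    "service": "haservice", "tls": {"certResolver": "tls_resolver"}}}


def redirect_target(static, name):
    """Return the entrypoint that `name` redirects to, or None."""
    ep = static.get("entryPoints", {}).get(name) or {}
    redirections = (ep.get("http") or {}).get("redirections") or {}
    return (redirections.get("entryPoint") or {}).get("to")


def lint_routers(static, routers):
    """Return (router, finding, detail) tuples for routers that cannot serve."""
    entrypoints = static.get("entryPoints", {})
    resolvers = static.get("certificatesResolvers", {})
    findings = []
    for name, router in sorted(routers.items()):
        # Routers without an explicit entryPoints list are not judged here.
        listed = router.get("entryPoints") or []
        unknown = [e for e in listed if e not in entrypoints]
        if unknown:
            findings.append((name, "unknown-entrypoint", unknown))
        known = [e for e in listed if e in entrypoints]
        # Every listed entrypoint redirects elsewhere: the router is shadowed.
        if known and all(redirect_target(static, e) for e in known):
            targets = sorted({redirect_target(static, e) for e in known})
            findings.append((name, "shadowed-by-redirect", targets))
        resolver = (router.get("tls") or {}).get("certResolver")
        if resolver and resolver not in resolvers:
            findings.append((name, "unknown-cert-resolver", [resolver]))
    return findings


if __name__ == "__main__":
    print("before:", lint_routers(STATIC, ROUTERS_BEFORE))
    print("after: ", lint_routers(STATIC, ROUTERS_AFTER))
```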
My Traefik compose file:

```yaml
services:
  traefik:
    container_name: traefik
    depends_on:
      crowdsec:
        condition: service_healthy
      socket-proxy:
        condition: service_healthy
    env_file: ${ABSOLUTE_PATH}/data/traefik/.env
    hostname: ${SERVICES_TRAEFIK_HOSTNAME:-traefik}
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      timeout: 1s
      interval: 10s
      retries: 3
      start_period: 10s
    image: traefik:3.5
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik-dashboard.entrypoints: websecure
      traefik.http.routers.traefik-dashboard.middlewares: traefik-dashboard-auth@file
      traefik.http.routers.traefik-dashboard.rule: HOST(`traefik.xxx.xxx`)
      traefik.http.routers.traefik-dashboard.service: api@internal
      traefik.http.routers.traefik-dashboard.tls: "true"
      traefik.http.routers.traefik-dashboard.tls.certresolver: tls_resolver
      traefik.http.services.traefik-dashboard.loadbalancer.sticky.cookie.httpOnly: "true"
      traefik.http.services.traefik-dashboard.loadbalancer.sticky.cookie.secure: "true"
      traefik.http.routers.pingweb.rule: PathPrefix(`/ping`)
      traefik.http.routers.pingweb.service: ping@internal
      traefik.http.routers.pingweb.entrypoints: websecure
    networks:
      crowdsec:
        ipv4_address: 172.31.127.253
        ipv6_address: fd00:1:be:a:7001:0:3e:6ffe
      proxy:
        ipv4_address: 172.31.191.254
        ipv6_address: fd00:1:be:a:7001:0:3e:7fff
      socket_proxy:
        ipv4_address: 172.31.255.253
        ipv6_address: fd00:1:be:a:7001:0:3e:8ffe
    ports:
      - mode: host
        target: 80
        published: "80"
        protocol: tcp
      - mode: host
        target: 443
        published: "443"
        protocol: tcp
      - mode: host
        target: 22
        published: "22"
        protocol: tcp
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${ABSOLUTE_PATH}/data/traefik/traefik.yml:/etc/traefik/traefik.yml
      - ${ABSOLUTE_PATH}/data/traefik/.htpasswd:/etc/traefik/.htpasswd
      - ${ABSOLUTE_PATH}/data/traefik/certs/acme_letsencrypt.json:/etc/traefik/acme_letsencrypt.json
      - ${ABSOLUTE_PATH}/data/traefik/certs/tls_letsencrypt.json:/etc/traefik/tls_letsencrypt.json
      - ${ABSOLUTE_PATH}/data/traefik/dynamic_conf:/etc/traefik/dynamic_conf:ro
      - ${ABSOLUTE_PATH}/logs/traefik/:/var/log/traefik/
```
I have two resolvers, because
Again: why? I never needed two resolvers. You need one resolver to create the certs.
Is http.routers.default.yml read by Traefik providers.file, does harouter show up in logs?
My log file says:

```
16 2025-12-04T03:28:19+01:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:206 > Starting provider *file.Provider
17 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:207 > *file.Provider provider configuration config={"directory":"/etc/traefik/dynamic_conf","watch":true}
18 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf
19 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.authelia.yml
20 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.default-security-headers.yml
21 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.default.yml
22 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.gzip.yml
23 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.traefik-bouncer.yml
24 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.middlewares.traefik-dashboard-auth.yml
25 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/http.routers.default.yml
26 2025-12-04T03:28:19+01:00 DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/dynamic_conf/tls.yml
```
As stated on line 25, the file http.routers.default.yml is added to the watcher, so I assume that the file is being processed.
But NO, the harouter doesn't appear in the logs.
Meanwhile I've changed the http.routers.default.yml to:

```yaml
routers:
  harouter:
    rule: "Host(`home.secer.info`)"
    entryPoints:
      - websecure
    service: haservice
    tls:
      certResolver: tls_resolver
services:
  haservice:
    loadBalancer:
      servers:
        - url: "http://192.168.178.12:8123"
      passHostHeaders: true
```
Try to update Traefik to the latest version, v3.6.2.
Updated Traefik to v3.6.2. But unfortunately no difference.
It seems strange that the router is not listed. Try to set log.level=DEBUG and log.format=json; that lists all recognized routers for me.
I set log.level=DEBUG and log.format=json, vacuumed previous logs and made a clean start-up with only the core services. All additional services are suspended, as they are not important for now.
I wasn't able to paste the traefik.log here (it's a bit long).
So here is the hastebin