Certificate DNS challenge and some other problems

Hello,

I'm trying to accomplish the following:

I have a functional Docker Swarm cluster with three nodes, each running as a virtual machine on the same bare-metal host.

For the past few days, I've been working on setting up a Traefik stack within this swarm. Previously, I had a standalone Traefik 2.0 instance successfully managing multiple services using Traefik's capabilities. Unfortunately, I lost the machine and its configuration one day, so I'm essentially starting from scratch.

Now, I'm trying to set this up using Traefik 3.0 in Docker Swarm. My goal is to use the DNS challenge to obtain a wildcard SSL certificate. I'm using a Swiss domain provider called Infomaniak for this purpose.

Here's my current stack configuration:


services:
  whoami:
    image: traefik/whoami
    networks:
      - traefik-public
    ports:
      - "8888:80"
    deploy:
      mode: global
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.rule=Host(`whoami.morannon.ch`)"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.rule=Host(`whoami.morannon.ch`)"
      - "traefik.http.routers.whoami.middlewares=whoami-ipallowlist@docker"
      - "traefik.http.routers.whoami-secure.middlewares=whoami-ipallowlist@docker"
      - "traefik.http.middlewares.whoami-ipallowlist.ipallowlist.sourcerange=REDACTED"
      - "traefik.http.routers.whoami.service=whoami@docker"
      - "traefik.http.services.whoami.loadbalancer.server.port=8888"
      - "traefik.http.routers.whoami-secure.tls=true"
      - "traefik.http.routers.whoami-secure.tls.certresolver=wildcardresolver"
      - "traefik.http.routers.whoami-secure.tls.domains[0].main=mydomain.ch"
      - "traefik.http.routers.whoami-secure.tls.domains[0].sans=*.mydomain.ch"
 
  traefik:
    image: traefik:v3.3.2
    environment:
      - INFOMANIAK_ACCESS_TOKEN=${INFOMANIAK_ACCESS_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    deploy:
      mode: global
      placement:
        constraints:
          - node.role==manager
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker-volume/traefik/certificates:/certificates:rw
      - /data/docker-volume/traefik/logs:/logs:rw
      - /data/docker-volume/traefik/letsencrypt:/letsencrypt/:rw
    command:
      - --accesslog=true
      - --accesslog.filePath=/logs/access.log
      - --api.dashboard=true
      - --api.insecure=true
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge=true
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.provider=infomaniak
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.delaybeforecheck=60
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.resolvers=nsany1.infomaniak.com:53,nsany2.infomaniak.com:53
      - --certificatesresolvers.wildcardresolver.acme.storage=/certificates/acme.json
      - --certificatesresolvers.wildcardresolver.acme.certificatesduration=2160
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --log.level=DEBUG
      - --providers.swarm=true
      - --providers.docker=true
      - --providers.swarm.exposedByDefault=false
      - --providers.docker.exposedbydefault=false
      - --providers.swarm.network=traefik-public
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.ch`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.ch`)"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik.service=traefik@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik-secure.tls.certresolver=wildcardresolver"
      - "traefik.http.routers.traefik.middlewares=traefik-ipallowlist@docker"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-ipallowlist@docker"
      - "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=REDACTED"
    networks:
      - traefik-public


networks:
  traefik-public:
    external: true

This is the most stable version after several attempts.

Current Status:

  1. Traefik successfully creates a DNS entry like _acme-something on my DNS provider.
  2. I'm fairly certain Let's Encrypt is issuing a certificate because I received a soft ban due to hitting the rate limit (24 hours).
  3. I can access the Traefik dashboard via http://<vm_ip>:8080 and the Whoami service via http://<vm_ip>:8888.

Problems Encountered:

  1. On my Windows machine, I mapped traefik.mydomain.ch and whoami.mydomain.ch in the hosts file, but I'm unable to access these pages.
  2. I can't reach any of my URLs outside my home network.
  3. I suspect there's a missing or misconfigured element, but I haven't been able to identify it.

Below is a fresh log from today showing the rate limit error from Let's Encrypt.

More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=websecure

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=traefik

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=web

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config=

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider

HTTPChallengeProvider={} ResolverName=wildcardresolver TLSChallengeProvider={} caServer=https://acme-v02.api.letsencrypt.org/directory certificatesDuration=2160 dnsChallenge={"delayBeforeCheck":"1m0s","propagation":{"delayBeforeChecks":"1m0s"},"provider":"infomaniak","resolvers":["nsany1.infomaniak.com:53","nsany2.infomaniak.com:53"]} keyType=RSA4096 storage=/certificates/acme.json store={}

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config=

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider

defaultRule=Host(`{{ normalize .Name }}`) endpoint=unix:///var/run/docker.sock watch=true

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config=

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.SwarmProvider

defaultRule=Host(`{{ normalize .Name }}`) endpoint=unix:///var/run/docker.sock network=traefik-public refreshSeconds=15s watch=true

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.SwarmProvider provider configuration config=

2025-01-28T20:32:31Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config=

http={"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}}},"models":{"traefik":{"observability":{"accessLogs":true,"metrics":true,"tracing":true}},"web":{"observability":{"accessLogs":true,"metrics":true,"tracing":true}},"websecure":{"observability":{"accessLogs":true,"metrics":true,"tracing":true}}},"routers":{"api":{"entryPoints":["traefik"],"priority":9223372036854776000,"rule":"PathPrefix(`/api`)","ruleSyntax":"v3","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854776000,"rule":"PathPrefix(`/`)","ruleSyntax":"v3","service":"dashboard@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}} tcp={"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}} tls={} udp={}

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config=providerName=internal

http={} tcp={} tls={} udp={}

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config=providerName=wildcardresolver.acme

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pswarm.go:93 > Provider connection established with docker 27.5.0 (API 1.47) providerName=swarm

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 27.5.0 (API 1.47) providerName=docker


2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=portainer-79221e6b61ea8f915e023bce04524ec7f20f5b4bfa88ec311b12f3ee979fda75 providerName=docker

http={"middlewares":{"traefik-ipallowlist":{"ipAllowList":{"sourceRange":[""]}},"whoami-ipallowlist":{"ipAllowList":{"sourceRange":[""]}}},"routers":{"traefik":{"entryPoints":["web"],"middlewares":["traefik-ipallowlist@docker"],"rule":"Host(`traefik.mydomain.ch`)","service":"traefik@docker"},"traefik-secure":{"entryPoints":["websecure"],"middlewares":["traefik-ipallowlist@docker"],"rule":"Host(`traefik.mydomain.ch`)","service":"traefik","tls":{"certResolver":"wildcardresolver"}},"whoami":{"entryPoints":["web"],"middlewares":["whoami-ipallowlist@docker"],"rule":"Host(`whoami.mydomain.ch`)","service":"whoami@docker"},"whoami-secure":{"entryPoints":["websecure"],"middlewares":["whoami-ipallowlist@docker"],"rule":"Host(`whoami.mydomain.ch`)","service":"whoami","tls":{"certResolver":"wildcardresolver","domains":[{"main":"mydomain.ch","sans":["*.mydomain.ch"]}]}}},"services":{"traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://10.0.0.12:8080"}]}},"whoami":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://10.0.0.10:8888"}]}}}} tcp={} tls={} udp={}

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config=providerName=docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-traefik-l3s9abzf5pb3i6vmvnpa58a8t providerName=swarm

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-fswwhisrhkxzm4dygahmdcp3m providerName=swarm

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-qehuwhzb1iy2rdhi5zxqewgvi providerName=swarm

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-rf1xr46dpdzibfyl9kz9v56ty providerName=swarm

http={} tcp={} tls={} udp={}

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config=providerName=swarm

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=web routerName=whoami@docker serviceName=whoami@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=web routerName=whoami@docker serverName=9a8c8dada762a80d serviceName=whoami@docker target=http://10.0.0.10:8888

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=web middlewareName=whoami-ipallowlist@docker middlewareType=IPAllowLister routerName=whoami@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [REDACTED] entryPointName=web middlewareName=whoami-ipallowlist@docker middlewareType=IPAllowLister routerName=whoami@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=whoami-ipallowlist@docker routerName=whoami@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:313 > Creating load-balancer entryPointName=web routerName=traefik@docker serviceName=traefik@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:350 > Creating server entryPointName=web routerName=traefik@docker serverName=e7f4290579ee4aaf serviceName=traefik@docker target=http://10.0.0.12:8080

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=web middlewareName=traefik-ipallowlist@docker middlewareType=IPAllowLister routerName=traefik@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [REDACTED] entryPointName=web middlewareName=traefik-ipallowlist@docker middlewareType=IPAllowLister routerName=traefik@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=traefik-ipallowlist@docker routerName=traefik@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=traefik-ipallowlist@docker middlewareType=IPAllowLister routerName=traefik-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [REDACTED] entryPointName=websecure middlewareName=traefik-ipallowlist@docker middlewareType=IPAllowLister routerName=traefik-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=traefik-ipallowlist@docker routerName=traefik-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=whoami-ipallowlist@docker middlewareType=IPAllowLister routerName=whoami-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [REDACTED] entryPointName=websecure middlewareName=whoami-ipallowlist@docker middlewareType=IPAllowLister routerName=whoami-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=whoami-ipallowlist@docker routerName=whoami-secure@docker

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for whoami.mydomain.ch with TLS options default entryPointName=websecure

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.mydomain.ch with TLS options default entryPointName=websecure

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:470 > Trying to challenge certificate for domain [traefik.mydomain.ch] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme routerName=traefik-secure@docker rule=Host(`traefik.mydomain.ch`)

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate ["mydomain.ch" "*.mydomain.ch"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate ["traefik.mydomain.ch"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme routerName=traefik-secure@docker rule=Host(`traefik.mydomain.ch`)

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:986 > Domains need ACME certificates generation for domains "mydomain.ch,*.mydomain.ch". ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.ch","*.mydomain.ch"] providerName=wildcardresolver.acme

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:706 > Loading ACME certificates [mydomain.ch *.mydomain.ch]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme

2025-01-28T20:32:31Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:984 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.mydomain.ch"] providerName=wildcardresolver.acme routerName=traefik-secure@docker rule=Host(`traefik.mydomain.ch`)

2025-01-28T20:32:32Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270 > Building ACME client... providerName=wildcardresolver.acme

2025-01-28T20:32:32Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276 > https://acme-v02.api.letsencrypt.org/directory providerName=wildcardresolver.acme

2025-01-28T20:32:33Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:457 > Register... providerName=wildcardresolver.acme

2025-01-28T20:32:33Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:317 > Using DNS Challenge provider: infomaniak providerName=wildcardresolver.acme

2025-01-28T20:32:33Z DBG github.com/go-acme/lego/v4@v4.21.0/log/logger.go:48 > [INFO] [mydomain.ch, *.mydomain.ch] acme: Obtaining bundled SAN certificate lib=lego

2025-01-28T20:32:33Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.ch *.mydomain.ch]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-01-29 11:56:53 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.ch","*.mydomain.ch"] providerName=wildcardresolver.acme routerName=whoami-secure@docker rule=Host(`whoami.mydomain.ch`)

2025-01-28T20:32:36Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

2025-01-28T20:32:36Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

2025-01-28T20:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-traefik-l3s9abzf5pb3i6vmvnpa58a8t providerName=swarm

2025-01-28T20:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-fswwhisrhkxzm4dygahmdcp3m providerName=swarm

2025-01-28T20:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-qehuwhzb1iy2rdhi5zxqewgvi providerName=swarm

2025-01-28T20:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=traefik-whoami-rf1xr46dpdzibfyl9kz9v56ty providerName=swarm

http={} tcp={} tls={} udp={}


In Docker Swarm, the labels need to go inside the deploy section.

Remove providers.docker, unless you really want to discover additional containers that run only locally.

Note that in Docker Swarm, when you don’t set ports into host mode, an additional ingress network will be created, which will forward incoming requests round-robin to the nodes.

Check the simple Traefik Swarm example.
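
The changes suggested in the reply above, applied to the posted stack file, as an added example that is not part of the original thread and not the Traefik project's own sample. Beyond the reply it assumes three further changes, each marked in a comment: the whoami port label points at the container port, the dashboard is routed through `api@internal` instead of `--api.insecure` on a published 8080, and the resolver uses the Let's Encrypt staging CA while testing.

```yaml
# Added example. Hostnames, token variable and REDACTED ranges are the
# placeholders used in the post.
services:
  whoami:
    image: traefik/whoami
    networks:
      - traefik-public
    deploy:
      mode: global
      labels:   # the Swarm provider reads service labels, which live under deploy
        - "traefik.enable=true"
        - "traefik.http.routers.whoami-secure.rule=Host(`whoami.mydomain.ch`)"
        - "traefik.http.routers.whoami-secure.entrypoints=websecure"
        - "traefik.http.routers.whoami-secure.tls.certresolver=wildcardresolver"
        - "traefik.http.routers.whoami-secure.tls.domains[0].main=mydomain.ch"
        - "traefik.http.routers.whoami-secure.tls.domains[0].sans=*.mydomain.ch"
        # No @docker suffix: with only providers.swarm enabled, names resolve in @swarm
        - "traefik.http.routers.whoami-secure.middlewares=whoami-ipallowlist"
        - "traefik.http.middlewares.whoami-ipallowlist.ipallowlist.sourcerange=REDACTED"
        # Assumption: container port (traefik/whoami listens on 80), not a published port
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

  traefik:
    image: traefik:v3.3.2
    environment:
      - INFOMANIAK_ACCESS_TOKEN=${INFOMANIAK_ACCESS_TOKEN}
    ports:
      # Host mode bypasses the ingress mesh, so the ipallowlist middleware
      # sees the client's source address rather than an ingress-network address
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      mode: global
      placement:
        constraints:
          - node.role==manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.ch`)"
        - "traefik.http.routers.traefik-secure.entrypoints=websecure"
        - "traefik.http.routers.traefik-secure.tls.certresolver=wildcardresolver"
        # Assumption: dashboard served through the allowlisted router, 8080 not published
        - "traefik.http.routers.traefik-secure.service=api@internal"
        - "traefik.http.routers.traefik-secure.middlewares=traefik-ipallowlist"
        - "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=REDACTED"
        # Swarm requires a port label on every enabled service; unused with api@internal
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker-volume/traefik/certificates:/certificates:rw
      - /data/docker-volume/traefik/logs:/logs:rw
    command:
      - --accesslog=true
      - --accesslog.filePath=/logs/access.log
      - --api.dashboard=true
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge=true
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.provider=infomaniak
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.delaybeforecheck=60
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.resolvers=nsany1.infomaniak.com:53,nsany2.infomaniak.com:53
      - --certificatesresolvers.wildcardresolver.acme.storage=/certificates/acme.json
      # Assumption: staging CA while testing, to stay clear of the production
      # rate limit seen in the log; remove this line once issuance works
      - --certificatesresolvers.wildcardresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.swarm=true
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik-public
    networks:
      - traefik-public

networks:
  traefik-public:
    external: true
```

After redeploying, the `Filtering disabled container ... providerName=swarm` lines for these two services should no longer appear in the debug log, and the swarm provider's `Configuration received` entry should list the routers instead of `http={}`.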
