Hi all,
I'm trying to set up a home server with various docker containers and want to make some of them (Obsidian, Zotero, Calibre-Web) publicly available on subdomains, e.g. obsidian.example.com, and use a Cloudflare tunnel to avoid opening local ports. I'm currently stuck on an error message from the cloudflared tunnel. It seems that the certificate is for another address. I think I'm missing a setting in my Traefik configuration, but I'm not sure where to look.
(example.com is just a placeholder for this post)
tunnel | 2025-02-10T21:56:26Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 event=1 ingressRule=0 originService=https://reverse-proxy
tunnel | 2025-02-10T21:56:26Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 dest=https://test.example.com/favicon.ico event=0 ip=198.41.200.63 type=http
The compose file:
networks:
  traefik:
    external: true
  cftunnel:

services:
  reverse-proxy:
    container_name: reverse-proxy
    image: traefik:v3.3
    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      # - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/config"
      - "--providers.file.watch=true"
      # Allow self-signed certificates on backends (Traefik -> service, not cloudflared -> Traefik)
      - "--serversTransport.insecureSkipVerify=true"
      # HTTP entrypoint
      - "--entrypoints.web.address=:80"
      # HTTPS entrypoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
      # Redirect to websecure
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # TLS
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"
      # Second resolver ("cloudflare"): points at the staging CA, enables both challenge
      # types, and has no email, storage or DNS provider; no router references it
      - "--certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    # NOTE: deploy.labels are only applied in Swarm mode (docker stack deploy); with plain
    # docker compose, Traefik reads the service-level "labels:" key (same for testapp below)
    deploy:
      labels:
        - "traefik.enable=true"
        # Rule string literals are enclosed in backticks
        - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
        - "traefik.http.routers.api.service=api@internal"
        # The web entrypoint redirects everything to websecure, so the dashboard
        # router is served on websecure with TLS
        - "traefik.http.routers.api.entrypoints=websecure"
        - "traefik.http.routers.api.tls=true"
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    ports:
      # HTTP port
      - "80:80"
      # HTTPS port (must match the websecure entrypoint on :443)
      - "443:443"
    networks:
      - traefik
      - cftunnel
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./cloudflare:/cloudflare
      - ./acme:/etc/traefik/acme
      - ./config:/config

  tunnel:
    container_name: tunnel
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: "tunnel --no-autoupdate run"
    environment:
      - NO_AUTOUPDATE=true
      - TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
    networks:
      - cftunnel

  testapp:
    image: traefik/whoami:latest
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        - "traefik.http.routers.testapp.rule=Host(`test.example.com`)"
        - "traefik.http.routers.testapp.entrypoints=websecure"
        - "traefik.http.routers.testapp.tls=true"
        # Label assignment uses "=", not ":"
        - "traefik.http.services.testapp.loadbalancer.server.port=80"
        # Request the wildcard certificate for this service's router ("testapp");
        # there is no router named "traefik" defined on this service
        - "traefik.http.routers.testapp.tls.domains[0].main=example.com"
        - "traefik.http.routers.testapp.tls.domains[0].sans=*.example.com"
    networks:
      - traefik
Cloudflare DNS setup:
Type   Name     Content                        Proxy status   TTL
A      ftp      <an IP>                        Proxied        Auto
AAAA   ftp      <an IP>                        Proxied        Auto
CNAME  test     <tunnel ID>.cfargotunnel.com   Proxied        Auto
CNAME  traefik  <tunnel ID>.cfargotunnel.com   Proxied        Auto
Cloudflare tunnel (healthy):
Public Hostname   Path   Service                 Origin configurations
*.example.com     *      https://reverse-proxy   1
Additional application settings > TLS > Origin Server Name: *.example.com
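A way to see which certificate the origin (Traefik) actually presents for the name cloudflared sends as SNI and verifies, and whether that certificate's SANs cover it; this is an added example, not code from the original post, and the host, port and hostname arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: show which certificate the origin
# (Traefik) presents for a given SNI and whether its SANs cover the hostname that
# cloudflared verifies. Host, port and hostname arguments are assumptions, e.g.
#   check_origin reverse-proxy 443 test.example.com   # from a container on cftunnel
#   check_origin 127.0.0.1 443 test.example.com       # from the Docker host
set -euo pipefail
# Print the DNS SANs (one per line) of the certificate HOST:PORT serves for
# SERVERNAME (sent as SNI). Needs OpenSSL 1.1.1+ for 'x509 -ext'.
origin_sans() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Return 0 if any SAN covers HOSTNAME with the rule verifiers apply: a wildcard
# matches exactly one leftmost label, so *.example.com covers test.example.com
# but neither example.com nor a.b.example.com. Comparison is case-insensitive.
# Usage: san_covers_host <hostname> <san> [<san>...]
san_covers_host() {
  local host san suffix prefix
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  for san in "$@"; do
    san=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
    if [ "$san" = "$host" ]; then return 0; fi           # exact match
    case "$san" in
      \*.*)
        suffix="${san#\*}"                # ".example.com"
        prefix="${host%"$suffix"}"        # host with that suffix stripped
        # covered only if the suffix was stripped and one non-empty label remains
        if [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# Fetch the SANs served for HOSTNAME and report whether they cover it.
# Usage: check_origin <host> <port> <hostname>
check_origin() {
  local sans
  sans=$(origin_sans "$1" "$2" "$3") || { echo "no certificate / DNS SANs from $1:$2"; return 2; }
  echo "SNI=$3 served SANs: $(printf '%s' "$sans" | tr '\n' ' ')"
  # shellcheck disable=SC2086  # split SANs into separate arguments on purpose
  if san_covers_host "$3" $sans; then echo "OK: certificate covers $3"; return 0; fi
  echo "MISMATCH: $3 is not covered (the x509 error cloudflared reports)"
  return 1
}
```

Running check_origin with the hostname from the tunnel's Origin Server Name setting shows whether Traefik serves the Let's Encrypt certificate or its default certificate for that SNI, which is the difference the cloudflared error is complaining about.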