Cloudflared failed to verify certificate x509

loweruppercase · February 11, 2025, 8:18am

Hi all,

I'm trying to setup a home server with various docker containers and want to make some of them (Obsidian, Zotero, Calibre-Web) publicly available on subdomains, e.g. obsidian.example.com, and use a Cloudflare tunnel to avoid opening local ports. I'm currently stuck on an error message from the cloudflared tunnel. It seems that the certificate is for another address. I think I'm missing a setting in my Traefik configuration, but I'm not sure where to look.

(example.com is just a placeholder for this post)

tunnel         | 2025-02-10T21:56:26Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 event=1 ingressRule=0 originService=https://reverse-proxy
tunnel         | 2025-02-10T21:56:26Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 dest=https://test.example.com/favicon.ico event=0 ip=198.41.200.63 type=http

The compose file:

networks:
  traefik:
    external: true
  cftunnel:

services:
  reverse-proxy:
    container_name: reverse-proxy
    image: traefik:v3.3
    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"

#      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/config"
      - "--providers.file.watch=true"

      # Allow self-signed certificates
      - "--serversTransport.insecureSkipVerify=true"

      # HTTP entrypoint
      - "--entrypoints.web.address=:80"

      # HTTPS entrypoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"

      # Redirect to websecure
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # TLS
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"

      - "--certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.api.rule=Host('traefik.example.com')"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.routers.api.entrypoints=web"
        - "traefik.http.routers.traefik-secure.tls=true"

    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}

    ports:
      # HTTP port
      - "80:80"
      # HTTPS port
      - "433:433"

    networks:
      - traefik
      - cftunnel

    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./cloudflare:/cloudflare
      - ./acme:/etc/traefik/acme
      - ./config:/config

  tunnel:
    container_name: tunnel
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: "tunnel --no-autoupdate run"
    environment:
      - NO_AUTOUPDATE=true
      - TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
    networks:
      - cftunnel

  testapp:
    image: traefik/whoami:latest
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"

        - "traefik.http.routers.testapp.rule=Host('test.example.com')"
        - "traefik.http.routers.testapp.entrypoints=websecure"
        - "traefik.http.routers.testapp.tls=true"

        - "traefik.http.services.testapp.loadbalancer.server.port:80"

        - "traefik.http.routers.traefik.tls.domains[0].main=example.com"
        - "traefik.http.routers.traefik.tls.domains[0].sans=*.example.com"
    networks:
      - traefik

Cloudflare DNS setup:

Type 	Name 	 Content 			                        Proxy Status 	TTL
A	        ftp             <an IP>				                Proxied		Auto
AAAA	ftp             <an IP>				                Proxied		Auto
CNAME 	test           <tunnel ID>.cfargotunnel.com 	Proxied 	        Auto
CNAME	traefik       <tunnel ID>.cfargotunnel.com	Proxied		Auto

Cloudflare tunnel (healthy):

Public Hostname	Path	Service			        Origin configurations
*.example.com	*	        https://reverse-proxy	1

Additional application settings > TLS > Origin Server Name: *.example.com

bluepuma77 · February 11, 2025, 12:06pm

loweruppercase:

      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"

      - "--certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

Decide for one challenge type, remove httpchallenge and dnschallenge=true (as it might overwrite previous set values).

loweruppercase · February 11, 2025, 12:47pm

Hi,
Thanks for the response. Alas, removing both lines, which I assume automatically selects the dns-challenge as the challenge type (no further http-challenge found in the file), does not resolve the certificate error. I have added the logs from traefik regarding the certificate problem.

reverse-proxy  | 2025-02-11T12:38:45Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "*.example.com"
reverse-proxy  | 2025-02-11T12:38:45Z DBG log/log.go:245 > http: TLS handshake error from 172.23.0.2:51966: remote error: tls: bad certificate
tunnel         | 2025-02-11T12:38:45Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <long string>.traefik.default, not *.example.com" connIndex=0 event=1 ingressRule=0 originService=https://reverse-proxy
tunnel         | 2025-02-11T12:38:45Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <long string>.traefik.default, not *.example.com" connIndex=0 dest=https://test.example.com/ event=0 ip=198.41.200.193 type=http

cglatot · March 1, 2025, 10:45pm

Did you ever resolve this? I'm now having the same issue.

EDIT: Actually resolved this myself. I hadn't set up the routers to actually use the certResolver. Just declaring the certResolver and adding it to the https entrypoint isn't enough, you need to declare it on each of your routers that has it's own subdomain.
I don't know how this hasn't been an issue before now, as I've had this setup for a long time lol.

Topic		Replies	Views
Traefik will not use Cloudflare origin certificate Traefik v3 (latest) docker	5	417	January 10, 2025
Traefik + cloudflared with full strict tunnel on docker Traefik v2 docker	0	2491	January 24, 2023
Setting up Traefik with Cloudflare and Origin Certificates Traefik v3 (latest) docker	1	968	October 11, 2024
Traefik 2 Setup with Cloudflare/Let's Encrypt issue/ Traefik v2 docker	0	1876	December 19, 2021
Can't Obtain Cert Traefik v2 docker	0	314	May 14, 2021

Cloudflared failed to verify certificate x509

Related topics