Cloudflared failed to verify certificate x509

Hi all,

I'm trying to set up a home server with various docker containers and want to make some of them (Obsidian, Zotero, Calibre-Web) publicly available on subdomains, e.g. obsidian.example.com, and use a Cloudflare tunnel to avoid opening local ports. I'm currently stuck on an error message from the cloudflared tunnel. It seems that the certificate is for another address. I think I'm missing a setting in my Traefik configuration, but I'm not sure where to look.

(example.com is just a placeholder for this post)

tunnel         | 2025-02-10T21:56:26Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 event=1 ingressRule=0 originService=https://reverse-proxy
tunnel         | 2025-02-10T21:56:26Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <something>.traefik.default, not *.example.com" connIndex=1 dest=https://test.example.com/favicon.ico event=0 ip=198.41.200.63 type=http

The compose file:

networks:
  traefik:
    external: true
  cftunnel:

services:
  reverse-proxy:
    container_name: reverse-proxy
    image: traefik:v3.3
    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"

#      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/config"
      - "--providers.file.watch=true"

      # Allow self-signed certificates
      - "--serversTransport.insecureSkipVerify=true"

      # HTTP entrypoint
      - "--entrypoints.web.address=:80"

      # HTTPS entrypoint
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"

      # Redirect to websecure
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # TLS
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"

      - "--certificatesresolvers.cloudflare.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.routers.api.entrypoints=web"
        - "traefik.http.routers.traefik-secure.tls=true"

    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}

    ports:
      # HTTP port
      - "80:80"
      # HTTPS port
      - "443:443"

    networks:
      - traefik
      - cftunnel

    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./cloudflare:/cloudflare
      - ./acme:/etc/traefik/acme
      - ./config:/config

  tunnel:
    container_name: tunnel
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: "tunnel --no-autoupdate run"
    environment:
      - NO_AUTOUPDATE=true
      - TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
    networks:
      - cftunnel

  testapp:
    image: traefik/whoami:latest
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"

        - "traefik.http.routers.testapp.rule=Host(`test.example.com`)"
        - "traefik.http.routers.testapp.entrypoints=websecure"
        - "traefik.http.routers.testapp.tls=true"

        - "traefik.http.services.testapp.loadbalancer.server.port=80"

        - "traefik.http.routers.traefik.tls.domains[0].main=example.com"
        - "traefik.http.routers.traefik.tls.domains[0].sans=*.example.com"
    networks:
      - traefik

Cloudflare DNS setup:

Type   Name     Content                       Proxy Status  TTL
A      ftp      <an IP>                       Proxied       Auto
AAAA   ftp      <an IP>                       Proxied       Auto
CNAME  test     <tunnel ID>.cfargotunnel.com  Proxied       Auto
CNAME  traefik  <tunnel ID>.cfargotunnel.com  Proxied       Auto

Cloudflare tunnel (healthy):

Public Hostname  Path  Service                Origin configurations
*.example.com    *     https://reverse-proxy  1

Additional application settings > TLS > Origin Server Name: *.example.com

Decide on one challenge type, and remove httpchallenge and dnschallenge=true (as they might overwrite previously set values).

Hi,
Thanks for the response. Alas, removing both lines, which I assume automatically selects the dns-challenge as the challenge type (no further http-challenge found in the file), does not resolve the certificate error. I have added the logs from traefik regarding the certificate problem.

reverse-proxy  | 2025-02-11T12:38:45Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "*.example.com"
reverse-proxy  | 2025-02-11T12:38:45Z DBG log/log.go:245 > http: TLS handshake error from 172.23.0.2:51966: remote error: tls: bad certificate
tunnel         | 2025-02-11T12:38:45Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <long string>.traefik.default, not *.example.com" connIndex=0 event=1 ingressRule=0 originService=https://reverse-proxy
tunnel         | 2025-02-11T12:38:45Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for <long string>.traefik.default, not *.example.com" connIndex=0 dest=https://test.example.com/ event=0 ip=198.41.200.193 type=http
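The tunnel lines above are the verdict of cloudflared's Go TLS client, which checks the names in the origin's certificate against the configured Origin Server Name (here the literal `*.example.com`); Traefik's debug line shows it answered with its generated default certificate, whose only name ends in `.traefik.default`. This added example (not from the thread, Traefik or cloudflared) reproduces that name check offline with a constructed self-signed certificate; the SAN `abc123.traefik.default` and the function names are assumptions, and trust-chain validation is left out on purpose so only the name mismatch is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate whose SAN list is dnsNames. It
// stands in for whatever the origin presents; only the names matter here.
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// OriginNameError applies the hostname check cloudflared's Go TLS client runs on
// the origin certificate; it returns the x509 error text, or "" when the name matches.
func OriginNameError(sans []string, originServerName string) (string, error) {
	cert, err := selfSigned(sans)
	if err != nil {
		return "", err
	}
	if err := cert.VerifyHostname(originServerName); err != nil {
		return err.Error(), nil
	}
	return "", nil
}

func main() {
	// "abc123.traefik.default" is a constructed stand-in for Traefik's default cert.
	msg, _ := OriginNameError([]string{"abc123.traefik.default"}, "*.example.com")
	fmt.Println(msg) // the same "valid for ..., not ..." text as in the tunnel log
}
```

Swapping in the SANs a resolver-issued certificate would carry (`example.com`, `*.example.com`) makes the same call return an empty string, which is the state the thread ends up in once a router actually requests that certificate.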

Did you ever resolve this? I'm now having the same issue.

EDIT: Actually resolved this myself. I hadn't set up the routers to actually use the certResolver. Just declaring the certResolver and adding it to the https entrypoint isn't enough, you need to declare it on each of your routers that has its own subdomain.
I don't know how this hasn't been an issue before now, as I've had this setup for a long time lol.