Dashboard just not working

Hey there,
I am migrating to Traefik v2 right now, but I just cannot get the dashboard working on a subdomain with HTTPS. When calling domain.tld:8080 with HTTP I also cannot find the route for the dashboard. When calling the subdomain, the default Traefik certificate is delivered and after accepting the risk ... there is only the "404 page not found" page. Sad thing though, I see no difference between my version and most solutions provided here. Is there someone here who sees my mistake or can help me?

root@seoka ~ $ uname -a
Linux seoka.tld 4.19.76-1-lts #1 SMP Tue Oct 1 18:47:17 CEST 2019 x86_64 GNU/Linux
root@seoka ~ $ docker version
Client:
 Version:           19.03.2-ce
 API version:       1.40
 Go version:        go1.13
 Git commit:        6a30dfca03
 Built:             Tue Sep  3 23:41:01 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.2-ce
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13
  Git commit:       6a30dfca03
  Built:            Tue Sep  3 23:39:37 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.3.0.m
  GitCommit:        d50db0a42053864a270f648048f9a8b4f24eced3.m
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
root@seoka ~ $ docker-compose version
docker-compose version 1.24.1, build unknown
docker-py version: 4.1.0
CPython version: 3.7.4
OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
root@seoka ~/docker/traefik $ ls
configuration.env  docker-compose.yml
root@seoka ~/docker/traefik $ cat configuration.env 
TRAEFIK_ACCESSLOG=true

TRAEFIK_ACCESSLOG_FILEPATH=/var/log/access.log

TRAEFIK_API=true
TRAEFIK_API_INSECURE=true #To be removed when working
TRAEFIK_PING=true

#TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=ssl-expiry@seoka.tld
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE=true
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT=http
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE=/etc/traefik/acme/acme.json
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_TLSCHALLENGE=false

TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:80
TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=:443

TRAEFIK_LOG_LEVEL=DEBUG

TRAEFIK_PROVIDERS_DOCKER=true
TRAEFIK_PROVIDERS_DOCKER_NETWORK=web
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
root@seoka ~/docker/traefik $ cat docker-compose.yml 
version: '3.7'
services:
  traefik:
    image: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.seoka.tld`) && (Path(`/dashboard`) || Path(`/api`))"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=test"
      - "traefik.http.routers.dashboard.entrypoints=https"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.middlewares.test.basicauth.users=changedUser:changedPasswordWithDoubled$$"
#      - "traefik.http.routers.dashboard.middlewares=authy"

      - "traefik.http.routers.https-redirect.rule=Host(`{any:.*}`)"
      - "traefik.http.routers.https-redirect.middlewares=https-redirect"
      - "traefik.http.routers.https-redirect.service=dummy"
      - "traefik.http.routers.https-redirect.entrypoints=http"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.services.dummy.loadbalancer.servers.url=localhost"
    ports:
      - myIp:80:80
      - myIp:443:443
      - 8080:8080
    networks:
      - web
    volumes:
      - "/srv/docker/traefikv2/acme:/etc/traefik/acme"
      - "/var/log/traefik_4xx:/var/log/access.log"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/localtime:/etc/localtime:ro"
    hostname: traefik.seoka.tld
    restart: unless-stopped
    env_file:
      - configuration.env
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 1m
      timeout: 10s
      retries: 5
      start_period: 30s

networks:
  web:
    external:
      name: web
root@seoka ~/docker/traefik $ curl https://traefik.seoka.tld -vvv
*   Trying myIp:443...
* TCP_NODELAY set
* Connected to traefik.seoka.tld (myIp) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
####################################################################
root@seoka ~/docker/traefik $ curl https://traefik.seoka.tld -vvvk
*   Trying myIp:443...
* TCP_NODELAY set
* Connected to traefik.seoka.tld (myIp) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Oct  4 16:42:37 2019 GMT
*  expire date: Oct  3 16:42:37 2020 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5563202cd7b0)
> GET / HTTP/2
> Host: traefik.seoka.tld
> User-Agent: curl/7.66.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Fri, 04 Oct 2019 16:43:42 GMT
< 
404 page not found
* Connection #0 to host traefik.seoka.net left intact

but

root@seoka ~/docker/traefik $ curl http://localhost:8080 -vvv
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Content-Type: text/html; charset=utf-8
< Location: /dashboard/
< Date: Fri, 04 Oct 2019 16:45:50 GMT
< Content-Length: 34
< 
<a href="/dashboard/">Found</a>.

* Connection #0 to host localhost left intact

Hello,

Could you replace

- "traefik.http.routers.dashboard.rule=Host(`traefik.seoka.tld`) && (Path(`/dashboard`) || Path(`/api`))"

by

- "traefik.http.routers.dashboard.rule=Host(`traefik.seoka.tld`)"

or call curl https://traefik.seoka.tld/dashboard

Hello Idez,
thank you for the quick response.
Of course, I can. But as this was one of my last tries (adding them), nothing changes.

root@seoka ~ $ curl https://traefik.seoka.tld -vvv
*   Trying myIp:443...
* TCP_NODELAY set
* Connected to traefik.seoka.tld (myIp) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@seoka ~ $ curl https://traefik.seoka.tld -vvvk
*   Trying myIp:443...
* TCP_NODELAY set
* Connected to traefik.seoka.tld (myIp) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Oct  5 16:32:08 2019 GMT
*  expire date: Oct  4 16:32:08 2020 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e6644e57b0)
> GET / HTTP/2
> Host: traefik.seoka.tld
> User-Agent: curl/7.66.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Sat, 05 Oct 2019 16:33:02 GMT
<
404 page not found
* Connection #0 to host traefik.seoka.tld left intact

There are several errors in your configuration:


- "traefik.http.routers.https-redirect.rule=Host(`{any:.*}`)"

must be

- "traefik.http.routers.https-redirect.rule=HostRegexp(`{any:.+}`)"

https://docs.traefik.io/v2.0/routing/routers/#rule


- "traefik.http.services.dummy.loadbalancer.servers.url=localhost"

must be

- "traefik.http.services.dummy.loadbalancer.server.url=:999"

https://docs.traefik.io/v2.0/routing/providers/docker/#routers


image: traefik

must be

image: traefik:v2.0.1
# or image: traefik:v2.0

https://docs.traefik.io/v2.0/getting-started/install-traefik/#use-the-official-docker-image


In summary, something like this:

version: '3.7'

services:
  traefik:
    image: traefik:v2.0.1
    command:
      # - --log.level=debug
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # - --accesslog=true
      # - --accesslog.filepath=/var/log/access.log
      - --api=true
      - --ping=true
      - --providers.docker=true
      # - --providers.docker.network=web
      - --providers.docker.exposedbydefault=false
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # - --certificatesresolvers.letsencrypt.acme.email=ssl-expiry@seoka.tld
      # - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      # - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http
      # - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json
      # - --certificatesresolvers.letsencrypt.acme.tlschallenge=false
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.docker.localhost`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      # - "traefik.http.routers.dashboard.middlewares=test"
      - "traefik.http.routers.dashboard.entrypoints=https"
      - "traefik.http.routers.dashboard.tls=true"
      # - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.middlewares.test.basicauth.users=changedUser:changedPasswordWithDoubled$$"

      - "traefik.http.routers.https-redirect.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.https-redirect.middlewares=https-redirect"
      - "traefik.http.routers.https-redirect.service=dummy"
      - "traefik.http.routers.https-redirect.entrypoints=http"

      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.services.dummy.loadbalancer.server.url=:999"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - "/srv/docker/traefikv2/acme:/etc/traefik/acme"
      # - "/var/log/traefik_4xx:/var/log/access.log"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/localtime:/etc/localtime:ro"

For the simplicity of the example, I made some changes, but it's just to get the simplest example:

  • I converted env vars to CLI
  • I removed the network
  • I replaced ACME with a self-signed cert
  • I removed auth, access logs.

Thank you very much.

As redirection worked on other subdomains, I would never have searched for errors there (HSTS probably did this job on the client side already).
The complete dashboard part seems to be correct the whole time. :sweat_smile:

After applying the "must"s - I need the configuration you removed for other reasons - it immediately worked. :partying_face:
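
Added example (not part of the thread and not Traefik tooling): a small Python check run over excerpts of the two configurations posted above. It flags the settings that leave the dashboard reachable without authentication (`api.insecure`, the published port 8080, an `api@internal` router with no middleware) and the two errors named in the answer (regex inside `Host()`, unpinned image). The excerpts are constructed from the thread, and `active_lines` and `audit` are names chosen for this example.

```python
import re

# Constructed excerpts of the configurations posted in the thread.
ASKER_ENV = "TRAEFIK_API=true\nTRAEFIK_API_INSECURE=true #To be removed when working\n"
ASKER_COMPOSE = """image: traefik
labels:
  - "traefik.http.routers.dashboard.service=api@internal"
  - "traefik.http.routers.dashboard.middlewares=test"
  - "traefik.http.routers.https-redirect.rule=Host(`{any:.*}`)"
ports:
  - 8080:8080
"""
ANSWER_COMPOSE = """image: traefik:v2.0.1
labels:
  - "traefik.http.routers.dashboard.rule=Host(`traefik.docker.localhost`)"
  - "traefik.http.routers.dashboard.service=api@internal"
  # - "traefik.http.routers.dashboard.middlewares=test"
  - "traefik.http.routers.https-redirect.rule=HostRegexp(`{any:.+}`)"
"""

def active_lines(text):
    """Yield stripped config lines, skipping blanks and commented-out lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit(compose_text, env_text=""):
    """Return findings for a Traefik v2 compose file and its env file."""
    lines = list(active_lines(compose_text)) + list(active_lines(env_text))
    findings, routers = [], {}  # routers: name -> {option: value}
    for line in lines:
        m = re.search(r"traefik\.http\.routers\.([\w-]+)\.([\w.]+)=(.*?)\"?$", line)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        if re.search(r"(TRAEFIK_API_INSECURE|--api\.insecure)\s*=\s*true", line, re.I):
            findings.append("api.insecure=true: dashboard/API served without auth")
        if re.fullmatch(r"-\s*[\"']?8080:8080[\"']?", line):
            findings.append("port 8080 published on all host interfaces")
        if re.fullmatch(r"image:\s*traefik(:latest)?", line):
            findings.append("image tag not pinned")
    for name, opts in routers.items():
        if opts.get("service") == "api@internal" and "middlewares" not in opts:
            findings.append(f"router '{name}' exposes api@internal with no middleware")
        if re.search(r"Host\(`[^`]*[{*]", opts.get("rule", "")):
            findings.append(f"router '{name}': regex inside Host(), use HostRegexp()")
    return findings
```

Running `audit(ANSWER_COMPOSE)` reports the dashboard router without a middleware, because the simplified example comments the basic-auth middleware out; re-attach it before exposing that router beyond a test host.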