The only difference between the "Dashboard Dynamic Configuration Examples" - Docker example and the code below is that I added the two commented lines. Subdomain usage like traefik.domain is also according to the docs you pointed to.
Commenting the 2 lines of code doesn't have any impact on the 404 result since in the logs traefik records that it defaulted to websecure because it didn't find any entrypoints for dashboard: time="2023-06-29T12:29:46Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=dashboard
Perhaps it is important to mention that the auth middleware works when accessing htps://traefik.domain.com/dashboard: login credentials are handled, and if they are correct the 404 is displayed.
Many thanks to @bluepuma77 for helping out. Below is the final working solution for making traefik work with wildcard AlphaSSL and https traefik dashboard.
The main reason it didn't work is that my initial setup had labels like "traefik.http.routers.api ..." twice, for different services: once for the traefik api and once for the hosted app's rest api. The solution was basically to use .api for traefik's api and, for my hosted app's api, to replace api with .restApi
@bluepuma77 you are right. Thanks for pointing that out. Just tested the below version and it works!
I suppose, if you would agree, the reason why the dashboard wasn't visible in the first place is that I mistakenly also used the label "traefik.http.routers.api ..." for one of the other docker services, namely the hosted app's rest api, not traefik's api. The dashboard started working when the .api of the api service was renamed to .restApi and traefik's .api remained .api.
@bluepuma77 Cool, just took it out and the dashboard and authentication for the dashboard still work. So basically "traefik.http.routers.api.middlewares=auth" does the job and dashboard.middlewares is not needed anymore.
The docs you pointed to state the following about enabling traefik's api in production:
Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data. In production, it should be at least secured by authentication and authorizations.
If so, wouldn't it be better to totally disable the traefik api and dashboard? Is "at least secured" with the username and password enough? The reverse proxy still functions without the api ...
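The router-name collision described in this thread, and the presence of a middleware on the router that serves the dashboard, can both be checked before deploying. The following is an added example, not code from the original posts or from the Traefik project: the service names, hostnames, `<htpasswd-hash>` placeholder and helper functions are assumptions, the labels are constructed, `api@internal` is the internal service Traefik's dashboard router examples point at, and router names are compared case-insensitively as a conservative assumption.

```python
import re
from collections import defaultdict

# Constructed sample: Docker labels per compose service. Service names,
# hostnames and the htpasswd value are placeholders, not taken from the thread.
SAMPLE_BROKEN = {
    "traefik": [
        "traefik.http.routers.api.rule=Host(`traefik.example.com`)",
        "traefik.http.routers.api.service=api@internal",
        "traefik.http.routers.api.middlewares=auth",
        "traefik.http.middlewares.auth.basicauth.users=admin:<htpasswd-hash>",
    ],
    "backend": [
        "traefik.http.routers.api.rule=Host(`app.example.com`) && PathPrefix(`/api`)",
    ],
}
# Same setup after the rename described in the thread (.api -> .restApi).
SAMPLE_FIXED = dict(SAMPLE_BROKEN, backend=[
    l.replace(".routers.api.", ".routers.restApi.") for l in SAMPLE_BROKEN["backend"]])

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$", re.I)

def parse_routers(services):
    """Return {router_name: {service_name: {option: value}}}, names case-folded."""
    routers = defaultdict(lambda: defaultdict(dict))
    for svc, labels in services.items():
        for label in labels:
            m = ROUTER_LABEL.match(label)
            if m:
                name, option, value = m.groups()
                routers[name.lower()][svc][option.lower()] = value
    return routers

def audit(services):
    """Flag routers declared by several services and unprotected api@internal routers."""
    findings = []
    for name, owners in sorted(parse_routers(services).items()):
        if len(owners) > 1:
            findings.append(f"router '{name}' is defined by services {sorted(owners)}")
        for svc, opts in owners.items():
            if opts.get("service", "").lower() == "api@internal" and not opts.get("middlewares"):
                findings.append(f"router '{name}' on '{svc}' exposes api@internal without a middleware")
    return findings

if __name__ == "__main__":
    for title, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(title, audit(sample) or "no findings")
```

The middleware check only confirms that some middleware is attached to the dashboard router; whether that middleware actually enforces authentication has to be reviewed separately.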