Situation: I can't get an HTTPS certificate for my local network using the Cloudflare ACME resolver.
Every request to Traefik via the domain gets the default Traefik certificate.
My system:
- TrueNAS Scale
- Portainer (installed via Apps in OS)
- Constant external IP
CloudFlare side:
- User API token is correct in the env var and has the Zone:DNS:Edit permission for the correct domain.
- API token is available in the Traefik container.
- "A" record in CF is correct, pointing at the external IP where Traefik is.
- Email in the env var is correct, the same one I use for CF.
- acme.json: tried removing it many times and rebooting/rebuilding the container.
Also noticed that it doesn't create the ACME record in the Cloudflare web panel.
It's important to me that this is all laid out in docker compose, without adding/editing configuration files. Please keep this in mind.
```yaml
version: '3.9'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    command:
      # EntryPoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # Docker provider
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # DNS-01 challenge (Cloudflare)
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      #- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=60s"
      # ACME account email as a CLI flag, next to the rest of the static
      # configuration: Traefik's docs treat file, CLI and environment static
      # configuration as mutually exclusive, so a TRAEFIK_* env var is not
      # merged with these flags
      - "--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}"
      # Logs & Dashboard
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
    ports:
      - "80:80"
      - "443:443"
    dns:
      - 1.1.1.1
      - 8.8.8.8
    environment:
      # Read by the Cloudflare DNS challenge provider, not by Traefik's static configuration
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/***/traefik/letsencrypt:/letsencrypt
      # Mounted, but no --providers.file flag points at it, so Traefik never loads it
      - /mnt/***/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.MYDOMAIN.xyz`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      # "$" must be doubled in a compose file: otherwise compose interpolates
      # "$apr1", "$H6uskkkW" and "$IgXLP6ewTrSuBkTrqE8wj" as variables and
      # the htpasswd hash is mangled
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/" # admin:password
networks:
  default:
```
Logs (INFO level; DEBUG contains too many symbols):
The last 2 rows are my request from the local network to Traefik.
In the hosts file I added: traefik.MYDOMAIN.xyz 192.###.###.###
```text
2025-03-24T10:32:15Z INF Traefik version 3.3.4 built on 2025-02-25T10:11:01Z version=3.3.4
2025-03-24T10:32:15Z INF
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/
2025-03-24T10:32:15Z INF Starting provider aggregator *aggregator.ProviderAggregator
2025-03-24T10:32:15Z INF Starting provider *traefik.Provider
2025-03-24T10:32:15Z INF Starting provider *docker.Provider
2025-03-24T10:32:15Z INF Starting provider *acme.ChallengeTLSALPN
2025-03-24T10:32:15Z INF Starting provider *acme.Provider
2025-03-24T10:32:15Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
```
And here it gets stuck, whether I send requests from the local or the external network.
(For local I get a response with the default cert.)
P.S. Appealing here because I've tried everything and it's already day 3 of trying to win.
Please help me.
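Since the post keeps deleting acme.json, here is an added diagnostic (not Traefik's code and not from the original post) that reads the store Traefik writes at `--certificatesresolvers.<name>.acme.storage` and reports, per resolver, whether the ACME account got registered and which domains actually received certificates. The embedded sample store, its email address and domain names are constructed for the demonstration.

```python
"""Report, per certificate resolver, how far ACME issuance got in a Traefik
acme.json store. Added diagnostic (not Traefik code); the sample store is
constructed to mirror the acme.json layout Traefik writes."""
import json
import sys

# Constructed sample: one resolver with a registered account and one obtained
# certificate, one resolver whose ACME account registration never happened.
SAMPLE_ACME_JSON = json.dumps({
    "cloudflare": {
        "Account": {"Email": "admin@example.test",
                    "Registration": {"body": {"status": "valid"},
                                     "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"}},
        "Certificates": [{"domain": {"main": "traefik.example.test",
                                     "sans": ["*.example.test"]},
                          "certificate": "<base64 PEM omitted>", "Store": "default"}],
    },
    "unregistered": {"Account": None, "Certificates": None},
})

def inspect_acme_store(text: str) -> dict:
    """Map resolver -> {"registered", "email", "domains"}. "Account" is null
    until ACME registration succeeds; "Certificates" lists obtained certs."""
    report = {}
    for resolver, entry in json.loads(text).items():
        account = entry.get("Account") or {}
        registration = account.get("Registration") or {}
        domains = []
        for cert in entry.get("Certificates") or []:
            dom = cert.get("domain") or {}
            names = [dom.get("main", "")] + list(dom.get("sans") or [])
            domains.append([n for n in names if n])
        report[resolver] = {"registered": bool(registration.get("uri")),
                            "email": account.get("Email"), "domains": domains}
    return report

def diagnose(resolver: str, info: dict) -> str:
    """One-line reading of a resolver entry, from least to most progress."""
    if not info["registered"]:
        return f"{resolver}: no ACME account registered (check resolver email and CA reachability)"
    if not info["domains"]:
        return f"{resolver}: registered, but no certificate obtained yet (no router requested one, or the DNS-01 challenge failed)"
    return f"{resolver}: certificates for " + "; ".join(" ".join(d) for d in info["domains"])

if __name__ == "__main__":
    # Usage: python acme_inspect.py /path/to/acme.json (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    for name, info in inspect_acme_store(text).items():
        print(diagnose(name, info))
```

Run it against the real store with the container stopped or on a copy, since acme.json also holds the account private key and should stay mode 600.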