Domain not redirecting to Traefik dashboard

Hello,

I've installed Traefik V2 on my Raspberry Pi 4 using Docker following the tutorial on the website. Using the docker-compose file, I added my own domain and e-mail address. Locally, traffic works fine. I can access it using IP:8080. Ports 80 and 443 are forwarded and shown as open when Traefik is running.

My issue is that when I go to https://my.domain.com, I get a site I don't know the name of that shows me a bunch of information about the host (name, real IP address, IP within my local Docker network, container ID, etc.), stuff that should not be online:

https://my.domain.com
Hostname: Container ID simple service
IP: 127.0.0.1
IP: IP of simple service
RemoteAddr: IP of traefik
GET / HTTP/1.1
Host: my.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
Cache-Control: max-age=0
Dnt: 1
Sec-Ch-Ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
Sec-Ch-Ua-Mobile: ?0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: my actual IP
X-Forwarded-Host: my.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: Container ID Traefik
X-Real-Ip: my actual IP

The SSL certificate is shown as valid, so I think the Let's Encrypt part is working fine. Can anyone tell me why it's showing me that info and how I can get to the actual Traefik dashboard using my domain?

Here are the debug logs:

debug
time="2021-01-24T16:46:17Z" level=info msg="Configuration loaded from flags."


time="2021-01-24T16:46:17Z" level=info msg="Traefik version 2.4.0 built on 2021-01-19T17:26:51Z"


time="2021-01-24T16:46:17Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myresolver\":{\"acme\":{\"email\":\"yyy@yyy.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"


time="2021-01-24T16:46:17Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"


time="2021-01-24T16:46:17Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"


time="2021-01-24T16:46:17Z" level=debug msg="Start TCP Server" entryPointName=traefik


time="2021-01-24T16:46:17Z" level=debug msg="Start TCP Server" entryPointName=websecure


time="2021-01-24T16:46:17Z" level=debug msg="Start TCP Server" entryPointName=web


time="2021-01-24T16:46:17Z" level=info msg="Starting provider *traefik.Provider {}"


time="2021-01-24T16:46:17Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"


time="2021-01-24T16:46:17Z" level=info msg="Starting provider *acme.Provider {\"email\":\"yyy@yyy.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"myresolver\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":2000000000},\"HTTPChallengeProvider\":{}}"


time="2021-01-24T16:46:17Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme


time="2021-01-24T16:46:17Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":2000000000}"


time="2021-01-24T16:46:17Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"acme-http\":{\"entryPoints\":[\"web\"],\"service\":\"acme-http@internal\",\"rule\":\"PathPrefix(`/.well-known/acme-challenge/`)\",\"priority\":2147483647},\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"acme-http\":{},\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal


time="2021-01-24T16:46:17Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme


time="2021-01-24T16:46:17Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareType=TracingForwarder entryPointName=web routerName=acme-http@internal middlewareName=tracing


time="2021-01-24T16:46:17Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery


time="2021-01-24T16:46:17Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder


time="2021-01-24T16:46:17Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder


time="2021-01-24T16:46:17Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=StripPrefix middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal


time="2021-01-24T16:46:17Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik


time="2021-01-24T16:46:17Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex


time="2021-01-24T16:46:17Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex


time="2021-01-24T16:46:17Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal


time="2021-01-24T16:46:17Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery


time="2021-01-24T16:46:17Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:17Z" level=debug msg="Provider connection established with docker 20.10.2 (API 1.41)" providerName=docker


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" container=xxx providerName=docker


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Filtering disabled container" providerName=docker container=xxx


time="2021-01-24T16:46:17Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-traefik\",\"rule\":\"Host(`xxx.xxx.com`)\",\"tls\":{\"certResolver\":\"myresolver\"}}},\"services\":{\"whoami-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.22.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker


time="2021-01-24T16:46:24Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:25Z" level=debug msg="Adding certificate for domain(s) xxx.xxx.com"


time="2021-01-24T16:46:25Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:27Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder routerName=dashboard@internal entryPointName=traefik


time="2021-01-24T16:46:27Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal middlewareType=StripPrefix


time="2021-01-24T16:46:27Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal


time="2021-01-24T16:46:27Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal entryPointName=traefik


time="2021-01-24T16:46:27Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal


time="2021-01-24T16:46:27Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal


time="2021-01-24T16:46:27Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik


time="2021-01-24T16:46:27Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery


time="2021-01-24T16:46:27Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareType=TracingForwarder entryPointName=web routerName=acme-http@internal middlewareName=tracing


time="2021-01-24T16:46:27Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web


time="2021-01-24T16:46:27Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:30Z" level=debug msg="Adding certificate for domain(s) xxx.xxx.com"


time="2021-01-24T16:46:30Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:32Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" entryPointName=web routerName=acme-http@internal middlewareName=tracing middlewareType=TracingForwarder


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery


time="2021-01-24T16:46:32Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal middlewareType=TracingForwarder middlewareName=tracing entryPointName=traefik


time="2021-01-24T16:46:32Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing entryPointName=traefik routerName=dashboard@internal middlewareType=TracingForwarder


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal middlewareType=StripPrefix


time="2021-01-24T16:46:32Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex


time="2021-01-24T16:46:32Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik


time="2021-01-24T16:46:32Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" routerName=whoami@docker serviceName=whoami-traefik middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure


time="2021-01-24T16:46:32Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=whoami@docker serviceName=whoami-traefik


time="2021-01-24T16:46:32Z" level=debug msg="Creating server 0 http://172.22.0.2:80" serviceName=whoami-traefik serverName=0 entryPointName=websecure routerName=whoami@docker


time="2021-01-24T16:46:32Z" level=debug msg="Added outgoing tracing middleware whoami-traefik" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=whoami@docker


time="2021-01-24T16:46:32Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery


time="2021-01-24T16:46:32Z" level=debug msg="No default certificate, generating one"


time="2021-01-24T16:46:36Z" level=debug msg="Adding route for xxx.xxx.com with TLS options default" entryPointName=websecure


time="2021-01-24T16:46:36Z" level=debug msg="Try to challenge certificate for domain [xxx.xxx.com] found in HostSNI rule" providerName=myresolver.acme routerName=whoami@docker rule="Host(`xxx.xxx.com`)"


time="2021-01-24T16:46:36Z" level=debug msg="Looking for provided certificate(s) to validate [\"xxx.xxx.com\"]..." providerName=myresolver.acme routerName=whoami@docker rule="Host(`xxx.xxx.com`)"


time="2021-01-24T16:46:36Z" level=debug msg="No ACME certificate generation required for domains [\"xxx.xxx.com\"]." providerName=myresolver.acme routerName=whoami@docker rule="Host(`xxx.xxx.com`)"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/\",\"TLS\":null}"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://172.22.0.2:80"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"max-age=0\"],\"Dnt\":[\"1\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/\",\"TLS\":null}"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/avif,image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"no-cache\"],\"Dnt\":[\"1\"],\"Pragma\":[\"no-cache\"],\"Referer\":[\"https://xxx.xxx.com/\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/avif,image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"no-cache\"],\"Dnt\":[\"1\"],\"Pragma\":[\"no-cache\"],\"Referer\":[\"https://xxx.xxx.com/\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" ForwardURL="http://172.22.0.2:80"


time="2021-01-24T16:47:28Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/avif,image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6\"],\"Cache-Control\":[\"no-cache\"],\"Dnt\":[\"1\"],\"Pragma\":[\"no-cache\"],\"Referer\":[\"https://xxx.xxx.com/\"],\"Sec-Ch-Ua\":[\"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Fetch-Dest\":[\"image\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\"],\"X-Forwarded-Host\":[\"xxx.xxx.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"e8e9479d547b\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"xxx.xxx.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:57668\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"

Here is the docker-compose.yml:

docker-compose.yml
version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

Hello @AriaTwoFive,

Thanks for your interest in Traefik!

Regarding your current configuration, this is the expected behavior.
You are reaching the whoami service.

By configuring Traefik with "--api.insecure=true", the dashboard is automatically exposed on the "traefik" port which is 8080. You should be able to reach it with the IP of your server.

I recommend not exposing it this way if it's not what you want. To do that, just remove the api.insecure flag.

To expose the dashboard, you can add these labels to your Traefik service (and adapt them to what you are expecting):

- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`whoami.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.tls.certresolver=myresolver"
- "traefik.http.routers.dashboard.service=dashboard@internal"

If you removed the api.insecure flag, you'll also have to add the "--api.dashboard=true" flag.

To go further, please consider reading this part of the documentation.

[EDIT GRILLED :roll_eyes:]

Hi,

You have exposed your whoami container, which returns information about your container. You followed the documentation, so now you know it works; you can delete the whoami part:

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

And you can expose what you want. I suppose you want to use traefik.domain.tld to redirect to Traefik's port 8080?

So you should add these rules to your Traefik part:

    labels:
      - "traefik.enable=true"
      # every key of one router must use the same router name ("dashboard" here)
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      # api@internal serves both the /api endpoints and the /dashboard UI
      - "traefik.http.routers.dashboard.service=api@internal"

And remove :
--api.insecure=true

Hope it helps

Thanks you two! I'm slowly beginning to understand how this works, but I'm not fully there yet. So I removed the things you guys mentioned and added the labels. I added what @rtribotte said:

traefik docker-compose
version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=xxx@xxx.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.my.domain .com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.dashboard.service=api@internal"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/home/pi/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

I changed - "traefik.http.routers.dashboard.service=dashboard@internal" to api@internal, as that's what the documentation says.

A few questions came up:

  1. Do I need to use traefik.my.domain .com or my.domain.com in the domains section?

  2. When going to https://my.domain .com, I still get a 404 error and an insecure certificate error. The log says this:

debug log
time="2021-01-25T15:26:32Z" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2021-01-25T15:26:35Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T15:26:38Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" entryPointName=web routerName=acme-http@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-01-25T15:26:38Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-01-25T15:26:38Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T15:26:42Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T15:26:45Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" entryPointName=web routerName=acme-http@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-01-25T15:26:45Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-01-25T15:26:45Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T15:26:46Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T15:27:19Z" level=debug msg="Serving default certificate for request: \"my.domain .com\""
time="2021-01-25T15:27:19Z" level=debug msg="http: TLS handshake error from xxx:xxx:xxx:xxx:xxxxx: remote error: tls: unknown certificate"
time="2021-01-25T15:27:21Z" level=debug msg="Serving default certificate for request: \"my.domain .com\""
time="2021-01-25T15:27:21Z" level=debug msg="http: TLS handshake error from xxx:xxx:xxx:xxx:xxxxx: remote error: tls: unknown certificate"
time="2021-01-25T15:27:21Z" level=debug msg="Serving default certificate for request: \"my.domain .com\""

I think the TLS error is the important part here. Googling this led me to this post. Since I want to automate this, the TLS documentation website led me to the Let's Encrypt documentation page. TBH I'm having some trouble with the documentation, as basically in every paragraph I have to jump to another section of the documentation.

The "Enable ACME"-Config example is in my config already AFAIK. In the post I linked, they added something like the following to fix it. Is this something I have to add as well? I'm not quite sure where and how to:

      tls:
        domains:
          - main: "sub.example .com"

(I've made a few spaces after the domains because as a new user I cannot post too many links :stuck_out_tongue: )

Edit: Ports 80 and 443 are opened. Checked with my DNS provider.

Hi @AriaTwoFive

You have put your router rules in the command section instead of labels.

Corrected
version: "3.3"

services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=xxx@xxx.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`traefik.my.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls.certresolver: myresolver
      traefik.http.routers.dashboard.service: api@internal

    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/home/pi/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

It's up to you. Personally I use a subdomain.

I believe this is related to the router definition not being in the labels section. Also there is a typo on the domain name, but that could be related to your obfuscation.

1 Like

Thank you, that fixed it! The SSL certificate is still not secure though. It still uses the default certificate, even though Let's Encrypt seems to work fine. I did delete the acme.json before restarting. Do I need my own certificate first? It creates the default one when the acme.json isn't there:

debug log
time="2021-01-25T17:56:41Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T17:56:42Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:56:42Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65034: remote error: tls: unknown certificate"
time="2021-01-25T17:56:44Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T17:56:47Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:56:47Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65035: remote error: tls: unknown certificate"
time="2021-01-25T17:56:47Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-01-25T17:56:47Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2021-01-25T17:56:47Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2021-01-25T17:56:47Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-01-25T17:56:47Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-01-25T17:56:47Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2021-01-25T17:56:47Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-01-25T17:56:47Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-01-25T17:56:47Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=acme-http@internal
time="2021-01-25T17:56:47Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
time="2021-01-25T17:56:47Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=dashboard@docker
time="2021-01-25T17:56:47Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-01-25T17:56:47Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T17:56:51Z" level=debug msg="No default certificate, generating one"
time="2021-01-25T17:56:52Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:56:52Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65036: remote error: tls: unknown certificate"
time="2021-01-25T17:56:54Z" level=debug msg="Adding route for xxx.xxx.com with TLS options default" entryPointName=websecure
time="2021-01-25T17:56:54Z" level=debug msg="Try to challenge certificate for domain [xxx.xxx.com] found in HostSNI rule" providerName=myresolver.acme routerName=dashboard@docker rule="Host(`xxx.xxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-01-25T17:56:54Z" level=debug msg="Looking for provided certificate(s) to validate [\"xxx.xxx.com\"]..." rule="Host(`xxx.xxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=myresolver.acme routerName=dashboard@docker
time="2021-01-25T17:56:54Z" level=debug msg="Domains [\"xxx.xxx.com\"] need ACME certificates generation for domains \"xxx.xxx.com\"." providerName=myresolver.acme routerName=dashboard@docker rule="Host(`xxx.xxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-01-25T17:56:54Z" level=debug msg="Loading ACME certificates [xxx.xxx.com]..." rule="Host(`xxx.xxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" providerName=myresolver.acme routerName=dashboard@docker
time="2021-01-25T17:56:57Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:56:57Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65037: remote error: tls: unknown certificate"
time="2021-01-25T17:57:02Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:02Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65038: remote error: tls: unknown certificate"
time="2021-01-25T17:57:07Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:07Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65039: remote error: tls: unknown certificate"
time="2021-01-25T17:57:12Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:12Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65040: remote error: tls: unknown certificate"
time="2021-01-25T17:57:17Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:17Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65041: remote error: tls: unknown certificate"
time="2021-01-25T17:57:22Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:22Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65045: remote error: tls: unknown certificate"
time="2021-01-25T17:57:27Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:27Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65053: remote error: tls: unknown certificate"
time="2021-01-25T17:57:32Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:32Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65054: remote error: tls: unknown certificate"
time="2021-01-25T17:57:37Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:37Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65055: remote error: tls: unknown certificate"
time="2021-01-25T17:57:42Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:42Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65058: remote error: tls: unknown certificate"
time="2021-01-25T17:57:47Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:47Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65059: remote error: tls: unknown certificate"
time="2021-01-25T17:57:52Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:52Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65063: remote error: tls: unknown certificate"
time="2021-01-25T17:57:57Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:57:57Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65064: remote error: tls: unknown certificate"
time="2021-01-25T17:57:57Z" level=debug msg="Building ACME client..." providerName=myresolver.acme
time="2021-01-25T17:57:57Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
time="2021-01-25T17:57:58Z" level=info msg=Register... providerName=myresolver.acme
time="2021-01-25T17:57:58Z" level=debug msg="legolog: [INFO] acme: Registering account for xxx@xxx.com"
time="2021-01-25T17:57:58Z" level=debug msg="Using HTTP Challenge provider." providerName=myresolver.acme
time="2021-01-25T17:57:58Z" level=debug msg="legolog: [INFO] [xxx.xxx.com] acme: Obtaining bundled SAN certificate"
time="2021-01-25T17:57:59Z" level=error msg="Unable to obtain ACME certificate for domains \"xxx.xxx.com\": unable to generate a certificate for the domains [xxx.xxx.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: xxx.xxx.com: see https://letsencrypt.org/docs/rate-limits/, url: " providerName=myresolver.acme routerName=dashboard@docker rule="Host(`xxx.xxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-01-25T17:58:02Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:02Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65065: remote error: tls: unknown certificate"
time="2021-01-25T17:58:07Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:07Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65066: remote error: tls: unknown certificate"
time="2021-01-25T17:58:09Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:09Z" level=debug msg="http: TLS handshake error from 67.205.165.53:53566: remote error: tls: bad certificate"
time="2021-01-25T17:58:12Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:12Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65067: remote error: tls: unknown certificate"
time="2021-01-25T17:58:17Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:17Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65068: remote error: tls: unknown certificate"
time="2021-01-25T17:58:22Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:22Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65069: remote error: tls: unknown certificate"
time="2021-01-25T17:58:27Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:27Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65072: remote error: tls: unknown certificate"
time="2021-01-25T17:58:32Z" level=debug msg="Serving default certificate for request: \"xxx.xxx.com\""
time="2021-01-25T17:58:32Z" level=debug msg="http: TLS handshake error from xxx.xxx.xxx.xxx:65074: remote error: tls: unknown certificate"

You've hit a rate limit.
Switch to the staging server until you can submit again. Make sure issuing from the staging server is working AOK before switching back.

1 Like

In your situation you could add another domain to your route, so the set of domains changes and does not count against the same-set-of-domains limit.

Exceeding the Duplicate Certificate limit is reported with the error message "too many certificates already issued for exact set of domains".

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

Change your rule to the following, and then switch to the LE production CA when it is working.

      traefik.http.routers.dashboard.rule: Host(`traefik.my.domain.com`,`another.my.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
1 Like

Thank you guys, I'll take a look at those things later today!

Another question for my understanding: When I want to use "traefik. mydomain.xxx", where "mydomain. xxx" is the registered one at my DNS provider, do I need to register "traefik. mydomain.xxx" as well? Or for that matter anyservice.mydomain.xxx?

(Again, needed to put in some spaces and make the links weird, else it will be flagged as spam automatically)

You don't need to register it if you own the domain. More like create a new record. This could be an A (or AAAA for IPv6) record to the IP address or a CNAME pointing to your existing domain/record.

The only rule here is that the name(s) must resolve to your instance of traefik that is completing the challenge.

1 Like

So far, I have managed to set everything up using a domain I own. There are a few things I noticed now.

  1. Looking at the info log, it succeeded in creating and validating my certificate:
Info Log
time="2021-01-26T01:13:27Z" level=info msg="Configuration loaded from flags."
time="2021-01-26T01:13:27Z" level=info msg="Traefik version 2.4.0 built on 2021-01-19T17:26:51Z"
time="2021-01-26T01:13:27Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2021-01-26T01:13:27Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2021-01-26T01:13:27Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2021-01-26T01:13:27Z" level=info msg="Starting provider *acme.Provider {\"email\":\"xxx@xxx.xcom\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"myresolver\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":2000000000},\"HTTPChallengeProvider\":{}}"
time="2021-01-26T01:13:27Z" level=info msg="Testing certificate renew..." providerName=myresolver.acme
time="2021-01-26T01:13:27Z" level=info msg="Starting provider *traefik.Provider {}"
time="2021-01-26T01:13:27Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":2000000000}"
time="2021-01-26T01:13:55Z" level=info msg=Register... providerName=myresolver.acme
time="2021-01-26T01:13:55Z" level=debug msg="legolog: [INFO] acme: Registering account for xxx@xxx.xcom"
time="2021-01-26T01:13:56Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] acme: Obtaining bundled SAN certificate"
time="2021-01-26T01:13:57Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxxxx"
time="2021-01-26T01:13:57Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] acme: Could not find solver for: tls-alpn-01"
time="2021-01-26T01:13:57Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] acme: use http-01 solver"
time="2021-01-26T01:13:57Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] acme: Trying to solve HTTP-01"
time="2021-01-26T01:14:42Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] The server validated our request"
time="2021-01-26T01:14:42Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] acme: Validations succeeded; requesting certificates"
time="2021-01-26T01:15:19Z" level=debug msg="legolog: [INFO] [traefik.xxx.xcom] Server responded with a certificate."
  2. When looking at the debug log, there are a bezillion TLS handshake failures, even after the certificates were validated:

https://controlc.com/86cf1f3d

  3. What is this strange IP at the end of the debug log? A quick trace only points me to Mountain View in the US, but without any information about it:
Debug log weird IP
time="2021-01-26T01:15:25Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.xxx.xcom\"]." providerName=myresolver.acme routerName=dashboard@docker rule="Host(`traefik.xxx.xcom`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2021-01-26T01:17:14Z" level=debug msg="http: TLS handshake error from 107.178.239.209:19818: read tcp 172.22.0.2:443->107.178.239.209:19818: read: connection reset by peer"
time="2021-01-26T01:17:14Z" level=debug msg="http: TLS handshake error from 107.178.239.209:55823: EOF"
time="2021-01-26T01:17:15Z" level=debug msg="http: TLS handshake error from 107.178.239.209:49346: EOF"
time="2021-01-26T01:17:15Z" level=debug msg="http: TLS handshake error from 107.178.239.209:24817: read tcp 172.22.0.2:443->107.178.239.209:24817: read: connection reset by peer"
time="2021-01-26T01:17:15Z" level=debug msg="http: TLS handshake error from 107.178.239.209:24728: read tcp 172.22.0.2:443->107.178.239.209:24728: read: connection reset by peer"
time="2021-01-26T01:17:16Z" level=debug msg="http: TLS handshake error from 107.178.239.209:37591: EOF"
time="2021-01-26T01:17:16Z" level=debug msg="http: TLS handshake error from 107.178.239.209:39031: read tcp 172.22.0.2:443->107.178.239.209:39031: read: connection reset by peer"
time="2021-01-26T01:17:16Z" level=debug msg="http: TLS handshake error from 107.178.239.209:26358: read tcp 172.22.0.2:443->107.178.239.209:26358: read: connection reset by peer"
time="2021-01-26T01:17:17Z" level=debug msg="http: TLS handshake error from 107.178.239.209:55743: read tcp 172.22.0.2:443->107.178.239.209:55743: read: connection reset by peer"
time="2021-01-26T01:17:17Z" level=debug msg="http: TLS handshake error from 107.178.239.209:29957: read tcp 172.22.0.2:443->107.178.239.209:29957: read: connection reset by peer"
time="2021-01-26T01:17:18Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:19Z" level=debug msg="http: TLS handshake error from 107.178.236.1:21440: local error: tls: bad record MAC"
time="2021-01-26T01:17:19Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:19Z" level=debug msg="http: TLS handshake error from 107.178.236.1:46663: EOF"
time="2021-01-26T01:17:19Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:19Z" level=debug msg="http: TLS handshake error from 107.178.236.1:47366: EOF"
time="2021-01-26T01:17:19Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:20Z" level=debug msg="http: TLS handshake error from 107.178.236.1:20555: EOF"
time="2021-01-26T01:17:20Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:20Z" level=debug msg="http: TLS handshake error from 107.178.236.1:49454: EOF"
time="2021-01-26T01:17:20Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:20Z" level=debug msg="http: TLS handshake error from 107.178.236.1:58162: EOF"
time="2021-01-26T01:17:20Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:20Z" level=debug msg="http: TLS handshake error from 107.178.236.1:47768: EOF"
time="2021-01-26T01:17:20Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:21Z" level=debug msg="http: TLS handshake error from 107.178.236.1:35363: EOF"
time="2021-01-26T01:17:21Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:21Z" level=debug msg="http: TLS handshake error from 107.178.236.1:26519: EOF"
time="2021-01-26T01:17:21Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:21Z" level=debug msg="http: TLS handshake error from 107.178.236.1:36163: EOF"
time="2021-01-26T01:17:21Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""
time="2021-01-26T01:17:21Z" level=debug msg="http: TLS handshake error from 107.178.236.1:36594: read tcp 172.22.0.2:443->107.178.236.1:36594: read: connection reset by peer"
  4. I'm using basic auth now, but it's not asking me for the user and password when loading traefik.xxx.xcom. At least I understood the basic/digest auth as an authentication before getting access to the Dashboard:
docker-compose.yml
version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=xxx@xxx.xcom"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      traefik.enable: "true"
      traefik.http.routers.dashboard.rule: Host(`traefik.xxx.xcom`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      traefik.http.routers.dashboard.entrypoints: websecure
      traefik.http.routers.dashboard.tls.certresolver: myresolver
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.middlewares.traefik-auth.basicauth.users: testuser:testpassword

    ports:
      - "80:80"
      - "443:443"

    volumes:
      - "/home/pi/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

My research on problem 4) led me to this German tutorial, which ultimately led me to Routing - Routers - Middlewares in the documentation (cannot link it for whatever reason). Does it have anything to do with my issue?

Thanks for all your help guys! (Again, the links are in a weird way so nothing is marked as spam)

Welcome to the public internet. The handshake failure is from the remote client. In this case they are requesting a hostname not provisioned and the default certificate is the Traefik Default Certificate. So the clients throw this error.

If you're on a cloud provider platform, reuse of IPs can make this more prevalent. You can investigate the strict-sni-checking.

You've created a middleware with that label, but it is not attached to a router.
traefik.http.routers.dashboard.middlewares: traefik-auth

Also note the password portion must be hashed: https://doc.traefik.io/traefik/middlewares/basicauth/#general
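Added example (not from the thread and not Traefik's own tooling) that turns the "bezillion" handshake failures into a short table: it parses Traefik's DEBUG lines, counts default-certificate servings by the SNI name the client asked for, and groups handshake errors by remote IP and by which side gave up, so names that are not provisioned (the bare domain, or no SNI at all) stand out. SAMPLE_LOG is constructed after the lines quoted above with RFC 5737 documentation IPs (203.0.113.x), and the set of provisioned hostnames is an assumption.

```python
"""Triage the TLS noise in a Traefik DEBUG log: which SNI names were answered
with Traefik's self-signed default certificate, and which remote IPs aborted
the handshake, and why.  Log format is logrus text (key="value" pairs with
inner quotes backslash-escaped)."""
import re
from collections import Counter

MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
DEFAULT_CERT_RE = re.compile(r'^Serving default certificate for request: "(.*)"$')
HANDSHAKE_RE = re.compile(r'^http: TLS handshake error from (\S+?):(\d+): (.*)$')

# Constructed sample modelled on the thread's log; addresses are documentation IPs.
SAMPLE_LOG = [
    r'time="2021-01-26T01:17:14Z" level=debug msg="http: TLS handshake error from 203.0.113.5:19818: read tcp 172.22.0.2:443->203.0.113.5:19818: read: connection reset by peer"',
    r'time="2021-01-26T01:17:14Z" level=debug msg="http: TLS handshake error from 203.0.113.5:55823: EOF"',
    r'time="2021-01-26T01:17:18Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""',
    r'time="2021-01-26T01:17:19Z" level=debug msg="http: TLS handshake error from 203.0.113.7:21440: local error: tls: bad record MAC"',
    r'time="2021-01-26T01:17:19Z" level=debug msg="Serving default certificate for request: \"xxx.xcom\""',
    r'time="2021-01-26T01:17:19Z" level=debug msg="http: TLS handshake error from 203.0.113.7:46663: remote error: tls: unknown certificate"',
    r'time="2021-01-26T01:17:20Z" level=debug msg="Serving default certificate for request: \"\""',
    r'time="2021-01-26T01:17:20Z" level=debug msg="http: TLS handshake error from 203.0.113.9:46670: remote error: tls: bad certificate"',
    r'time="2021-01-26T01:17:21Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.xxx.xcom\"]." providerName=myresolver.acme',
]


def extract_msg(line):
    """Return the unescaped msg="..." field of a logrus line, or None."""
    m = MSG_RE.search(line)
    return m.group(1).replace('\\"', '"') if m else None


def classify_reason(reason):
    """Collapse Go's TLS error strings into who gave up and why."""
    if reason.startswith("remote error: tls:"):
        # The client sent a TLS alert: it did not accept the certificate we
        # served (for the default cert: "unknown certificate"/"bad certificate").
        return "client rejected our certificate"
    if reason.startswith("local error: tls:"):
        return "we rejected the client's handshake"
    if reason == "EOF" or "connection reset by peer" in reason:
        return "client disconnected mid-handshake"
    return "other: " + reason


def triage(lines):
    """Count default-certificate servings per SNI name and handshake errors
    per (remote IP, reason class).  Unrelated log lines are ignored."""
    by_sni, by_peer = Counter(), Counter()
    for line in lines:
        msg = extract_msg(line)
        if msg is None:
            continue
        m = DEFAULT_CERT_RE.match(msg)
        if m:
            by_sni[m.group(1) or "<no SNI>"] += 1  # scanners often send no SNI
            continue
        m = HANDSHAKE_RE.match(msg)
        if m:
            ip, _port, reason = m.groups()
            by_peer[(ip, classify_reason(reason))] += 1
    return {"default_cert_requests": dict(by_sni), "handshake_errors": dict(by_peer)}


def unprovisioned_names(result, provisioned):
    """SNI names that fell through to the default certificate because no router
    or certificate covers them.  With the dashboard on traefik.<domain>, the
    bare domain is expected to show up here; these are not errors in Traefik."""
    return sorted(n for n in result["default_cert_requests"] if n not in provisioned)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for name, count in sorted(summary["default_cert_requests"].items()):
        print(f"{count:4d}  default cert served for SNI {name!r}")
    for (ip, why), count in sorted(summary["handshake_errors"].items()):
        print(f"{count:4d}  {ip:15s} {why}")
    print("not provisioned:", unprovisioned_names(summary, {"traefik.xxx.xcom"}))
```

Run it over `docker logs traefik` output instead of SAMPLE_LOG to see which names the outside world is probing; a name that should be served is then a routing problem, everything else is background noise.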
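An added example (not the thread's or Traefik's own code) of the hashing step that answer refers to: it produces the `$apr1$` MD5-crypt hash that `htpasswd -m` generates and Traefik's BasicAuth middleware accepts, verifies a candidate password against a stored hash, and doubles the `$` signs the way a docker-compose.yml label value needs. The salt `H6uskkkW` and the `test`/`test` user are the sample from the Traefik documentation; the other names and passwords are constructed.

```python
"""Build a Traefik BasicAuth 'users' entry: Apache-style $apr1$ MD5-crypt
hash of the password, plus the '$' doubling needed inside docker-compose.yml."""
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """crypt(3)-style base64: low 6 bits first, custom alphabet."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5_crypt(password, salt=None):
    """Apache apr_md5_encode(): the scheme behind `htpasswd -m`.
    salt is up to 8 characters from ITOA64; a random one is drawn if omitted."""
    if salt is None:
        salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    pw = password.encode()
    sb = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate sum, one byte per password byte
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # a zero byte or the first password byte per bit of the length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop with Apache's exact schedule
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + sb + b"$" + out).decode()


def verify(password, stored):
    """Constant-time check of a candidate password against a stored $apr1$ hash."""
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5_crypt(password, parts[2]), stored)


def compose_users_label(entries):
    """Value for traefik.http.middlewares.<name>.basicauth.users in a
    docker-compose.yml: comma-separated user:hash pairs with every '$' doubled,
    otherwise Compose treats '$apr1' as variable interpolation."""
    return ",".join(f"{user}:{digest}" for user, digest in entries).replace("$", "$$")


if __name__ == "__main__":
    digest = apr1_md5_crypt("correct-horse")  # constructed password
    print("traefik.http.middlewares.traefik-auth.basicauth.users:",
          compose_users_label([("admin", digest)]))
    print("traefik.http.routers.dashboard.middlewares: traefik-auth")
```

In practice `htpasswd -nB user` (bcrypt) is the simpler route; the point here is what the hashed form has to look like once it lands in the label, and that the middleware still needs the `routers.dashboard.middlewares` label to take effect.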

I'm wondering whether what I'm trying to achieve is a good idea the way I planned to do it. I want to self-host some services (cloud, password manager, picture/gallery host) on my local Raspberry Pi. I do have a VPN (via my FritzBox) connection to my home network, so technically I don't need to open everything up to the internet.

The reason I wanted to do so was because I'm running everything in docker containers, and any time I'm looking how to implement SSL, I'm redirected to some sort of reverse proxy, may it be nginx, traefik or something else.

So, my question here would be:

Wouldn't it be better to just run all my self-hosted services locally without exposing them to the internet and therefore without SSL (unless I can figure out how I can add SSL to the docker containers) and access everything via a VPN connection to my home network when I'm outside?

Or, as I have been writing this, I had the idea of using traefik, but without exposing it to the internet. I could just use it as a reverse proxy locally in my home network and anytime I want to access one of those services, I just have to access them via traefik.

Yes. This would be recommended, in combination with:

1 Like