I struggled for hours trying to understand what is wrong with my setup, until I discovered that removing the tls.certResolver option (using an ACME provider) from my HTTP router is the key. But I don't understand why; please explain to me what is going on... I need to reintroduce that option.
The problem: I am getting a 404 when trying to access my service.
Consider the following:
- I am working on a local development environment. I expect the ACME protocol to fail: no problem.
- My initial setup involved several services; I cut them down to the essentials: traefik and a webservice.
./docker-compose.yml

```yaml
services:
  traefik:
    image: traefik:v3.2
    command:
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--api.debug=true"
      - "--api.insecure=true"
      - "--api=true"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--log.level=DEBUG"
      - "--providers.file.directory=/etc/traefik"
      - "--providers.file.watch=true"
      - "--serverstransport.insecureskipverify"
      - "--tracing.otlp.http.endpoint=http://collector:4318/v1/traces"
      - "--tracing=true"
    volumes:
      - ./traefik:/etc/traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    restart: "unless-stopped"
  fuertetop:
    build:
      context: ./fuertetop
    environment:
      PORT: "9999"
    ports:
      - "9999"
```
./traefik/base.yml

```yaml
http:
  routers:
    fuertetop:
      entrypoints:
        - web
        - websecure
      rule: "Host(`www.fuertetop.com`) || Host(`fuertetop.com`)"
      service: fuertetop
      #tls:
      #  certResolver: myresolver
  services:
    fuertetop:
      loadBalancer:
        servers:
          - url: http://fuertetop:9999/
```
- When I uncomment the tls.certResolver option from my base.yml config, I can clearly see that the entrypoint does not match any service. This is reflected by the logs, which do not include any ServiceName:

```json
{
  "ClientAddr": "172.28.0.1:60366",
  "ClientHost": "172.28.0.1",
  "ClientPort": "60366",
  "ClientUsername": "-",
  "DownstreamContentSize": 19,
  "DownstreamStatus": 404,
  "Duration": 36465,
  "GzipRatio": 0,
  "OriginContentSize": 0,
  "OriginDuration": 0,
  "OriginStatus": 0,
  "Overhead": 36465,
  "RequestAddr": "www.fuertetop.com",
  "RequestContentSize": 0,
  "RequestCount": 2,
  "RequestHost": "www.fuertetop.com",
  "RequestMethod": "GET",
  "RequestPath": "/favicon.ico",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/1.1",
  "RequestScheme": "http",
  "RetryAttempts": 0,
  "SpanId": "42eb2cd422bfe363",
  "StartLocal": "2025-02-02T15:58:14.601864457Z",
  "StartUTC": "2025-02-02T15:58:14.601864457Z",
  "TraceId": "861ba7cd3adbde4018db8e7e2955c70f",
  "entryPointName": "web",
  "level": "info",
  "msg": "",
  "time": "2025-02-02T15:58:14Z"
}
```
- The dashboard, however, does not seem to indicate any problem with the chaining from Entrypoint to Router to Service:
- It simply seems that the failing of the ACME protocol (as shown by the last line in the logs - which were too long to attach here) determines the unavailability of the service by the entrypoint.
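To tell 404s that Traefik generated because no router accepted the request apart from 404s returned by the backend, the JSON access log can be triaged on the fields the post points at. This is an added example, not part of the original post; the sample lines are constructed (the first mirrors the entry above), and it assumes routed requests carry `RouterName` alongside `ServiceName`.

```python
import json
from collections import Counter

# Constructed sample lines in the --accesslog.format=json shape.
# Line 1 mirrors the 404 from the post; lines 2-3 are made up for contrast.
SAMPLE_LOG = """\
{"DownstreamStatus":404,"OriginStatus":0,"RequestHost":"www.fuertetop.com","RequestPath":"/favicon.ico","RequestScheme":"http","entryPointName":"web"}
{"DownstreamStatus":404,"OriginStatus":404,"RequestHost":"www.fuertetop.com","RequestPath":"/missing","RequestScheme":"https","entryPointName":"websecure","RouterName":"fuertetop@file","ServiceName":"fuertetop@file"}
{"DownstreamStatus":200,"OriginStatus":200,"RequestHost":"fuertetop.com","RequestPath":"/","RequestScheme":"https","entryPointName":"websecure","RouterName":"fuertetop@file","ServiceName":"fuertetop@file"}
time="2025-02-02T15:58:14Z" level=debug msg="non-JSON line mixed into the stream"
"""


def classify(entry):
    """Return 'router-miss', 'backend-404' or 'other' for one log entry."""
    if entry.get("DownstreamStatus") != 404:
        return "other"
    # No RouterName/ServiceName: no router accepted the request, so the
    # proxy answered 404 itself and nothing was forwarded (OriginStatus 0).
    if not entry.get("RouterName") and not entry.get("ServiceName"):
        return "router-miss"
    return "backend-404" if entry.get("OriginStatus") == 404 else "other"


def summarize(lines):
    """Count router misses per (entrypoint, scheme, host) and backend 404s."""
    misses, backend = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip text-format log lines
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated entries
        kind = classify(entry)
        if kind == "router-miss":
            key = (entry.get("entryPointName"), entry.get("RequestScheme"),
                   entry.get("RequestHost"))
            misses[key] += 1
        elif kind == "backend-404":
            backend += 1
    return misses, backend


if __name__ == "__main__":
    misses, backend = summarize(SAMPLE_LOG.splitlines())
    for (ep, scheme, host), n in misses.most_common():
        print(f"{n} unrouted 404(s): entrypoint={ep} scheme={scheme} host={host}")
    print(f"{backend} 404(s) returned by a backend service")
```

Grouping by entrypoint and scheme shows whether the misses are confined to plain-HTTP requests on `web` or also occur on `websecure`.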