Hi, I have a problem with my Traefik configuration. It has been working for about two months, and today I noticed that I can't connect to my website.
Here is the error I'm getting:
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *file.Provider"
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *traefik.Provider"
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *acme.Provider"
time="2022-05-08T00:28:58+02:00" level=info msg="Testing certificate renew..." providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *docker.Provider"
time="2022-05-08T00:28:58+02:00" level=info msg="Starting provider *acme.Provider"
time="2022-05-08T00:28:58+02:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=production.acme
time="2022-05-08T00:29:58+02:00" level=error msg="Unable to obtain ACME certificate for domains \"home.example.duckdns.org\": unable to generate a certificate for the domains [home.example.duckdns.org]: error: one or more domains had a problem:\n[home.example.duckdns.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 178.37.247.206: Invalid response from http://home.example.duckdns.org/.well-known/acme-challenge/G_x2gUe4-Ek-bwK39c2UtCLDteVHIZc5PNcqqp_SJvc: 404\n" routerName=homeassistant@file providerName=staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" rule="Host(`home.example.duckdns.org`)"
docker-compose.yml
version: "3.7"
services:
  traefik:
    image: traefik:latest  # unpinned tag: any restart may pull a newer release; consider pinning a version
    container_name: traefik
    environment:
      - TZ=Europe/Warsaw
    ports:
      - '80:80'
      - '443:443'
      # 8080 is the Traefik API/dashboard. traefik.yml sets api.insecure: true, so this
      # publishes it unauthenticated on every host interface. Bind it to the loopback
      # address (127.0.0.1:8080:8080) or serve the dashboard through a router with
      # the basicAuth middleware instead.
      - '8080:8080'
    networks:
      - traefik_default  # no top-level `networks:` block declares this name here — presumably defined elsewhere or trimmed from the post
    volumes:
      - /home/morgan/docker/traefik/config:/etc/traefik  # static traefik.yml plus the file-provider directory
      - /home/morgan/docker/traefik/letsencrypt:/letsencrypt  # ACME storage (acme.json) lives here
      - /home/morgan/docker/traefik/logs:/var/log/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro  # the ro flag only protects the socket file; the Docker API behind it is still fully usable
    restart: always
    extra_hosts:
      - host.docker.internal:172.17.0.1
  homeassistant:
    container_name: homeassistant
    image: "homeassistant/home-assistant:latest"
    volumes:
      - /home/morgan/docker/homeassistant:/config
      - /home/morgan/docker/homeassistant/media:/media
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true  # grants full host device access — confirm it is actually needed (typically only for USB/Bluetooth passthrough)
    network_mode: host  # shares the host's network stack, which is why Traefik reaches it at 192.168.1.200:8123
    environment:
      - PUID=1000
      - PGUID=1000  # NOTE(review): looks like a typo for PGID; also verify this image reads PUID/PGID at all
      - TZ=Europe/Warsaw
    expose:
      - 8123  # informational only: with network_mode: host the port is already bound on the host
traefik.yml
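global:
  checkNewVersion: true
  sendAnonymousUsage: false # true by default
log:
  level: INFO # DEBUG, INFO, WARNING, ERROR, CRITICAL — DEBUG logs each ACME challenge request, which helps while the 404 below is being chased
  format: common # common, json, logfmt
  filePath: /var/log/traefik/traefik.log
accesslog:
  format: common # common, json, logfmt
  filePath: /var/log/traefik/access.log
api:
  dashboard: true
  # insecure: true serves the API and dashboard on :8080 without any authentication,
  # and docker-compose.yml publishes that port on all host interfaces. Prefer
  # insecure: false with a dashboard router protected by the `logowanie` basicAuth
  # middleware from the dynamic configuration.
  insecure: true
# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    http:
      # Plain HTTP is redirected to HTTPS; ACME HTTP-01 requests are still answered
      # before this redirection applies.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
certificatesResolvers:
  staging:
    acme:
      email: "******" # redacted in the post; quoted because an unquoted `******` is read as a YAML alias and fails to parse
      # Each resolver needs its own storage file. Both resolvers originally pointed at
      # /letsencrypt/acme.json, so the two ACME accounts shared and overwrote one
      # state file. The file name below is a constructed example — pick any distinct path.
      storage: /letsencrypt/acme-staging.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # HTTP-01: the CA must reach port 80 at the public IP that home.example.duckdns.org
      # resolves to. The 404 in the log means that address answered on port 80 but not
      # with Traefik's challenge handler — verify the DuckDNS record still points at this
      # host's current public IP and that nothing else answers port 80 there.
      httpChallenge:
        entryPoint: web
  production:
    acme:
      email: "*****" # redacted in the post
      storage: /letsencrypt/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
providers:
  docker:
    exposedByDefault: false # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true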
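# Everything from here down is dynamic configuration. Traefik rejects these keys inside
# the static traefik.yml, so they presumably live in a separate file under /etc/traefik
# that the file provider loads — confirm.
tls:
  options:
    default:
      minVersion: VersionTLS13 # rejects TLS 1.2-only clients (older mobile apps, IoT devices); lower to VersionTLS12 if they must connect
      sniStrict: true # close connections that present no or an unknown SNI instead of serving a default certificate
http:
  middlewares:
    # Defined but not referenced by any router below (candidate for protecting the dashboard).
    logowanie:
      basicAuth:
        users:
          - "morgan:******" # redacted in the post; htpasswd-style entry
    # Header set applied to the homeassistant router.
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        # HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true # the HSTS preload list requires stsSeconds >= 31536000 (one year); 15768000 is six months
        stsSeconds: 15768000
    # Stricter variant; currently not used by any router.
    secHeaders2:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        customFrameOptionsValue: SAMEORIGIN # a custom value takes precedence over frameDeny, so X-Frame-Options becomes SAMEORIGIN — verify against the Traefik version in use
        referrerPolicy: same-origin
        # sslRedirect: true — deprecated in Traefik v2; the web entryPoint redirection replaces it
        # HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15768000
        forceSTSHeader: true
        # sslForceHost: true — deprecated in Traefik v2, same as sslRedirect
        # (a second `browserXssFilter: true` was removed here: duplicate keys are invalid YAML and silently last-wins in most parsers)
        customResponseHeaders:
          server: "" # removes "Server" header
          X-Powered-By: "" # Removes X-Powered-By
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # https://securityheaders.com/ is camera+mic enough?
          # Permissions-Policy allowlists use the bare token `self`; the original `('self')`
          # is Feature-Policy syntax and browsers reject it for Permissions-Policy.
          # Quoted so YAML cannot reinterpret the value.
          Permissions-Policy: "camera=(self), microphone=(self), autoplay=(self), payment=(), screen-wake-lock=(self), geolocation=()"
          Feature-Policy: "camera 'self'; microphone 'self'; payment 'none'; screen-wake-lock 'self'; geolocation 'none'; usb 'none'; vr 'none';"
  routers:
    homeassistant:
      entryPoints:
        - "web" # redundant: a router with a `tls` section only serves TLS, and port 80 is covered by the web entryPoint redirection
        - "websecure"
      rule: "Host(`home.example.duckdns.org`)"
      middlewares:
        - secHeaders
      service: homeassistant
      tls:
        certResolver: staging # switch to `production` once staging issues successfully; browsers do not trust staging certificates
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.1.200:8123" # HA runs with network_mode: host, hence the LAN address instead of a container name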
HA configuration.yaml
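default_config: # bare key is intentional: enables Home Assistant's default integrations with no options
http:
  # Take the client address from X-Forwarded-For; only honoured for requests that
  # arrive from one of the trusted_proxies below.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.200
    # The original 172.0.0.0/24 is not a private range and never matches a Docker
    # container address (Docker's default pools start at 172.17.0.0/16 — see the
    # 172.17.0.1 gateway in docker-compose.yml). 172.16.0.0/12 covers all of them;
    # narrow it to the actual traefik_default subnet (docker network inspect) if known.
    - 172.16.0.0/12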
I don't know what the problem might be; this setup was working for two months without any problems. I also have some other containers, and they don't have problems getting certificates (I removed the acme.json file and the other containers got their certificates; only HA is not working). Ports 80 and 443 are forwarded on my router.