Error msg="No ACME certificate generation required for domains [\"subdomain.website.com\"]."

Hi. I am currently receiving the following error message in my logs:

```
time="2023-12-14T15:32:03-05:00" level=debug msg="Trying to challenge certificate for domain [dozzle.rpsmediaserver.com] found in HostSNI rule" rule="Host(`dozzle.rpsmediaserver.com`)" routerName=dozzle@docker providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-12-14T15:32:03-05:00" level=debug msg="Trying to challenge certificate for domain [dockerrproxy.rpsmediaserver.com] found in HostSNI rule" routerName=dockerrproxy@docker rule="Host(`dockerrproxy.rpsmediaserver.com`)" providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-12-14T15:32:03-05:00" level=debug msg="Looking for provided certificate(s) to validate [\"dockerrproxy.rpsmediaserver.com\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=dockerrproxy@docker rule="Host(`dockerrproxy.rpsmediaserver.com`)" providerName=letsencrypt.acme
time="2023-12-14T15:32:03-05:00" level=debug msg="No ACME certificate generation required for domains [\"dockerrproxy.rpsmediaserver.com\"]." rule="Host(`dockerrproxy.rpsmediaserver.com`)" providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=dockerrproxy@docker
time="2023-12-14T15:32:03-05:00" level=debug msg="Looking for provided certificate(s) to validate [\"dozzle.rpsmediaserver.com\"]..." rule="Host(`dozzle.rpsmediaserver.com`)" routerName=dozzle@docker providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-12-14T15:32:03-05:00" level=debug msg="No ACME certificate generation required for domains [\"dozzle.rpsmediaserver.com\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" rule="Host(`dozzle.rpsmediaserver.com`)" routerName=dozzle@docker
```

How do I resolve these errors?

Robert

Below is traefik.yml file content:

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: true

serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list

    http2:
      maxConcurrentStreams: 250

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    http:
      tls:
        # Generate a wildcard domain certificate - change webdomain to your domain name
        certResolver: letsencrypt
        domains:
          - main: "webdomain.com"
            sans:
              - "*.webdomain.com"
      middlewares:
        - default-security-headers@file
    forwardedHeaders:
      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps

    http2:
      maxConcurrentStreams: 250

providers:
  # File provider for connecting things that are outside of docker / defining middleware
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    network: "reverse_proxy" # Add Your Docker Network Name Here
    # defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.webdomain.com`)"
    swarmMode: false
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    # endpoint: "tcp://dockerrproxy:2375" # Uncomment if you are using docker socket proxy
    # Default host rule to containername.domain.example
    # defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.home.redacted.net`)"
    # defaultRule: "(Host(`home.redacted.net`) && PathPrefix(`/{{ index .Labels \"com.docker.compose.service\"}}`))"
  file:
    filename: "/etc/traefik/dynamic/config.yml"
    # directory: /etc/traefik/dynamic
    watch: true
  providersThrottleDuration: 2s

api:
  dashboard: true # Enable traefik ui
  insecure: true
  debug: true

ping: {}

log:
  level: DEBUG # INFO|DEBUG|ERROR
  filePath: "etc/traefik/logs/traefik.log"
  format: common

accessLog:
  filePath: "etc/traefik/logs/access.log"
  bufferingSize: 100
  filters:
    statusCodes:
     - "204-299"
     - "400-499"
     - "500-599"

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: "your email address goes here"
      storage: "/etc/traefik/certs/acme.json"
      # Alternative ACME Staging CA Server (not ratelimited like prod):
      # comment out caserver line when done testing, also clear out /etc/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: "10"
        resolvers:
          - "8.8.8.8:53"
          - "1.1.1.1:53"
      tlsChallenge: {}
      httpChallenge:
        entryPoint: http
```

Below is config.yml content:


```yaml
http:
  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
  #routers:
    # Homeassistant routing example - Remove if not used
    #homeassistant:
      #entryPoints:
        #- websecure
      #rule: 'Host(`hass.redacted.net`)'
      #service: homeassistant
      #middlewares:
        #- "auth"
  ## SERVICES EXAMPLE ##
  #services:
    # Homeassistant service example - Remove if not used
    #homeassistant:
      #loadBalancer:
        #servers:
          #- url: http://192.168.60.5:8123/

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - 127.0.0.1/32 # localhost
          - 172.1.0.1/12 # reverse_proxy
          - 172.0.0.1/12 # docker_socket
          - 172.2.0.1/12 # external_edge
          - 192.168.1.0/32 # homelan subnet
          - 10.10.0.1/32 # worklan subnet

    # authentik:
    #   forwardauth:
    #     address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
    #     trustForwardHeader: "true"
    #     authResponseHeaders:
    #       - X-authentik-username
    #       - X-authentik-groups
    #       - X-authentik-email
    #       - X-authentik-name
    #       - X-authentik-uid
    #       - X-authentik-jwt
    #       - X-authentik-meta-jwks
    #       - X-authentik-meta-outpost
    #       - X-authentik-meta-provider
    #       - X-authentik-meta-app
    #       - X-authentik-meta-version

    # # Authelia guard
    # auth:
    #   forwardauth:
    #     address: http://auth:9091/api/verify?rd=https://auth.redacted.net/ # replace auth with your authelia container name
    #     trustForwardHeader: true
    #     authResponseHeaders:
    #       - Remote-User
    #       - Remote-Groups
    #       - Remote-Name
    #       - Remote-Email

    # # Authelia basic auth guard
    # auth-basic:
    #   forwardauth:
    #     address: http://auth:9091/api/verify?auth=basic # replace auth with your authelia container name
    #     trustForwardHeader: true
    #     authResponseHeaders:
    #       - Remote-User
    #       - Remote-Groups
    #       - Remote-Name
    #       - Remote-Email
    # A basic authentication middleware, to protect the Traefik dashboard to anyone except myself
    # Use with traefik.http.routers.myRouter.middlewares: "traefikAuth@file"
    traefikAuth:
      basicAuth:
        users: "your id:$hashed password"

    # Recommended default middleware for most of the services
    # Use with traefik.http.routers.myRouter.middlewares: "default@file"
    # Equivalent of traefik.http.routers.myRouter.middlewares: "default-security-headers@file,error-pages@file,gzip@file"

    default:
      chain:
        middlewares:
          - default-security-headers
          - error-pages
          - gzip

    # Add automatically some security headers
    # Use with traefik.http.routers.myRouter.middlewares: "default-security-headers@file"

    # Security headers
    default-security-headers:
      headers:
        referrerPolicy: "strict-origin-when-cross-origin"
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        browserXssFilter: true                            # X-XSS-Protection=1; mode=block
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        sslRedirect: true                                 # Allow only https requests
        stsSeconds: 63072000                              # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header

    # Serve the error pages when the status is included inside the following ranges
    # Use with traefik.http.routers.myRouter.middlewares: "error-pages@file"
    error-pages:
      errors:
        query: "error{status}/"
        service: traefik-error-pages
        status:
          - "403-404"
          - "500"
          - "503"

    # Enables the GZIP compression (https://docs.traefik.io/middlewares/compress/)
    #   if the response body is larger than 1400 bytes
    #   if the Accept-Encoding request header contains gzip
    #   if the response is not already compressed (Content-Encoding is not set)
    # Use with traefik.http.routers.myRouter.middlewares: "gzip@file"
    gzip:
      compress: {}

    services:
    # Error pages
    traefik-error-pages:
      loadBalancer:
        servers:
          - url: "https://www.usherbrooke.ca/error-pages/"

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
```

Below is docker compose file:


```yaml
secrets:
  cloudflare_api_key:
    file: '/share/docker/secrets/cloudflare_api_key.secret'
  cloudflare_api_email:
    file: '/share/docker/secrets/cloudflare_api_email.secret'
  cloudflare_domain1-dns_token:
    file: '/share/docker/secrets/cloudflare_domain1-dns_token.secret'
  htpasswd:
    file: '/share/docker/secrets/htpasswd.secret'

services:
  traefik:
    container_name: traefik
    image: traefik:saintmarcelin # v2.10 with security updates
    security_opt:
    - no-new-privileges:true
    restart: always
    networks:
      - reverse_proxy # rename this to your custom docker network
    ports:
      - 33080:80
      - 33443:443
      - 33880:8080 # Dashboard port
    secrets:
      - cloudflare_api_email
      - cloudflare_domain1-dns_token
      - cloudflare_api_key
      - htpasswd
    env_file:
      - $docker_scripts/.vars_docker.env
    environment:
      - PUID=${var_usr}
      - PGID=${var_grp}
      - TZ=America/New_York # change to your local timezone
      - HTPASSWD_FILE=/run/secrets/htpasswd
      - CLOUDFLARE_EMAIL_FILE=/var/run/secrets/cloudflare_api_email
      - CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_api_email
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_domain1-dns-token
    command:
      - '--configFile=/etc/traefik/static/traefik.yml'
    volumes:
      - /etc/timezone:/etc/timezone:ro  # Set the container timezone by sharing the read-only localtime
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Give access to the UNIX Docker
      - /$compose_appdata/traefik/certs/:/etc/traefik/certs/
      - /$compose_appdata/traefik/:/etc/traefik/
      # - /$compose_appdata/traefik/certs/:/etc/traefik/certs/  # Set the location where my ACME certificates are saved to
      - /$compose_appdata/traefik/dynamic/config.yml:/etc/traefik/config.yml:ro  # Set the dynamic configuration for the file provider
      - /$compose_appdata/traefik/static/traefik.yml:/etc/traefik/traefik.yml:ro  # Set the static configuration
      - /$compose_appdata/traefik/logs/:/etc/traefik/logs/  # Set the traefik main log directory
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
        compress: "true"
    labels:
      - 'traefik.docker.network=reverse_proxy'  # Enable Traefik reverse proxy for the Traefik dashboard.
      - 'traefik.enable=true'
      ## HTTP Routers
      - 'traefik.http.routers.traefik.entrypoints=https'  # Set the Traefik entry point.
      - 'traefik.http.routers.traefik.rule=Host(`traefik.${var_domain1}`)'
      - 'traefik.http.routers.traefik.service=api@internal'  # Enable Traefik API
      - 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.traefik.tls.options=defaultn@file'
      - 'traefik.http.routers.traefik.tls=true'
      ## Middlewares
      - 'traefik.http.routers.traefik.middlewares=traefikAuth@file,default@file'
      ## HTTP Services
      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'

networks:
  reverse_proxy:
    external: true
```

I did the following to allow ports through the firewall and then also changed the following files to allow writes to them:


```
## router 443 >> nas.lan.ip:33443

## touch /share/docker/appdata/traefik/certs/acme.json

## chmod -R 600 /share/docker/appdata/traefik/certs/acme.json
```

Please re-format all your posts and use 3 backticks in front and after code. It makes it more readable and in yaml every space matters.

"No ACME certificate generation required for domains" is not an error message. It just states that Traefik already has a valid LE cert, doesn’t need to generate a new one. Which is great, because LE has usage limits.

Done as you requested and reformatted the output above. The issue I am having is with the above files and info. It's giving me the above error in my traefik log. I just get a big spinning circle on my web page. For instance, when I type in dozzle.mywebdomain.com it never takes me to the resolved web page for dozzle (that shows my docker logs for all apps running). I have tried disabling my QNAP firewall to ensure any traffic is allowed through without issues (while I test). I have also verified that the ports are forwarded in the router as I indicated above. With the recent increase in system failures and damage caused by ransomware attacks throughout the industry, I am taking steps needed on my server to secure my environment, getting traefik docker compose implemented to prevent data breaches and network attacks. Your thoughts on steps I can take to troubleshoot the above?

No ACME certificate generation required is not an error, it is just debug. Otherwise it would state "error".

A spinning wheel usually means the browser has something loaded. I would assume it's waiting for some additional JS scripts to be loaded and run, but that's not working. Check your Traefik access log and your browser's developer tools network tab for failed requests.
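
The distinction the replies draw, that these lines are `level=debug` and a real failure would say "error", can be checked mechanically by parsing the `level=` field instead of reading the message text. The script below is an added example, not part of the thread or of Traefik; the sample lines are constructed (example.com hosts, and the `level=error` line is invented for contrast), and `parse_line` / `triage` and the level ordering are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the logfmt shape of the lines quoted in the thread
# (example.com hosts; the level=error line is invented for contrast).
SAMPLE = r'''
time="2023-12-14T15:32:03-05:00" level=debug msg="Trying to challenge certificate for domain [dozzle.example.com] found in HostSNI rule" rule="Host(`dozzle.example.com`)" routerName=dozzle@docker providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-12-14T15:32:03-05:00" level=debug msg="No ACME certificate generation required for domains [\"dozzle.example.com\"]." providerName=letsencrypt.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=dozzle@docker
time="2023-12-14T15:32:04-05:00" level=error msg="constructed failure for contrast" providerName=letsencrypt.acme routerName=whoami@docker
'''

# Level names, lowest to highest severity (assumed set for this example).
SEVERITY = {"debug": 0, "info": 1, "warning": 2, "error": 3, "fatal": 4, "panic": 5}

# key=value pairs; values may be quoted with \" escapes. "ACME CA" is the one
# key in these lines that contains a space, so it is matched explicitly.
PAIR = re.compile(r'((?:ACME )?[A-Za-z]\w*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Split one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def triage(text, threshold="warning"):
    """Return (line count per level, records at or above threshold)."""
    counts, actionable = Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if "level" not in rec:
            continue  # blank or non-logfmt line
        level = rec["level"].lower()
        counts[level] += 1
        # Unknown level names are surfaced rather than silently dropped.
        if SEVERITY.get(level, len(SEVERITY)) >= SEVERITY[threshold]:
            actionable.append(rec)
    return counts, actionable


if __name__ == "__main__":
    counts, actionable = triage(SAMPLE)
    print(dict(counts))
    for rec in actionable:
        print(rec["level"], rec.get("routerName", "-"), rec["msg"])
```

Run against a real `traefik.log`, an empty `actionable` list means the ACME provider reported nothing at warning level or above, and the next place to look is the access log and the browser's network tab, as suggested above.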