I'm doing a new setup in TrueNas Eletric Eel. My previous setup was using the Truecharts versions of Traefik but that's been deprecated. How it was set up previously/how I would like things set up is as follows.
I have a main domain "mydomain.com" that is registered on cloudflare, but not exposed to the internet and (no cname/A records set up etc). All my local network traffic runs through my pihole which has a manual DNS records to redirect any of my hosted apps back to the server. So for example if I type in "sonarr.mydomain.com" on my local network, my pihole redirects to my servers IP. Previously this was handled by the truecharts app cluster-cert and traefik. From what I gather, cluster-cert handled the certificates, while traefik handled the reverse proxy side. All the certificates were created and renewed automatically.
I'm trying to recreate this functionality in EE. What I have so far is EE installed, and then I installed Dockge since there is no native traefik app. I'm planning on setting up all the stacks through Dockge. I'm very new to docker.
I have tried a ton of tutorials out there but I can get neither the certificates working, nor the domain redirects and it's doing my head in.
The current docker-compose.yaml I have is as follows. All the redirects work, but there are no certificates (it's all unsecured).
services:
traefik:
image: traefik:latest
container_name: traefik
security_opt:
- no-new-privileges:true
command:
# Tell Traefik to discover containers using the Docker API
- --providers.docker=true
- --api.dashboard=true
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.letsencrypt.acme.email=myemail@gmail.com
- --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.certResolver=letsencrypt
- --entrypoints.websecure.http.tls.domains[0].main=mydomain.com
- --entrypoints.websecure.http.tls.domains[0].sans=*.mydomain.com
ports:
- 80:80
- 443:443
- 8080:8080
environment:
- CF_API_EMAIL=myemail@gmail.com
- CF_DNS_API_TOKEN=< Token with Zone.DNS.Edit and Zone.Zone.Read Permissions>
restart: unless-stopped
volumes:
- /mnt/General/Docker/Traefik/sslcerts:/letsencrypt
- /var/run/docker.sock:/var/run/docker.sock:ro
labels:
- traefik.enable=true
- traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.tls.certresolver=letsencrypt
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.middlewares=strip
- traefik.http.middlewares.strip.stripprefix.prefixes=/traefik
whoami:
image: traefik/whoami
container_name: simple-service
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)
- traefik.http.routers.whoami.entrypoints=websecure
- traefik.http.routers.whoami.tls.certresolver=letsencrypt
networks:
ix-dockge_default:
external: true
traefik_default:
external: true
I can see the txt challenges show up in cloudflare. I get _acme-challenge.traefik under name along with another challenge that's just _acme-challenge (as well as challenges for the whoami etc). Under content it's just a string of numbers and letters, and under Proxy Status it shows as DNS only.
In the Terminal I get the following error after a few minutes.
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [mydomain.com *.mydomain.com]: error: one or more domains had a problem:\n[*.mydomain.com] propagation: time limit exceeded: last error: authoritative nameservers: NS ariadne.ns.cloudflare.com.:53 returned NXDOMAIN for _acme-challenge.mydomain.com.\n[mydomain.com] propagation: time limit exceeded: last error: authoritative nameservers: NS ariadne.ns.cloudflare.com.:53 returned NXDOMAIN for _acme-challenge.mydomain.com.\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com","*.mydomain.com"] providerName=letsencrypt.acme routerName=websecure-dockge-ix-dockge@docker rule=Host(dockge-ix-dockge)