HTTPS serving up default traefik certificate instead of ACME Lets-Encrypt

Good day everyone,

I am new to traefik and I tried to set it up in docker according to this tutorial: https://www.youtube.com/watch?v=-hfejNXqOzA&t=265s

http works so far and I seem to be getting certificates from Let's Encrypt (acme.json was empty before and now has entries that look good to me).

https seems to be offering up a self-signed "TRAEFIK DEFAULT CERT" certificate and I get this log entry when I try to connect:

http: TLS handshake error from 10.80.55.50:42298: remote error: tls: bad certificate

Here is my traefik.yml for static config:

global:
  sendAnonymousUsage: false

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: :80
  websecure:
    address: :443

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
    watch: true

certificatesResolvers:
  cloudflare:
   acme:
     caServer: https://acme-staging-v02.api.letsencrypt.org/directory
     email: xxx@xxx.xx
     keyType: 'EC256'
     storage: /acme.json
     dnsChallenge:
       provider: cloudflare
       resolvers:
         - "1.1.1.1:53"
         - "1.0.0.1:53"

Here is my config.yml (not relevant, I think, but maybe I am wrong):

http:
  routers:
    jellyfin_router:
      entryPoints:
        - "websecure"
        - "web"
      rule: "Host(`jelly.xxx.xx`)"
      service: "jellyfin_service"
  services:
    jellyfin_service:
      loadBalancer:
        servers:
          - url: "http://10.80.55.25:8096"

My docker compose for traefik:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TZ=Europe/Zurich
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/stacks/traefik/traefik/traefik.yml:/traefik.yml:ro
      - /opt/stacks/traefik/traefik/config.yml:/config.yml:ro
      - /opt/stacks/traefik/traefik/acme.json:/acme.json
    networks:
      frontend: null
networks:
  frontend:
    external: true

And the docker compose of the server I am trying to connect to on the same host:

services:
  heimdall:
    image: lscr.io/linuxserver/heimdall:latest
    container_name: heimdall
    labels:
      - traefik.enable=true
      - traefik.http.routers.heimdall.rule=Host(`home.xxx.xx`)
      - traefik.http.routers.heimdall.entrypoints=web
      - traefik.http.routers.heimdal-sec.tls=true
      - traefik.http.routers.heimdal-sec.tls.certresolver=cloudflare
      - traefik.http.routers.heimdal-sec.entrypoints=websecure
      - traefik.http.routers.heimdal-sec.rule=Host(`home.xxx.xx`)
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Zurich
    volumes:
      - heimdall_conf:/config
    ports:
      - 808:80
      - 4434:443
    healthcheck:
      test:
        - CMD
        - curl
        - -f
        - http://10.80.55.26:808
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    restart: unless-stopped
    networks:
      - frontend
volumes:
  heimdall_conf:
    driver: local
networks:
  frontend:
    external: true

Also, before this I used an nginx reverse proxy, if that matters.
Thank you for your help.

I saw that after accepting the first untrusted cert warning, I got a different one for "(STAGING) Let's Encrypt".
Due to this I found a mistake in my traefik.yml. The caServer had a wrong entry. Corrected, it looks like this:

global:
  sendAnonymousUsage: false

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: :80
  websecure:
    address: :443

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
    watch: true

certificatesResolvers:
  cloudflare:
   acme:
     caServer: 'https://acme-v02.api.letsencrypt.org/directory'
     email: "xxx@xxx.xx"
     keyType: 'EC256'
     storage: /acme.json
     dnsChallenge:
       provider: cloudflare
       resolvers:
         - "1.1.1.1:53"
         - "1.0.0.1:53"

I have moved the acme.json and created a new one. There the certificate was generated with the new CA.
Now I still get the untrusted certificate prompt with the default traefik cert, but when I accept this, my website shows up and I get the right Let's Encrypt cert. So all I need to figure out now is how to make traefik serve the right certificate on the first try.

It works now, although I have changed nothing.
The secret ingredient was time, it seems.
All is well and case closed.
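
Added example, not part of the original posts: a small audit of acme.json that flags a resolver still registered against the Let's Encrypt staging CA and lists router hostnames with no stored certificate, the case in which Traefik falls back to "TRAEFIK DEFAULT CERT". The acme.json layout used here (`Account.Registration.uri`, `Certificates[].domain.main/sans`) is an assumption about the file Traefik writes, and the `example.test` hostnames and sample data are constructed.

```python
import json

STAGING_MARKER = "acme-staging"  # substring of the staging caServer URL shown in the post

# Constructed sample in the layout assumed for Traefik's acme.json
# (private keys and certificate bodies omitted).
SAMPLE_ACME = json.dumps({
    "cloudflare": {
        "Account": {
            "Email": "admin@example.test",
            "Registration": {"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1"},
        },
        "Certificates": [
            {"domain": {"main": "home.example.test"}, "Store": "default"},
        ],
    }
})


def covers(cert_name, host):
    """True if a certificate name (possibly a one-label wildcard) matches host."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def audit(acme_text, router_hosts):
    """Return (per-resolver findings, router hosts with no stored certificate)."""
    data = json.loads(acme_text)
    findings, all_names = {}, []
    for resolver, body in data.items():
        uri = ((body.get("Account") or {}).get("Registration") or {}).get("uri", "")
        names = []
        for cert in body.get("Certificates") or []:
            dom = cert.get("domain", {})
            names += [dom.get("main", "")] + list(dom.get("sans") or [])
        names = [n for n in names if n]
        findings[resolver] = {"staging": STAGING_MARKER in uri, "names": names}
        all_names += names
    uncovered = [h for h in router_hosts if not any(covers(n, h) for n in all_names)]
    return findings, uncovered


if __name__ == "__main__":
    report, missing = audit(SAMPLE_ACME, ["home.example.test", "jelly.example.test"])
    print(report)
    print("no stored certificate:", missing)
```

To check a real deployment, pass the contents of the mounted acme.json and the hostnames from the `Host(...)` rules of the routers on the `websecure` entry point.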