Issue with Duckdns x docker compose

Traefik Traefik v3 (latest)
1

Super new to traefik and devops, been trying to set up traefik with my duckdns domain.
My error seems to be that it's working in setting up the acme configuration but can't seem to access the challenge for duckdns. don't think it's an IP issue cuz i run a script every 5 minutes that updates my ip to my duck dns domain

Dockercompose.yml:

# secrets:
#   cf-token:
#     file: ./cf-token.txt
services:
  traefik:
    image: traefik:latest # or traefik:v3.3 to pin a version
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    # secrets:
    #   - cf-token # the secret at the top of this file
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
      # - 10000:10000 # optional
      # - 33073:33073 # optional
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
      - DUCKDNS_DOMAIN=${DUCKDNS_DOMAIN}
      # - DUCKDNS_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
      # token file is the proper way to do it
      - DUCKDNS_HTTP_TIMEOUT=60
      - DUCKDNS_POLLING_INTERVAL=5
      - DUCKDNS_PROPAGATION_TIMEOUT=300
      - DUCKDNS_SEQUENCE_INTERVAL=30
      - DUCKDNS_TTL=60
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/docker/traefik/traefik.yml:/traefik.yml:ro
      - /home/ubuntu/docker/traefik/acme.json:/acme.json
      - /home/ubuntu/docker/traefik/config.yml:/config.yml:ro
      - /home/ubuntu/docker/traefik/logs:/var/log/traefik
    command:
      - --accesslog=true
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.entrypoints=http'
      - 'traefik.http.routers.traefik.rule=Host(`my-traefik-docker.duckdns.org`)' # Use your DuckDNS domain
      - 'traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}'
      - 'traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https'
      - 'traefik.http.routers.traefik.middlewares=traefik-https-redirect'
      - 'traefik.http.routers.traefik-secure.entrypoints=https'
      - 'traefik.http.routers.traefik-secure.rule=Host(`my-traefik-docker.duckdns.org`)' # Use your DuckDNS domain
      - 'traefik.http.routers.traefik-secure.middlewares=traefik-auth'
      - 'traefik.http.routers.traefik-secure.tls=true'
      - 'traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt' # Use the Let's Encrypt resolver
      - 'traefik.http.routers.traefik-secure.service=api@internal'

  duckdns-updater:
    build: .
    container_name: duckdns-updater
    restart: unless-stopped
    environment:
      - DOMAIN=${DUCKDNS_DOMAIN}
      - TOKEN=${DUCKDNS_TOKEN}

networks:
  proxy:
    external: true # or comment this line to auto create the network

my traefik.yml:

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ':80'
    http:
      #  middlewares: # uncomment if using CrowdSec - see my video
      #    - crowdsec-bouncer@file
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: ${DUCKDNS_DOMAIN}.duckdns.org
            sans:
              - '*.${DUCKDNS_DOMAIN}.duckdns.org'
  # tcp:
  # address: ":10000"
  # apis:
  # address: ":33073"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
  file:
    filename: config.yaml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
certificatesResolvers:
  letsencrypt:
    acme:
      # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: ************
      storage: acme.json
      dnsChallenge:
        provider: duckdns # change as required
        propagation:
          delayBeforeChecks: 120
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

log:
  level: 'INFO'
  filePath: '/var/log/traefik/traefik.log'
accessLog:
  filePath: '/var/log/traefik/access.log'

error:

2025-02-27T16:52:35+01:00 INF Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
2025-02-27T16:59:46+01:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [my-traefik-docker.duckdns.org]: error: one or more domains had a problem:   \n[my-traefik-docker.duckdns.org] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.21.0.2:48141->99.79.16.64:53: i/o timeout [ns=ns5.duckdns.org.:53,       question='_acme-challenge.my-traefik-docker.duckdns.org. IN  TXT']\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory               domains=["my-traefik-docker.duckdns.org"] providerName=letsencrypt.acme routerName=traefik-secure@docker rule=Host(`my-traefik-docker.duckdns.org`)
2

If it’s just a single domain (or a few, but no wildcard), why not use simple tlsChallenge, which is a lot less complex.

I think the wildcard is only useful with a paid DuckDNS account with many domains.

Also note that you don’t need customrequestheaders, as that is set automatically.

Maybe check simple Traefik example for best practice.

3

I changed it to use tlschallenge and it's giving me this error:

2025-02-28T11:08:34+01:00 ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [my-traefik-docker.duckdns.org]: error: one or more domains had a problem:\n[my-traefik-docker.duckdns.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 102.89.23.245: Fetching http://my-traefik-docker.duckdns.org/.well-known/acme-challenge/bfgX0paugvYZDuh2KjW_ayyLW5lgmow70igxAWnjA0o: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["my-traefik-docker.duckdns.org"] providerName=letsencrypt.acme routerName=traefik-secure@docker rule=Host(`my-traefik-docker.duckdns.org`)

Think it's because port 80 isn't being exposed properly?

4

httpChallenge uses port 80, tlsChallenge uses port 443. Traefik needs to be available on one of those ports from the Internet and the domain needs to point to it, to create a LetsEncrypt TLS certs via those less complex challenges.