Issues with cloudflare and ssl

Traefik Traefik v3 (latest)
,
1

I've been trying to set up traefik in docker with wild cards certificates, but can not get it to route ssl traffic.

This is my docker compose file:

services:
  traefik:
    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=xxxx@xxxx.com"
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - TZ=$TZ
      - CF_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxx
    volumes:
      - $DOCKERDIR/appdata/traefik3/acme/acme.json:/acme.json # Certs File 
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.xxxxx.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

The acme.json file has the certificates and they appear valid.
When I go to the dashboard it shows the route for whoami.
But when I try to navigate the the url I get this:

Screenshot 2025-01-07 at 12.19.11 PM
Screenshot 2025-01-07 at 12.19.11 PM941×494 42.8 KB

If I change the entry point for whoami to use "web" instead of "websecure". I am able to access the page, without ssl.
My router is forwarding ports 443 and 80 to the server ip.

Looking at the logs seems to imply the certificate is valid.

2025-01-07T12:02:47-08:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for .....
2025-01-07T12:02:47-08:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:470 > Trying to challenge certificate for domain .....
2025-01-07T12:02:47-08:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate .... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=whoami@docker ....
2025-01-07T12:02:47-08:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:984 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["whoami.****.com"] providerName=myresolver.acme routerName=whoami@docker rule=Host(`whoami.****.com`)
2

So I've spent days trying to figure this out. And it was a completely boneheaded mistake. :confounded: I was accidentally forwarding port 443 to 433.