Issues with Traefik, Cloudflare and PiHole

I need some help understanding what happens in this case here with traefik.
I'm trying to use wildcards to get SSL on my services.

I just bought a domain in Cloudflare. Do I need to make any DNS records in there?

New to traefik and trying to follow a guide to get it to work. I can't reach the traefik dashboard when trying to connect to it via traefik-dashboard.[domain].com

I have PiHole setup with a DNS record docker-01."domain".com -> 192.168.1.108 which is the IP of my docker host. Then I have a CNAME for traefik-dashboard."domain".com to point to that DNS record.

When I do an nslookup of the domain in my docker host I get this.

nslookup traefik-dashboard.<domain>.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
traefik-dashboard.<domain>.com canonical name = docker-01.<domain>.com.
Name:   docker-01.<domain>.com
Address: 192.168.1.108

Here is my docker compose file:

---
services:
  traefik:
    image: traefik:v3.1.5
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 8585:8080
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file:
      - path: ./.env
        required: true # default
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./certificates/acme.json:/certificates/acme.json
      - ./logs/:/logs/

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.${DOMAIN}`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"

      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.${DOMAIN}`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAIN}"
      - "traefik.http.routers.traefik-secure.service=api@internal"

secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  proxy:
    external: true

Here is my traefik.yml:

api:
  dashboard: true
  debug: true
  insecure: true

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: "${DOMAIN}"
            sans:
              - "${DOMAIN}"

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   directory: /dynamic
  #   watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: ${CLOUDFLARE_EMAIL}
      storage: /certificates/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting it to true removes the wait for the TXT record to propagate to all authoritative name servers
        delayBeforeCheck: 10s # uncomment along with disablePropagationCheck if needed, so the TXT record is ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  filepath: "/logs/traefik.log"
  level: DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
accessLog:
  filepath: "/logs/access.log"
  bufferingSize: 100 # Configuring a buffer of 100 lines
  filters:
    statusCodes: "204-299,400-499,500-599"

Here is the log file from traefik, no issues in there from what I can see?

2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.1.5 built on 2024-10-02T12:49:07Z version=3.1.5
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={"accessLog":{"bufferingSize":100,"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filePath":"/logs/access.log","filters":{"statusCodes":["204-299","400-499","500-599"]},"format":"common"},"api":{"dashboard":true,"debug":true,"insecure":true},"certificatesResolvers":{"cloudflare":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"delayBeforeCheck":"10s","disablePropagationCheck":true,"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"email":"${CLOUDFLARE_EMAIL}","keyType":"RSA4096","storage":"/certificates/acme.json"}}},"entryPoints":{"traefik":{"address":":8080","forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"web":{"address":":80","forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":9223372036854775806,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","forwardedHeaders":{},"http":{"tls":{"certResolver":"cloudflare","domains":[{"main":"${DOMAIN}","sans":["${DOMAIN}"]}]}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"filePath":"/logs/traefik.log","format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:617 > 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=websecure
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=web
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=traefik
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","watch":true}
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"cloudflare","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"delayBeforeCheck":"10s","disablePropagationCheck":true,"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"email":"${CLOUDFLARE_EMAIL}","keyType":"RSA4096","storage":"/certificates/acme.json","store":{}}
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:213 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-10-09T13:34:06+02:00 INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:798 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"dashboard_redirect":{"redirectRegex":{"permanent":true,"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/"}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}},"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"models":{"websecure":{"tls":{"certResolver":"cloudflare","domains":[{"main":"${DOMAIN}","sans":["${DOMAIN}"]}]}}},"routers":{"api":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/api`)","ruleSyntax":"v3","service":"api@internal"},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"priority":9223372036854775805,"rule":"PathPrefix(`/`)","ruleSyntax":"v3","service":"dashboard@internal"},"debug":{"entryPoints":["traefik"],"priority":9223372036854775806,"rule":"PathPrefix(`/debug`)","ruleSyntax":"v3","service":"api@internal"},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":9223372036854775806,"rule":"HostRegexp(`^.+$`)","ruleSyntax":"v3","service":"noop@internal"}},"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=cloudflare.acme
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 27.3.1 (API 1.47) providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=wireguard-wireguard-abc75e8829d0f595deda35f643d63967752b9147cf750e0eb949ace05e5f4485 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=esphome-esphome-f83ae0d4620a775fdf04e6097674edc46a1244452813ee84313d67646b17a5ef providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=appdaemon-homeassistant-195c6dd7eb8f4d049b9c6dc117a63740e6985bd498f51e3a2063314db753c909 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=homeassistant-homeassistant-310741e54712ace4c7b5067a22cd47c367f1cc8fc097767458bd74f515b5c77d providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=homepage-homepage-916e340d14c7b2e841eb5d58d7a4381f633dce2655bbc281b539c3beaaa50ef1 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=mealie-mealie-5e2483625f18f9f20c9a264b850cf9df3c6081b5ce1875d6456de60144d94b60 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=portainer-portainer-5887c685e73aa003e427c3c8a6755eedc0b1ff5cda22ee79a2051af270a49fe0 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=unifi-controller-unifi-e8a0210f0efbbde98264360a29baa6adf208928ace40181db2353fd9daafc47a providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=bazarr-opt-1b0b6297f9a92232d4e30b43f5f1972d01da37ea8aba9f90a8b686ef7cdf3ab0 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=radarr-opt-fd7a238cdc78aa33b1b79f6024a01eea6b3092de1c9059f8a61d1817218a3fb9 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=sabnzbd-opt-6a65604d86a4f64babc95e2d82188fd8ccb754f438388f8318aa635f7a1c380c providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=sonarr-opt-0e6f518000cff7aa4d8aa71effa2ee600b9dea74c429b8012f1491ba2ab34ea9 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=loki-opt-eff7ac912c0c232c4d60a0407d28df883bb08629b859426f30f7a64c99e39c79 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=grafana-opt-8ebeb41aa2ba54e683fa5e4fdf3064ed9c15093903fc882f25b96480e3225803 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=influxdb-opt-e8af10b95b20151bc74fcb043df132253173317f8309e0aee0b8445f67379c77 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:184 > Filtering disabled container container=promtail-opt-6a12fb22b2ddb58a98b2d57bda5c2d6a784880ba180fe90a7622df741c3aadf3 providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"sslheader":{"headers":{"customRequestHeaders":{"X-Forwarded-Proto":"https"}}},"traefik-auth":{"basicAuth":{"users":["admin:$2y$05$S7ldVY9i64ewiYhT7G88ze.wzT7o9/2RiS2dlLGxdMt8zrFssjE0m"]}},"traefik-https-redirect":{"redirectScheme":{"scheme":"https"}}},"routers":{"traefik":{"entryPoints":["web"],"middlewares":["traefik-https-redirect"],"rule":"Host(`traefik-dashboard.local.${DOMAIN}.com`)","service":"traefik-traefik"},"traefik-secure":{"entryPoints":["websecure"],"middlewares":["traefik-auth"],"rule":"Host(`traefik-dashboard.local.${DOMAIN}.com`)","service":"api@internal","tls":{"certResolver":"cloudflare","domains":[{"main":"local.${DOMAIN}.com","sans":["*.local.${DOMAIN}.com"]}]}}},"services":{"traefik-traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.2:80"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131 > Adding certificate for domain(s) *.local.${DOMAIN}.com,local.${DOMAIN}.com
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:268 > Creating load-balancer entryPointName=web routerName=traefik@docker serviceName=traefik-traefik@docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:310 > Creating server entryPointName=web routerName=traefik@docker serverName=e662f9fa061cf780 serviceName=traefik-traefik@docker target=http://172.23.0.2:80
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=traefik-https-redirect@docker middlewareType=RedirectScheme routerName=traefik@docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https  entryPointName=web middlewareName=traefik-https-redirect@docker middlewareType=RedirectScheme routerName=traefik@docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17 > Creating middleware entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18 > Setting up redirection from ^(http:\/\/(\[[\w:.]+\]|[\w\._-]+)(:\d+)?)\/$ to ${1}/dashboard/ entryPointName=traefik middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=traefik-auth@docker middlewareType=BasicAuth routerName=traefik-secure@docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=traefik-auth@docker routerName=traefik-secure@docker
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik-dashboard.local.${DOMAIN}.com with TLS options default entryPointName=websecure
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:854 > Looking for provided certificate(s) to validate ["local.${DOMAIN}.com" "*.local.${DOMAIN}.com"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:898 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["local.${DOMAIN}.com","*.local.${DOMAIN}.com"] providerName=cloudflare.acme
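
An added example, not code from this thread or from the Traefik project: a small Python triage script for a DEBUG log like the one above. It parses the JSON that Traefik writes on the "Static configuration loaded" and "Configuration received" lines and flags `${VAR}` tokens that were never expanded (Traefik does not substitute environment variables inside traefik.yml, which is why the email and domains appear literally in the static configuration), Host rules that are not covered by a router's tls.domains, and the "No default certificate" message, which means any name without a stored certificate is served the self-signed TRAEFIK DEFAULT CERT. The log lines in the block are constructed to resemble the ones quoted here, with example.com standing in for the real domain.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")
NO_DEFAULT_CERT = "No default certificate, fallback to the internal generated certificate"


def extract_json(line, key):
    """Return the JSON object Traefik logged as `key={...}` on this line (None if absent)."""
    idx = line.find(key + "=")
    if idx < 0:
        return None
    obj, _ = json.JSONDecoder().raw_decode(line, idx + len(key) + 1)
    return obj


def find_placeholders(node, path=""):
    """Yield (json_path, value) for every string that still contains a ${VAR} token."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path, node


def host_covered(host, names):
    """True if host matches one of the certificate names; '*.x' covers exactly one extra label."""
    for name in names:
        if name.startswith("*."):
            suffix = name[1:]  # "*.local.example.com" -> ".local.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == name:
            return True
    return False


def triage(lines):
    """Scan Traefik DEBUG log lines and return a list of findings worth checking."""
    findings = []
    for line in lines:
        if "Static configuration loaded" in line:
            for path, value in find_placeholders(extract_json(line, "staticConfiguration")):
                findings.append(f"unexpanded variable in static config at {path}: {value}")
        elif "Configuration received" in line and "providerName=docker" in line:
            routers = extract_json(line, "config").get("http", {}).get("routers", {})
            for name, router in routers.items():
                # Without explicit tls.domains Traefik derives the names from the Host rule itself.
                domains = router.get("tls", {}).get("domains") or []
                names = [d["main"] for d in domains] + [s for d in domains for s in d.get("sans", [])]
                for host in HOST_RULE.findall(router.get("rule", "")):
                    if names and not host_covered(host, names):
                        findings.append(f"router {name}: {host} is not covered by tls.domains {names}")
        elif NO_DEFAULT_CERT in line:
            findings.append("TLS store has no default certificate: names without a stored "
                            "certificate are served the self-signed TRAEFIK DEFAULT CERT")
    return findings


# Constructed sample lines shaped like the DEBUG output quoted in this thread; example.com
# stands in for the real domain. The static config keeps the literal ${...} tokens, as the
# thread's own log does.
_STATIC = {
    "certificatesResolvers": {"cloudflare": {"acme": {"email": "${CLOUDFLARE_EMAIL}",
                                                      "storage": "/certificates/acme.json"}}},
    "entryPoints": {"websecure": {"address": ":443", "http": {"tls": {
        "certResolver": "cloudflare",
        "domains": [{"main": "${DOMAIN}", "sans": ["${DOMAIN}"]}]}}}},
}
_WILDCARD = {"certResolver": "cloudflare",
             "domains": [{"main": "local.example.com", "sans": ["*.local.example.com"]}]}
_DOCKER = {"http": {"routers": {
    "traefik-secure": {"rule": "Host(`traefik-dashboard.local.example.com`)",
                       "service": "api@internal", "tls": _WILDCARD},
    "whoami-secure": {"rule": "Host(`whoami.example.com`)",
                      "service": "whoami", "tls": _WILDCARD},
}}}
SAMPLE_LOG = [
    "2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > "
    f"Static configuration loaded [json] staticConfiguration={json.dumps(_STATIC)}",
    "2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > "
    f"Configuration received config={json.dumps(_DOCKER)} providerName=docker",
    "2024-10-09T13:34:06+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > "
    f"{NO_DEFAULT_CERT} tlsStoreName=default",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `triage(open("/logs/traefik.log").read().splitlines())`; the `whoami-secure` router in the sample is there only to show the uncovered-host case.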

What does that mean? Is the domain resolved to the correct IP? Can you connect to the IP? Are the ports open? Can you ping the IP? What’s the error you get?

I can do an nslookup as I described above which resolves to the correct internal IP but I don’t reach the site. In Firefox I get an error that the name could not be resolved.

If I understand correctly, I shouldn’t have to open any ports in my router if I’m just doing internal dns through PiHole? PiHole should intercept that and instead of sending that request out it should route it to the internal server that runs traefik?

Can you ping or curl the domain?

What does Traefik access log tell you?

Check if your problem is not the browser cache. I use a separate browser when I'm registering a new canonical name record, because sometimes when you try to access the new site too fast, before the new record has propagated correctly, the browser, instead of asking the DNS server again for the record, just uses the data in its cache.
You can also try to change the TTL to a lower number so the change propagates faster, or reboot the PiHole service.

Note that not only the browser might cache DNS queries, but also the host OS, the router and the DNS server itself (if you use one not from the domain name provider).

I have no problem pinging the address, it gives me back the 192.168.1.108 address which is the internal IP where traefik is running.

I don’t think I was getting anything in the access log, let me check that once I get home again!

Will also check all these caches and make sure to clear them out.

This is ping:

ping traefik-dashboard.local.bookorjeman.com
PING docker-01.local.bookorjeman.com (192.168.1.108) 56(84) bytes of data.
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=2 ttl=64 time=0.020 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=3 ttl=64 time=0.027 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=4 ttl=64 time=0.031 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=5 ttl=64 time=0.020 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=6 ttl=64 time=0.055 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=7 ttl=64 time=0.039 ms
64 bytes from docker-01.local.bookorjeman.com (192.168.1.108): icmp_seq=8 ttl=64 time=0.033 ms

This is what it looks like with curl:

curl traefik-dashboard.local.bookorjeman.com -v
*   Trying 192.168.1.108:80...
* Connected to traefik-dashboard.local.bookorjeman.com (192.168.1.108) port 80 (#0)
> GET / HTTP/1.1
> Host: traefik-dashboard.local.bookorjeman.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://traefik-dashboard.local.bookorjeman.com/
< Date: Mon, 14 Oct 2024 18:56:35 GMT
< Content-Length: 17
< 
* Connection #0 to host traefik-dashboard.local.bookorjeman.com left intact
Moved Permanently

I don't get anything inside my access.log actually, which is weird right?

Try to curl the https site to get certificate info, since traefik responds on http:
"curl -v https://traefik-dashboard.local.bookorjeman.com"

I'm getting this when doing curl:

curl https://traefik-dashboard.local.bookorjeman.com -v
*   Trying 192.168.1.108:443...
* Connected to traefik-dashboard.local.bookorjeman.com (192.168.1.108) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Since you are not getting a certificate created, the first thing I would try (using the staging servers) is to remove everything about domains from both your docker compose and traefik yamls, and instead add this to your dynamic yaml file:

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: cloudflare
        domain:
          main: "local.bookorjeman.com"
          sans:
            - "*.local.bookorjeman.com"

Do you also have a dns-record for local.bookorjeman.com at cloudflare?

I would think so, as the dnsChallenge works by creating a TXT entry for your domain in DNS, which LetsEncrypt then checks externally.

I solved this now finally!
I added entries into cloudflare and that did the trick.

I did also create a brand new vm and moved over all the docker containers and such to it, because it felt like I was doing a bunch of stuff with the network of that vm that screwed things up beyond me fixing it...

But huge thanks guys for helping me with this stuff! I hope everything should just work now.
