Local certificate isn't used for services

I have a local certificate/keyfile from IONOS I want to use for my services.

docker-compose

version: "3.9"

services:
  traefik:
    container_name: traefik-dev
    image: "traefik:latest"
    restart: always
    network_mode: bridge
    ports: 
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/numark1/docker/data_traefik/logs/:/logs/"
      - "/home/numark1/docker/data_traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
      - "/home/numark1/docker/data_traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro"
      - "/home/numark1/docker/data_traefik/certs/ddf2.crt:/certs/ddf2.crt:ro"
      - "/home/numark1/docker/data_traefik/certs/ddf2.key:/certs/ddf2.key:ro"

My traefik.yml

providers:
  docker: {}
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: "true"

api:
  insecure: "true"

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

log:
  level: "DEBUG"
  filePath: "/logs/traefik.log"

My dynamic.yml

tls:
  certificates:
    - certFile: "/certs/ddf2.crt"
      keyFile: "/certs/ddf2.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/certs/ddf2.crt"
        keyFile: "/certs/ddf2.key"

Folder

root@docker:/home/numark1/docker/data_traefik# du -Scha
4.0K    ./dynamic.yml
4.0K    ./traefik.yml
4.0K    ./certs/ddf2.crt
4.0K    ./certs/ddf2.key
12K     ./certs
356K    ./logs/traefik.log
360K    ./logs
12K     .
384K    total

Added labels for my service I want to expose via https

  nginx_recipes:
    image: nginx:mainline-alpine
    restart: always
#    ports:
#      - 80:80
    env_file:
      - stack.env
    depends_on:
      - web_recipes
    volumes:
      - nginx_config:/etc/nginx/conf.d:ro
      - staticfiles:/static:ro
      - ./mediafiles:/media:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.recipes.rule=Host(`recipes.ddf2.de`)
      - traefik.http.routers.recipes.entrypoints=websecure
      - traefik.http.routers.recipes.tls=true 
      - traefik.http.services.recipes.loadbalancer.server.port=80

I already learned that I need to reference certificates in dynamic.yml and not in the traefik.yml static file. But even then I get the Traefik default or a gateway timeout 504 or 499. I don't get it, this is still way too complex for me.

Check inside the Traefik container that the cert files are where they are supposed to be and readable.

docker exec -it <traefik-container> sh

Make sure the crt has three entries.

Enable Traefik debug log and check for errors.

Use a Docker network to connect Traefik and your service, see simple Traefik example.
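The first three checks in this reply as a small script, added here as an example; it is not from the thread or from Traefik, and it assumes the /certs/ddf2.crt and /certs/ddf2.key paths from the question. It only needs sh and grep, so it also runs inside the traefik container; the openssl part is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PEM cert/key pair before
# handing it to Traefik's file provider.
# Usage: check_tls_pair /certs/ddf2.crt /certs/ddf2.key   (paths from the question)

# Count "-----BEGIN CERTIFICATE-----" blocks. A full chain is usually 3
# (leaf, intermediate, root); Traefik serves only what is in this file.
count_pem_entries() {
    grep -cF -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed when the file is readable and contains a PRIVATE KEY block.
has_private_key() {
    [ -r "$1" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

check_tls_pair() {
    crt="$1"; key="$2"
    [ -r "$crt" ] || { echo "cert not readable: $crt"; return 1; }
    has_private_key "$key" || { echo "no private key in: $key"; return 1; }
    n=$(count_pem_entries "$crt")
    echo "certificate entries in $crt: $n"
    [ "$n" -ge 2 ] || echo "WARNING: no intermediate in chain, clients may reject it"
    # Deeper checks need openssl; skip them if the image does not ship it.
    if command -v openssl >/dev/null 2>&1; then
        # Subject, SANs and expiry of the leaf, to compare with the Host() rule.
        openssl x509 -in "$crt" -noout -subject -ext subjectAltName -enddate
        # The leaf's public key and the private key's public part must match.
        c=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
        k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
        [ "$c" = "$k" ] && echo "key matches certificate" || { echo "KEY MISMATCH"; return 1; }
    fi
    return 0
}
```

Run it inside the container with docker exec -it traefik-dev sh and the two paths as arguments; a key mismatch or a single-entry file explains a fallback to the Traefik default certificate.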

Certs look ok for me

root@docker:/home/numark1# docker exec -it traefik-dev sh
/ # ls -lha /certs/
total 20K
drwxr-xr-x    2 root     root        4.0K May 23 21:31 .
drwxr-xr-x    1 root     root        4.0K May 23 21:31 ..
-rw-r--r--    1 root     root        5.0K Jun 23  2022 ddf2.crt
-rw-r--r--    1 root     root        1.6K Jun 16  2022 ddf2.key

In the logs it looks like it gets some data from the certificate, but at the end nothing works.

time="2023-05-23T21:56:41Z" level=debug msg="Adding certificate for domain(s) *.ddf2.de,ddf2.de"
time="2023-05-23T21:56:41Z" level=debug msg="Adding route for speedtest.ddf2.de with TLS options default" entryPointName=websecure
time="2023-05-23T21:57:53Z" level=debug msg="'504 Gateway Timeout' caused by: dial tcp 172.22.0.2:8383: i/o timeout"

What does "make sure the crt has three entries" mean? That it's the full chain inside the cert?

Yes, I mean full chain, usually 3 "entries".

It seems to be a network issue, try to use a common Docker network.

The error seems strange to me. If your target service is listening on port 80, why is the error about a different port? And domain names seem different.