I have my static config defined in traefik.yml as
# Traefik entrypoints (network ports) configuration
entryPoints:
# Not used in apps, but redirect everything from HTTP to HTTPS
# HTTPS endpoint, with domain wildcard
https:
address: :443
forwardedHeaders:
# Reuse list of Cloudflare Trusted IP's above for HTTPS requests
trustedIPs: *trustedIps
http:
tls:
# Generate a wildcard domain certificate
certResolver: leexample
domains:
- main: example.com # change this to your proxy domain
sans:
- '*.example.com' # change this to your proxy domain
middlewares:
- security-headers@file # reference to a dynamic middleware for setting http security headers per default
- rate-limit@file # reference to a dynamic middleware for enabling rate limiting per default
- chain-basic-auth@file
and I have the certResolver defined in the same file as
# Use letsencrypt to generate ssl certificates
certificatesResolvers:
leexample:
acme:
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: homeserver@example.com # change to your provider account email address. The API token is defined in the docker-compose.yml as environment variable
storage: /certs/acme/example.json
dnsChallenge:
provider: cloudflare
# Used to make sure the dns challenge is propagated to the rights dns servers
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
I have the docker provider defined with defaultRule that will apply for all subdomains in example.com in the same (traefik.yml) as
docker:
watch: true
defaultRule: 'Host(`{{ index .Labels "com.homeserver.service.name"}}.example.com`)'
swarmModeRefreshSeconds: 15s
exposedByDefault: false
endpoint: unix:///var/run/docker.sock
However when traefik starts up it does not seem to find it and throws the following error
{"entryPointName":"https","level":"debug","msg":"Adding route for [whoami.example.com](https://whoami.example.com) with TLS options default","time":"2023-03-20T22:31:49-07:00"}
{"level":"error","msg":"the router https-whoami@docker uses a non-existent resolver: le-example-com","time":"2023-03-20T22:31:49-07:00"}
Do you have another (old) service/container running with the resolver le-example-com assigned?
Do you use provider.file with a directory and have other (old) config files in the directory?
Do you use a docker-compose.yml file? Can you share it?
This is my entire docker-compose.yml
version: "3.8"
services:
traefik:
image: "traefik:latest"
container_name: "traefik"
env_file:
- .env
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- $APPDATADIR/traefik/traefik.yml:/etc/traefik/traefik.yml
- $APPDATADIR/traefik/providers:/providers # file provider directory
- $APPDATADIR/traefik/logs:/logs # logs directory
- $APPDATADIR/traefik/certs:/certs # certs directory
labels:
- "com.homeserver.service.name=traefik"
- "com.homeserver.domain.name=$DOMAIN_REDACTED"
whoami:
image: "traefik/whoami"
container_name: "whoami"
labels:
- "traefik.enable=true"
- "com.homeserver.service.name=whoami"
- "com.homeserver.domain.name=$DOMAIN_REDACTED"
homepage:
container_name: homepage
env_file:
- .env
environment:
- PUID=$PUID
- PGID=$PGID
image: ghcr.io/benphelps/homepage:latest
labels:
- "com.REDACTED.app-template-processor.version=1.0.0"
- "com.REDACTED.app-template-processor.description=A highly customizable homepage
(or startpage / application dashboard) with Docker and service API integrations."
- "traefik.enable=true"
- "com.homeserver.service.name=homepage"
- "com.homeserver.domain.name=$DOMAIN_REDACTED"
platform: linux
ports:
- 3000:3000/tcp
restart: unless-stopped
volumes:
- $APPDATADIR/homepage/config:/var/homepage/config:rw
- $APPDATADIR/homepage/data:/var/homepage/data:rw
watchtower:
# WatchTower - Automatic Docker Container Updates
image: containrrr/watchtower:latest
container_name: watchtower
restart: unless-stopped
environment:
TZ: $TZ
WATCHTOWER_CLEANUP: "true"
WATCHTOWER_REMOVE_VOLUMES: "true"
WATCHTOWER_INCLUDE_STOPPED: "true"
WATCHTOWER_INCLUDE_RESTARTING: "true"
WATCHTOWER_ROLLING_RESTART: "true"
WATCHTOWER_NO_STARTUP_MESSAGE: "false"
WATCHTOWER_SCHEDULE: "0 30 1 * * *" # Everyday at 1:30
WATCHTOWER_NOTIFICATIONS: shoutrrr
WATCHTOWER_NOTIFICATION_URL: "telegram://2065182960:REDACTED@telegram?channels=REDACTED"
WATCHTOWER_NOTIFICATIONS_LEVEL: info
DOCKER_API_VERSION: "1.39"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
This is my entire /providers/traefik.yml
# Traefik global configuration
global:
checkNewVersion: true
sendAnonymousUsage: false
# Enable traefik ui dashboard
api:
dashboard: true
insecure: true
# Log level INFO|DEBUG|ERROR
log:
level: DEBUG
filePath: /logs/traefik.log
format: json
# Configuring Multiple Filters
accessLog:
filePath: "/logs/traefik.log"
format: json
filters:
statusCodes:
# - "200" # log successful http requests
- "400-599" # log failed http requests
#retryAttempts: true
#minDuration: "10ms"
# collect logs as in-memory buffer before writing into log file
bufferingSize: 0
fields:
headers:
defaultMode: drop # drop all headers per default
names:
User-Agent: keep # log user agent strings
# The setting below is to allow insecure backend connections.
serversTransport:
insecureSkipVerify: true
# Traefik entrypoints (network ports) configuration
entryPoints:
# Not used in apps, but redirect everything from HTTP to HTTPS
http:
address: :80
forwardedHeaders:
trustedIPs: &trustedIps
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 104.16.0.0/13
- 104.24.0.0/14
- 108.162.192.0/18
- 131.0.72.0/22
- 141.101.64.0/18
- 162.158.0.0/15
- 172.64.0.0/13
- 173.245.48.0/20
- 188.114.96.0/20
- 190.93.240.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
redirections:
entryPoint:
to: https
scheme: https
middlewares:
- chain-basic-auth@file
# HTTPS endpoint, with domain wildcard
https:
address: :443
forwardedHeaders:
# Reuse list of Cloudflare Trusted IP's above for HTTPS requests
trustedIPs: *trustedIps
http:
tls:
# Generate a wildcard domain certificate
certResolver: leredacted
domains:
- main: redacted.com # change this to your proxy domain
sans:
- '*.redacted.com' # change this to your proxy domain
middlewares:
- security-headers@file # reference to a dynamic middleware for setting http security headers per default
- rate-limit@file # reference to a dynamic middleware for enabling rate limiting per default
- chain-basic-auth@file
providers:
providersThrottleDuration: 2s
# File provider for connecting things that are outside of docker / defining middleware
file:
directory: /providers
watch: true
# Docker provider for connecting all apps that are inside of the docker network
docker:
watch: true
defaultRule: 'Host(`{{ index .Labels "com.homeserver.service.name"}}.{{ index .Labels "com.homeserver.domain.name"}}`)'
swarmModeRefreshSeconds: 15s
exposedByDefault: false
endpoint: unix:///var/run/docker.sock # $TODO
# Use letsencrypt to generate ssl certificates
certificatesResolvers:
leredacted:
acme:
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: homeserver@redacted.com # change to your provider account email address. The API token is defined in the docker-compose.yml as environment variable
storage: /certs/acme/redacted.json
dnsChallenge:
provider: cloudflare
# Used to make sure the dns challenge is propagated to the rights dns servers
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
This is my entire /providers/tls-options.yml
tls:
options:
tls-opts:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true