No default certificate, fallback... someone help please?

kosta88 · October 20, 2025, 6:09pm

Hello,

I am new to Traefik, my first setup was this weekend. I think I had pretty much success, albeit lots of showstoppers while setting up. But I think I got the gist of it... except, TLS isn't working.

I get consistent:

No default certificate, fallback to the internal generated certificate tlsStoreName=default

And in browser I only see the selfsigned cert.

Even though acme.json is populated with the cert from LE, and apparently works with Cloudflare.

For some reason, the certificate is not being used.

Here are my configs:

docker-compose.yaml for Traefik:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - TZ=Europe/Vienna
      - CF_API_EMAIL=email
      - CF_DNS_API_TOKEN=xxxxxxxx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /path/traefik/config/traefik.yaml:/traefik.yaml:ro
      - /path/traefik/config/config.yaml:/config.yaml:ro
      - /path/traefik/certs/acme.json:/certs/acme.json
    networks:
      - frontend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.api.rule=Host(`dashboard.server.home.domain.example`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=xxxxxx"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`dashboard.server.home.domain.example`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=home.domain.example"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.domain.example"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  frontend:
    external: true

Then static configs:

traefik.yaml

global:
  checkNewVersion: false
  sendAnonymousUsage: false
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
certificatesResolvers:
  letsencrypt:
    acme:
      storage: /certs/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yaml
log:
  level: DEBUG

config.yaml:

http:
  middlewares:    
    default-security-headers:
      headers:
        customBrowserXSSValue: 0                            
# X-XSS-Protection=1; mode=block
        contentTypeNosniff: true                          
# X-Content-Type-Options=nosniff
        forceSTSHeader: true                              
# Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false                                   
# X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true                        
# Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  
# Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600                              
# Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"     
        customRequestHeaders:
          X-Forwarded-Proto: https

And then the app that is using the traefik:

docker-compose.yaml

---
services:
  app:
    image: app:latest
    container_name: app
    environment:
      - TZ=Europe/Vienna
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.server.home.domain.example`)"
      - "traefik.http.routers.app.entrypoints=https"
      - "traefik.http.routers.app.tls=true"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=80"
    volumes:
      - /path/app:/config
    networks:
      - frontend
    ports:
      - 8888:8888
    restart: unless-stopped
networks:
  frontend:
    external: true

Posted this on Reddit too, before someone wonders.

I hope someone can help with this, I am totally stuck.

bluepuma77 · October 20, 2025, 8:58pm

Enable and check Traefik debug log (doc), any "ERR" in logs? Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

kosta88 · October 20, 2025, 10:24pm

Already have debug enabled, thanks.

No ERR messages.

Not sure why I would need to use the log-file, I am using “docker logs traefik -f” to monitor the log quite successfully. Is the file-written log different?

The debug is working though, if I visit the site (dashboard), I see the requests. Nothing about the certificate though.

2025-10-21T00:18:24+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=traefik-auth@docker middlewareType=BasicAuth

2025-10-21T00:18:24+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=traefik-auth@docker middlewareType=BasicAuth

If I check the cert on the website, I see this:

TRAEFIK DEFAULT CERT

Moreover, spent a while today troubleshooting and researching…

I saw that when using Dashboard, I didn’t manage it to use the domain-wilcard-cert.

But, if I used Traefik on the app, I had two situations:

starting traefik with app-container stopped would get certificates for domain.example and *.domain.example, and after starting the app, I would see the above default cert
starting traefik with app-container started would get 3 certificates; both for the domain, AND app.server.home.example.local certificate, the one for the app directly, and then I would get the certificate in the browser too

(Note, all tests are done with LE staging, but I think the test is reliably, until the fact that it’s not validated as trusted in general).

I don’t know really… why isn’t my domain.example or wildcard.domain.example recognized as usable certificates??

bluepuma77 · October 21, 2025, 8:29am

You should enable debug and access log. Access log in JSON will tell you about each request, how it is handled.

My best practice is to declare and assign TLS in static config with entrypoint, only use very simple config for services (Host and port), see example.

kosta88 · October 21, 2025, 8:12pm

Many hours later…
I went away from the config file, I figured the newest way is “command:” in docker-compose file.

So my new and only config now, docker-compose.yaml:

services:
  traefik:
    image: traefik:3.5
    container_name: traefik
    command:
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
      - "--api.dashboard=true"
      - "--api.debug=true"
      - "--serverstransport.insecureskipverify=true"
      - "--entrypoints.web.address=:80"
#      - "--entrypoints.web.address.http.redirections.entrypoint.to=websecure"
#      - "--entrypoints.web.address.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
#      - "--entrypoints.websecure.asdefault=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
      - "--entrypoints.websecure.http.tls.domains[0].main=home.domain.example"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.home.domain.example"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.email=email@address"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
#      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/traefik-access.log"
      - "--accesslog.format=json"
      - "--log=true"
      - "--log.filepath=/logs/traefik.log"
      - "--log.format=json"
    restart: unless-stopped
    environment:
      - TZ=Europe/Vienna
      - CF_API_EMAIL=email@address
      - CF_DNS_API_TOKEN=tokenxxxxxx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /path/traefik/certs/acme.json:/certs/acme.json
    networks:
      - frontend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`dashboard.home.domain.example`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=user:sdfdfgdfgdfgdg"
      - "traefik.http.services.dashboard.loadbalancer.server.port=80"
networks:
  frontend:
    external: true

Now, with this config I can access dashboard on port 80 and I get a basic auth. Fine.

Going for HTTPS: not really. I still get the “TRAEFIK DEFAULT CERT” self signed cert.

So I managed to configure logs too, this is what I am seeing when accessing dashboard via HTTPS (redacted):

{"level":"debug","time":"2025-10-21T22:02:54+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"dashboard.server.home.domain.example\""}
{"time":"2025-10-21T22:02:54+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:51589: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-21T22:02:54+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"dashboard.server.home.domain.example\""}
{"level":"debug","middlewareName":"myauth@docker","middlewareType":"BasicAuth","time":"2025-10-21T22:02:54+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:81","message":"Authentication failed"}
{"level":"debug","middlewareName":"myauth@docker","middlewareType":"BasicAuth","time":"2025-10-21T22:02:59+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88","message":"Authentication succeeded"}
{"level":"debug","middlewareName":"myauth@docker","middlewareType":"BasicAuth","time":"2025-10-21T22:02:59+02:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88","message":"Authentication succeeded"}

Unforunately, accesslog is not showing me anything.

Also, docker logs is empty, as long as I have logging into files enabled.

If I disable:

2025-10-21T22:07:24+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:957 > Looking for provided certificate(s) to validate ["home.domain.example" "*.home.domain.example"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
2025-10-21T22:07:24+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1001 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["home.domain.example","*.home.domain.example"] providerName=letsencrypt.acme
2025-10-21T22:07:24+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:957 > Looking for provided certificate(s) to validate ["home.domain.example" "*.home.domain.example"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
2025-10-21T22:07:24+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1001 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["home.domain.example","*.home.domain.example"] providerName=letsencrypt.acme
2025-10-21T22:08:39+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:39+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:51482: remote error: tls: unknown certificate
2025-10-21T22:08:39+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:39+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:64835: remote error: tls: unknown certificate
2025-10-21T22:08:42+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:42+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:65145: remote error: tls: unknown certificate
2025-10-21T22:08:42+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:42+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:64023: remote error: tls: unknown certificate
2025-10-21T22:08:46+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:46+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:53783: remote error: tls: unknown certificate
2025-10-21T22:08:48+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:48+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:62324: remote error: tls: unknown certificate
2025-10-21T22:08:49+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:49+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:52326: remote error: tls: unknown certificate
2025-10-21T22:08:49+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:49+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:81 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:53+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "dashboard.server.home.domain.example"
2025-10-21T22:08:53+02:00 DBG log/log.go:245 > http: TLS handshake error from 10.10.10.100:51970: remote error: tls: unknown certificate
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:81 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:81 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:81 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth
2025-10-21T22:08:54+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:88 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth

I am still wondering very much why the certificate is not being loaded!? Why is it taking the traefik self signed…

Same goes for one external application I am trying to use… now minimalized:

services:
  app:
    image: app
    container_name: app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.server.home.domain.example`)"
      - "traefik.http.routers.app.entrypoints=websecure"
#      - "traefik.http.routers.app.tls=true"
#      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=80"
    volumes:
      - /path/app:/config
    networks:
      - frontend
    ports:
      - 80:80
    restart: unless-stopped
networks:
  frontend:
    external: true

And yet, default cert persists.

Idea…?

kosta88 · October 21, 2025, 9:38pm

Oh and btw, I expect these tests to actually work with Staging-LE. I understand it won’t be trusted, but I would expect the browser to show the staging certificate (and that it’s not trusted, of course).

kosta88 · October 22, 2025, 5:13am

Step further:

Now, I got the certificate to load, but I didn’t see these labels really anywhere as required. And: not working properly.

I am getting “net::ERR_CERT_COMMON_NAME_INVALID”

Labels are:

  **-** "traefik.tls.stores.default.defaultgeneratedcert.resolver=letsencrypt"

  **-** "traefik.tls.stores.default.defaultgeneratedcert.domain.main=home.domain.example"

  **-** "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=\*.home.domain.example"

Any ideas what is going on?

kosta88 · October 23, 2025, 6:12am

I also removed the domains from the entrypoints, and left them in labels only.

That seems to have made the situation better, now not getting any errors really that I can see.

However, I still get an issue with the cert, same as above:

ERR_CERT_COMMON_NAME_INVALID

Not sure why it would say that common name is invalid, because the CN is basically home.domain.example (not *.home.domain.example).

Might that be an issue?

bluepuma77 · October 23, 2025, 6:29am

It seems you got some basic setup issues, if you can’t get debug and access log to run.

Interesting parts would be debug log with entrypoint, acme, tls and router.

Access log with a problematic request, to see what Traefik is matching.

You stated you get a cert in acme.json, is that for your domain? For multi-level domains you usually need to create the sub-domains within Cloudflare first.

You can also use LE-Prod, just make sure to persist the acme.json file as you can only create the cert for a domain 5 times within a week.

kosta88 · October 23, 2025, 10:08am

I did get debug and access log to run. This is what I get when accessing my website. Cert is there, it’s being loaded, and yet:

{"level":"debug","time":"2025-10-23T12:10:15+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:10:15+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:10:15+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:10:19+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","error":"context canceled","time":"2025-10-23T12:10:25+02:00","caller":"github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:121","message":"499 Client Closed Request"}
{"level":"debug","error":"context canceled","time":"2025-10-23T12:10:25+02:00","caller":"github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:121","message":"499 Client Closed Request"}
{"level":"debug","time":"2025-10-23T12:10:31+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"time":"2025-10-23T12:10:31+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:56978: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-23T12:10:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"time":"2025-10-23T12:10:32+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:58301: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-23T12:11:29+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"time":"2025-10-23T12:11:29+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:55272: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-23T12:11:31+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"time":"2025-10-23T12:11:31+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:55289: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"time":"2025-10-23T12:11:32+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:55394: remote error: tls: unknown certificate"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288","message":"Serving default certificate for request: \"app.server.home.domain.example\""}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:32+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:33+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"level":"debug","time":"2025-10-23T12:11:33+02:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175","message":"Service selected by WRR: http://172.23.0.3:6767"}
{"time":"2025-10-23T12:11:34+02:00","caller":"log/log.go:245","level":"debug","message":"http: TLS handshake error from 192.168.10.100:55999: remote error: tls: unknown certificate"}

And also the access log:

{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":2214789,"OriginContentSize":2,"OriginDuration":1920156,"OriginStatus":200,"Overhead":294633,"RequestAddr":"app.server.home.domain.example","RequestContentSize":1,"RequestCount":78,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXYEr\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:03:35.539446235+02:00","StartUTC":"2025-10-23T10:03:35.539446235Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:03:35+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":130,"DownstreamStatus":200,"Duration":83323375,"OriginContentSize":130,"OriginDuration":83195862,"OriginStatus":200,"Overhead":127513,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":80,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/badges","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:03:45.578531787+02:00","StartUTC":"2025-10-23T10:03:45.578531787Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:03:45+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":1,"DownstreamStatus":200,"Duration":25002576878,"OriginContentSize":1,"OriginDuration":25002441097,"OriginStatus":200,"Overhead":135781,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":79,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXYEr.0\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:03:35.539444261+02:00","StartUTC":"2025-10-23T10:03:35.539444261Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:00+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":1907154,"OriginContentSize":2,"OriginDuration":1645297,"OriginStatus":200,"Overhead":261857,"RequestAddr":"app.server.home.domain.example","RequestContentSize":1,"RequestCount":81,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXeLZ\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:00.54473747+02:00","StartUTC":"2025-10-23T10:04:00.54473747Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:00+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":1,"DownstreamStatus":200,"Duration":25002449053,"OriginContentSize":1,"OriginDuration":25002330231,"OriginStatus":200,"Overhead":118822,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":82,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXeLZ.0\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:00.544739409+02:00","StartUTC":"2025-10-23T10:04:00.544739409Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:25+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":2099579,"OriginContentSize":2,"OriginDuration":1817928,"OriginStatus":200,"Overhead":281651,"RequestAddr":"app.server.home.domain.example","RequestContentSize":1,"RequestCount":84,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXkSI\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:25.554027748+02:00","StartUTC":"2025-10-23T10:04:25.554027748Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:25+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":1,"DownstreamStatus":200,"Duration":25002708042,"OriginContentSize":1,"OriginDuration":25002579013,"OriginStatus":200,"Overhead":129029,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":83,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXkSJ\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:25.55400544+02:00","StartUTC":"2025-10-23T10:04:25.55400544Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:50+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":1989337,"OriginContentSize":2,"OriginDuration":1858451,"OriginStatus":200,"Overhead":130886,"RequestAddr":"app.server.home.domain.example","RequestContentSize":1,"RequestCount":85,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXqZ0\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:50.559569939+02:00","StartUTC":"2025-10-23T10:04:50.559569939Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:04:50+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":1,"DownstreamStatus":200,"Duration":25002253607,"OriginContentSize":1,"OriginDuration":25001979711,"OriginStatus":200,"Overhead":273896,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":86,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXqZ1\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:04:50.559584932+02:00","StartUTC":"2025-10-23T10:04:50.559584932Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:15+02:00"}
{"ClientAddr":"192.168.10.100:54589","ClientHost":"192.168.10.100","ClientPort":"54589","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":2726046,"OriginContentSize":2,"OriginDuration":2585077,"OriginStatus":200,"Overhead":140969,"RequestAddr":"app.server.home.domain.example","RequestContentSize":1,"RequestCount":87,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXwfj\u0026sid=7hl7ZckvJqJ4nsYGAAAO","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:15.564723476+02:00","StartUTC":"2025-10-23T10:05:15.564723476Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:15+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":829,"DownstreamStatus":200,"Duration":3773579,"OriginContentSize":829,"OriginDuration":3657926,"OriginStatus":200,"Overhead":115653,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":89,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.090167888+02:00","StartUTC":"2025-10-23T10:05:29.090167888Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":2350,"DownstreamStatus":200,"Duration":4354344,"OriginContentSize":2350,"OriginDuration":4062527,"OriginStatus":200,"Overhead":291817,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":91,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/images/logo64.png","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.172565424+02:00","StartUTC":"2025-10-23T10:05:29.172565424Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":15740,"DownstreamStatus":200,"Duration":7486911,"OriginContentSize":15740,"OriginDuration":7335161,"OriginStatus":200,"Overhead":151750,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":90,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/assets/roboto-latin-300-normal-ThHrQhYb.woff2","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.172546101+02:00","StartUTC":"2025-10-23T10:05:29.172546101Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":3,"DownstreamStatus":200,"Duration":12808052,"OriginContentSize":3,"OriginDuration":12674114,"OriginStatus":200,"Overhead":133938,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":93,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/system/searches?query=","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.181115543+02:00","StartUTC":"2025-10-23T10:05:29.181115543Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":107,"DownstreamStatus":200,"Duration":4460324,"OriginContentSize":107,"OriginDuration":4361517,"OriginStatus":200,"Overhead":98807,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":95,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXz-j","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.197109443+02:00","StartUTC":"2025-10-23T10:05:29.197109443Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":2,"DownstreamStatus":200,"Duration":3061993,"OriginContentSize":2,"OriginDuration":2958524,"OriginStatus":200,"Overhead":103469,"RequestAddr":"app.server.home.domain.example","RequestContentSize":2,"RequestCount":96,"RequestHost":"app.server.home.domain.example","RequestMethod":"POST","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXz-q\u0026sid=KiWKFpWvUdr8ttU4AAAQ","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.204444198+02:00","StartUTC":"2025-10-23T10:05:29.204444198Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":32,"DownstreamStatus":200,"Duration":4291553,"OriginContentSize":32,"OriginDuration":4014694,"OriginStatus":200,"Overhead":276859,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":97,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/socket.io/?EIO=4\u0026transport=polling\u0026t=PeGXz-q.0\u0026sid=KiWKFpWvUdr8ttU4AAAQ","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.204451611+02:00","StartUTC":"2025-10-23T10:05:29.204451611Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":3027,"DownstreamStatus":200,"Duration":39676220,"OriginContentSize":3027,"OriginDuration":39582108,"OriginStatus":200,"Overhead":94112,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":92,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/system/settings","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.179876275+02:00","StartUTC":"2025-10-23T10:05:29.179876275Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":130,"DownstreamStatus":200,"Duration":110421578,"OriginContentSize":130,"OriginDuration":110120166,"OriginStatus":200,"Overhead":301412,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":94,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/badges","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.181121259+02:00","StartUTC":"2025-10-23T10:05:29.181121259Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":5798,"DownstreamStatus":200,"Duration":46474947,"OriginContentSize":5798,"OriginDuration":46379256,"OriginStatus":200,"Overhead":95691,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":99,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/series?start=0\u0026length=1000","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.284767427+02:00","StartUTC":"2025-10-23T10:05:29.284767427Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":384,"DownstreamStatus":200,"Duration":3162565,"OriginContentSize":384,"OriginDuration":3044014,"OriginStatus":200,"Overhead":118551,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":100,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/api/system/languages/profiles","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:29.443017212+02:00","StartUTC":"2025-10-23T10:05:29.443017212Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:29+02:00"}
{"ClientAddr":"192.168.10.100:50152","ClientHost":"192.168.10.100","ClientPort":"50152","ClientUsername":"-","DownstreamContentSize":987,"DownstreamStatus":200,"Duration":2935731,"OriginContentSize":987,"OriginDuration":2781806,"OriginStatus":200,"Overhead":153925,"RequestAddr":"app.server.home.domain.example","RequestContentSize":0,"RequestCount":101,"RequestHost":"app.server.home.domain.example","RequestMethod":"GET","RequestPath":"/sw.js","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"bazarr@docker","ServiceAddr":"172.23.0.3:6767","ServiceName":"bazarr@docker","ServiceURL":"http://172.23.0.3:6767","StartLocal":"2025-10-23T12:05:30.975742696+02:00","StartUTC":"2025-10-23T10:05:30.975742696Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2025-10-23T12:05:30+02:00"}

Not sure what that tells me though.

kosta88 · October 23, 2025, 10:18am

Hm, reading on, I think I have one knowledge error:

I thought .domain.example would cover all levels upwards from *. But it actually only covers the first level.

So, what am I missing? Do I need it request a certificate for *.server.home.domain.example?

bluepuma77 · October 23, 2025, 11:11am

Yes. AFAIK you need to create server.home.domain.example in Cloudflare to get wildcard for it.

kosta88 · October 23, 2025, 2:28pm

Thank you for bearing up with me. Have it working great now. It was simply my dumb misunderstanding about wildcard certs.

Next step will be about how I setup everything to have it externally available, but safe. But, that’s another topic.

Topic		Replies	Views
Traefik issues default certificate Traefik v2 docker , letsencrypt-acme	13	3669	June 19, 2023
Always get "404 page not found" or NET::ERR_CERT_AUTHORITY_INVALID Traefik v2 docker	11	4126	July 24, 2021
Traefik occasionally returns the default certificate Traefik v2 kubernetes-crd	0	769	November 12, 2020
Traefik not getting SSL certificates for some domains Traefik v1 letsencrypt-acme	11	14475	July 24, 2019
Please help, I am loosing my mind over ssl Traefik v1 docker	29	3428	August 14, 2019

No default certificate, fallback... someone help please?

Related topics