Proxmox and truenas not working

alwayzsomthin · August 8, 2025, 3:35pm

I am at the point to where I am not sure I can see the forest due to the trees!

I can get other sites to work just fine with traefik…it just seems to be these two at the moment.

Any input would be greatly appreciated…afraid to say how long I have been working on this.

when I go to proxmox I am getting “connection refused” and for truenas I am getting “Your connection is not private net::ERR_CERT_AUTHORITY_INVALID”

Here is my compose file…

services:

  traefik:

    image: traefik:latest

    container_name: traefik

    restart: unless-stopped

    security_opt:

      - no-new-privileges:true

    networks:

      traefik:

          ipv4_address: 192.168.69.5

    ports:

      - 80:80

      - 443:443

      # - 443:443/tcp # Uncomment if you want HTTP3

      # - 443:443/udp # Uncomment if you want HTTP3

    environment:

      NAMECOM_API_TOKEN: ${NAMECOM_API_TOKEN} # if using .env

      NAMECOM_USERNAME: ${NAMECOM_USERNAME}

      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}

    env_file: .env # use .env

    volumes:

      - /etc/localtime:/etc/localtime:ro

      - /var/run/docker.sock:/var/run/docker.sock:ro

      - ./traefik/config/traefik.yml:/traefik.yml:ro

      - ./traefik/config/acme.json:/acme.json

      - ./traefik/log:/var/log/traefik

      - ./traefik/config.yml:/config.yml:ro

    labels:

      - "traefik.enable=true"

      - "traefik.http.routers.traefik.entrypoints=http"

      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.domain.com`)"

      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"

      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"

      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"

      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"

      - "traefik.http.routers.traefik-secure.entrypoints=https"

      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.domain.com`)"

      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

      - "traefik.http.routers.traefik-secure.tls=true"

      - "traefik.http.routers.traefik-secure.tls.certresolver=namedotcom"

      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"

      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"

      - "traefik.http.routers.traefik-secure.service=api@internal"

###########################################################################

traefik.yml

api:

  dashboard: true

  debug: true

entryPoints:

  http:

    address: ":80"

    http:

      redirections:

        entryPoint:

          to: https

          scheme: https

  https:

    address: ":443"

serversTransport:

  insecureSkipVerify: true

providers:

  docker:

    endpoint: "unix:///var/run/docker.sock"

    exposedByDefault: false

  file:

    filename: /config.yml

certificatesResolvers:

  namedotcom:

    acme:

      email: dakers88@gmail.com

      storage: /acme.json

      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)

      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging

      dnsChallenge:

        provider: namedotcom

        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.

        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted

        resolvers:

          - "1.1.1.1:53"

          - "1.0.0.1:53"

# Log level INFO|DEBUG|ERROR

log:

  level: INFO

  filePath: "/var/log/traefik/traefik.log"

  #format: json

accessLog:

  filePath: "/var/log/traefik/access.log"

  #format: json

###########################################################################

config.yml

###########################################################################

http:

  serversTransports:

    insecuretransport:

      insecureSkipVerify: true

  middlewares:

    default-headers:

      headers:

        frameDeny: true

        browserXssFilter: true

        contentTypeNosniff: true

        forceSTSHeader: true

        stsIncludeSubdomains: true

        stsPreload: true

        stsSeconds: 15552000

        customFrameOptionsValue: SAMEORIGIN

        customRequestHeaders:

          X-Forwarded-Proto: https

    https-redirectscheme:

      redirectScheme:

        scheme: https

        permanent: true

    default-whitelist:

      ipWhiteList:

        sourceRange:

        #- "10.0.0.0/8"

        #- "192.168.0.0/16"

        #- "172.16.0.0/12"

         - "172.31.1.0/24"

###########################################################################

  routers:

    portainer:

      entryPoints:

        - "https"

      rule: "Host(`portainer.local.domain.com`)"

      middlewares:

        - default-headers

        - https-redirectscheme

      tls: {}

      service: portainer

    proxmox:

      entryPoints:

        - "https"

      rule: "Host(`pve.local.domain.com`)"

      middlewares:

        - default-headers

        - https-redirectscheme

      tls: {}

      service: proxmox

    nas1:

      entryPoints:

        - "https"

      rule: "Host(`nas1.local.domain.com`)"

      middlewares:

        - default-headers

        - https-redirectscheme

      tls: {}

      service: nas1

    scale:

      entryPoints:

        - "https"

      rule: "Host(`scale.local.domain.com`)"

      middlewares:

        - default-headers

        - https-redirectscheme

      tls: {}

      service: scale

###########################################################################

  services:

    portainer:

      loadBalancer:

        servers:

          - url: "https://172.31.1.25:9443"

        passHostHeader: true

        serversTransport: insecuretransport

    proxmox:

      loadBalancer:

        servers:

          - url: "https://172.31.1.23:8006"

        passHostHeader: true

        serversTransport: insecuretransport

    nas1:

      loadBalancer:

        servers:

          - url: "https://172.31.1.21:443"

        passHostHeader: true

        serversTransport: insecuretransport

    scale:

      loadBalancer:

        servers:

          - url: "https://172.31.1.26"

        passHostHeader: true

        serversTransport: insecuretransport

alwayzsomthin · August 8, 2025, 4:58pm

To help with formatting….below are my config files…

###########################################################################

http:

serversTransports:

insecuretransport:

  insecureSkipVerify: true

middlewares:

default-headers:

  headers:

    frameDeny: true

    browserXssFilter: true

    contentTypeNosniff: true

    forceSTSHeader: true

    stsIncludeSubdomains: true

    stsPreload: true

    stsSeconds: 15552000

    customFrameOptionsValue: SAMEORIGIN

    customRequestHeaders:

      X-Forwarded-Proto: https

https-redirectscheme:

  redirectScheme:

    scheme: https

    permanent: true    

default-whitelist:

  ipWhiteList:

    sourceRange:

    #- "10.0.0.0/8"

    #- "192.168.0.0/16"

    #- "172.16.0.0/12"

     - "172.31.1.0/24"

###########################################################################

routers:

portainer:

  entryPoints:

    - "https"

  rule: "Host(\`portainer.local.domain.com\`)"

  middlewares:

    - default-headers

    - https-redirectscheme

  tls: {}

  service: portainer

proxmox:

  entryPoints:

    - "https"

  rule: "Host(\`pve.local.domain.com\`)"

  middlewares:

    - default-headers

    - https-redirectscheme

  tls: {}

  service: proxmox

nas1:

  entryPoints:

    - "https"

  rule: "Host(\`nas1.local.domain.com\`)"

  middlewares:

    - default-headers

    - https-redirectscheme

  tls: {}

  service: nas1

scale:

  entryPoints:

    - "https"

  rule: "Host(\`scale.local.domain.com\`)"

  middlewares:

    - default-headers

    - https-redirectscheme

  tls: {}

  service: scale

###########################################################################

services:

portainer:

  loadBalancer:

    servers:

      - url: "https://172.31.1.25:9443"

    passHostHeader: true

    serversTransport: insecuretransport

proxmox:

  loadBalancer:

    servers:

      - url: "https://172.31.1.23:8006"

    passHostHeader: true

    serversTransport: insecuretransport

nas1:

  loadBalancer:

    servers:

      - url: "https://172.31.1.21"

    passHostHeader: true

    serversTransport: insecuretransport

scale:

  loadBalancer:

    servers:

      - url: "https://172.31.1.26"

    passHostHeader: true

    serversTransport: insecuretransport

###########################################################################

traefik.yml

api:

dashboard: true

debug: true

entryPoints:

http:

address: ":80"

http:

  redirections:

    entryPoint:

      to: https

      scheme: https

https:

address: ":443"

serversTransport:

insecureSkipVerify: true

providers:

docker:

endpoint: "unix:///var/run/docker.sock"

exposedByDefault: false

file:

filename: /config.yml

certificatesResolvers:

namedotcom:

acme:

  email: 

  storage: /acme.json

  caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)

  #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging

  dnsChallenge:

    provider: namedotcom

    #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.

    #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 

    resolvers:

      - "1.1.1.1:53"

      - "1.0.0.1:53"

# Log level INFO|DEBUG|ERROR

log:

level: INFO

filePath: "/var/log/traefik/traefik.log"

#format: json

accessLog:

filePath: "/var/log/traefik/access.log"

#format: json

###########################################################################

compose.yml

services:

traefik:

image: traefik:latest

container_name: traefik

restart: unless-stopped

security_opt:

  - no-new-privileges:true

networks:

  traefik:

      ipv4_address: 192.168.69.5

ports:

  - 80:80

  - 443:443

  \# - 443:443/tcp # Uncomment if you want HTTP3

  \# - 443:443/udp # Uncomment if you want HTTP3

environment:

  NAMECOM_API_TOKEN: ${NAMECOM_API_TOKEN} # if using .env

  NAMECOM_USERNAME: ${NAMECOM_USERNAME}

  TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}

env_file: .env # use .env  

volumes:

  - /etc/localtime:/etc/localtime:ro

  - /var/run/docker.sock:/var/run/docker.sock:ro

  - ./traefik/config/traefik.yml:/traefik.yml:ro

  - ./traefik/config/acme.json:/acme.json

  - ./traefik/log:/var/log/traefik

  - ./traefik/config.yml:/config.yml:ro      

labels:

  - "traefik.enable=true"

  - "traefik.http.routers.traefik.entrypoints=http"

  - "traefik.http.routers.traefik.rule=Host(\`traefik-dashboard.local.domain.com\`)"

  - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"

  - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"

  - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"

  - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"

  - "traefik.http.routers.traefik-secure.entrypoints=https"

  - "traefik.http.routers.traefik-secure.rule=Host(\`traefik-dashboard.local.domain.com\`)"

  - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

  - "traefik.http.routers.traefik-secure.tls=true"

  - "traefik.http.routers.traefik-secure.tls.certresolver=namedotcom"

  - "traefik.http.routers.traefik-secure.tls.domains\[0\].main=local.domain.com"

  - "traefik.http.routers.traefik-secure.tls.domains\[0\].sans=\*.local.domain.com"

  - "traefik.http.routers.traefik-secure.service=api@internal"

bluepuma77 · August 9, 2025, 6:21am

Edit you posts and use 3 backticks before and after code/config (or select and press </>) to make it more readable and preserve spacing, which is important in yaml format.

bluepuma77 · August 9, 2025, 6:25pm

Not sure what you did, but it still looks very strange.

alwayzsomthin · August 9, 2025, 10:49pm

Will get it cleaned up when I get back on.

alwayzsomthin · August 10, 2025, 6:12pm

I think I got it figured out now…The only site that works for the SSL certificate is my portainer site, the others do not.

compose.yml

networks:
  traefik:
    external: true
    #name: traefik
    #driver: bridge
    #ipam:
      #driver: default
      #config:
      #- subnet: 192.168.69.0/24
        #gateway: 192.168.69.1
###########################################################################
x-logging: &default-logging
  driver: "json-file"
  options:
    max-size: "10m"
    max-file: "3"
###########################################################################
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      traefik:
          ipv4_address: 192.168.69.5
    ports:
      - 80:80
      - 443:443
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      NAMECOM_API_TOKEN: ${NAMECOM_API_TOKEN} # if using .env
      NAMECOM_USERNAME: ${NAMECOM_USERNAME}
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    env_file: .env # use .env  
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/config/traefik.yml:/traefik.yml:ro
      - ./traefik/config/acme.json:/acme.json
      - ./traefik/log:/var/log/traefik
      - ./traefik/config.yml:/config.yml:ro      
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=namedotcom"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  namedotcom:
    acme:
      email: 
      storage: /acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: namedotcom
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"          
# Log level INFO|DEBUG|ERROR          
log:
  level: INFO
  filePath: "/var/log/traefik/traefik.log"
  #format: json
accessLog:
  filePath: "/var/log/traefik/access.log"
  #format: json

config.yml

###########################################################################
http:
  serversTransports:
    insecuretransport:
      insecureSkipVerify: true
  middlewares:    
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true    
    default-whitelist:
      ipWhiteList:
        sourceRange:
        #- "10.0.0.0/8"
        #- "192.168.0.0/16"
        #- "172.16.0.0/12"
         - "172.31.1.0/24"
###########################################################################
  routers:
    portainer:
      entryPoints:
        - "https"
      rule: "Host(`portainer.local.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: portainer
    proxmox:
      entryPoints:
        - "https"
      rule: "Host(`pve.local.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: proxmox
    nas1:
      entryPoints:
        - "https"
      rule: "Host(`nas1.local.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: nas1
    scale:
      entryPoints:
        - "https"
      rule: "Host(`scale.local.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: scale                    
###########################################################################
  services:
    portainer:
      loadBalancer:
        servers:
          - url: "https://172.31.1.25:9443"
        passHostHeader: true
        serversTransport: insecuretransport
    proxmox:
      loadBalancer:
        servers:
          - url: "https://172.31.1.23:8006"
        passHostHeader: true
        serversTransport: insecuretransport
    nas1:
      loadBalancer:
        servers:
          - url: "https://172.31.1.21:443"
        passHostHeader: true
        serversTransport: insecuretransport
    scale:
      loadBalancer:
        servers:
          - url: "https://172.31.1.26"
        passHostHeader: true
        serversTransport: insecuretransport

bluepuma77 · August 10, 2025, 7:22pm

It seems you have not assigned the certResolver to entrypoint or router.

Maybe check simple Traefik example for best practice.

alwayzsomthin · August 11, 2025, 1:11am

Do you still need the traefik.yml file with using the example compose file?

Topic		Replies	Views
Docker-compose basic example from docs.traefik.io not working Traefik v2 docker	2	1924	November 29, 2019
Proxmox with Traefik (Maybe someone can help me ) Traefik v2 file	0	1686	November 24, 2021
After Traefik docker-compose install, dashboard invisible Traefik v2 docker	4	406	April 25, 2020
Traefik 1.7 to 2.0 Docker for Windows Traefik v2 docker , file , letsencrypt-acme	58	7000	October 29, 2019
Traefik acme certificate Untrusted Traefik v2 dashboard-api	1	637	December 31, 2019

Proxmox and truenas not working

Related topics