Router uses a nonexistent certificate resolver LetsEncrypt/Cloudflare

Traefik Traefik v3 (latest)
,
1

I am following the guide here trying to get my local services to be secure. My docker-compose.yaml looks like this currently:

version: "3.8"

services:
  traefik:
    image: traefik:v3.1.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      # CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.bagel-studios.dev`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.bagel-studios.dev`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.bagel-studios.dev"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.bagel-studios.dev"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true

And my traefic.yml looks like the following:

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls:
        certResolver: letsEncrypt
log:
  level: DEBUG
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  letsEncrypt:
    acme:
      email: coltonls024@gmail.com
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the rights dns servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

The error I am getting is

2024-09-19T21:24:24-05:00 ERR github.com/traefik/traefik/v3/cmd/traefik/traefik.go:367 > Router uses a nonexistent certificate resolver certificateResolver=cloudflare routerName=traefik-secure@docker

I have switched between using the production and staging caServer but the results are the same

2

You name your certresolver letsEncrypt in static config (traefik.yml), but then assign cloudflare in dynamic config (labels). That can’t work.

Note that Traefik handles standard headers automatically, no need for X-Forwarded-Proto=https.

To structure config and reduce repeated lines, I recommend to declare https-redirect and TLS main/sans globally in static config. Compare to simple Traefik example.