Securing Traefik Dashboard unsuccessful

Hi All,

I have been struggling a few days now. I am trying to secure my Traefik dashboard however I keep getting an error that there is no certificate and it's serving the default one. My containers can successfully get a certificate from Traefik.

This is my docker-compose.yaml:

services:
  reverse-proxy:
    image: traefik:v3.3.6
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--api.dashboard=true"
      - "--certificatesresolvers.cloudflare.acme.email=**EMAIL REDACTED**"
      - "--certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme/cloudflare-acme.json"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--log.level=DEBUG"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.vsv1.**DOMAIN REDACTED**`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certResolver=cloudflare"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - CF_DNS_API_TOKEN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./certs:/etc/traefik/acme:rw
      - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
    networks:
      - traefik
    restart: unless-stopped

networks:
  traefik:
    external: true

My traefik.yaml looks like this:

global:
  sendAnonymousUsage: false
log:
  level: DEBUG
api:
  dashboard: true
  insecure: false
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
certificatesResolvers:
  cloudflare:
    acme:
      email: "**EMAIL REDACTED**"
      storage: "/etc/traefik/acme/cloudflare-acme.json"
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: traefik

My logs look like this:

2025-04-24T11:11:58.304776376Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:106 > Traefik version 3.3.5 built on 2025-03-31T08:45:53Z version=3.3.5
2025-04-24T11:11:58.307481325Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:113 > Static configuration loaded [json] staticConfiguration={"api":{"basePath":"/","dashboard":true},"certificatesResolvers":{"cloudflare":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","8.8.8.8:53"]},"email":"**email redacted**","keyType":"EC256","storage":"/etc/traefik/acme/cloudflare-acme.json"}}},"entryPoints":{"web":{"address":":80","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576,"redirections":{"entryPoint":{"permanent":true,"priority":9223372036854775806,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","forwardedHeaders":{},"http":{"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"traefik","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2025-04-24T11:11:58.307797830Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:632 > 
2025-04-24T11:11:58.307817240Z Stats collection is disabled.
2025-04-24T11:11:58.307824438Z Help us improve Traefik by turning this feature on :)
2025-04-24T11:11:58.307831130Z More details on: https://doc.traefik.io/traefik/contributing/data-collection/
2025-04-24T11:11:58.307837600Z 
2025-04-24T11:11:58.312260463Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
2025-04-24T11:11:58.312692659Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=websecure
2025-04-24T11:11:58.313931672Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2025-04-24T11:11:58.314095215Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2025-04-24T11:11:58.314377005Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=web
2025-04-24T11:11:58.314714782Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2025-04-24T11:11:58.314973559Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2025-04-24T11:11:58.315319948Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-04-24T11:11:58.315683061Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"cloudflare","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","8.8.8.8:53"]},"email":"**Email Redacted**","keyType":"EC256","storage":"/etc/traefik/acme/cloudflare-acme.json","store":{}}
2025-04-24T11:11:58.315967043Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"routers":{"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":9223372036854775806,"rule":"HostRegexp(`^.+$`)","ruleSyntax":"v3","service":"noop@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2025-04-24T11:11:58.316427494Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2025-04-24T11:11:58.316812485Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cloudflare.acme
2025-04-24T11:11:58.318506644Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=cloudflare.acme
2025-04-24T11:11:58.318648653Z 2025-04-24T11:11:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *docker.Provider
2025-04-24T11:11:58.319033096Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"traefik","watch":true}
2025-04-24T11:11:58.340716479Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:90 > Provider connection established with docker 27.5.1 (API 1.47) providerName=docker
2025-04-24T11:11:58.348901665Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=reverse-proxy-traefik-9db1c22f4ec9c0941873eee4789239a18db1e98eeed0bb6843e1de3aa73e64b6 providerName=docker
2025-04-24T11:11:58.349243074Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=adguardhome-adguard-11bdd9cd2588b175feee735eeb4c0fab693d6f0a37e7cf9a612149164656466d providerName=docker
2025-04-24T11:11:58.350057812Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=portainer-f0ecc4f3850c3239a6fe1af1f8329eb62957dd0d8e11304569b32ed8dfe83b16 providerName=docker
2025-04-24T11:11:58.350471213Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-04-24T11:11:58.429728483Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-04-24T11:11:58.431193858Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2025-04-24T11:11:58.431215443Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2025-04-24T11:11:58.431351986Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-04-24T11:11:58.432195955Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) whoami.**Redacted**
2025-04-24T11:11:58.432452865Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) nginx.vsv1.**Redacted**
2025-04-24T11:11:58.432763459Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) whoami.vsv1.**Redacted**
2025-04-24T11:11:58.433021263Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) nginxtest.vsv1.**Redacted**
2025-04-24T11:11:58.433368788Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) nginxtest1.vsv1.**Redacted**
2025-04-24T11:11:58.433693036Z 2025-04-24T11:11:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:132 > Adding certificate for domain(s) gotify.vsv1.**Redacted**
2025-04-24T11:11:59.183441712Z 2025-04-24T11:11:59Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-04-24T11:11:59.185227576Z 2025-04-24T11:11:59Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2025-04-24T11:11:59.185560685Z 2025-04-24T11:11:59Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2025-04-24T11:11:59.186002227Z 2025-04-24T11:11:59Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-04-24T11:12:51.086956674Z 2025-04-24T11:12:51Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "traefik.vsv1.**Redacted**"
2025-04-24T11:12:51.098741380Z 2025-04-24T11:12:51Z DBG log/log.go:245 > http: TLS handshake error from 192.168.1.65:61140: remote error: tls: unknown certificate

I also seem to notice this in the log:
Filtering disabled container container=reverse-proxy-traefik-9db1c22f4ec9c0941873eee4789239a18db1e98eeed0bb6843e1de3aa73e64b6 providerName=docker

You can't have Traefik static config in traefik.yml and command:, decide for one (doc).

Maybe compare to simple Traefik example.

Issue was resolved by renaming my docker traefik container to the name traefik was showing as not configured.
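
An added example, not written by any poster in this thread: a small triage script that correlates the three debug messages seen in the log above ("Filtering disabled container", "Adding certificate for domain(s)", "Serving default certificate for request"). The sample lines are constructed, use the reserved example.test domain and shortened container ids, and the comma split for multi-name certificates is an assumption.

```python
import re

# Constructed sample lines modelled on the debug output in the thread
# (hostnames use the reserved example.test domain; container ids shortened).
SAMPLE_LOG = """\
2025-04-24T11:11:58Z DBG pkg/provider/docker/config.go:185 > Filtering disabled container container=reverse-proxy-traefik-9db1c22f providerName=docker
2025-04-24T11:11:58Z DBG pkg/provider/docker/config.go:185 > Filtering disabled container container=portainer-f0ecc4f3 providerName=docker
2025-04-24T11:11:58Z DBG pkg/tls/certificate.go:132 > Adding certificate for domain(s) whoami.vsv1.example.test
2025-04-24T11:11:58Z DBG pkg/tls/certificate.go:132 > Adding certificate for domain(s) gotify.vsv1.example.test
2025-04-24T11:12:51Z DBG pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "traefik.vsv1.example.test"
2025-04-24T11:12:52Z DBG pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "whoami.vsv1.example.test"
"""

FILTERED = re.compile(r"Filtering disabled container container=(\S+)")
CERT_ADDED = re.compile(r"Adding certificate for domain\(s\) (\S+)")
DEFAULT_SERVED = re.compile(r'Serving default certificate for request: "([^"]*)"')


def triage(log_text):
    """Group hosts that were served the default certificate by likely cause."""
    filtered, with_cert, defaulted = [], set(), []
    for line in log_text.splitlines():
        if m := FILTERED.search(line):
            # Container the Docker provider skipped, so its labels were not read
            filtered.append(m.group(1))
        elif m := CERT_ADDED.search(line):
            # Assumption: several names on one certificate are comma-separated
            with_cert.update(d.strip().lower() for d in m.group(1).split(","))
        elif m := DEFAULT_SERVED.search(line):
            host = m.group(1).lower()
            if host not in defaulted:
                defaulted.append(host)
    return {
        "filtered_containers": filtered,
        # Default served and no certificate was ever loaded for the name
        "no_cert_loaded": [h for h in defaulted if h not in with_cert],
        # Default served although a certificate for the name was loaded
        "cert_loaded_but_default": [h for h in defaulted if h in with_cert],
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```

A host in `no_cert_loaded` alongside the proxy's own container in `filtered_containers` matches the situation in this thread, where the dashboard router labels were never picked up.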
