[SOLVED] Wildcard cert valid but 404 Error when trying url

Hello,

today I wanted to replace my Nginx Proxy Manager with Traefik.
It seems I got it working that traefik fetches a valid wildcard domain for my domain, but I am getting a 404 Error when trying to reach one of my containers.
I feel like it's a simple error that I am just unable to recognize.

SOLVED: As I thought it was a simple (and dumb) error:
I forgot to replace the router name in the values I used for wallos. Now it works.

Appreciate any help very much, thank you. Config files following:

traefik.yml:

global:
    checkNewVersion: true
    sendAnonymousUsage: false
log:
    level: DEBUG
accesslog: {}
  #tracing: {}
api:
  dashboard: true
  insecure: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    exposedByDefault: false
    endpoint: "unix:///var/run/docker.sock"
certificatesResolvers:
  ionos:
    acme:
      email: staging_blooming239@zrtmx.com
      storage: /certs/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: http
      dnsChallenge:
        provider: ionos
        resolvers:
          - "ns1092.ui-dns.de"
          - "ns1092.ui-dns.com"
          - "ns1092.ui-dns.org"
          - "ns1092.ui-dns.biz"

traefik docker compose:

services:
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    networks:
      - traefik
    environment:
      - TZ=Europe/Berlin
      - IONOS_API_KEY=$IONOS_API_KEY
    ports:
      - 80:80 # HTTP entryPoints
      - 443:443 # HTTPS entryPoints
      - 8080:8080 # Dashboard web GUI
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /docker/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /docker/traefik/certs:/certs:rw
    labels:
      # Traefik
      traefik.enable: true
      traefik.http.routers.traefik.rule: Host(`traefik.my-domain.com`)
      traefik.http.routers.traefik.entrypoints: https
      traefik.http.routers.traefik-secure.tls: true
      traefik.http.routers.traefik-secure.tls.certresolver: ionos
      traefik.http.routers.traefik-secure.tls.domains[0].sans: '*.my-domain.com'

networks:
  traefik:
    external: true

Wallos is a relatively simple subscription tracker that I'm using to test traefik.
wallos docker-compose:

services:
  wallos:
    container_name: wallos
    image: bellamy/wallos:v2.45.0
    ports:
      - "8282:80/tcp"
    networks:
      - traefik
    environment:
      TZ: 'Europe/Berlin'
    # Volumes store your data between container upgrades
    volumes:
      - /docker/wallos/db:/var/www/html/db
      - /docker/wallos/logos:/var/www/html/images/uploads/logos
    restart: unless-stopped
    labels:
      # Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.wallos.rule=Host(`wallos.my-domain.com`)"
      - "traefik.http.routers.wallos.entrypoints=https"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=ionos"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=wallos.my-domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my-domain.com"

networks:
  traefik:
    external: true

Wallos uses the normal labels format because I was trying out whether me using the other format (used in the traefik compose) was maybe messing with my config.

Trying to reach http://wallos.my-domain.com redirects me to https and says: "404 page not found".
The browser shows the connection is secure with a valid cert using *.my-domain.com

So it seems the cert is fine but something isn't right with the routing. Accessing wallos through 10.0.50.5:8282 works. My network uses a pihole that has a local dns record to redirect wallos.my-server.com to my 10.0.50.5.

Traefik logs in reply because of character limit

I hope someone might see what the issue is here, let me know if I can provide any further information :smiley:

The usual recommendations:

  1. You cannot use Traefik static config in both traefik.yml and command:, decide on one (doc)

  2. You should not use ports: with services/containers except for Traefik. Otherwise Traefik security middlewares might be bypassed.

  3. For wildcards, it's recommended to use:

     .domains[0].main: 'my-domain.com'
     .domains[0].sans: '*.my-domain.com'

  4. Make sure to indicate the internal target service port:

     .loadbalancer.server.port=80

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Maybe compare to simple Traefik example.

Hello, thanks for the best practices, I will apply them ASAP.
I happened to solve it just now, I forgot to replace the router name inside the wallos compose. Replacing "traefik-secure" with wallos made it work.
That's what happens when you piece your config together...

Thanks still!
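
The router-name mismatch behind the 404, as an added example that is not part of the original thread: a small Python check that groups `traefik.http.routers.<name>.*` labels by router name and flags routers that carry TLS options but no rule, or a rule on a TLS entry point but no TLS options. The issue names and the `tls_entrypoints` parameter are illustrative assumptions; the sample labels are constructed from the wallos compose in the first post.

```python
import re
from collections import defaultdict

# traefik.http.routers.<router>.<option> followed by "=" (list form) or ":" (map form)
LABEL_RE = re.compile(r"traefik\.http\.routers\.([^.]+)\.([^=:\s]+)\s*[=:]\s*(.*)")

def audit_router_labels(labels, tls_entrypoints=("https",)):
    """Return sorted (router, issue) pairs for half-configured routers.

    tls_entrypoints is an assumption: entry points that serve TLS but set no
    entry-point-level TLS default, like `https` in the traefik.yml above.
    """
    routers = defaultdict(dict)
    for raw in labels:
        m = LABEL_RE.match(raw.strip().lstrip("-").strip().strip("\"'"))
        if m:
            name, option, value = m.groups()
            routers[name][option] = value.strip().strip("\"'")
    findings = []
    for name, opts in routers.items():
        has_tls = any(o == "tls" or o.startswith("tls.") for o in opts)
        eps = [e.strip() for e in opts.get("entrypoints", "").split(",")]
        if has_tls and "rule" not in opts:
            findings.append((name, "tls-without-rule"))
        if "rule" in opts and not has_tls and set(eps) & set(tls_entrypoints):
            findings.append((name, "rule-without-tls"))
    return sorted(findings)

# Constructed input: the wallos labels from the post, before and after the fix.
BEFORE = [
    "traefik.enable=true",
    "traefik.http.routers.wallos.rule=Host(`wallos.my-domain.com`)",
    "traefik.http.routers.wallos.entrypoints=https",
    "traefik.http.routers.traefik-secure.tls=true",
    "traefik.http.routers.traefik-secure.tls.certresolver=ionos",
]
AFTER = [l.replace("routers.traefik-secure.", "routers.wallos.") for l in BEFORE]

if __name__ == "__main__":
    for router, issue in audit_router_labels(BEFORE):
        print(f"{router}: {issue}")
    print("after fix:", audit_router_labels(AFTER))
```

Traefik matches HTTPS requests only against routers that have TLS enabled, so a `wallos` router without TLS options never sees the request even though the wildcard certificate is served, which is the "valid cert, 404" symptom described in the thread.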

@bluepuma77 As I see that you are a moderator, do you have an idea how I can delete this post or even account? I happened to overlook some sensitive data inside this post that I don't wish to share, and am unable to remove it from the post :x

I see there are some administrators but they seem quite inactive. Can you also do this as a moderator? Thanks in advance for any help! :slight_smile:

Can’t you just press the 3 dots and pen to edit?

I did, but the line is still visible in the edit history.