Traefik 2.10 bad certificate error from Let's Encrypt for the dashboard and other services in spite of insecureSkipVerify

Hi all,

I don't know what to do anymore. I have now tried so many different things from different documentation sources. I also think I over-configured my traefik.yml and dynamic.conf after so many different attempts to fix this myself. In the end I still have the same error and behaviour as at the beginning.

I get an error in my traefik.log after opening the URL in the browser. It does not matter whether it is the Traefik dashboard or any other service.

level=debug msg="http: TLS handshake error from 172.18.0.1:57674: remote error: tls: bad certificate"

If I open the URL in the browser, I first get a certificate warning and, after accepting it, a "404 page not found". I don't know whether this is a result of the error or another problem. (By the way, I deactivated the redirection to websecure and still get this message.) So I guess this is another problem?

So what do I have to do to fix the certificate error?
I would also appreciate any tips on reducing unnecessary over-configuration.

So far I added

stores:
  default: {}

and

insecureSkipVerify: true

I also made sure that my acme.json is a file and not a folder, and deleted the Docker volume multiple times to reset.
I also configured my dynamic_conf.yml directly in the compose file because I thought this configuration was not being found.
I come from Traefik 2.7 with an HTTP challenge, and there everything works as expected. But now I want to use TLS, as you can see in my files...

I am working with Docker on an Ubuntu 22.04 server.

docker info
Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-83-generic
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.39GiB
 Name: lab
 ID: 2cabbfaa-c422-4358-b8d8-4afd847876a3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

My compose file is:

version: "3.8"

services:
  traefik:
    image: traefik:2.10
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/etc/traefik
      - ./log:/var/log/traefik/
      - certificates:/certificates
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      # Dashboard/API router: only /api and /dashboard on this host, TLS via the ACME resolver
      - "traefik.http.routers.traefik.rule=Host(`traefik.xxxxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      # router options live under traefik.http.routers.<name>; there is no traefik.traefik.* namespace
      - "traefik.http.routers.traefik.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=xxxx:xxxxx"
    networks:
       - proxy
    restart: unless-stopped


networks:
  proxy:
    external: true

volumes:
  certificates:

My traefik.conf:

global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: DEBUG
  format: common
  filePath: "/var/log/traefik/traefik.log"

accessLog:
  format: common
  filePath: "/var/log/traefik/access.log"

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

certificatesResolvers:
  letsencrypt:
    acme:
      email: myemail@mail.org
      storage: /certificates/acme.json
      # TLS-ALPN-01: Let's Encrypt connects to this host on port 443, so 443 must be reachable from the internet
      tlsChallenge: {}

providers:
  docker:
    exposedByDefault: false
    network: "proxy"
  file:
    directory: /etc/traefik/
    watch: true
  # this is a duration, so give it a unit
  providersThrottleDuration: 10s

My dynamic-conf.yml:

tls:
  stores:
    default: {}
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: false


http:
  services:
    traefik:
      loadBalancer:
        serversTransport: mytransport

  serversTransports:
    mytransport:
      insecureSkipVerify: true

The full error message from the beginning:

level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing
level=debug msg="Creating middleware" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
level=debug msg="Creating middleware" middlewareType=Recovery middlewareName=traefik-internal-recovery entryPointName=web
level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder
level=debug msg="Creating middleware" middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web routerName=web-to-websecure@internal
level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
level=debug msg="Serving default certificate for request: \"traefik.xxxx.com\""
level=debug msg="http: TLS handshake error from 172.18.0.1:57674: remote error: tls: bad certificate"
level=debug msg="Serving default certificate for request: \"traefik.xxxxx.com\""

Many many thanks in advance
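A small triage script for the debug log quoted above, added here as an example; it is not code from the post or from the Traefik project. It parses Traefik's `format: common` key=value lines (the sample below is a constructed copy of the lines in the post, with the hosts redacted as they are there), counts which SNI hosts were handed the internal default certificate, and records which client sent the `bad certificate` alert. What it makes visible is that Traefik had no certificate for the dashboard host at all, and that the browser (172.18.0.1 in the log) is the side that aborted the handshake.

```python
"""Triage Traefik debug log lines for the default-certificate / bad-certificate pattern.

Added example, not code from the post or from the Traefik project. It assumes
Traefik's `format: common` log layout: space-separated key=value pairs, values
quoted Go-style when they contain spaces.
"""
import re
from collections import Counter

# Constructed sample: the relevant lines quoted in the question, hosts redacted as there.
SAMPLE_LOG = r'''
level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
level=debug msg="Serving default certificate for request: \"traefik.xxxx.com\""
level=debug msg="http: TLS handshake error from 172.18.0.1:57674: remote error: tls: bad certificate"
level=debug msg="Serving default certificate for request: \"traefik.xxxxx.com\""
'''

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERVED_DEFAULT = re.compile(r'^Serving default certificate for request: "([^"]*)"$')
_HANDSHAKE_ERR = re.compile(r'^http: TLS handshake error from (\S+): (.*)$')


def parse_line(line):
    """Split one common-format line into a dict, undoing Go-style quoting."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def triage(log_text):
    """Summarise which SNI hosts got the internal default cert and which clients refused it."""
    summary = {"fallback_stores": set(), "default_cert_hosts": Counter(), "rejected": []}
    for line in log_text.splitlines():
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if msg.startswith("No default certificate"):
            summary["fallback_stores"].add(fields.get("tlsStoreName", "?"))
            continue
        served = _SERVED_DEFAULT.match(msg)
        if served:
            summary["default_cert_hosts"][served.group(1)] += 1
            continue
        err = _HANDSHAKE_ERR.match(msg)
        if err:
            summary["rejected"].append((err.group(1), err.group(2)))
    return summary


def diagnose(summary):
    """One finding per host served the default cert and per client that aborted the handshake."""
    findings = []
    for host, n in sorted(summary["default_cert_hosts"].items()):
        findings.append(f"{host}: no certificate matched this SNI, Traefik fell back to its "
                        f"self-signed default certificate ({n}x); check that a router with "
                        f"tls.certresolver actually exists for this host")
    for client, reason in summary["rejected"]:
        # In Go's crypto/tls a "remote error" is an alert sent by the peer, i.e. the browser.
        findings.append(f"{client}: peer aborted the handshake ({reason}); the browser rejected "
                        f"the self-signed default certificate, Traefik did not reject anything")
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print(finding)
```

Run it against a real traefik.log with `triage(open("traefik.log").read())`; a host that keeps showing up under `default_cert_hosts` after a restart is one for which no router with a certresolver was ever built.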

You forgot --traefik.enable=true in the labels; without it, the Docker service/container is ignored because of exposedByDefault: false.

Check the simple Traefik example.
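As an added example (not code from the post or from the Traefik project), a lint for Docker-provider labels that catches the class of mistake the reply points out. The label list is constructed: it is based on the question's labels, without traefik.enable=true and with one namespace mistyped as traefik.traefik. The rules it encodes are Traefik v2 behaviour: with exposedByDefault: false a container without traefik.enable=true is skipped entirely (no router, no ACME order for its host, so Traefik answers with its default certificate and a 404), labels are only read under traefik.enable, traefik.docker.* and traefik.{http,tcp,udp}.*, and a router's middlewares list must name middlewares that are defined.

```python
"""Lint Traefik v2 Docker-provider labels for the mistakes this thread turns on.

Added example, not code from the post or from the Traefik project. Rules encoded:
with exposedByDefault: false a container is skipped unless it carries
traefik.enable=true; labels are read only under traefik.enable, traefik.docker.*
and traefik.{http,tcp,udp}.*; a router's middlewares must be defined.
"""
import re

ROUTABLE_NAMESPACES = {"http", "tcp", "udp"}

# Constructed sample: modelled on the question's labels, without traefik.enable=true
# and with one namespace mistyped as "traefik.traefik.".
SAMPLE_LABELS = [
    "traefik.http.routers.traefik.rule=Host(`traefik.xxxxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
    "traefik.http.routers.traefik.tls=true",
    "traefik.http.routers.traefik.tls.certresolver=letsencrypt",
    "traefik.http.routers.traefik.service=api@internal",
    "traefik.traefik.routers.traefik.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=xxxx:xxxxx",
]

_ROUTER_MIDDLEWARES = re.compile(r"traefik\.http\.routers\.[^.]+\.middlewares")


def parse_labels(labels):
    """Split 'key=value' labels; anything outside the traefik.* space is reported separately."""
    kv, other = {}, []
    for label in labels:
        key, sep, value = label.partition("=")
        if sep and key.startswith("traefik."):
            kv[key] = value
        else:
            other.append(label)
    return kv, other


def lint_labels(labels, exposed_by_default=False):
    """Return human-readable findings; an empty list means the labels are consistent."""
    kv, other = parse_labels(labels)
    findings = [f"not a traefik key=value label: {label!r}" for label in other]

    # 1. Visibility: the provider drops the whole container, so none of its routers
    #    exist, no ACME order is placed for its hosts, and every request gets the
    #    default certificate plus a 404.
    if not exposed_by_default and kv.get("traefik.enable") != "true":
        findings.append("missing traefik.enable=true: with exposedByDefault: false this "
                        "container is ignored, so none of its routers exist")

    # 2. Only these namespaces are read by the Docker provider.
    for key in kv:
        parts = key.split(".")
        if key == "traefik.enable" or parts[1] == "docker" or parts[1] in ROUTABLE_NAMESPACES:
            continue
        findings.append(f"unknown label namespace {'.'.join(parts[:2])!r} in {key!r}")

    # 3. Every middleware a router names (without an @provider suffix) must be defined here.
    defined = {p[3] for p in (k.split(".") for k in kv)
               if len(p) > 3 and p[1] == "http" and p[2] == "middlewares"}
    for key, value in kv.items():
        if _ROUTER_MIDDLEWARES.fullmatch(key):
            for ref in (r.strip() for r in value.split(",")):
                if "@" not in ref and ref not in defined:
                    findings.append(f"router middleware {ref!r} has no traefik.http.middlewares.{ref}.* label")
    return findings


def fixed_labels(labels):
    """Add the enable label the reply asks for and repair the mistyped namespace."""
    out = [label.replace("traefik.traefik.", "traefik.http.", 1) for label in labels]
    if "traefik.enable=true" not in out:
        out.insert(0, "traefik.enable=true")
    return out


if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS):
        print("before:", finding)
    print("after:", lint_labels(fixed_labels(SAMPLE_LABELS)) or "no findings")
```

Feed it the `labels:` list of each service before `docker compose up`; the first finding on the sample is the missing enable label, the second is the namespace typo, and after `fixed_labels` the list is clean.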

Oh man... embarrassing :open_mouth:
I have wasted too much of my life on it. :see_no_evil:
Thanks for pointing out this obvious error.