Traefik 3.0 Failed HTTP-01 challenge for own subdomain with let's encrypt

Traefik Traefik v3 (latest)
, ,
1

I have the traefik dashboard enabled to be accessed from traefik.example.com on HTTPS, it seems that few months ago when my project started it successfully retrieved a LE certificate since it is now correctly working under HTTPS

I also have pi-hole.example.com and a webcam.example.com subdomains that are correctly working

I have the geoblock plugin installed but that is protecting every subdomain, since some are working correctly I don't believe that's the issue here, the same applies to the digest auth, it is protecting every subdomain

Note: I censored some IPs by changing the last number in a letter because I did not know if some of them were private or not.

I noticed that ONLY the certificate for traefik.example.com is expiring in a few days, while the ones for pi-hole and webcam have been correctly renewed some time ago

The error in the logs says that the acme-challenge for traefik.example.com fails with a 404 HTTP code

Version: 3.0.0
Codename: beaufort
Go version: go1.22.2
Built: 2024-04-29T14:25:59Z
OS/Arch: linux/arm

RPi Zero W armv6l with Raspbian GNU/Linux 11 (bullseye)

Traefik static config

# Enables the web UI
api:
  dashboard: true

certificatesResolvers:
  lets_encrypt:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: CENSORED_EMAIL
      storage: /home/traefik/certs/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web
  lets_encrypt_staging:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: CENSORED_EMAIL
      storage: /home/traefik/certs/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - fd00::/8
    proxyProtocol:
      trustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - fd00::/8
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - fd00::/8
    proxyProtocol:
      trustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - fd00::/8

# tell Traefik to listen to files for dynamic configuration
providers:
  file:
    directory: /home/traefik/file_dynamic_conf

log:
  level: DEBUG
  filePath: "/home/traefik/logs/traefik.log"

accessLog:
  filePath: "/home/traefik/logs/access.log"
  bufferingSize: 100

experimental:
  plugins:
    geoblock:
      moduleName: github.com/PascalMinder/geoblock
      version: v0.2.8

Traefik dynamic config

http:
  routers:
    traefik:
      service: api@internal
      rule: Host(`traefik.CENSORED_DOMAIN`)
      middlewares:
        - geoblock@file
        - auth-administration@file
      tls:
        certResolver: lets_encrypt

  middlewares:
    auth-administration:
      digestAuth:
        usersFile: /run/secrets/users
        realm: administration
    geoblock:
      plugin:
        geoblock:
          silentStartUp: false
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: false
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 1500
          cacheSize: 15
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          blacklist: false
          countries:
            - IT
          allowedIPAddresses:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
            - fd00::/8
          addCountryHeader: false

docker:
  network: public_net

Docker compose

services:
  traefik:
    container_name: traefik
    image: traefik:3.0
    restart: always
    depends_on:
      - pi-hole
    networks:
      - public_net
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443
    volumes:
      - ${PROJECTS_HOME}/traefik/certs:/home/traefik/certs:rw # bind-mount
      - ${PROJECTS_HOME}/traefik/conf:/etc/traefik:rw # bind-mount
      - ${PROJECTS_HOME}/traefik/file_dynamic_conf:/home/traefik/file_dynamic_conf:ro # bind-mount
      - ${PROJECTS_HOME}/traefik/logs:/home/traefik/logs:rw # bind-mount
      - ${PROJECTS_HOME}/traefik/secrets:/run/secrets:ro # bind-mount

log output in DEBUG level

2024-05-05T14:10:34Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.0 built on
2024-04-29T14:25:59Z version=3.0.0
2024-05-05T14:10:34Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"accessLog":{"bufferingSize":100,"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filePath":"/home/traefik/logs/access.log","filters":{},"format":"common"},"api":{"dashboard":true},"certificatesResolvers":{"lets_encrypt":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"CENSORED_EMAIL","httpChallenge":{"entryPoint":"web"},"keyType":"RSA4096","storage":"/home/traefik/certs/acme.json"}},"lets_encrypt_staging":{"acme":{"caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"CENSORED_EMAIL","httpChallenge":{"entryPoint":"web"},"keyType":"RSA4096","storage":"/home/traefik/certs/acme.json"}}},"entryPoints":{"web":{"address":":80","forwardedHeaders":{"trustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","fd00::/8"]},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":2147483646,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"proxyProtocol":{"trustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","fd00::/8"]},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","forwardedHeaders":{"trustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","fd00::/8"]},"http":{},"http2":{"maxConcurrentStreams":250},"proxyProtocol":{"trustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","fd00::/8"]},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"experimental":{"plugins":{"geoblock":{"moduleName":"github.com/PascalMinder/geoblock","version":"v0.2.8"}}},"global":{"checkNewVersion":true},"log":{"filePath":"/home/traefik/logs/traefik.log","format":"common","level":"DEBUG"},"providers":{"file":{"directory":"/home/traefik/file_dynamic_conf","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2024-05-05T14:10:35Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 >
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2024-05-05T14:10:35Z INF github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:458 > Enabling ProxyProtocol for trusted IPs [10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fd00::/8] entryPointName=web
2024-05-05T14:10:35Z INF github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:458 > Enabling ProxyProtocol for trusted IPs [10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fd00::/8] entryPointName=websecure
2024-05-05T14:10:35Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: geoblock: github.com/PascalMinder/geoblock@v0.2.8
2024-05-05T14:10:35Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/PascalMinder/geoblock/v0.2.8
2024-05-05T14:10:40Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/PascalMinder/geoblock/v0.2.8
2024-05-05T14:10:41Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=web
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure
2024-05-05T14:10:41Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"directory":"/home/traefik/file_dynamic_conf","watch":true}
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf/digest-auth.yml
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf/geoblock.yml
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf/pi-hole.yml
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf/traefik.yml
2024-05-05T14:10:41Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /home/traefik/file_dynamic_conf/webcam.yml
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"lets_encrypt","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"CENSORED_EMAIL","httpChallenge":{"entryPoint":"web"},"keyType":"RSA4096","storage":"/home/traefik/certs/acme.json","store":{}}
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"lets_encrypt_staging","TLSChallengeProvider":{},"caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"CENSORED_EMAIL","httpChallenge":{"entryPoint":"web"},"keyType":"RSA4096","storage":"/home/traefik/certs/acme.json","store":{}}
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:213 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=lets_encrypt_staging.acme
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:795 > Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=lets_encrypt_staging.acme
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:213 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme
2024-05-05T14:10:42Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:795 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"routers":{"acme-http":{"entryPoints":["web"],"priority":2147483647,"rule":"PathPrefix(`/.well-known/acme-challenge/`)","service":"acme-http@internal"},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":2147483646,"rule":"HostRegexp(`^.+$`)","service":"noop@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"acme-http":{},"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"auth-administration":{"digestAuth":{"realm":"administration","usersFile":"/run/secrets/users"}},"auth-webcam":{"digestAuth":{"realm":"webcam","usersFile":"/run/secrets/users"}},"geoblock":{"plugin":{"geoblock":{"addCountryHeader":"false","allowLocalRequests":"true","allowUnknownCountries":"false","allowedIPAddresses":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","fd00::/8"],"api":"https://get.geojs.io/v1/ip/country/{ip}","apiTimeoutMs":"1500","blacklist":"false","cacheSize":"15","countries":["IT"],"forceMonthlyUpdate":"true","logAllowedRequests":"false","logApiRequests":"false","logLocalRequests":"false","silentStartUp":"false","unknownCountryApiResponse":"nil"}}},"pi-hole-addprefix-admin":{"addPrefix":{"prefix":"/admin"}},"pi-hole-stripprefix-admin":{"stripPrefix":{"prefixes":["/admin"]}}},"routers":{"pi-hole":{"middlewares":["geoblock@file","auth-administration@file","pi-hole-stripprefix-admin@file","pi-hole-addprefix-admin@file"],"rule":"Host(`pi-hole.CENSORED_DOMAIN`)","service":"pi-hole","tls":{"certResolver":"lets_encrypt"}},"rpi_camera_web_interface":{"middlewares":["geoblock@file","auth-webcam@file"],"rule":"Host(`webcam.CENSORED_DOMAIN`)","service":"rpi_camera_web_interface","tls":{"certResolver":"lets_encrypt"}},"traefik":{"middlewares":["geoblock@file","auth-administration@file"],"rule":"Host(`traefik.CENSORED_DOMAIN`)","service":"api@internal","tls":{"certResolver":"lets_encrypt"}}},"services":{"pi-hole":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://pi-hole"}]}},"rpi_camera_web_interface":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://CENSORED_IP:8080"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets_encrypt.acme
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=lets_encrypt_staging.acme
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251 > Building ACME client... providerName=lets_encrypt.acme
2024-05-05T14:10:42Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257 > https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme
2024-05-05T14:10:43Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:322 > Using HTTP Challenge provider. providerName=lets_encrypt.acme
2024-05-05T14:10:43Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:817 > Renewing certificate from LE : {Main:traefik.CENSORED_DOMAIN SANs:[]} acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme
2024-05-05T14:10:43Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] acme: Trying renewal with 91 hours remaining lib=lego
2024-05-05T14:10:43Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] acme: Obtaining bundled SAN certificate lib=lego
2024-05-05T14:10:49Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/347003206277 lib=lego
2024-05-05T14:10:49Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] acme: Could not find solver for: tls-alpn-01 lib=lego
2024-05-05T14:10:49Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] acme: use http-01 solver lib=lego
2024-05-05T14:10:49Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] [traefik.CENSORED_DOMAIN] acme: Trying to solve HTTP-01 lib=lego
2024-05-05T14:10:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:452 > IP 51.20.3.A is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=web
2024-05-05T14:10:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:452 > IP 3.144.99.B is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=web
2024-05-05T14:10:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:452 > IP 23.178.112.C is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=web
2024-05-05T14:10:51Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:452 > IP 52.88.20.D is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=web
2024-05-05T14:10:59Z DBG github.com/go-acme/lego/v4@v4.16.1/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/347003206277 lib=lego
2024-05-05T14:11:02Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:832 > Error renewing certificate from LE: {traefik.CENSORED_DOMAIN []} error="error: one or more domains had a problem:\n[traefik.CENSORED_DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 94.34.163.E: Invalid response from http://traefik.CENSORED_DOMAIN/.well-known/acme-challenge/w1feAVOLZfWOmVyhmNULXosIr4zlJ3HkRmGleiHOBks: 404\n" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["web","websecure"] routerName=rpi_camera_web_interface
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["web","websecure"] routerName=pi-hole
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["web","websecure"] routerName=traefik
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131 > Adding certificate for domain(s) traefik.CENSORED_DOMAIN
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131 > Adding certificate for domain(s) webcam.CENSORED_DOMAIN
2024-05-05T14:11:05Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131 > Adding certificate for domain(s) pi-hole.CENSORED_DOMAIN
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=web routerName=rpi_camera_web_interface@file serviceName=rpi_camera_web_interface@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=web routerName=rpi_camera_web_interface@file serverName=4ffdb36774d123e8 serviceName=rpi_camera_web_interface@file target=http://CENSORED_IP:8080
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/digest_auth.go:33 > Creating middleware entryPointName=web middlewareName=auth-webcam@file middlewareType=digestAuth routerName=rpi_camera_web_interface@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=auth-webcam@file routerName=rpi_camera_web_interface@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=geoblock@file routerName=rpi_camera_web_interface@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=web routerName=pi-hole@file serviceName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=web routerName=pi-hole@file serverName=b56e63d2470e3d89 serviceName=pi-hole@file target=http://pi-hole
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/addprefix/add_prefix.go:26 > Creating middleware entryPointName=web middlewareName=pi-hole-addprefix-admin@file middlewareType=AddPrefix routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=pi-hole-addprefix-admin@file routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32 > Creating middleware entryPointName=web middlewareName=pi-hole-stripprefix-admin@file middlewareType=StripPrefix routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=pi-hole-stripprefix-admin@file routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/digest_auth.go:33 > Creating middleware entryPointName=web middlewareName=auth-administration@file middlewareType=digestAuth routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=auth-administration@file routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=geoblock@file routerName=pi-hole@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/digest_auth.go:33 > Creating middleware entryPointName=web middlewareName=auth-administration@file middlewareType=digestAuth routerName=traefik@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=auth-administration@file routerName=traefik@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=web middlewareName=geoblock@file routerName=traefik@file
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for webcam.CENSORED_DOMAIN with TLS options default entryPointName=web
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pi-hole.CENSORED_DOMAIN with TLS options default entryPointName=web
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.CENSORED_DOMAIN with TLS options default entryPointName=web
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for pi-hole.CENSORED_DOMAIN with TLS options default entryPointName=websecure
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.CENSORED_DOMAIN with TLS options default entryPointName=websecure
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for webcam.CENSORED_DOMAIN with TLS options default entryPointName=websecure
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384 > Trying to challenge certificate for domain [pi-hole.CENSORED_DOMAIN] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=pi-hole@file rule=Host(`pi-hole.CENSORED_DOMAIN`)
2024-05-05T14:11:19Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384 > Trying to challenge certificate for domain [traefik.CENSORED_DOMAIN] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=traefik@file rule=Host(`traefik.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384 > Trying to challenge certificate for domain [webcam.CENSORED_DOMAIN] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=rpi_camera_web_interface@file rule=Host(`webcam.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["webcam.CENSORED_DOMAIN"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=rpi_camera_web_interface@file rule=Host(`webcam.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["webcam.CENSORED_DOMAIN"] providerName=lets_encrypt.acme routerName=rpi_camera_web_interface@file rule=Host(`webcam.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["pi-hole.CENSORED_DOMAIN"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=pi-hole@file rule=Host(`pi-hole.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["pi-hole.CENSORED_DOMAIN"] providerName=lets_encrypt.acme routerName=pi-hole@file rule=Host(`pi-hole.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["traefik.CENSORED_DOMAIN"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets_encrypt.acme routerName=traefik@file rule=Host(`traefik.CENSORED_DOMAIN`)
2024-05-05T14:11:20Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.CENSORED_DOMAIN"] providerName=lets_encrypt.acme routerName=traefik@file rule=Host(`traefik.CENSORED_DOMAIN`)
2024-05-05T14:16:32Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:452 > IP 141.98.11.F is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=web
2

Have you tried tlsChallenge?

3

I cannot use tlschallenge because the main domain is not mine but it is something like a dyndns service

4

DynDNS usually just resolves to an IP, so tlsChallnge should be possible, dnsChallenge not.