Traefik dashboard gets letsencrypt certificate but whoami doesn't

Hi everyone
I have a Docker Swarm cluster with the managers on one network and the workers on another. The SSL certificates are stored on an NFS server which is on the same network as the worker nodes. There is an overlay network which the services use. File/folder permissions are set correctly and acme.json to 600. All servers can connect to the NFS server and access locations.
When I launch the Traefik stack deploy, only the dashboard gets an SSL certificate from Let's Encrypt. Whoami and other domains don't. The Traefik instances are running on the manager nodes and whoami on the worker nodes. Not sure where I'm going wrong, but any help would be greatly appreciated.
Here is the error I get:

error: one or more domains had a problem:\n[whoami.domain.com] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:tls :: During secondary validation: remote error: tls: unrecognized name

Here is my docker compose file:

services:
  traefik:
    image: traefik:3.3.6
    networks:
      - proxynet   # must match the external network declared at the bottom
    ports:
      - 80:80
      - 443:443
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm=true
      - --providers.swarm.network=proxynet
      - --providers.swarm.exposedByDefault=false
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.webinsecure.http.redirections.entrypoint.to=websecure
      - --entrypoints.webinsecure.http.redirections.entrypoint.scheme=https
      - --entrypoints.webinsecure.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.dashboard.address=:8181
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=email@mydomain.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      # - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    deploy:
      mode: global              # one Traefik instance per manager node
      placement:
        constraints:
          - node.role==manager
      labels:
        - traefik.enable=true
        - traefik.environment=cloud
        - traefik.http.routers.dashboard.entrypoints=websecure
        - traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.com`)
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.services.dashboard.loadbalancer.server.port=8181
        - traefik.http.routers.dashboard.middlewares=auth
        - traefik.http.middlewares.auth.basicauth.users=user:pin
    volumes:
      - ./traefik/logs:/var/log
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/ssl/acme.json:/letsencrypt/acme.json

  whoami:
    image: traefik/whoami
    networks:
      - proxynet
    deploy:
      mode: global              # one whoami instance per worker node
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - traefik.enable=true
        - traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)
        - traefik.http.services.whoami.loadbalancer.server.port=80

networks:
  proxynet:
    external: true

Traefik CE cannot handle distributed/clustered LetsEncrypt. So you can’t have multiple Traefik instances using httpChallenge or tlsChallenge. The external LetsEncrypt challenge will usually end up on the wrong instance, which will not reload the acme.json file and therefore does not know the challenge.

You can use dnsChallenge, but every instance will get its own unique cert (note the limit of 5). Example.

Alternatively you can create the certs externally (certbot, etc.) and just load them via dynamic config file.
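The reply above says the challenge lands on an instance that does not hold the certificate. A way to see that from the outside is to connect to each manager node with the hostname as SNI and record what each Traefik instance presents. The script below is an added diagnostic, not part of this thread or of Traefik: the hostname, port and node addresses are arguments you supply, and it assumes `openssl` is installed and that the issuer chain is trusted by the local CA bundle (otherwise a real certificate is reported as `other`). A plain probe without ACME ALPN shows `valid` on the instance that obtained the Let's Encrypt certificate and `default-cert` (Traefik's self-signed "TRAEFIK DEFAULT CERT") on the others; `unrecognized-name` is the handshake alert quoted in the error message.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original thread): probe every node running a
# Traefik instance with TLS SNI for one hostname and report what each instance
# presents. With several Traefik CE instances and tlsChallenge, only the
# instance that requested the certificate holds it.
set -u

# Classify the text output of `openssl s_client` read from stdin.
# Prints exactly one of: valid, unrecognized-name, default-cert, other
classify_probe() {
  local out
  out=$(cat)
  if printf '%s' "$out" | grep -q 'unrecognized name'; then
    echo unrecognized-name            # TLS alert: no certificate for this SNI
  elif printf '%s' "$out" | grep -q 'TRAEFIK DEFAULT CERT'; then
    echo default-cert                 # Traefik fell back to its self-signed cert
  elif printf '%s' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo valid                        # trusted chain for the requested name
  else
    echo other                        # connection refused, untrusted chain, ...
  fi
}

# Probe one node: $1 = node IP/hostname, $2 = port, $3 = SNI hostname.
probe_node() {
  local node=$1 port=$2 sni=$3
  # -servername sends the same SNI that the Let's Encrypt validators send.
  openssl s_client -connect "${node}:${port}" -servername "$sni" \
    </dev/null 2>&1 | classify_probe
}

# Probe every node and print one verdict per line.
# Usage: probe_all whoami.mydomain.com 443 10.0.0.11 10.0.0.12 10.0.0.13
#        (addresses are placeholders; use your manager nodes)
probe_all() {
  local sni=$1 port=$2; shift 2
  local node verdict rc=0
  for node in "$@"; do
    verdict=$(probe_node "$node" "$port" "$sni")
    printf '%-20s %s\n' "$node" "$verdict"
    [ "$verdict" = valid ] || rc=1
  done
  return $rc   # non-zero if any instance cannot serve the hostname
}

# Only probe when a hostname, port and at least one node are given.
[ $# -lt 3 ] || probe_all "$@"
```

If every manager node must answer `valid` for the ACME validators (which may connect to any of them), the output makes the mismatch visible: typically one node is `valid` and the rest are `default-cert`, which is the situation the reply describes.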

Good day and thanks for your response.
So let me try to understand this: If I have two physical networks - one for the managers and one for the workers - and have a single Traefik instance spanning both physical networks via a single overlay network, won't this work? I am able to create the swarm and all nodes can communicate, except Traefik won't work.
If this isn't possible then I'll have to try the DNS challenge, albeit I was hoping not to use services like Cloudflare or similar. I have a WireGuard tunnel to my homelab and I prefer it that way.
Thanks in advance

Let’s try again.

Traefik in Swarm needs to be on manager node to be able to discover other Swarm services. (Or you run a Docker socket proxy.)

Swarm manager and workers have to be connected with an overlay network, Traefik and target services connected to it.

Make sure the Docker overlay network MTU is set correctly, especially when using a VPN. Check with a ping using a 2000-byte payload.

When running a single Traefik instance, you can run simple tlsChallenge to create LetsEncrypt TLS certs. Traefik will read the domains from .rule=Host().

Check the simple Traefik Swarm example, which is intended for a single manager.
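To make the MTU check from this reply repeatable, here is an added script that is not part of the thread or of Docker/Traefik. It assumes Linux iputils `ping`, IPv4, and a VXLAN-based Docker overlay (50 bytes of encapsulation per frame, which is why Docker's default overlay MTU is 1450 on a 1500-byte link); the overlay network name, the VPN interface and the target address are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): compare the Docker overlay MTU with what
# the underlay (e.g. a WireGuard link) can carry, and run the fragmentation
# ping the reply suggests. Assumes Linux ping(8), IPv4, VXLAN overlay.
set -u

VXLAN_OVERHEAD=50     # 14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN header
ICMP_IPV4_HEADERS=28  # 20 IPv4 + 8 ICMP; `ping -s` sizes only the payload

# Largest overlay MTU whose VXLAN frames still fit the underlay MTU ($1).
recommended_overlay_mtu() {
  echo $(( $1 - VXLAN_OVERHEAD ))
}

# Read the MTU Docker assigned to an overlay network from `docker network
# inspect` JSON on stdin; falls back to Docker's overlay default of 1450
# when the option com.docker.network.driver.mtu is not set.
overlay_mtu_from_inspect() {
  local mtu
  mtu=$(grep -o '"com.docker.network.driver.mtu": *"[0-9]*"' \
        | grep -o '[0-9][0-9]*' | head -1 || true)
  echo "${mtu:-1450}"
}

# Prints "ok" or "too-large" for overlay MTU $1 over underlay MTU $2.
mtu_verdict() {
  local want
  want=$(recommended_overlay_mtu "$2")
  if [ "$1" -gt "$want" ]; then
    echo too-large
  else
    echo ok
  fi
}

# Fragmentation probe from the reply: a 2000-byte payload has to be split and
# reassembled; lost replies mean fragments are dropped on the path, which is
# the usual symptom of a VPN MTU mismatch.
ping_fragmented() {  # $1 = target (container IP or peer node)
  ping -c 3 -s 2000 "$1"
}

# Do-not-fragment probe sized exactly to MTU $2: succeeds at the real path
# MTU and fails at MTU+1, so you can confirm what the path actually carries.
ping_df_at_mtu() {  # $1 = target, $2 = MTU to test
  ping -c 3 -M do -s $(( $2 - ICMP_IPV4_HEADERS )) "$1"
}

# Usage: ./check_mtu.sh proxynet wg0 10.0.1.5   (interface/address placeholders)
if [ $# -eq 3 ]; then
  overlay=$(docker network inspect "$1" | overlay_mtu_from_inspect)
  underlay=$(cat "/sys/class/net/$2/mtu")
  echo "overlay $1 MTU=$overlay, underlay $2 MTU=$underlay," \
       "recommended <= $(recommended_overlay_mtu "$underlay"):" \
       "$(mtu_verdict "$overlay" "$underlay")"
  ping_fragmented "$3"
fi
```

If the verdict is `too-large`, the overlay network has to be recreated with a smaller MTU (`docker network create --driver overlay --opt com.docker.network.driver.mtu=<value> proxynet`, where the value is the recommended figure printed above); Docker does not change the MTU of an existing network.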