Traefik dashboard not using certificate

Since I've got a domain whose DNS is managed by Cloudflare, I wanted to use wildcard certificates for all my services behind Traefik. That includes my local services like Portainer, Uptime Kuma and also the Traefik dashboard. I've got the following files:

# docker-compose.yml
version: "3"

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 53:53/udp
      - 53:53/tcp
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/configurations:/configurations
    environment:
      - CF_DNS_API_TOKEN=<MY_CLOUDFLARE_API_KEY>
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file,safe-ipwhitelist@file"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.routers.portainer-secure.middlewares=safe-ipwhitelist@file"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

networks:
  proxy:
    external: true

# traefik.yml
api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: cloudflare

  dns:
    address: :53

  dns-udp:
    address: :53/udp

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: <MY_EMAIL>
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

# dynamic.yml
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        customFrameOptionsValue: "SAMEORIGIN"

    user-auth:
      basicAuth:
        users: <MY_BASIC_AUTH>

    safe-ipwhitelist:
      ipWhiteList:
        sourceRange: <MY_IP_WHITELIST>

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      minVersion: VersionTLS12
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

Everything works as expected. My services, which are exposed to the internet, get a valid certificate, and my local services get certificates too, the only exception being the Traefik dashboard. And if I check the TLS rules for the routes in Traefik, the one for Portainer has cloudflare listed as the certificate resolver:

While this block is missing for the Traefik dashboard:

Anyone got an idea on how to fix this/what the problem is?

Thanks!

A little embarrassing to stumble upon the solution minutes after creating a post, but oh well.
I managed to achieve what I wanted (the Traefik dashboard getting a valid certificate via Cloudflare) by mapping the domains to a dummy router using the noop@internal service.

So instead of

# docker-compose.yml
[...]
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
[...]

I changed it to

# docker-compose.yml
[...]
      - "traefik.http.routers.whoami-secure.service=noop@internal"
      - "traefik.http.routers.whoami-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.whoami-secure.tls.domains[0].sans=*.mydomain.com"
[...]

And now it's working as I wanted it to 🙂
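A quick way to confirm the fix from the client side, added here as an example and not part of the post: connect with SNI set to the router's Host() name and classify the leaf certificate Traefik actually serves. Traefik's built-in fallback certificate carries the common name `TRAEFIK DEFAULT CERT`, which is what the dashboard served before; the hostnames below are constructed placeholders.

```python
"""Report which certificate a Traefik router serves for a given hostname."""
import hashlib
import socket
import ssl


def san_covers(san_names, hostname):
    """True if a DNS SAN (exact, or a single-label wildcard) matches hostname."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            # *.mydomain.com covers traefik.mydomain.com, but neither
            # mydomain.com itself nor a.b.mydomain.com
            suffix = name[1:]
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def evaluate_cert(cert, hostname):
    """Classify a cert dict in the shape ssl.SSLSocket.getpeercert() returns."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), "")
    if cn == "TRAEFIK DEFAULT CERT":
        return "traefik-default"      # router has no usable resolver/cert
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return "covers" if san_covers(sans, hostname) else "wrong-name"


def probe(hostname, port=443):
    """Fetch the leaf cert with SNI=hostname; returns (status, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # we do the name check ourselves above
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return evaluate_cert(cert, hostname), cert.get("issuer")
    except ssl.SSLCertVerificationError as exc:
        # chain not trusted (e.g. the self-signed default cert): reconnect
        # without verification only to fingerprint what was served
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
        return "untrusted", f"{exc.reason}; sha256={hashlib.sha256(der).hexdigest()}"
```

Run `probe("traefik.mydomain.com")` against your own host: "covers" with a Let's Encrypt issuer means the wildcard certificate is in place, while "untrusted" points back at the default certificate.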
