Traefik dashboard returns 404 page not found + TLS handshake error: remote error: tls: bad certificate (traefik + bind9 + docker-compose + CloudFlare + Let's Encrypt)

I configured Traefik in docker using the guide: Put Wildcard Certificates and SSL on EVERYTHING - Traefik Tutorial

But when trying to access the dashboard - I see an error: 404 Page not found

A small description of the configuration I have (to understand what I want to do):

I have a domain example.com. I created a global subdomain on it, local.example.com, and sent it to the server IP (my work computer and the server are the same, I do all the actions on the server).

On the server itself there is bind9, which in my local zone local.example.com assigns local subdomains to servers on the intra-container IP address 10.20.3.4 and *.servers, so that the local game servers that were created using Pterodactyl have a local subdomain server1.servers.local.example.com.
And I also made a local subdomain for Traefik, so that only I could log into it locally from the host machine.

  1. I have a MikroTik router that stands between my local home network and access to the global Internet; a static IP serves as access to the global Internet: 93...***
    The router, using fixed DHCP, assigns to my physical computer (= the server) the IP 192.168.88.253
    Important: the firewall on the MikroTik is disabled (temporarily, while I'm testing the launch and activation of traefik+bind9+pterodactyl).
  2. Next comes the physical server = my computer on the Ubuntu operating system, in which the firewall is also disabled. Bind9 and Traefik are on it.

Docker containers with bind9 and traefik do not have access to the local home network, but have access to proxy1 and dns-network networks (bind9 network).
Inside the dns network, the local ip zone is different: 10.20.0.0/8
That's where the grafting of these ip subdomains takes place. And already the output traffic from these networks is carried out by docker-compose in which ports 80,443,53 are open. It is through the ports that traffic is exchanged with the local and, if I want, even with the global Internet.

I have asked this question on several forums:

  1. Docker Forum
  2. Traefik Forum
  3. AskUbuntu Forum
  4. StackOverFlow Forum
  5. ServerFault Forum

I've tried everything:

  1. disabled the firewall in ubuntu and in the router
  2. Tried to log in from both local ip and local machine ip: localhost and 192.168.88.253
  3. I configured docker compose file so that both Traefik and bind9 were in the same network and even configured a subdomain in bind 9 adding Traefik-dashboard entry to it.
    I couldn't access Traefik dashboard from the domain, and still can't. However, I can't enter it either by local ip and localhost.

Below I'll give you all my tips, including docker-compose files, error logs, etc.
I would be very grateful if you could point out my flaws and help me solve this problem.

Let's start with traefik docker-compose.yml:

traefik docker-compose.yml
version: '3.8'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy1:
      dns-server_dns-network:
        ipv4_address: 10.20.3.5
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=****@protonmail.com
      - CF_DNS_API_TOKEN=mdc3Xlhxpuidm***
      # - CF_API_KEY=YOUR_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/data/traefik.yml:/traefik.yml:ro
      - /root/traefik/data/acme.json:/acme.json
      - /root/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.****.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:BASIC_AUTH_PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.****.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.****.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.****.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  dns-server_dns-network:
    external: true
  proxy1:
    external: true

I'll give you a little explanation:
dns-server_dns-network is the network of the dns-server (bind9), which is also inside the docker container, but a different one. In this case it is necessary to assign a local subdomain and everything would work correctly.
proxy1 - network of Traefik itself.

Traefik config.yml
http:
  #region routers
  routers:
    bind9:
      entryPoints:
        - "https"
      rule: "Host(`bind9.local.*****.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: bind9
    pterodactyl:
      entryPoints:
        - "https"
      rule: "Host(`pterodactyl.local.*****.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: pterodactyl
  #endregion
  #region services
  services:
    bind9:
      loadBalancer:
        servers:
          - url: "https://10.20.3.2:53"
        passHostHeader: true
    pterodactyl:
      loadBalancer:
        servers:
          - url: "http://10.20.3.6:8082"
        passHostHeader: true
  #endregion
  middlewares:
    addprefix-pihole:
      addPrefix:
        prefix: "/admin"
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    redirectregex-pihole:
      redirectRegex:
        regex: /admin/$
        replacement: /

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.88.0/24"
        - "172.16.0.0/12"

    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

Traefik.yml
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: ****@protonmail.com
      storage: acme.json
      dnsChallenge:
        delayBeforeCheck: 5
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables>
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

acme.json file
{
  "cloudflare": {
    "Account": {
      "Email": "*****@protonmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:****@protonmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1308****76"
      },
      "PrivateKey": "MIIJKQ**********fhYGyV2xowwa/O9WSHf+3GU>
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "local.*****.com",
          "sans": [
            "*.local.*****.com"
          ]
        },
        "certificate": "LS0tLS1C***********N3VUEKTURJ>
        "key": "LS0tLS1CRUdJTiBS*******Bejk4bzdCeTBtCnhLVFFC>
        "Store": "default"
      }
    ]
  }
}

If you run Traefik with a container, there is nothing in the logs:

root@riven:~/traefik/data# docker logs --tail=100 traefik
time="2023-09-14T03:47:43+03:00" level=info msg="Configuration loaded from file: /traefik.yml"

However, if you write restart, errors will appear in the logs:

root@riven:~/traefik/data# docker restart traefik
traefik
root@riven:~/traefik/data# docker logs --tail=100 traefik
time="2023-09-14T03:47:43+03:00" level=info msg="Configuration loaded from file: /traefik.yml"
time="2023-09-14T14:37:35+03:00" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=http
time="2023-09-14T14:37:35+03:00" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=https
time="2023-09-14T14:37:35+03:00" level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=http
time="2023-09-14T14:37:35+03:00" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=https
time="2023-09-14T14:37:36+03:00" level=info msg="Configuration loaded from file: /traefik.yml"

Just in case, here's a list of all the containers:

root@riven:~/dns-server/config# docker ps -a
CONTAINER ID   IMAGE                 COMMAND                  CREATED        STATUS          PORTS                                                                           NAMES
78296a683271   traefik:latest        "/entrypoint.sh trae…"   11 hours ago   Up 25 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp        traefik
5c3081b0c7df   ubuntu/bind9:latest   "docker-entrypoint.sh"   12 hours ago   Up 8 minutes    0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp, :::53->53/tcp, :::53->53/udp, 953/tcp   dns-server

Now let's move on to the dns server bind9, which is also running in a container:

bind9 docker-compose.yml
version: '3'

networks:
  dns-network:
    driver: bridge
    ipam:
      config:
        - subnet: 10.20.0.0/16

services:
  bind9:
    container_name: dns-server
    image: ubuntu/bind9:latest
    environment:
      - BIND9_USER=root
      - TZ=Europe/Moscow
    networks:
      dns-network:
        ipv4_address: 10.20.3.2
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./config:/etc/bind
      - ./cache:/var/cache/bind
      - ./records:/var/lib/bind
    restart: unless-stopped

named.conf file
acl internal {
    10.10.0.0/16;
    10.11.0.0/16;
    10.20.0.0/16;
    10.50.0.0/16;
    192.168.88.0/24;
};

options {
    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
    allow-query { internal; };
};

zone "local.*****.com" IN {
    type master;
    file "/etc/bind/local-*****-com.zone";
};

local-*****-com.zone file
$TTL 2D

$ORIGIN local.*****.com.

@       IN      SOA     ns.local.*****.com.  admin.*****.com. (
                        2023083100      ; serial
                        12h             ; refresh
                        15m             ; retry
                        3w              ; expire
                        2h              ; minimum ttl
)

        IN      NS      ns.local.*****.com.

ns      IN      A       10.20.3.2

; -- add dns records below

servers IN      A       10.20.3.4
*.servers IN    A       10.20.3.4
traefik-dashboard IN A 10.20.3.5

Bind9 logs
root@riven:~/dns-server/config# docker logs --tail=200 dns-server
    Starting named...
    exec /usr/sbin/named -u "root" "-g" ""
    14-Sep-2023 14:54:56.133 starting BIND 9.18.12-1ubuntu1.1-Ubuntu (Extended Support Version) <id:>
    14-Sep-2023 14:54:56.133 running on Linux x86_64 6.2.0-32-generic #32~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 18 10:40:13 UTC 2
    14-Sep-2023 14:54:56.133 built with  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-2zwQl8/bind9-9.18.12=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/build/bind9-2zwQl8/bind9-9.18.12=/usr/src/bind9-1:9.18.12-1ubuntu1.1 -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
    14-Sep-2023 14:54:56.133 running as: named -u root -g
    14-Sep-2023 14:54:56.133 compiled by GCC 12.2.0
    14-Sep-2023 14:54:56.133 compiled with OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
    14-Sep-2023 14:54:56.133 linked to OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
    14-Sep-2023 14:54:56.133 compiled with libxml2 version: 2.9.14
    14-Sep-2023 14:54:56.133 linked to libxml2 version: 20914
    14-Sep-2023 14:54:56.133 compiled with json-c version: 0.16
    14-Sep-2023 14:54:56.133 linked to json-c version: 0.16
    14-Sep-2023 14:54:56.133 compiled with zlib version: 1.2.13
    14-Sep-2023 14:54:56.133 linked to zlib version: 1.2.13
    14-Sep-2023 14:54:56.133 ----------------------------------------------------
    14-Sep-2023 14:54:56.133 BIND 9 is maintained by Internet Systems Consortium,
    14-Sep-2023 14:54:56.133 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
    14-Sep-2023 14:54:56.133 corporation.  Support and training for BIND 9 are 
    14-Sep-2023 14:54:56.133 available at https://www.isc.org/support
    14-Sep-2023 14:54:56.133 ----------------------------------------------------
    14-Sep-2023 14:54:56.133 found 8 CPUs, using 8 worker threads
    14-Sep-2023 14:54:56.133 using 8 UDP listeners per interface
    14-Sep-2023 14:54:56.133 DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
    14-Sep-2023 14:54:56.133 DS algorithms: SHA-1 SHA-256 SHA-384
    14-Sep-2023 14:54:56.133 HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
    14-Sep-2023 14:54:56.133 TKEY mode 2 support (Diffie-Hellman): yes
    14-Sep-2023 14:54:56.133 TKEY mode 3 support (GSS-API): yes
    14-Sep-2023 14:54:56.137 config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future
    14-Sep-2023 14:54:56.137 loading configuration from '/etc/bind/named.conf'
    14-Sep-2023 14:54:56.137 unable to open '/etc/bind/bind.keys'; using built-in keys instead
    14-Sep-2023 14:54:56.137 looking for GeoIP2 databases in '/usr/share/GeoIP'
    14-Sep-2023 14:54:56.137 using default UDP/IPv4 port range: [32768, 60999]
    14-Sep-2023 14:54:56.137 using default UDP/IPv6 port range: [32768, 60999]
    14-Sep-2023 14:54:56.137 listening on IPv4 interface lo, 127.0.0.1#53
    14-Sep-2023 14:54:56.141 listening on IPv4 interface eth0, 10.20.3.2#53
    14-Sep-2023 14:54:56.141 Could not open '//run/named/named.pid'.
    14-Sep-2023 14:54:56.141 Please check file and directory permissions or reconfigure the filename.
    14-Sep-2023 14:54:56.141 could not open file '//run/named/named.pid': Permission denied
    14-Sep-2023 14:54:56.141 generating session key for dynamic DNS
    14-Sep-2023 14:54:56.141 Could not open '//run/named/session.key'.
    14-Sep-2023 14:54:56.141 Please check file and directory permissions or reconfigure the filename.
    14-Sep-2023 14:54:56.141 could not open file '//run/named/session.key': Permission denied
    14-Sep-2023 14:54:56.141 could not create //run/named/session.key
    14-Sep-2023 14:54:56.141 failed to generate session key for dynamic DNS: permission denied
    14-Sep-2023 14:54:56.141 sizing zone task pool based on 1 zones
    14-Sep-2023 14:54:56.141 none:99: 'max-cache-size 90%' - setting to 57829MB (out of 64255MB)
    14-Sep-2023 14:54:56.141 using built-in root key for view _default
    14-Sep-2023 14:54:56.141 set up managed keys zone for view _default, file 'managed-keys.bind'
    14-Sep-2023 14:54:56.141 automatic empty zone: 10.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 16.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 17.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 18.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 19.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 20.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 21.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 22.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 23.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 24.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 25.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 26.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 27.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 28.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 29.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 30.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 31.172.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 168.192.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 64.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 65.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 66.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 67.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 68.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 69.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 70.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 71.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 72.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 73.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 74.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 75.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 76.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 77.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 78.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 79.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 80.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 81.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 82.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 83.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 84.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 85.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 86.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 87.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 88.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 89.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 90.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 91.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 92.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 93.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 94.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 95.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 96.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 97.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 98.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 99.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 100.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 101.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 102.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 103.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 104.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 105.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 106.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 107.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 108.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 109.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 110.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 111.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 112.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 113.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 114.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 115.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 116.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 117.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 118.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 119.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 120.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 121.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 122.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 123.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 124.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 125.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 126.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 127.100.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 0.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 127.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 254.169.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 2.0.192.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.141 automatic empty zone: 100.51.198.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 113.0.203.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: D.F.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 8.E.F.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 9.E.F.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: A.E.F.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: B.E.F.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: EMPTY.AS112.ARPA
    14-Sep-2023 14:54:56.145 automatic empty zone: HOME.ARPA
    14-Sep-2023 14:54:56.145 configuring command channel from '/etc/bind/rndc.key'
    14-Sep-2023 14:54:56.145 command channel listening on 127.0.0.1#953
    14-Sep-2023 14:54:56.145 configuring command channel from '/etc/bind/rndc.key'
    14-Sep-2023 14:54:56.145 command channel listening on ::1#953
    14-Sep-2023 14:54:56.145 not using config file logging statement for logging due to -g option
    14-Sep-2023 14:54:56.145 managed-keys-zone: loaded serial 2
    14-Sep-2023 14:54:56.149 zone local.*****.com/IN: loaded serial 2023083100
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:1::53#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:dc3::35#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:503:ba3e::2:30#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:7fe::53#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:12::d0d#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:2::c#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:2f::f#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:a8::e#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:9f::42#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:7fd::1#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:503:c27::2:30#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:200::b#53
    14-Sep-2023 14:54:56.149 address not available resolving './NS/IN': 2001:500:2d::d#53
    14-Sep-2023 14:54:56.153 all zones loaded
    14-Sep-2023 14:54:56.153 running
    14-Sep-2023 14:54:56.173 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
    14-Sep-2023 14:54:56.177 resolver priming query complete: success

All my networks
root@riven:~/dns-server/config# docker network ls
NETWORK ID     NAME                     DRIVER    SCOPE
bed0ea1726ee   bridge                   bridge    local
37f54b168f7e   dns-server_dns-network   bridge    local
8db2a758902a   host                     host      local
d5d2a3a56006   none                     null      local
44f6196d71d9   proxy1                   bridge    local

Checking ip addresses of containers
root@riven:~/dns-server/config# docker ps -a
CONTAINER ID   IMAGE                 COMMAND                  CREATED        STATUS          PORTS                                                                           NAMES
78296a683271   traefik:latest        "/entrypoint.sh trae…"   11 hours ago   Up 25 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp        traefik
5c3081b0c7df   ubuntu/bind9:latest   "docker-entrypoint.sh"   12 hours ago   Up 8 minutes    0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp, :::53->53/tcp, :::53->53/udp, 953/tcp   dns-server
root@riven:~/dns-server/config# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' 78296a683271
10.20.3.5172.18.0.2
root@riven:~/dns-server/config# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' 5c3081b0c7df
10.20.3.2

But as you can see DNS server is working fine, you can see it from nslookup queries:

nslookup queries
root@riven:~/dns-server/config# nslookup local.*****.com
Server:         192.168.88.1
Address:        192.168.88.1#53

Non-authoritative answer:
Name:   local.*****.com
Address: 91.***.***.1*4

root@riven:~/dns-server/config# nslookup servers.local.*****.com 10.20.3.2
Server:         10.20.3.2
Address:        10.20.3.2#53

Name:   servers.local.*****.com
Address: 10.20.3.4

root@riven:~/dns-server/config# nslookup traefik-dashboard.local.*****.com 10.20.3.2
Server:         10.20.3.2
Address:        10.20.3.2#53

Name:   traefik-dashboard.local.*****.com
Address: 10.20.3.5

Also, if I go to the local domain (local.*****.com), I see my MikroTik router page.

But if I go into the traefik panel, I see that nothing is working:

curl output:

Note that I am doing all of the above from the local host machine, with the Ubuntu firewall (UFW) completely disabled.
And also with the MikroTik firewall disabled!

I have no idea what I did wrong or how to make it all work. At least how to make the Traefik panel work. I would be grateful for help and advice.
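
An added example, not part of the original post and not Traefik's own code: Traefik answers "404 page not found" when no router rule matches the request's Host, and a wildcard certificate name covers exactly one extra label. The Python check below applies both rules to a constructed copy of the router labels above (example.com replaces the redacted domain; only plain Host(`...`) matchers are handled; all helper names are hypothetical).

```python
import re

# Constructed copy of the router labels from the Traefik compose file above;
# example.com stands in for the redacted domain.
LABELS = [
    "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)",
    "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)",
    "traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.com",
    "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.com",
]

RULE_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.rule=(.*)$")
HOST_CALL_RE = re.compile(r"\bHost\(([^)]*)\)")
CERT_RE = re.compile(
    r"^traefik\.http\.routers\.[^.]+\.tls\.domains\[\d+\]\.(?:main|sans)=(.*)$")


def router_hosts(labels):
    """Map router name -> set of hostnames listed in its Host(`...`) matchers."""
    routers = {}
    for label in labels:
        m = RULE_RE.match(label)
        if m:
            name, rule = m.groups()
            hosts = set()
            for args in HOST_CALL_RE.findall(rule):
                hosts.update(h.lower() for h in re.findall(r"`([^`]+)`", args))
            routers[name] = hosts
    return routers


def cert_domains(labels):
    """Collect the main/sans names requested from the certificate resolver."""
    names = []
    for label in labels:
        m = CERT_RE.match(label)
        if m:
            names.extend(n.strip().lower() for n in m.group(1).split(",") if n.strip())
    return names


def covers(pattern, hostname):
    """Certificate name match: a leading '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def strip_port(host_header):
    """Drop an optional :port from a Host header value (IPv6 literals are left alone)."""
    host = host_header.strip().lower().rstrip(".")
    if not host.startswith("[") and host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def diagnose(labels, host_header):
    """Report which routers match the Host and which certificate names cover it."""
    host = strip_port(host_header)
    matched = sorted(n for n, hosts in router_hosts(labels).items() if host in hosts)
    return {
        "host": host,
        "routers": matched,
        # No matching router means Traefik's built-in 404 response.
        "http": "routed" if matched else "404 (no router matched)",
        # An empty list means none of the requested names fits this hostname.
        "cert_names": [d for d in cert_domains(labels) if covers(d, host)],
    }


if __name__ == "__main__":
    # The hostnames tried in the post, plus a second-level name under *.servers.
    for tried in ("traefik-dashboard.local.example.com", "localhost",
                  "192.168.88.253", "server1.servers.local.example.com"):
        print(diagnose(LABELS, tried))
```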

Welcome to this beautiful Traefik community forum after your visit to the Docker forum.

Let's start from the bottom: your full traefik-dashboard.* domain does not work. That error says it can't connect, so the target IP is not reachable or the port is not opened. You wrote about a private DNS server. Did you set up the sub-domain with the correct IP address in your private DNS server? Is your browser able to reach your private DNS server and connect to Traefik running inside Docker?

What do you want to achieve? Why do you use a private DNS server? Are you aware that you can use a regular public DNS server and create sub-domains that point to your private IP, so only you can connect to the servers internally? And you seem to plan to use Cloudflare for Let's Encrypt; that would only work with a public DNS server, anyway.

NEW UPDATE (15 SEPT 2023)

traefik-access.log
192.168.88.253 - - [15/Sep/2023:12:43:14 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 1 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:16 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 2 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:16 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 3 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:16 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 4 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:34 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 5 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:34 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 6 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:43:35 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 7 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:43:39 +0000] "GET /dashboard/? HTTP/2.0" 404 19 "-" "-" 8 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:47:40 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 1 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:47:41 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 2 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:47:42 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 3 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:46 +0000] "GET /dashboard/? HTTP/2.0" 404 19 "-" "-" 4 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:48 +0000] "GET /dashboard/? HTTP/2.0" 404 19 "-" "-" 5 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:48 +0000] "GET /dashboard/? HTTP/2.0" 404 19 "-" "-" 6 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:50 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 7 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:50 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 8 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:50 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 9 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:52 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 10 "-" "-" 0ms
10.20.0.1 - - [15/Sep/2023:12:47:52 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 11 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:48:12 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 12 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:48:12 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 13 "-" "-" 0ms
192.168.88.253 - - [15/Sep/2023:12:48:12 +0000] "GET /dashboard/? HTTP/2.0" - - "-" "-" 14 "-" "-" 0ms
traefik.log
time="2023-09-15T15:45:52+03:00" level=info msg="Traefik version 2.10.4 built on 2023-07-24T16:29:02Z"
time="2023-09-15T15:45:52+03:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"watch\":true,\"filename\":\"/config.yml\"}},\"api\":{\"dashboard\":true,\"debug\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/var/log/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/var/log/traefik-access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"certificatesResolvers\":{\"cloudflare\":{\"acme\":{\"email\":\"Ther1ven@protonmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"delayBeforeCheck\":\"5s\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}}}"
time="2023-09-15T15:45:52+03:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-09-15T15:45:52+03:00" level=debug msg="Starting TCP Server" entryPointName=http
time="2023-09-15T15:45:52+03:00" level=debug msg="Starting TCP Server" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider *file.Provider"
time="2023-09-15T15:45:52+03:00" level=debug msg="*file.Provider provider configuration: {\"watch\":true,\"filename\":\"/config.yml\"}"
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider *traefik.Provider"
time="2023-09-15T15:45:52+03:00" level=debug msg="*traefik.Provider provider configuration: {}"
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider *docker.Provider"
time="2023-09-15T15:45:52+03:00" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-09-15T15:45:52+03:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-09-15T15:45:52+03:00" level=info msg="Starting provider *acme.Provider"
time="2023-09-15T15:45:52+03:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"Ther1ven@protonmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"cloudflare\",\"delayBeforeCheck\":\"5s\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"cloudflare\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-09-15T15:45:52+03:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-09-15T15:45:52+03:00" level=info msg="Testing certificate renew..." providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-09-15T15:45:52+03:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"bind9\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"default-headers\",\"https-redirectscheme\"],\"service\":\"bind9\",\"rule\":\"Host(`bind9.local.*****.com`)\",\"tls\":{}},\"pterodactyl\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"default-headers\",\"https-redirectscheme\"],\"service\":\"pterodactyl\",\"rule\":\"Host(`pterodactyl.local.*****.com`)\",\"tls\":{}}},\"services\":{\"bind9\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://10.20.3.2:53\"}],\"passHostHeader\":true}},\"pterodactyl\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.20.3.6:8082\"}],\"passHostHeader\":true}}},\"middlewares\":{\"addprefix-pihole\":{\"addPrefix\":{\"prefix\":\"/admin\"}},\"default-headers\":{\"headers\":{\"customRequestHeaders\":{\"X-Forwarded-Proto\":\"https\"},\"stsSeconds\":15552000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"frameDeny\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true}},\"default-whitelist\":{\"ipWhiteList\":{\"sourceRange\":[\"10.0.0.0/8\",\"192.168.88.0/24\",\"172.16.0.0/12\"]}},\"https-redirectscheme\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"idrac\":{\"headers\":{\"customRequestHeaders\":{\"X-Forwarded-Proto\":\"https\"},\"stsSeconds\":15552000,\"stsIncludeSubdomains\":true,\"forceSTSHeader\":true,\"frameDeny\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"browserXssFilter\":true}},\"redirectregex-pihole\":{\"redirectRegex\":{\"regex\":\"/admin/$\",\"replacement\":\"/\"}},\"secured\":{\"chain\":{\"middlewares\":[\"default-whitelist\",\"default-headers\"]}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
time="2023-09-15T15:45:52+03:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"http-to-https\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"redirect-http-to-https\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"redirect-http-to-https\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-09-15T15:45:52+03:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=cloudflare.acme
time="2023-09-15T15:45:52+03:00" level=debug msg="Provider connection established with docker 24.0.5 (API 1.43)" providerName=docker
time="2023-09-15T15:45:52+03:00" level=debug msg="Filtering disabled container" container=bind9-dns-server-5c3081b0c7df5ccbfda73c4f97d37cee5041b0affd068f0a6e555fcb01970a72 providerName=docker
time="2023-09-15T15:45:52+03:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"traefik-https-redirect\"],\"service\":\"traefik-traefik\",\"rule\":\"Host(`traefik-dashboard.local.*****.com`)\"},\"traefik-secure\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefik-auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik-dashboard.local.*****.com`)\",\"tls\":{\"certResolver\":\"cloudflare\",\"domains\":[{\"main\":\"local.*****.com\",\"sans\":[\"*.local.*****.com\"]}]}}},\"services\":{\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"sslheader\":{\"headers\":{\"customRequestHeaders\":{\"X-Forwarded-Proto\":\"https\"}}},\"traefik-auth\":{\"basicAuth\":{\"users\":[\"USER:BASIC_AUTH_PASSWORD\"]}},\"traefik-https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-09-15T15:45:52+03:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder entryPointName=http routerName=http-to-https@internal middlewareName=tracing
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=http routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https 443" entryPointName=http routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https routerName=pterodactyl@file middlewareName=pipelining middlewareType=Pipelining serviceName=pterodactyl
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating load-balancer" serviceName=pterodactyl entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating server 0 http://10.20.3.6:8082" entryPointName=https routerName=pterodactyl@file serviceName=pterodactyl serverName=0
time="2023-09-15T15:45:52+03:00" level=debug msg="child http://10.20.3.6:8082 now UP"
time="2023-09-15T15:45:52+03:00" level=debug msg="Propagating new UP status"
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware pterodactyl" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=pterodactyl@file middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https " middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=pterodactyl@file middlewareName=default-headers@file middlewareType=Headers entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" entryPointName=https routerName=pterodactyl@file middlewareName=default-headers@file middlewareType=Headers
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" middlewareType=Headers entryPointName=https routerName=pterodactyl@file middlewareName=default-headers@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding tracing to middleware" routerName=pterodactyl@file middlewareName=default-headers@file entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=bind9@file serviceName=bind9 middlewareName=pipelining middlewareType=Pipelining entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating load-balancer" routerName=bind9@file serviceName=bind9 entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating server 0 https://10.20.3.2:53" entryPointName=https routerName=bind9@file serviceName=bind9 serverName=0
time="2023-09-15T15:45:52+03:00" level=debug msg="child https://10.20.3.2:53 now UP"
time="2023-09-15T15:45:52+03:00" level=debug msg="Propagating new UP status"
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware bind9" routerName=bind9@file middlewareName=tracing middlewareType=TracingForwarder entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https routerName=bind9@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https " entryPointName=https routerName=bind9@file middlewareName=https-redirectscheme@file middlewareType=RedirectScheme
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=bind9@file middlewareName=default-headers@file middlewareType=Headers entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" middlewareName=default-headers@file middlewareType=Headers entryPointName=https routerName=bind9@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" routerName=bind9@file middlewareName=default-headers@file middlewareType=Headers entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding tracing to middleware" entryPointName=https routerName=bind9@file middlewareName=default-headers@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding route for bind9.local.*****.com with TLS options default" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding route for pterodactyl.local.*****.com with TLS options default" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding certificate for domain(s) *.local.*****.com,local.*****.com"
time="2023-09-15T15:45:52+03:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=http routerName=http-to-https@internal middlewareName=tracing middlewareType=TracingForwarder
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=http-to-https@internal middlewareType=RedirectScheme middlewareName=redirect-http-to-https@internal entryPointName=http
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https 443" routerName=http-to-https@internal middlewareType=RedirectScheme middlewareName=redirect-http-to-https@internal entryPointName=http
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" serviceName=traefik-traefik entryPointName=http middlewareName=pipelining middlewareType=Pipelining routerName=traefik@docker
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating load-balancer" entryPointName=http routerName=traefik@docker serviceName=traefik-traefik
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating server 0 http://172.18.0.2:80" serviceName=traefik-traefik serverName=0 entryPointName=http routerName=traefik@docker
time="2023-09-15T15:45:52+03:00" level=debug msg="child http://172.18.0.2:80 now UP"
time="2023-09-15T15:45:52+03:00" level=debug msg="Propagating new UP status"
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware traefik-traefik" entryPointName=http routerName=traefik@docker middlewareType=TracingForwarder middlewareName=tracing
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=http routerName=traefik@docker middlewareName=traefik-https-redirect@docker
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https " entryPointName=http routerName=traefik@docker middlewareName=traefik-https-redirect@docker middlewareType=RedirectScheme
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing entryPointName=https routerName=traefik-secure@docker middlewareType=TracingForwarder
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https middlewareType=BasicAuth middlewareName=traefik-auth@docker routerName=traefik-secure@docker
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding tracing to middleware" routerName=traefik-secure@docker middlewareName=traefik-auth@docker entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https routerName=pterodactyl@file serviceName=pterodactyl middlewareName=pipelining middlewareType=Pipelining
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating load-balancer" routerName=pterodactyl@file serviceName=pterodactyl entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating server 0 http://10.20.3.6:8082" serviceName=pterodactyl serverName=0 entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="child http://10.20.3.6:8082 now UP"
time="2023-09-15T15:45:52+03:00" level=debug msg="Propagating new UP status"
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware pterodactyl" routerName=pterodactyl@file middlewareName=tracing middlewareType=TracingForwarder entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" routerName=pterodactyl@file middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https " middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareName=default-headers@file middlewareType=Headers entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" middlewareType=Headers entryPointName=https routerName=pterodactyl@file middlewareName=default-headers@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" entryPointName=https routerName=pterodactyl@file middlewareName=default-headers@file middlewareType=Headers
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding tracing to middleware" middlewareName=default-headers@file entryPointName=https routerName=pterodactyl@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https routerName=bind9@file serviceName=bind9 middlewareName=pipelining middlewareType=Pipelining
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating load-balancer" entryPointName=https routerName=bind9@file serviceName=bind9
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating server 0 https://10.20.3.2:53" entryPointName=https routerName=bind9@file serviceName=bind9 serverName=0
time="2023-09-15T15:45:52+03:00" level=debug msg="child https://10.20.3.2:53 now UP"
time="2023-09-15T15:45:52+03:00" level=debug msg="Propagating new UP status"
time="2023-09-15T15:45:52+03:00" level=debug msg="Added outgoing tracing middleware bind9" entryPointName=https routerName=bind9@file middlewareName=tracing middlewareType=TracingForwarder
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=https routerName=bind9@file middlewareName=https-redirectscheme@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up redirection to https " routerName=bind9@file middlewareName=https-redirectscheme@file middlewareType=RedirectScheme entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" middlewareName=default-headers@file middlewareType=Headers routerName=bind9@file entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up secureHeaders from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" entryPointName=https middlewareName=default-headers@file middlewareType=Headers routerName=bind9@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Setting up customHeaders/Cors from {map[X-Forwarded-Proto:https] map[] false [] [] [] [] [] 0 false [] [] false false  map[] false 15552000 true true true true SAMEORIGIN true true       false}" routerName=bind9@file entryPointName=https middlewareName=default-headers@file middlewareType=Headers
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding tracing to middleware" middlewareName=default-headers@file entryPointName=https routerName=bind9@file
time="2023-09-15T15:45:52+03:00" level=debug msg="Creating middleware" entryPointName=https middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding route for pterodactyl.local.*****.com with TLS options default" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding route for bind9.local.*****.com with TLS options default" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Adding route for traefik-dashboard.local.*****.com with TLS options default" entryPointName=https
time="2023-09-15T15:45:52+03:00" level=debug msg="Looking for provided certificate(s) to validate [\"local.*****.com\" \"*.local.*****.com\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=cloudflare.acme
time="2023-09-15T15:45:52+03:00" level=debug msg="No ACME certificate generation required for domains [\"local.*****.com\" \"*.local.*****.com\"]." providerName=cloudflare.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-09-15T15:47:36+03:00" level=debug msg="Serving default certificate for request: \"\""
time="2023-09-15T15:47:36+03:00" level=debug msg="http: TLS handshake error from 192.168.88.253:55072: remote error: tls: bad certificate"
time="2023-09-15T15:47:37+03:00" level=debug msg="Serving default certificate for request: \"\""
time="2023-09-15T15:47:37+03:00" level=debug msg="http: TLS handshake error from 192.168.88.253:55080: remote error: tls: bad certificate"
time="2023-09-15T15:47:37+03:00" level=debug msg="Serving default certificate for request: \"\""
time="2023-09-15T15:47:37+03:00" level=debug msg="http: TLS handshake error from 192.168.88.253:55094: remote error: tls: bad certificate"
time="2023-09-15T15:47:40+03:00" level=debug msg="Serving default certificate for request: \"\""
time="2023-09-15T15:47:43+03:00" level=debug msg="Serving default certificate for request: \"localhost\""
time="2023-09-15T15:47:43+03:00" level=debug msg="http: TLS handshake error from 10.20.0.1:40312: remote error: tls: bad certificate"
time="2023-09-15T15:47:44+03:00" level=debug msg="Serving default certificate for request: \"localhost\""
time="2023-09-15T15:47:44+03:00" level=debug msg="http: TLS handshake error from 10.20.0.1:40318: remote error: tls: bad certificate"
time="2023-09-15T15:47:44+03:00" level=debug msg="Serving default certificate for request: \"localhost\""
time="2023-09-15T15:47:44+03:00" level=debug msg="http: TLS handshake error from 10.20.0.1:40320: remote error: tls: bad certificate"
time="2023-09-15T15:47:46+03:00" level=debug msg="Serving default certificate for request: \"localhost\""
time="2023-09-15T16:17:10+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56048: read tcp 10.20.3.5:443->134.209.41.228:56048: read: connection reset by peer"
time="2023-09-15T16:17:10+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56064: EOF"
time="2023-09-15T16:17:11+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56066: tls: no cipher suite supported by both client and server"
time="2023-09-15T16:17:11+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56076: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])"
time="2023-09-15T16:17:11+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56078: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])"
time="2023-09-15T16:17:11+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56080: tls: client offered only unsupported versions: [302 301]"
time="2023-09-15T16:17:12+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56094: read tcp 10.20.3.5:443->134.209.41.228:56094: read: connection reset by peer"
time="2023-09-15T16:17:12+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56110: read tcp 10.20.3.5:443->134.209.41.228:56110: read: connection reset by peer"
time="2023-09-15T16:17:12+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56122: EOF"
time="2023-09-15T16:17:12+03:00" level=debug msg="http: TLS handshake error from 134.209.41.228:56128: read tcp 10.20.3.5:443->134.209.41.228:56128: read: connection reset by peer"

THE END NEW UPDATE (15 SEPT 2023)

I added additional logs to the docker forum: traefik-access.log, traefik.log

I know what functions a private DNS server carries. I want to use it to install pterodactyl for hosting game servers. And Traefik and bind9 are needed to issue SSL certificates to local subdomains.

What are "local subdomains" for you? Domains with a local network address? Or domains which include ".local."? For both cases you could use a public DNS server and should be able to get TLS certs with Traefik LetsEncrypt dnsChallenge.

You could shed a little light on your setup: what do your infrastructure and network look like? You have a router with a public fixed IP and private fixed IP? Traefik is running in a Docker container on a server with a fixed IP in the same network? Your DNS is also running on the same server in a Docker container? You have an additional PC with the web browser in the same network which uses DHCP to get an IP? You configured your router to send the DNS server IP with the DHCP lease to the client?

I have a domain example.com . I created a global subdomain on it local.example.com and sent it to the server ip (my work computer and the server are the same, I do all the actions on the server).

On the server itself there is bind9, which is my local zone local.example.com assigns local subdomains to servers on the intra-container ip address 10.20.3.4 and *.servers - so that those local game servers that were created using pterodactyl have a local subdomain server1.servers.local.example.com .
And I also made a local subdomain for Traefik, so that only I could log into it locally from the host machine.

  1. I have a MikroTik router that stands between my local home network and access to the global Internet, a static IP serves as access to the global Internet 93...***
    The router, using fixed DHCP, assigns my physical computer (= the server) the IP 192.168.88.253
    Important: the firewall on the MikroTik is disabled (temporarily, while I'm testing the launch and activation of traefik+bind9+pterodactyl)

  2. Next comes the physical server = my computer on the ubuntu operating system, in which the firewall is also disabled. Bind9 and Traefik are on it.

Docker containers with bind9 and traefik do not have access to the local home network, but have access to proxy1 and dns-network networks (bind9 network).
Inside the dns network, the local ip zone is different: 10.20.0.0/8
That's where the grafting of these ip subdomains takes place. And already the output traffic from these networks is carried out by docker-compose in which ports 80,443,53 are open. It is through the ports that traffic is exchanged with the local and, if I want, even with the global Internet.

That's my entire configuration.

curl:

Do you want to be able to reach Traefik Dashboard from Internet? Do you have a port forward on the router? Disabling the firewall alone will probably not work.

Using your own DNS server only works within your home network, not on the Internet. For a browser to be able to use it and resolve domains to IPs, the DNS server needs to be exposed on the local network (using ports 53/udp) and you need your clients (PCs) to use it as primary DNS, so your router needs to announce it as DNS server via IP or you need to configure it manually on the client as DNS server.

I have port forwarding to the router: 443, 53, 80. All these ports are open in mikrotik firewall. I know the principle of using local dns, I have studied this issue in detail.

I try to access the control panel locally on my server=computer.

I have no idea why it doesn't work. And as far as I understand people have no idea either. No forum or Discord community has given me an answer yet as to what I did wrong.

It's all very sad and makes me very sad. I have read similar threads on the forum that are similar to my problem, however each case is unique. And these cases don't fit me.

When I try to log into the dashboard via browser locally from the server, I can see in the browser:

Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to localhost. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

192.168.88.253:80 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

It’s a Traefik default cert, when LetsEncrypt is not working.

Where is your dashboard router?

Why don’t you set TLS globally on https entrypoint?

See simple Traefik example.
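An added example, not part of the thread and not Traefik code: the traefik.log excerpt above pairs each "Serving default certificate for request" line with a "bad certificate" handshake error, and this triage sorts those pairs by cause (no SNI because the client connected by IP address, or a name the wildcard certificate does not cover). The log lines are constructed in the excerpt's format, `local.example.com` stands in for the masked domain, `203.0.113.7` is a documentation address, and the cause labels are names chosen for this example.

```python
import re

# Names on the ACME certificate, as requested in the router's tls.domains setting.
CERT_NAMES = ["local.example.com", "*.local.example.com"]

# Constructed sample in the format of the traefik.log excerpt (not real log data).
SAMPLE_LOG = r'''
time="2023-09-15T15:47:36+03:00" level=debug msg="Serving default certificate for request: \"\""
time="2023-09-15T15:47:36+03:00" level=debug msg="http: TLS handshake error from 192.168.88.253:55072: remote error: tls: bad certificate"
time="2023-09-15T15:47:43+03:00" level=debug msg="Serving default certificate for request: \"localhost\""
time="2023-09-15T15:47:43+03:00" level=debug msg="http: TLS handshake error from 10.20.0.1:40312: remote error: tls: bad certificate"
time="2023-09-15T15:48:02+03:00" level=debug msg="Serving default certificate for request: \"server1.servers.local.example.com\""
time="2023-09-15T15:48:02+03:00" level=debug msg="http: TLS handshake error from 192.168.88.253:55110: remote error: tls: bad certificate"
time="2023-09-15T16:17:11+03:00" level=debug msg="http: TLS handshake error from 203.0.113.7:56080: tls: client offered only unsupported versions: [302 301]"
'''

MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
DEFAULT_RE = re.compile(r'^Serving default certificate for request: "(.*)"$')
ERR_RE = re.compile(r'^http: TLS handshake error from (\S+):(\d+): (.*)$')


def cert_covers(name, cert_names):
    """True if a certificate carrying cert_names is valid for name.

    A wildcard stands for exactly one leftmost label, so *.local.example.com
    covers a.local.example.com but not a.b.local.example.com.
    """
    name = name.lower().rstrip(".")
    if not name:
        return False
    for pattern in cert_names:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            head, _, parent = name.partition(".")
            if head and parent == pattern[2:]:
                return True
        elif name == pattern:
            return True
    return False


def classify_sni(sni, cert_names):
    """Explain why the default (self-signed) certificate was served for this SNI."""
    if sni == "":
        # Clients send no SNI when the URL holds an IP address instead of a name.
        return "no-sni"
    if not cert_covers(sni, cert_names):
        return "name-not-in-cert"
    # The name is covered, so the ACME certificate itself was not in the store.
    return "covered-but-cert-not-loaded"


def triage(log_text, cert_names):
    """Pair each default-certificate line with the handshake error that follows it."""
    findings, pending_sni = [], None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1).replace('\\"', '"')
        served = DEFAULT_RE.match(msg)
        if served:
            pending_sni = served.group(1)
            continue
        err = ERR_RE.match(msg)
        if not err:
            continue
        client, reason = err.group(1), err.group(3)
        if reason.endswith("bad certificate") and pending_sni is not None:
            cause = classify_sni(pending_sni, cert_names)
            findings.append({"client": client, "sni": pending_sni, "cause": cause})
        else:
            # Version, cipher, ALPN, EOF or reset: not a certificate-name issue.
            findings.append({"client": client, "sni": None,
                             "cause": "protocol-or-transport"})
        pending_sni = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, CERT_NAMES):
        print(f"{f['client']:<16} sni={f['sni']!r:<40} {f['cause']}")
```

The third sample line is the case to watch for the `*.servers` hosts described earlier: a name two labels below `local.example.com` needs its own wildcard entry on the certificate.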