Traefik dns challenge with duckdns

Hello, I am new to Traefik, but I want to use Traefik on Docker and my DuckDNS DNS challenge to get a certificate. I can use Traefik via port 8080 but not by using 443 because there is no certificate. So I want to get one to get it to work, but there is no way for me?
Here are my configs:

Docker with Portainer:

version: "3.9"

services:

  traefik:
    image: traefik:latest
    container_name: traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.rule=Host(`xxx.duckdns.org`)
      - traefik.http.routers.traefik.middlewares=traefikAuth@file,default@file
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.dashboard.tls.domains[0].main=xxx.duckdns.org
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.sticky.cookie.httpOnly=true
      - traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true
      - traefik.docker.network=dmz-bridge
    ports:
      - 80:80
      - 443:443
      #- 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - /opt/traefik/data/traefik.yml:/traefik.yml:ro
      - /opt/traefik/data/acme_letsencrypt.json:/acme_letsencrypt.json
      - /opt/traefik/data/dynamic_conf.yml:/dynamic_conf.yml
      - /opt/traefik/data/traefik.log:/traefik.log
    environment:
      - DUCKDNS_TOKEN=xxx
      - PUID=xx
      - PGID=xx
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      dmz-bridge:
        ipv4_address: 192.168.x.x

networks:
  dmz-bridge:
    external: true

Here is my traefik.yml:

# Static Traefik configuration file
# https://doc.traefik.io/traefik/getting-started/configuration-overview/#the-static-configuration
# https://doc.traefik.io/traefik/reference/static-configuration/cli/

api:
  dashboard: true                             # Enable the dashboard
  insecure: true
# Certificate Resolver
# These are responsible for retrieving certificates from an ACME server
# https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
certificatesResolvers:
  letsencrypt:
    acme:
      email: "xxx@xxx.com"
      storage: "./acme_letsencrypt.json"
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 5
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# EntryPoints
# EntryPoints are the network entry points into Traefik. They define the port that receives the packets.
# https://doc.traefik.io/traefik/routing/entrypoints/
entryPoints:
  http:
    address: ":80"                            # Create the entry point for HTTP (port 80)
    http:
      redirections:                           # Redirect HTTP to HTTPS (port 80 to port 443).
        entryPoint:
          to: "https"                         # The target
          scheme: "https"                     # Redirection target scheme
  https:
    address: ":443"                           # Create the entry point for HTTPS (port 443)

global:
  checknewversion: false                       # Periodically check whether a new version has been released.
  sendanonymoususage: false                   # Periodically send anonymous usage statistics.

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"   # Watch the UNIX Docker socket
    exposedByDefault: false                   # Only expose containers that are explicitly enabled (with the label traefik.enabled
    network: "dmz-bridge"                          # Default network used for connections to all containers.
  file:
    filename: "./dynamic_conf.yml"            # Link to the dynamic configuration
    watch: true                               # Watch for changes
  providersThrottleDuration: 10               # Frequency at which the configuration is reloaded

log:
   level: DEBUG
   filePath: "/traefik.log"

And my dynamic_conf.yml:

# TLS
# All settings required for the certificate are made here.
# In combination with the settings under http.middlewares.default-security-headers we get an A+ certificate.
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

# Middlewares
# Optional optimizations to be applied to every request before it is forwarded to the target container.
http:
  middlewares:
    traefikAuth:
      basicAuth:
        users:
          - "admin:$$apr1$$J8vBlNIm$$lSwLv9iGa8KcCct3EyLD41"
# Recommended default middleware for most services
    # Can be added via "traefik.http.routers.definierteRoute.middlewares=default@file"
    # Equivalent to "traefik.http.routers.definierteRoute.middlewares=default-security-headers@file,gzip@file"
    # The list can also be extended here as needed
    default:
      chain:
        middlewares:
          - default-security-headers
          - gzip

    # Compatibility with old guides. This also allows "traefik.http.routers.definierteRoute.middlewares=secHeader@file" again
    secHeaders:
      chain:
        middlewares:
          - default-security-headers
          - gzip

    # Default headers
    default-security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
#       Deprecated
#       sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
    # Gzip compression
    gzip:
      compress: {}

I checked the log file, but "nothing" is happening; no certificate is requested.
Thanks for any help, I have been working on it for so many hours without success...

so long

Works for me, docker-compose.yml:

version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
    environment:
      - DUCKDNS_TOKEN=<token>
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns
      - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=20
      #- --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=99.79.143.35:53,35.182.183.211:53
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.duckdns.org`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.duckdns.org`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

When using Traefik v2 you have to remove entrypoints.websecure.asDefault.

Maybe setting the DNS IPs with the short delayBeforeCheck is the problem. Try removing the IPs and extending the time.

Thank you, but it is the same: no certificate is fetched. What am I doing wrong? Also, when checking the log files, there is no attempt to fetch a certificate. There must be something wrong.

Edit:
By adding this, it works, but not completely:
- traefik.http.services.traefik.loadbalancer.server.port=1337

Now I get a 404 page not found when I try to see the dashboard.

Using Cloudflare or Docker Swarm?

For me Letsencrypt DNS-ACME: No default certificate, fallback to the internal generated certificate a valid certificate is fetched (cloudflare). But I only get a 404 for both dashboard and whoami services.

- "traefik.http.routers.whoami-rtr.service=whoami-svc"
- "traefik.http.services.whoami-svc.loadbalancer.server.port=80"

By adding these, I can get the subdomain to serve.
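
Added example, not part of any post in this thread and not Traefik's own tooling: a small Python check over one container's label list that flags two things visible in the configs above. The first is a router that carries options but no rule (the first post sets tls.domains on a router named dashboard while every other label configures the router traefik). The second is a router whose service no label defines (the case the last reply addresses). The function names, messages and the whoami.example.org hostname are assumptions of this example, and both checks are heuristics.

```python
import re
from collections import defaultdict

# Matches traefik.http.routers.<name>.<option>=<value> and the services equivalent.
LABEL = re.compile(r"^traefik\.http\.(routers|services)\.([^.=]+)\.([^=]+)=(.*)$")

def parse_labels(labels):
    """Group one container's labels into {kind: {name: {option: value}}}."""
    parsed = {"routers": defaultdict(dict), "services": defaultdict(dict)}
    for raw in labels:
        m = LABEL.match(raw.strip().lstrip("- ").strip('"'))
        if m:
            kind, name, option, value = m.groups()
            parsed[kind][name][option.lower()] = value
    return parsed

def lint(labels):
    """Heuristic findings; names and wording are this example's own."""
    parsed, findings = parse_labels(labels), []
    for name, opts in sorted(parsed["routers"].items()):
        if "rule" not in opts:
            findings.append(f"router '{name}' sets {sorted(opts)} but has no rule label; "
                            "possibly a mistyped router name")
        svc = opts.get("service")
        if svc and "@" not in svc and svc not in parsed["services"]:
            findings.append(f"router '{name}' uses service '{svc}', "
                            "which no label on this container defines")
    return findings

# Router and service labels copied from the first post's compose file.
FIRST_POST = [
    "- traefik.http.routers.traefik.entrypoints=https",
    "- traefik.http.routers.traefik.rule=Host(`xxx.duckdns.org`)",
    "- traefik.http.routers.traefik.tls=true",
    "- traefik.http.routers.traefik.tls.certresolver=letsencrypt",
    "- traefik.http.routers.dashboard.tls.domains[0].main=xxx.duckdns.org",
    "- traefik.http.routers.traefik.service=api@internal",
    "- traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true",
]
# Constructed sample: the last reply's two labels plus a rule, hostname made up.
LAST_REPLY = [
    '- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.example.org`)"',
    '- "traefik.http.routers.whoami-rtr.service=whoami-svc"',
    '- "traefik.http.services.whoami-svc.loadbalancer.server.port=80"',
]

if __name__ == "__main__":
    for title, labels in (("first post", FIRST_POST), ("last reply", LAST_REPLY)):
        print(title, lint(labels) or "no findings")
```

A service may also be defined by labels on another container or in the file provider, so the second finding is a prompt to check, not proof of a broken route.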