Traefik does not generate a certificate?

Hello Hello everyone!

So I recently got myself a new domain and wanted to add it to Traefik, but it does not create a certificate for the new domain :frowning: and I don't know what I did wrong. I just used the config just like for my other containers... the thing is I can see the container and my domain on the Traefik dashboard
(for the creation of the certificates I use the LetsEncrypt option)
This is the container:

version: '3.9'
services:
  apache:
    image: httpd:latest
    container_name: web
    volumes:
      - ./website:/usr/local/apache2/htdocs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web.entrypoints=https"
      - "traefik.http.routers.web.rule=Host(`<DOMAIN>.tf`, `www.<DOMAIN>.tf`)"
      - "traefik.http.routers.web.tls=true"
      - "traefik.http.routers.web.tls.certresolver=http"
      - "traefik.http.routers.web.service=web"
      - "traefik.http.services.web.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.web.middlewares=default@file"
      - "traefik.http.routers.web.middlewares=secHeaders@file,authelia@file"
    networks:
      - proxy

networks:
  proxy:
    external: true

And when I check inside the acme file (where the certificates are stored) there is no certificate, and I also keep trying to open the webpage but it does not work; it keeps saying it does not have an SSL certificate :confused: and I don't know what to do.

Anyway, I thank anyone for their help in advance. Thanks!

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Are you sure the name web for router and service are unique across your setup?

This will not work, you need to use a single line:

    - "traefik.http.routers.web.middlewares=default@file"
    - "traefik.http.routers.web.middlewares=secHeaders@file,authelia@file"

This is going to be deprecated:

    - "traefik.http.routers.web.rule=Host(`<DOMAIN>.tf`, `www.<DOMAIN>.tf`)"

starting with Traefik v3 this needs to be:

    - "traefik.http.routers.web.rule=Host(`<DOMAIN>.tf`) || Host(`www.<DOMAIN>.tf`)"

(dynamic_config.yml)

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

http:
  middlewares:
    traefikAuth:
      basicAuth:
        users:
          - "atara95:$apr1$kfUWjNG5$KNWrGHBnj94hk4r6kEWFY/"

    default:
      chain:
        middlewares:
          - default-security-headers
          - gzip

    secHeaders:
      chain:
        middlewares:
          - default-security-headers
          - gzip

    default-security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
        # HSTS configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
    gzip:
      compress: {}

    crowdsec-bouncer:
      forwardauth:
        address: http://crowdsec-bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://<HIDDEN>"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"

(traefik.yml):

api:
  dashboard: true

certificatesResolvers:
  http:
    acme:
      email: "<HIDDEN>"
      storage: "acme_letsencrypt.json"
      httpChallenge:
        entryPoint: http

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file

global:
  checknewversion: true
  sendanonymoususage: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: "proxy"
  file:
    filename: "./dynamic_conf.yml"
    watch: true
  providersThrottleDuration: 10
log:
  level: DEBUG
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100

And yes, web is unique.

And noted, I will remember it when Traefik v3 comes out.

I highly recommend using an absolute path and making it persistent with a bind-mount or volume, otherwise you can run into LE limits very quickly:

    storage: "acme_letsencrypt.json"

Enable and check Traefik debug log (doc) and Traefik dashboard (doc).

The dashboard is active, as is the log, but sadly the files are 0 KB :confused:

It is already a volume.

(docker-compose.yml):

version: '3.9'
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme_letsencrypt.json:/acme_letsencrypt.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
      - /var/log/crowdsec/traefik/:/var/log/traefik/
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.<MAIN-DOMAIN>.de`)"
      - "traefik.http.routers.traefik.middlewares=traefikAuth@file,default@file"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=http"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=80"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true"
      - "traefik.docker.network=proxy"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
      crowdsec:
        ipv4_address: 172.31.0.10
    hostname: traefik
    ports:
      - "80:80"
      - "443:443"

networks:
  proxy:
    name: proxy
    driver: bridge
    attachable: true
  crowdsec:
    external: true

There should be Traefik logs. Not sure if you mount the file to the right path inside the container:

This is what I found:

time="2023-12-19T07:54:11-05:00" level=debug msg="Trying to challenge certificate for domain [DOMAIN.tf www.DOMAIN.tf] found in HostSNI rule" rule="Host(`DOMAIN.tf`, `www.DOMAIN.tf`)" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=DOMAIN@docker
time="2023-12-19T07:54:11-05:00" level=debug msg="Looking for provided certificate(s) to validate [\"DOMAIN.tf\" \"www.DOMAIN.tf\"]..." providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=DOMAIN@docker rule="Host(`DOMAIN.tf`, `www.DOMAIN.tf`)"
time="2023-12-19T07:54:11-05:00" level=debug msg="Domains [\"DOMAIN.tf\" \"www.DOMAIN.tf\"] need ACME certificates generation for domains \"DOMAIN.tf,www.DOMAIN.tf\"." providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=DOMAIN@docker rule="Host(`DOMAIN.tf`, `www.DOMAIN.tf`)"
time="2023-12-19T07:54:11-05:00" level=debug msg="Loading ACME certificates [DOMAIN.tf www.DOMAIN.tf]..." providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=DOMAIN@docker rule="Host(`DOMAIN.tf`, `www.DOMAIN.tf`)"
time="2023-12-19T07:54:11-05:00" level=debug msg="legolog: [INFO] [DOMAIN.tf, www.DOMAIN.tf] acme: Obtaining bundled SAN certificate"
time="2023-12-19T07:54:13-05:00" level=debug msg="legolog: [INFO] [www.DOMAIN.tf] AuthURL: https://acme-v02.api.letsencrypt.org/<nty>"
time="2023-12-19T07:54:13-05:00" level=debug msg="legolog: [INFO] [DOMAIN.tf] acme: authorization already valid; skipping challenge"
time="2023-12-19T07:54:13-05:00" level=debug msg="legolog: [INFO] [www.DOMAIN.tf] acme: Could not find solver for: tls-alpn-01"
time="2023-12-19T07:54:13-05:00" level=debug msg="legolog: [INFO] [www.DOMAIN.tf] acme: use http-01 solver"
time="2023-12-19T07:54:13-05:00" level=debug msg="legolog: [INFO] [www.DOMAIN.tf] acme: Trying to solve HTTP-01"
time="2023-12-19T07:54:19-05:00" level=error msg="Unable to obtain ACME certificate for domains \"DOMAIN.tf,www.DOMAIN.tf\": unable to generate a certificate for the domains [DOMAIN.tf www.DOMAIN.tf]: error: one or more domains had a problem:\n[www.DOMAIN.tf] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.DOMAIN.tf - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.DOMAIN.tf - check that a DNS record exists for this domain\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=DOMAIN@docker rule="Host(`DOMAIN.tf`, `www.DOMAIN.tf`)" providerName=http.acme

Seems like you haven’t created the www sub-domain or it’s not pointing to the Traefik IP.
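As an added example (not from the thread or from Traefik itself), a small Python pre-flight script that covers the points raised above: it flags the `middlewares` label given twice, rewrites the comma-form `Host()` rule into the v3 `||` form, checks that every hostname in the rule resolves before Let's Encrypt is asked (so a missing `www` record does not burn a rate-limit slot), and pulls the per-domain ACME error out of the log line Traefik wrote. The label list and the abridged log line are constructed from this thread; `DOMAIN.tf` is a placeholder zone.

```python
import re
import socket
from collections import Counter
HOST_RE = re.compile(r"Host\(([^)]*)\)")
# "[host] acme: error: <status> :: <urn> :: <detail>", up to the logfmt-escaped "\n".
ACME_ERR_RE = re.compile(
    r"\[([^\]]+)\] acme: error: (\d+) :: (urn:ietf:params:acme:error:\w+) :: ([^\\\n]*)")

def duplicate_label_keys(labels):
    """Label keys given twice: Traefik keeps one value and the other is silently lost."""
    counts = Counter(label.split("=", 1)[0] for label in labels)
    return sorted(key for key, n in counts.items() if n > 1)

def hostnames_in_rule(rule):
    """Hostnames from either Host(`a`, `b`) (v2) or Host(`a`) || Host(`b`) (v3)."""
    names = []
    for group in HOST_RE.findall(rule):
        names += [h.strip().strip("`'\"") for h in group.split(",")]
    return [n for n in names if n]

def to_v3_rule(rule):
    """Rewrite the comma form into the v3 form with an explicit || per host."""
    return " || ".join(f"Host(`{h}`)" for h in hostnames_in_rule(rule))

def unresolvable(hostnames, resolve=socket.getaddrinfo):
    """Names with no A/AAAA answer; each would fail the order and count against LE limits."""
    bad = []
    for host in hostnames:
        try:
            resolve(host, None)
        except OSError:
            bad.append(host)
    return bad

def acme_failures(log_lines):
    """Map failing hostname -> (status, short ACME error type, CA detail) from Traefik's log."""
    failures = {}
    for line in log_lines:
        for host, status, urn, detail in ACME_ERR_RE.findall(line):
            failures[host] = (int(status), urn.rsplit(":", 1)[1], detail.strip())
    return failures

LABELS = [  # constructed from the thread's compose service; DOMAIN.tf is a placeholder zone
    "traefik.http.routers.web.rule=Host(`DOMAIN.tf`, `www.DOMAIN.tf`)",
    "traefik.http.routers.web.middlewares=default@file",
    "traefik.http.routers.web.middlewares=secHeaders@file,authelia@file",
]
LOG_LINE = (r'level=error msg="Unable to obtain ACME certificate for domains \"DOMAIN.tf,www.DOMAIN.tf\": '
            r'\n[www.DOMAIN.tf] acme: error: 400 :: urn:ietf:params:acme:error:dns :: '
            r'DNS problem: NXDOMAIN looking up A for www.DOMAIN.tf\n"')  # constructed, abridged
```

Pass `unresolvable()` the hostnames from `hostnames_in_rule()` with the default resolver to run the real check; the thread's failure shows up as `www.DOMAIN.tf` in both that list and `acme_failures()`.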

Thanks for the reply, and sorry for the late reply; I was gone due to New Year and didn't have any Internet. Anyway, is it possible that .tf domains can't be correctly verified maybe? Because it points to my Traefik server


(I use Cloudflare)

Edit: And I wish you a happy New Year

Your screenshot doesn’t make sense. In my experience you can’t have www and a full domain example.com in the same DNS provider input field.

It is at Cloudflare; apparently I do not know how Cloudflare does it

Edit: and they're two different entries

Edit2: and it is also the same for the other domains I use it for, and for them I get Let's Encrypt certificates

Edit3: In Edit2 I mean that for these domains it works without a problem and I get a certificate

After using a different docker compose image it seems like it was able to generate a certificate. Weird :confused: Anyway, I thank everyone for their help
