Traefik does not provide a valid certificate on my website

This is my configuration, created with Docker Compose.

version: "3.9"

services:
  traefik:
    build: ./traefik
    image: image-traefik-eb:v.1.0
    container_name: container-traefik-eb
    command:
      - --log.level=INFO
      - --log.filePath=/data-log/traefik.log
      - --log.format=json
      - --accesslog=true
      - --api.insecure=false
      - --api.dashboard=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver
      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=domain-name@gmail.com
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`www.traefik.domain-name.ga`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: user:***********************
      traefik.http.routers.unmatchedwww.rule: HostRegexp(`{name:^www\..*}`) 
      traefik.http.routers.unmatchedwww.service: noop@internal
      traefik.http.routers.unmatchedwww.priority: 2
      traefik.http.routers.matchlast.rule: PathPrefix(`/`)
      traefik.http.routers.matchlast.priority: 1
      traefik.http.routers.matchlast.middlewares: addwww
      traefik.http.middlewares.addwww.redirectregex.regex: ^https://(?:www\.)?(.*)
      traefik.http.middlewares.addwww.redirectregex.replacement: https://www.$${1}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./volumes/data-letsencrypt/:/letsencrypt
      - ./volumes/data-log/:/data-log/
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - eb
      - traefik-network
      
  php:
    build: ./php-apache
    image: image-php-apache-eb:v.1.0
    labels:
      traefik.enable: 'true'
      traefik.http.services.php.loadbalancer.server.port: 80
      traefik.http.services.php.loadbalancer.server.scheme: http
      traefik.http.routers.php.rule: Host(`www.domain-name.ga`)
      traefik.http.routers.php.tls.domains[0].main: domain-name.ga
      traefik.http.routers.php.tls.domains[0].sans: www.domain-name.ga
    volumes:
      - ./volumes/data-php:/var/www/html
    restart: always
    depends_on:
      - traefik
    networks:
      - eb

networks:
  eb:
    internal: true
  traefik-network:

This is my DNS configuration. I use Freenom.

Name - Type - TTL - Target
'' - 'A' - '3600' - '111.111.111.111'
'WWW' - 'A' - '3600' - '111.111.111.111'
'TRAEFIK' - 'A' - '3600' - '111.111.111.111'
'WWW.TRAEFIK' - 'A' - '3600' - '111.111.111.111'

These are the errors I get in the log file:

{"level":"info","msg":"Traefik version 2.8.0 built on 2022-06-29T15:43:58Z","time":"2022-08-02T16:20:42Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-08-02T16:20:42Z"}
{"level":"warning","msg":"Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.","time":"2022-08-02T16:20:42Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-08-02T16:20:42Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-08-02T16:20:42Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-08-02T16:20:42Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-08-02T16:20:43Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-08-02T16:20:43Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-02T16:20:43Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-02T16:20:43Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-02T16:20:43Z"}
{"level":"info","msg":"Register...","providerName":"leresolver.acme","time":"2022-08-02T16:20:45Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-02T16:20:46Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-02T16:20:46Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-02T16:21:00Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-02T16:21:00Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-02T16:21:03Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-02T16:21:03Z"}

These are the errors I read in the Linux shell:

php_1      | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.112.3. Set the 'ServerName' directive globally to suppress this message
php_1      | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.112.3. Set the 'ServerName' directive globally to suppress this message
php_1      | [Wed Aug 03 19:44:21.075214 2022] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.54 (Debian) PHP/8.1.8 configured -- resuming normal operations
php_1      | [Wed Aug 03 19:44:21.075359 2022] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:45:48 +0000] "HEAD / HTTP/1.1" 308 18 "-" "-" 1 "web-to-websecure@internal" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:45:48 +0000] "HEAD / HTTP/1.1" 308 18 "-" "-" 2 "web-to-websecure@internal" "-" 15ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:45:48 +0000] "HEAD / HTTP/2.0" 401 17 "-" "-" 3 "websecure-dashboard@docker" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:45:48 +0000] "HEAD / HTTP/2.0" 401 17 "-" "-" 4 "websecure-dashboard@docker" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:46:17 +0000] "HEAD / HTTP/1.1" 308 18 "-" "-" 5 "web-to-websecure@internal" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:46:17 +0000] "HEAD / HTTP/2.0" 401 17 "-" "-" 6 "websecure-dashboard@docker" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:46:35 +0000] "HEAD / HTTP/1.1" 308 18 "-" "-" 7 "web-to-websecure@internal" "-" 0ms
container-traefik-eb | 195.74.76.198 - - [03/Aug/2022:19:46:36 +0000] "HEAD / HTTP/2.0" 401 17 "-" "-" 8 "websecure-dashboard@docker" "-" 0ms

The PHP service and the Traefik dashboard are reachable. The proxy provides the valid certificate to the following address:

https://www.traefik.domain-name.ga

but not to the following:

https://www.domain-name.ga

Everything works and PHP pages are also displayed in the browser; the only problem is the missing authentic certificate.

Where am I wrong?

P.S.: I use traefik:v2.8.0.

Hey @Milano2022, it seems you just missed binding the certificate resolver to your router:

- "traefik.http.routers.php.tls.certresolver=leresolver"

Reference here

1 Like

Thanks for the quick reply! I did a lot of tests but I assumed that that line was not necessary. Excellent!

I added the line of code and everything works perfectly but the dashboard only works halfway.
The following links lead to the page 'https://www.traefik.###.ga/dashboard/#/'

'https://www.traefik.###.ga/'
'http://www.traefik.###.ga/'

These links do not lead to the page 'https://www.traefik.###.ga/dashboard/#/' and the browser does not recognize a valid certificate.

'https://traefik.###.ga/'
'http://traefik.###.ga/'

If I decide to continue, I arrive at the page 'https://www.traefik.###.ga/dashboard/#/' with the valid certificate, but the first warning I read in the browser is related to an invalid certificate. I reset the browser and tried an incognito window, but the problem remains.

I tried this solution:

Host(`www.traefik.domain-name.ga`,`traefik.domain-name.ga`)

but the problem remains.
I think it's a Traefik bug, where can I report it?

Is the problem I am seeing a bug or an inaccuracy in the configuration?
I arrive at 99.99..999% never 100% ... :(

What is the certificate error?

If you used the same configuration with the Let's Encrypt staging server first, then it could be from that.

You can try stopping the container, removing the acme.json, and then starting it up again.

1 Like

Hi @kiwi, it's a pleasure to hear from you.

The error I get is this:

No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request

I also show you the whole log file:

{"level":"info","msg":"Traefik version 2.8.0 built on 2022-06-29T15:43:58Z","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n","time":"2022-08-06T15:12:08Z"}
{"level":"warning","msg":"Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"Starting provider aggregator aggregator.ProviderAggregator","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"Starting provider *traefik.Provider","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"Starting provider *docker.Provider","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"Starting provider *acme.ChallengeTLSALPN","time":"2022-08-06T15:12:08Z"}
{"level":"info","msg":"Starting provider *acme.Provider","time":"2022-08-06T15:12:08Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-06T15:12:08Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:09Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:09Z"}
{"level":"info","msg":"Register...","providerName":"leresolver.acme","time":"2022-08-06T15:12:13Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:14Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:14Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:15Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:15Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:19Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:19Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:20Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:20Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:21Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:21Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:24Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:24Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:28Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:28Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-matchlast@docker","time":"2022-08-06T15:12:32Z"}
{"entryPointName":"websecure","level":"warning","msg":"No domain found in rule HostRegexp(`{name:^www\\..*}`), the TLS options applied for this router will depend on the SNI of each request","routerName":"websecure-unmatchedwww@docker","time":"2022-08-06T15:12:32Z"}
{"level":"warning","msg":"A new release has been found: 2.8.1. Please consider updating.","time":"2022-08-06T15:22:09Z"}
{"level":"error","msg":"Error while Peeking first byte: read tcp 172.19.0.2:443-\u003e172.105.77.209:60223: read: connection timed out","time":"2022-08-07T12:59:46Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"info","msg":"Testing certificate renew...","providerName":"leresolver.acme","time":"2022-08-07T15:12:09Z"}
{"level":"warning","msg":"A new release has been found: 2.8.1. Please consider updating.","time":"2022-08-07T15:12:10Z"}
{"level":"error","msg":"Error while Peeking first byte: read tcp 172.19.0.2:443-\u003e172.105.77.209:53873: read: connection timed out","time":"2022-08-08T04:06:21Z"}

I also thought it was a similar problem to what you wrote but I have discovered that it is not so.

I deleted the instance in the cloud, I reset the browser, I took another domain name, I changed the static IP and I uploaded the whole Docker Compose project. I opened all the links with incognito browsing. I get this:

  1. When I access the proxy URLs without adding WWW I get an unauthentic certificate;
    'https://traefik.###.ga/'
    'http://traefik.###.ga/'
  2. The browser tells me that the certificate is not secure but I decide to continue.
  3. I arrive at the correct link with HTTPS, with WWW and with the authentic certificate.
  4. If I try again to write the 2 links without WWW for the second time, I no longer get points 1, 2 and 3 but immediately 4.

In practice, the problem occurs only once. This is why I write 99.99999...%. This happens on any computer. There is still some imperfection but I can't figure out where.

Also, in the log file there are other warnings of other errors that worry me but do not cause problems on my server. It seems to me that everything is working fine.

1 Like
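
An added example, not part of the thread and not Traefik's own code: a simplified Python model of how Traefik v2 chooses the names it requests ACME certificates for, run over the router labels posted above, covering both the missing `certresolver` answer and the later no-WWW certificate warning. It assumes that any router-level `tls.*` label replaces the entry point's default TLS section, and that domains come from `tls.domains` or, failing that, from `Host()` in the rule; the function names are hypothetical.

```python
import re

# Constructed input: router labels copied from the compose file on this page.
LABELS = {
    "traefik.http.routers.dashboard.rule": "Host(`www.traefik.domain-name.ga`)",
    "traefik.http.routers.unmatchedwww.rule": r"HostRegexp(`{name:^www\..*}`)",
    "traefik.http.routers.matchlast.rule": "PathPrefix(`/`)",
    "traefik.http.routers.php.rule": "Host(`www.domain-name.ga`)",
    "traefik.http.routers.php.tls.domains[0].main": "domain-name.ga",
    "traefik.http.routers.php.tls.domains[0].sans": "www.domain-name.ga",
}
ENTRYPOINT_RESOLVER = "leresolver"  # --entrypoints.websecure.http.tls.certresolver
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")  # Host(...) only; HostRegexp never matches

def acme_plan(labels, entrypoint_resolver=None):
    """Return {router: (resolver, [domains])}. Simplified model (assumption)."""
    routers = {}
    for key, value in labels.items():
        m = ROUTER_KEY.match(key)
        if m:  # label keys are case-insensitive, so normalise the option name
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = str(value)
    plan = {}
    for name, opts in routers.items():
        tls = {k: v for k, v in opts.items() if k == "tls" or k.startswith("tls.")}
        # Any router-level tls.* field replaces the entry point's default TLS section.
        resolver = tls.get("tls.certresolver") if tls else entrypoint_resolver
        domains = []
        for k in sorted(tls):
            if k.startswith("tls.domains["):
                domains += [d.strip() for d in tls[k].split(",") if d.strip()]
        if not domains:  # fall back to the literal names inside Host(...)
            for args in HOST_CALL.findall(opts.get("rule", "")):
                domains += re.findall(r"`([^`]+)`", args)
        plan[name] = (resolver, domains)
    return plan

def covered_names(labels, entrypoint_resolver=None):
    """Host names for which an ACME certificate would be requested."""
    names = set()
    for resolver, domains in acme_plan(labels, entrypoint_resolver).values():
        if resolver:
            names.update(d.lower() for d in domains)
    return names

if __name__ == "__main__":
    before = covered_names(LABELS, ENTRYPOINT_RESOLVER)
    fixed = dict(LABELS, **{"traefik.http.routers.php.tls.certresolver": "leresolver"})
    after = covered_names(fixed, ENTRYPOINT_RESOLVER)
    for sni in ("www.traefik.domain-name.ga", "www.domain-name.ga", "traefik.domain-name.ga"):
        print(f"{sni:30} before={sni in before} after={sni in after}")
```

In this model, a name missing from the result has no ACME certificate and is served Traefik's default certificate, which lines up with the browser warnings reported for `www.domain-name.ga` before the fix and for the no-WWW dashboard name after it.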