Traefik error="no domain was given"

codycody · August 29, 2023, 2:09pm

Hi all,

I'm getting a strange error while I setting up a service behind traefik.

level=error msg="Unable to obtain ACME certificate for domains \"\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" error="no domain was given" providerName=staging.acme routerName=signal-proxy@docker rule="HostSNI(`my.ddns.domain.net`)"

As you can see, I want to setup Signal TLS proxy behind traefik.
The labels in the signal-proxy docker are:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433"
      - "traefik.tcp.routers.signal-proxy.rule=HostSNI(`my.ddns.domain.net`)"
      - "traefik.tcp.routers.signal-proxy.entrypoints=websecure"
      - "traefik.tcp.routers.signal-proxy.tls=true"
      - "traefik.tcp.routers.signal-proxy.tls.certresolver=http-resolver"
      - "traefik.tcp.routers.signal-proxy.tls.domains.main=my.ddns.domain.net"

What I don't understand is why the error says no domain was given...

I hope someone can help me, I already tried everything I could think of...

Cheers!

bluepuma77 · August 30, 2023, 12:59pm

Traefik is looking for an array, you are missing the index (doc):

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

codycody · August 31, 2023, 8:23am

Thank you so much! At least I get a new error message now:

evel=error msg="Error during connection: readfrom tcp 172.18.0.4:42328->172.18.0.2:4433: remote error: tls: unknown certificate authority"

I'm using the same certresolver that I also use for some other services, but never got this error.

bluepuma77 · August 31, 2023, 9:45am

It seems Traefik does not know the certificate that your target service is using, therefore not trusting it. This has nothing to do with the certresolver, that creates the certs for Traefik to use when connected from (external) (browser) clients.

To make it work, you can set global insecureSkipVerify (doc), you can create a serverTransport and assign it specifically to the service (doc), or import and use the custom certificate from the service (doc).

Topic		Replies	Views
Dockers Unable to obtain ACME certificate for domains Traefik v2 docker	2	2329	December 4, 2020
Traefik V2 ACME Error: "Domain name needs at least one dot" Traefik v2 docker , letsencrypt-acme	1	8817	April 8, 2020
No domain parsed in provider ACME Traefik v2 letsencrypt-acme	1	3866	March 11, 2020
First Traefik config PART 2 - Domain name needs at least one dot Traefik v2 docker-swarm , letsencrypt-acme	3	4358	May 7, 2020
Certificate problem Traefik v2 docker	0	455	December 2, 2021

Traefik error="no domain was given"

Related topics