Traefik error="no domain was given"

Hi all,

I'm getting a strange error while I setting up a service behind traefik.

level=error msg="Unable to obtain ACME certificate for domains \"\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" error="no domain was given" providerName=staging.acme routerName=signal-proxy@docker rule="HostSNI(`my.ddns.domain.net`)"

As you can see, I want to setup Signal TLS proxy behind traefik.
The labels in the signal-proxy docker are:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433"
      - "traefik.tcp.routers.signal-proxy.rule=HostSNI(`my.ddns.domain.net`)"
      - "traefik.tcp.routers.signal-proxy.entrypoints=websecure"
      - "traefik.tcp.routers.signal-proxy.tls=true"
      - "traefik.tcp.routers.signal-proxy.tls.certresolver=http-resolver"
      - "traefik.tcp.routers.signal-proxy.tls.domains.main=my.ddns.domain.net"

What I don't understand is why the error says no domain was given...

I hope someone can help me, I already tried everything I could think of...

Cheers!

Traefik is looking for an array, you are missing the index (doc):

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Thank you so much! At least I get a new error message now:

evel=error msg="Error during connection: readfrom tcp 172.18.0.4:42328->172.18.0.2:4433: remote error: tls: unknown certificate authority"

I'm using the same certresolver that I also use for some other services, but never got this error.

It seems Traefik does not know the certificate that your target service is using, therefore not trusting it. This has nothing to do with the certresolver, that creates the certs for Traefik to use when connected from (external) (browser) clients.

To make it work, you can set global insecureSkipVerify (doc), you can create a serverTransport and assign it specifically to the service (doc), or import and use the custom certificate from the service (doc).