Traefik in Proxmox container with Porkbun DNSChallenge

I am trying to configure Traefik for my home network as a reverse proxy so I can get SSL certificates for my internal services. I have purchased a domain name through Porkbun (referred to as domain.top in this post) and created an API key. My services are running as containers in Proxmox, including Traefik. I installed Traefik on Proxmox using the Community Scripts GitHub (Proxmox VE Helper-Scripts).

The Traefik container runs at 10.0.0.26. I also have Pi-Hole running on Proxmox, at 10.0.0.27. My router is configured with the Pi-Hole address as the only DNS server. I can reach both the Traefik dashboard and the Pi-Hole admin interface using their IP addresses in my browser.

In Pi-Hole I have created a local DNS record traefik.home.domain.top pointing to 10.0.0.26 and then a CNAME record of pihole.home.domain.top pointing to traefik.home.domain.top. I cannot reach either traefik.home.domain.top or pihole.home.domain.top in my browser; I get ERR_SSL_UNRECOGNIZED_NAME_ALERT.

My traefik.yaml file:

providers:
  file:
    directory: /etc/traefik/conf.d/

entryPoints:
 http:
   address: ":80"
   http:
     middlewares:
       - internal-hosts-endorsed
 https:
   address: ":443"
   http:
     middlewares:
       - internal-hosts-endorsed

certificatesResolvers:
  letsencrypt:
    acme:
      email: "domain@gmail.com"
      storage: /etc/traefik/ssl/acme.json
      #caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: porkbun
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

api:
  dashboard: true
  insecure: true
  debug: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: DEBUG

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

Within /etc/traefik/conf.d I have core.yaml and hosts-http.yaml.

core.yaml

http:
#----------------------: https://doc.traefik.io/traefik/routing/routers/
 routers:

   # harden dashboard access: can only be accessed with a username/password
   dashboard:
     rule: 'Host(`traefik.home.{{ env "DOMAIN" }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))'
     service: api@internal
     middlewares:
       - auth

   # catchall rule, evaluated when no router exists for a request;
   # applicable to HTTP and HTTPS entryPoints only
   catchall:
     entryPoints:
       - "http"
       - "https"
     rule: "PathPrefix(`/`)"
     service: unavailable
     priority: 1

#----------------------: https://doc.traefik.io/traefik/routing/services/
 services:

   # Service that will always provide a 503 Service Unavailable response 
   unavailable:
     loadBalancer:
       servers: {}

#----------------------: https://doc.traefik.io/traefik/middlewares/http/overview/
 middlewares:

   auth:
     basicAuth:
       users:    # users and their MD5 hashed passwords, granted access to the traefik-proxy dashboard
         - "dashuser1:$1$M196zkpJ$vw.T7SKDkQknMO2D/vvRU/"
         - "dashuser2:$1$M196zkpJ$vw.T7SKDkQknMO2D/vvRU/"

   internal-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "10.0.0.0/24"

   http-only:
     redirectScheme:
       scheme: http
       permanent: true

   internal-http-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - http-only

   https-only:
     redirectScheme:
       scheme: https
       permanent: true

   # chains are useful when multiple middleware needs to be applied to a route,
   # especially if the chain has to be applied to multiple routes
   internal-https-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - https-only

#----------------------: https://doc.traefik.io/traefik/https/tls/
tls:
 options:
   default:
     minVersion: VersionTLS13    # change to a lower version if you expect to service Internet traffic from around the world
     curvePreferences:   # below priority sequence can be changed
       - X25519     # the most commonly used 128-bit
       - CurveP256  # the next most commonly used 128-bit
       - CurveP384  # 192-bit
       - CurveP521  # 256-bit
     sniStrict: true     # true if our own certificates should be enforced
#### Alternatively, we can use an ACME generated default certificate.
 stores:
   default:
     defaultGeneratedCert:
       resolver: porkbun
       domain:
         main: {{ env "DOMAIN" }}
         sans:
           - '*.home.{{ env "DOMAIN" }}'

I am using an environment variable for my domain, and I believe it is working, because in my Traefik dashboard, the HTTP Routers listed have my domain shown in them correctly.

hosts-http.yaml

http:

#----------------------: https://doc.traefik.io/traefik/routing/routers/
 routers:

   pihole:
     entryPoints:
       - "http"
     rule: 'Host(`pihole.home.{{env "DOMAIN"}}`)'
     middlewares:
       - internal-http-hosts
     service: pihole

#----------------------: https://doc.traefik.io/traefik/routing/services/
 services:

   pihole:
     loadBalancer:
       servers:
         - url: "http://10.0.0.27"
       passHostHeader: true

I am uncertain that my Porkbun credentials are being used properly. I have set the environment variables PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY, but I don't know how to confirm they are actually being used.

My /var/log/traefik/traefik.log file:

{"level":"info","version":"3.3.4","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107","message":"Traefik version 3.3.4 built on 2025-02-25T10:11:01Z"}
{"level":"debug","staticConfiguration":{"global":{"checkNewVersion":true},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"},"entryPoints":{"http":{"address":"
:80","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"middlewares":["internal-hosts-endorsed"],"maxHeaderBytes":1048576},"htt
p2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"https":{"address":":443","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"h
ttp":{"middlewares":["internal-hosts-endorsed"],"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}},"traefik":{"address":":8080","transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondi
ngTimeouts":{"readTimeout":"1m0s","idleTimeout":"3m0s"}},"forwardedHeaders":{},"http":{"maxHeaderBytes":1048576},"http2":{"maxConcurrentStreams":250},"udp":{"timeout":"3s"}}},"providers":{"providersThrottleDuration":"2s",
"file":{"directory":"/etc/traefik/conf.d/","watch":true}},"api":{"basePath":"/","insecure":true,"dashboard":true,"debug":true},"log":{"level":"DEBUG","format":"json","filePath":"/var/log/traefik/traefik.log"},"accessLog":
{"filePath":"/var/log/traefik/traefik-access.log","format":"json","filters":{"statusCodes":["200","400-599"],"retryAttempts":true,"minDuration":"10ms"},"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop","names
":{"User-Agent":"keep"}}}},"certificatesResolvers":{"letsencrypt":{"acme":{"email":"domain@gmail.com","caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType
":"RSA4096","certificatesDuration":2160,"dnsChallenge":{"provider":"porkbun","resolvers":["1.1.1.1:53","1.0.0.1:53"]}}}}},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:1
14","message":"Static configuration loaded [json]"}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/cmd/traefik/traefik.go:633","message":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMor
e details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73","message":"Starting provider aggregator *aggregator.ProviderAggregator"}
{"level":"debug","entryPointName":"traefik","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"http","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"https","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *file.Provider"}
{"level":"debug","config":{"directory":"/etc/traefik/conf.d/","watch":true},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*file.Provider p
rovider configuration"}
{"level":"debug","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/"}
{"level":"debug","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/core.yaml"}
{"level":"debug","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/hosts-http.yaml"}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *traefik.Provider"}
{"level":"debug","config":{},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*traefik.Provider provider configuration"}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.Provider"}
{"level":"debug","config":{"email":"domain@gmail.com","caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","storage":"/etc/traefik/ssl/acme.json","keyType":"RSA4096","certificatesDuration":2160,"dnsChal
lenge":{"provider":"porkbun","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"ResolverName":"letsencrypt","store":{},"TLSChallengeProvider":{},"HTTPChallengeProvider":{}},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/t
raefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.Provider provider configuration"}
{"level":"debug","providerName":"letsencrypt.acme","acmeCA":"https://acme-staging-v02.api.letsencrypt.org/directory","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go
:232","message":"Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\""}
{"level":"info","providerName":"letsencrypt.acme","acmeCA":"https://acme-staging-v02.api.letsencrypt.org/directory","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:
884","message":"Testing certificate renew..."}
{"level":"info","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.ChallengeTLSALPN"}
{"level":"debug","config":{},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.ChallengeTLSALPN provider configuration"}
{"level":"debug","providerName":"file","config":{"http":{"routers":{"catchall":{"entryPoints":["http","https"],"service":"unavailable","rule":"PathPrefix(`/`)","priority":1},"dashboard":{"middlewares":["auth"],"service":"
api@internal","rule":"Host(`traefik.home.domain.top`) \u0026\u0026 (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"},"pihole":{"entryPoints":["http"],"middlewares":["internal-http-hosts"],"service":"pihole","rule":"Host(
`pihole.home.domain.top`)"}},"services":{"pihole":{"loadBalancer":{"servers":[{"url":"http://10.0.0.27"}],"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}},"unavailable":{"loadBalancer":{"passHostHead
er":true,"responseForwarding":{"flushInterval":"100ms"}}}},"middlewares":{"auth":{"basicAuth":{"users":["dashuser1:$1$M196zkpJ$vw.T7SKDkQknMO2D/vvRU/","dashuser2:$1$M196zkpJ$vw.T7SKDkQknMO2D/vvRU/"]}},"http-only":{"redire
ctScheme":{"scheme":"http","permanent":true}},"https-only":{"redirectScheme":{"scheme":"https","permanent":true}},"internal-hosts-endorsed":{"ipAllowList":{"sourceRange":["10.0.0.0/24"]}},"internal-http-hosts":{"chain":{"
middlewares":["internal-hosts-endorsed","http-only"]}},"internal-https-hosts":{"chain":{"middlewares":["internal-hosts-endorsed","https-only"]}}}},"tcp":{},"udp":{},"tls":{"options":{"default":{"minVersion":"VersionTLS13"
,"cipherSuites":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECD
HE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20
_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],"curvePreferences":["X25519","CurveP256","CurveP384","CurveP521"],"clientAuth":{},"sniStrict":true,"alpnProtocols":["h2","http/1.1","acme-tls/1"]}},"store
s":{"default":{"defaultGeneratedCert":{"resolver":"porkbun","domain":{"main":"domain.top","sans":["*.domain.top"]}}}}}},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwa
tcher.go:227","message":"Configuration received"}
{"level":"debug","providerName":"internal","config":{"http":{"routers":{"api":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","ruleSyntax":"v3","priority":9223372036854775806},"dashboard":{
"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","ruleSyntax":"v3","priority":9223372036854775805},"debug":{"
entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/debug`)","ruleSyntax":"v3","priority":9223372036854775806}},"services":{"api":{},"dashboard":{},"noop":{}},"middlewares":{"dashboard_redirect":{"redir
ectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}}},"models":{"
http":{"middlewares":["internal-hosts-endorsed"],"observability":{}},"https":{"middlewares":["internal-hosts-endorsed"],"observability":{}}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}}},"tcp":{"serversTran
sports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"udp":{},"tls":{}},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configurati
on received"}
{"level":"debug","providerName":"letsencrypt.acme","config":{"http":{},"tcp":{},"udp":{},"tls":{}},"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","messag
e":"Configuration received"}
{"level":"debug","routerName":"dashboard","entryPointName":["http","https"],"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/aggregator.go:52","message":"No entryPoint defined for this
router, using the default one(s) instead"}
{"level":"error","tlsStoreName":"default","error":"unable to find certificate for domains \"*.domain.top,domain.top\": falling back to the internal generated certificate","time":"2025-03-13T19:12:43-07:00","caller":"githu
b.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:138","message":"Error while creating certificate store"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"auth@file","middlewareType":"BasicAuth","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewa
res/auth/basic_auth.go:37","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"auth@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.
go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/
traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/
traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observ
ability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","serviceName":"pihole@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:312","message":"Crea
ting load-balancer"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","serviceName":"pihole@file","serverIndex":0,"URL":"http://10.0.0.27","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/serve
r/service/service.go:344","message":"Creating server"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-http-hosts@file","middlewareType":"Chain","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middl
ewares/chain/chain.go:22","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"http-only@file","middlewareType":"RedirectScheme","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middle
wares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"http-only@file","middlewareType":"RedirectScheme","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middle
wares/redirect/redirect_scheme.go:30","message":"Setting up redirection to http "}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/
v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/
v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/
middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/
v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/
v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/
middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","serviceName":"unavailable@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:312","me
ssage":"Creating load-balancer"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/t
raefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/t
raefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observa
bility/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recover
y.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-dashboard@file","middlewareName":"auth@file","middlewareType":"BasicAuth","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middle
wares/auth/basic_auth.go:37","message":"Creating middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-dashboard@file","middlewareName":"auth@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middlewar
e.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefi
k/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefi
k/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"https","routerName":"https-dashboard@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/obse
rvability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik
/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"https","routerName":"https-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik
/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"https","routerName":"https-catchall@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/obser
vability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"https","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recove
ry.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefi
k/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/ob
servability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik
/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik
/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/obser
vability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/reco
very.go:25","message":"Creating middleware"}
{"level":"debug","routerName":"dashboard","entryPointName":["http","https"],"time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/aggregator.go:52","message":"No entryPoint defined for this
 router, using the default one(s) instead"}
{"level":"error","tlsStoreName":"default","error":"unable to find certificate for domains \"*.domain.top,domain.top\": falling back to the internal generated certificate","time":"2025-03-13T19:12:43-07:00","caller":"githu
b.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:138","message":"Error while creating certificate store"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","serviceName":"unavailable@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:312","me
ssage":"Creating load-balancer"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/t
raefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/t
raefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"http-catchall@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observa
bility/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"auth@file","middlewareType":"BasicAuth","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewa
res/auth/basic_auth.go:37","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"auth@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.
go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/
traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33","message":"Creating middleware"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","middlewareType":"IPAllowLister","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/
traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57","message":"Setting up IPAllowLister with sourceRange: [10.0.0.0/24]"}
{"level":"debug","entryPointName":"http","routerName":"http-dashboard@file","middlewareName":"internal-hosts-endorsed@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observ
ability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"http","routerName":"pihole@file","serviceName":"pihole@file","time":"2025-03-13T19:12:43-07:00","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:312","message":"Crea
ting load-balancer"}
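
As an added example (not part of the original post and not Traefik code), the check below reads a Traefik JSON debug log, rejoins records that were hard-wrapped across lines as in the paste above, and reports every certificate resolver name that is referenced but not declared under certificatesResolvers. The sample records are constructed and trimmed to the fields the check reads; the function names are hypothetical.

```python
import json

# Constructed sample records, trimmed to the fields this check reads.
# Names and the error text follow the traefik.log posted above.
SAMPLE_RECORDS = [
    {"level": "debug",
     "staticConfiguration": {"certificatesResolvers": {"letsencrypt": {"acme": {
         "dnsChallenge": {"provider": "porkbun"}}}}},
     "message": "Static configuration loaded [json]"},
    {"level": "debug", "providerName": "file",
     "config": {
         "http": {"routers": {"pihole": {
             "entryPoints": ["http"], "rule": "Host(`pihole.home.domain.top`)"}}},
         "tls": {"stores": {"default": {"defaultGeneratedCert": {
             "resolver": "porkbun",
             "domain": {"main": "domain.top", "sans": ["*.domain.top"]}}}}}},
     "message": "Configuration received"},
    {"level": "error", "tlsStoreName": "default",
     "error": 'unable to find certificate for domains "*.domain.top,domain.top": '
              "falling back to the internal generated certificate",
     "message": "Error while creating certificate store"},
]


def wrap_records(records, width=120):
    """Serialise one record per line, then hard-wrap at `width` like a terminal paste."""
    chunks = []
    for rec in records:
        line = json.dumps(rec)
        chunks.extend(line[i:i + width] for i in range(0, len(line), width))
    return "\n".join(chunks)


def parse_records(text):
    """Yield log records, gluing wrapped physical lines back together."""
    buf = ""
    for raw in text.splitlines():
        if raw.startswith('{"level"') and buf:
            buf = ""                      # previous record never completed; drop it
        buf += raw                        # no separator: the wrap split mid-token
        try:
            entry = json.loads(buf)
        except json.JSONDecodeError:
            continue                      # record continues on the next line
        buf = ""
        if isinstance(entry, dict):
            yield entry


def dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def audit(log_text):
    """Cross-check declared ACME resolvers against every place that names one."""
    declared, references, errors = set(), [], []

    def note(where, ref):
        if ref and (where, ref) not in references:   # config is logged on each reload
            references.append((where, ref))

    for entry in parse_records(log_text):
        static = entry.get("staticConfiguration")
        if isinstance(static, dict):
            declared.update(dig(static, "certificatesResolvers") or {})
            for name, ep in (dig(static, "entryPoints") or {}).items():
                note(f"entryPoints.{name}.http.tls", dig(ep, "http", "tls", "certResolver"))
        config = entry.get("config")
        if isinstance(config, dict):
            for name, store in (dig(config, "tls", "stores") or {}).items():
                note(f"tls.stores.{name}.defaultGeneratedCert",
                     dig(store, "defaultGeneratedCert", "resolver"))
            for name, router in (dig(config, "http", "routers") or {}).items():
                note(f"http.routers.{name}.tls", dig(router, "tls", "certResolver"))
        if entry.get("level") == "error":
            errors.append((entry.get("message", ""), entry.get("error", "")))

    undefined = [(where, ref) for where, ref in references if ref not in declared]
    return {"declared": sorted(declared), "references": references,
            "undefined": undefined, "errors": errors}


if __name__ == "__main__":
    report = audit(wrap_records(SAMPLE_RECORDS))
    print("declared resolvers:", report["declared"])
    for where, ref in report["undefined"]:
        print(f"undefined resolver {ref!r} referenced at {where}")
    for message, detail in report["errors"]:
        print(f"error: {message}: {detail}")
```

To run it against a real file, pass the contents of /var/log/traefik/traefik.log to `audit()` instead of the constructed sample.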

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Check acme.json if certs have been created.

Inspect the TLS cert in your browser for its name.

Did you create "home" as sub-domain with porkbun?

I have created home.domain.top as a subdomain in Porkbun, and also *.home.domain.top in Porkbun, both as A records pointing to 8.8.8.8. My traefik.log file is posted above; it may not have shown at the time of your reply because it got flagged for spam review. Both traefik-access.log and acme.json are empty.

The TLS certificate in my browser when I try to go to my pihole.home.domain.top url is empty.

Maybe missing write permissions for the folder/file?

Share your compose file.

I have done chmod 600 /etc/traefik/ssl/acme.json to reset permissions in case they were wrong, but I'm still not getting a certificate. I also still get the same "Error while creating certificate store" in the log file.

I am not using Docker, but the installation script for the LXC was this:

#!/usr/bin/env bash

# Copyright (c) 2021-2025 tteck
# Author: tteck (tteckster)
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Source: https://traefik.io/

source /dev/stdin <<< "$FUNCTIONS_FILE_PATH"
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os

msg_info "Installing Dependencies"
$STD apt-get install -y curl
$STD apt-get install -y sudo
$STD apt-get install -y mc
$STD apt-get install -y gpg
$STD apt-get install -y apt-transport-https
msg_ok "Installed Dependencies"

RELEASE=$(curl -s https://api.github.com/repos/traefik/traefik/releases | grep -oP '"tag_name":\s*"v\K[\d.]+?(?=")' | sort -V | tail -n 1)
msg_info "Installing Traefik v${RELEASE}"
mkdir -p /etc/traefik/{conf.d,ssl}
wget -q https://github.com/traefik/traefik/releases/download/v${RELEASE}/traefik_v${RELEASE}_linux_amd64.tar.gz
tar -C /tmp -xzf traefik*.tar.gz
mv /tmp/traefik /usr/bin/
rm -rf traefik*.tar.gz
echo "${RELEASE}" >/opt/${APPLICATION}_version.txt
msg_ok "Installed Traefik v${RELEASE}"

msg_info "Creating Traefik configuration"
cat <<EOF >/etc/traefik/traefik.yaml
providers:
  file:
    directory: /etc/traefik/conf.d/

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
  traefik:
    address: ':8080'

certificatesResolvers:
  letsencrypt:
    acme:
      email: "foo@bar.com"
      storage: /etc/traefik/ssl/acme.json
      tlsChallenge: {}

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep
EOF
msg_ok "Created Traefik configuration"

msg_info "Creating Service"
cat <<EOF >/etc/systemd/system/traefik.service
[Unit]
Description=Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience

[Service]
Type=notify
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yaml
Restart=on-failure
ExecReload=/bin/kill -USR1 \$MAINPID

[Install]
WantedBy=multi-user.target
EOF

systemctl enable -q --now traefik.service
msg_ok "Created Service"


motd_ssh
customize

msg_info "Cleaning up"
$STD apt-get -y autoremove
$STD apt-get -y autoclean
msg_ok "Cleaned"
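
The unit file above starts Traefik from systemd, so PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY have to be present in that process's environment; variables exported in a login shell do not reach it. As an added example (not from the post or the helper script), the code below reads the environment of the running traefik process from /proc and reports whether each name is missing, empty or set, without printing the secret values. The sample bytes are constructed and the function names are hypothetical.

```python
import os

REQUIRED = ("PORKBUN_API_KEY", "PORKBUN_SECRET_API_KEY")  # names from the post above

# Constructed sample in /proc/<pid>/environ format: NUL-separated KEY=VALUE pairs.
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0DOMAIN=domain.top\0"
                  b"PORKBUN_API_KEY=pk1_constructed\0PORKBUN_SECRET_API_KEY=\0")


def parse_environ(blob):
    """Parse the raw bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" not in item:
            continue                      # trailing empty item or malformed entry
        key, _, value = item.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def credential_status(blob, required=REQUIRED):
    """Describe each required variable without revealing its value."""
    env = parse_environ(blob)
    status = {}
    for name in required:
        if name not in env:
            status[name] = "missing"
            continue
        value = env[name]
        if not value.strip():
            status[name] = "empty"
        elif value != value.strip() or value[0] in "'\"":
            # Heuristic: stray whitespace or literal quotes usually mean the
            # value was copied into the environment with its quoting intact.
            status[name] = f"set, but padded or quoted ({len(value)} chars)"
        else:
            status[name] = f"set ({len(value)} chars)"
    return status


def find_pids(comm="traefik", proc="/proc"):
    """Return PIDs whose command name equals `comm` (Linux procfs only)."""
    if not os.path.isdir(proc):
        return []
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as fh:
                if fh.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:
            continue                      # process exited or is not readable
    return sorted(pids)


if __name__ == "__main__":
    pids = find_pids()
    if not pids:
        print("no traefik process found; showing the constructed sample instead")
        print(credential_status(SAMPLE_ENVIRON))
    for pid in pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                print(pid, credential_status(fh.read()))
        except PermissionError:
            print(pid, "environ not readable; run as root or as the service user")
```

/proc/<pid>/environ reflects the environment the process was started with, so the service has to be restarted after any change before checking again.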