I noticed that Traefik is unable to solve the DNS or TLS challenges when I'm using the Hetzner Firewall, specifically the stateless firewall provided for dedicated servers. Here is my Traefik configuration:
```yaml
services:
  traefik:
    image: traefik:v2.10
    restart: always
    container_name: traefik
    hostname: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email="
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
    networks:
      - traefik-network
    ports:
      - 443:443
      - 80:80
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "./log:/log"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - CF_API_EMAIL=
      - CF_API_KEY=
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.tls.domains[0].main=*.example.com"
      - "traefik.http.routers.dashboard.middlewares=authentik-proxy@docker"

networks:
  traefik-network:
    external: true
    name: traefik
```
I even see the TXT records on the Cloudflare dashboard, but the challenge times out. I have uploaded the log files from running Traefik with the firewall enabled and disabled to GitHub. In this case I was using the DNS challenge, but a similar thing happened with the TLS challenge: firewall-disabled.log · GitHub