Traefik Letsencrypt TLSChallenge - Documentation Incomplete?

I have read Traefik Docker TLS Challenge Documentation - Traefik and, unless I missed something, there is in my opinion one step missing: "bootstrap" Traefik with a valid SSL certificate.

Step 1
Bootstrap Traefik with a Valid SSL Certificate.
Otherwise, if you just jump to TLSChallenge / TLS-ALPN-01, you will get an error like:

Unable to obtain ACME certificate for domains \"SUB.MYDOMAIN.TLD\": unable to generate a certificate for the domains [SUB.DOMAIN.TLD]: error: one or more domains had a problem:\n[SUB.DOMAIN.TLD] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory"

Therefore, what worked for me is to issue the initial Letsencrypt certificate using the HTTP challenge.

The HTTPS permanent redirect needs to be temporarily disabled because the HTTP ACME challenge occurs on port 80!

Basically one needs to disable:
a. Permanent Redirect Disable: #- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
b. TLS Challenge Disable: #- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"

And one needs to enable:
a. HTTP Challenge Enable: - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
b. HTTP Challenge Entrypoint Enable: - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"

version: '3.9'

networks:
  traefik:
    external: true

services:
  traefik:
    image: traefik:latest
    hostname: SUB.DOMAIN.TLD
    domainname: SUB.DOMAIN.TLD
    restart: unless-stopped
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    volumes:
      - /run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
      - ~/data/traefik/letsencrypt:/letsencrypt
      - ~/config/traefik:/config
      - ~/certificates/traefik:/certificates
      - ~/log/traefik:/log
    command:
      ## Logging
      # Server Log
      - "--log.level=DEBUG"
      - "--log.filePath=/log/server/traefik.log"

      # Error Log
      - "--accesslog=true"
      - "--accesslog.filePath=/log/access/access.log"

      ## Dashboard & API
      - "--api"
      - "--api.insecure=false" # production = false , development = true
      - "--api.dashboard=true"

      ## EntryPoints
      # Unsecure Connection - Redirect to Secure
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
#      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # Secure Connection
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"

      - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=420"
      - "--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=420"
      - "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=420"


      ## Letsencrypt Configuration
#      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # For testing only
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # Production - rate limited!
      - "--certificatesresolvers.letsencrypt.acme.email=MYEMAIL@DOMAIN.TLD"
#      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"                
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"       
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

      ## Docker / Podman Integration
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.watch=false"
      - "--providers.docker.swarmMode=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"

      ## Other
      - "--serversTransport.insecureSkipVerify=true"

      # No Telemetry
      - "--global.sendAnonymousUsage=false"

    labels:
      # Enable Traefik
      - "traefik.enable=true"

      # Dashboard
      - "traefik.http.routers.dashboard.rule=Host(`SUB.DOMAIN.TLD`) && PathPrefix(`/api` , `/dashboard`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=authtraefik"

      # Authentication for Dashboard access
      - "traefik.http.middlewares.authtraefik.basicauth.usersfile=/config/users"

Step 2
Issue docker-compose up -d or podman-compose up -d in my case.

Step 3
Verify that the initial certificate works by visiting the website and checking the server log.

Step 4
Reverse the Operations done in Step 1.

Basically one needs to enable:
a. Permanent Redirect Enable: - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
b. TLS Challenge Enable: - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"

And one needs to disable:
a. HTTP Challenge Disable: #- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
b. HTTP Challenge Entrypoint Disable: #- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"

Final compose.yml file:

version: '3.9'

networks:
  traefik:
    external: true

services:
  traefik:
    image: traefik:latest
    hostname: SUB.DOMAIN.TLD
    domainname: SUB.DOMAIN.TLD
    restart: unless-stopped
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    volumes:
      - /run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
      - ~/data/traefik/letsencrypt:/letsencrypt
      - ~/config/traefik:/config
      - ~/certificates/traefik:/certificates
      - ~/log/traefik:/log
    command:
      ## Logging
      # Server Log
      - "--log.level=DEBUG"
      - "--log.filePath=/log/server/traefik.log"

      # Error Log
      - "--accesslog=true"
      - "--accesslog.filePath=/log/access/access.log"

      ## Dashboard & API
      - "--api"
      - "--api.insecure=false" # production = false , development = true
      - "--api.dashboard=true"

      ## EntryPoints
      # Unsecure Connection - Redirect to Secure
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # Secure Connection
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"

      - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=420"
      - "--entryPoints.websecure.transport.respondingTimeouts.writeTimeout=420"
      - "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=420"


      ## Letsencrypt Configuration
#      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # For testing only
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # Production - rate limited!
      - "--certificatesresolvers.letsencrypt.acme.email=MYEMAIL@DOMAIN.TLD"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
#      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"                
#      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"       
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

      ## Docker / Podman Integration
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.watch=false"
      - "--providers.docker.swarmMode=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"

      ## Other
      - "--serversTransport.insecureSkipVerify=true"

      # No Telemetry
      - "--global.sendAnonymousUsage=false"

    labels:
      # Enable Traefik
      - "traefik.enable=true"

      # Dashboard
      - "traefik.http.routers.dashboard.rule=Host(`SUB.DOMAIN.TLD`) && PathPrefix(`/api` , `/dashboard`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=authtraefik"

      # Authentication for Dashboard access
      - "traefik.http.middlewares.authtraefik.basicauth.usersfile=/config/users"

Step 5
Issue docker-compose up -d or podman-compose up -d and once again visit the website and check the server log to make sure that everything is working.

My simple Traefik example works with tlsChallenge from the start, even with traefik:latest.

No it doesn't. You can argue it's a "feature" and not a bug. But going directly with TLSChallenge isn't working as you can clearly see in my error message.

Most of the configuration lines are the same.

And if Traefik is so finicky that even a single configuration line of differences causes the "feature" to break down, then it's a BUG ! It cannot be that I need to RESET every single time my configuration because there is a line that traefik doesn't "like" and nothing is stated in the logs about a line, yet everything breaks down for no apparent reason.

The only difference in concept is that you have a "default" SSL entrypoint

--entrypoints.websecure.asDefault=true

While I have a permanent HTTP -> HTTPS redirect:

      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

Both lines should NOT matter, as the TLSChallenge should anyway occur only on port 443 since the start.

Are you able to run MY compose.yml file and get it working without bootstrapping (apply directly Step 5) ?

This is a community forum, this is users supporting other users. So far my simple Traefik example worked for everyone. If not, they started from the working version and added their additional configuration piece by piece until they found the error.

If you want someone to fix your dedicated configuration, you can get a Traefik EE license, there you can open a ticket. Or get another individual paid consultation.

I have never seen a bug you describe over the last year. And as stated, my simple example still works with Traefik latest, so it might be an issue with your dedicated setup. You are free to open an issue on Github, make sure to mention that you use podman.

I am not sure your diagnosis is correct; the tlsChallenge may still not be working, and Traefik may just be serving the TLS cert it created before with httpChallenge.

The issue urn:ietf:params:acme:error:unauthorized I haven't seen before, maybe try again and delete your existing acme.json file (invalid old LetsEncrypt account?). Or it may be a network issue (another component in front of Traefik, wrong DNS, issue with CNAME, wrong MTU).

Make sure to do a docker compose pull to really use the latest Traefik release.

This line-by-line approach of copy-paste is also what I used in the past. That's how I found that one time the "entrypoint" specification was causing the entire thing to break down. So your principle works. It's just that the logs should be more explanatory (especially in DEBUG mode).

For sure not every home user can afford an enterprise subscription, eh?

Unfortunately your simple example does NOT work with the latest traefik. Try it out for yourself.
It's a good example and I appreciate your sharing of examples, information, replying to posts etc.

I tried replacing the permanent redirect I had with the "asDefault" you have in your example: the "asDefault" gives a config error and the traefik container crashes.

As soon as "asDefault" is removed then it starts working again. I guess it was removed at some point in some version of traefik.

So now I removed both the "asDefault" and my "permanent" redirect. Still TLSChallenge fails.

I tried removing (backing up first) the acme.json file and trying again. The error continues to occur unfortunately.

Anyway, this seems related to Https redirection without breaking letsencrypt http challenge - #3 by badsyntax

So I must keep the HTTPChallenge otherwise things don't work (with other subdomain names the same problem occurs). And to do that requires disabling ALL HTTP -> HTTPS redirects, otherwise the challenge itself fails.

I just wish that, like @badsyntax mentions in his post, there was a way to exclude the /.well-known/acme-challenge/ from redirects (Feature request: support for an 'exclude' option on redirection (a.k.a negated regex) · Issue #1373 · traefik/traefik · GitHub). But so far that is not implemented.

Actually that should be a BUG: there should be some logic within traefik that, if REDIRECTS are enabled and HTTPChallenge is also ENABLED, an exception for /.well-known/acme-challenge/ is created so that it does NOT redirect to HTTPs.

So the only way to have both LetsEncrypt certificates working and redirects seems to be to define redirect rules in each container's compose.yml file, which is pretty stupid, when all I'd like is "Redirect everything to https EXCEPT /.well-known/acme-challenge/". Or maybe only enabling the websecure / https entrypoint in those containers (although that previously also caused traefik to crash on me).

Or having to "bootstrap" like I explained in my first post for each container / subdomain, not only the traefik server itself.

Granted there are "hacks" like I already do in my internal network (using dnsChallenge with certbot and cloudflare API), so I could most likely use a certbot container to generate the certs, and then load them manually into traefik by some BASH script or the likes of it.

But all of these would be "hacks" and not really a nice solution.

You can argue that it's "just my problem" (although I would argue that is not a constructive approach), but it should work "out of the box". Clearly it doesn't.

The same could be said for podman. Since this is a community forum for users helping other users, I also shared (in another post) how to make traefik work by automatically restarting it whenever a new container is spun up in podman. Maybe this works out of the box in Docker, but it clearly didn't in Podman. I proposed a fix and shared it with the community and moved on.

Just stating that "podman is not supported" is not really helpful. While it may be true, I don't think every user wants to change their entire codebase and infrastructure just because of one line/feature that doesn't work as such. Podman is gaining popularity every day. Why only Docker should be supported is beyond me. All other containers I have run fine with Podman ...

It clearly states in the example repository:

When using Traefik v2, remove line entrypoints.websecure.asDefault=true

I just tested again, on a brand new Hetzner Debian 12 and Ubuntu 22.04 VM with Docker and latest Traefik release v2.11:

apt update && apt -y upgrade
curl -fsSL https://get.docker.com | sh -
cat << 'EOF' > docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v2.11
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`podman1.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`podman2.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt
EOF
docker compose up

tlsChallenge works without an issue.


Also httpChallenge works without an issue:

apt update && apt -y upgrade
curl -fsSL https://get.docker.com | sh -
cat << 'EOF' > docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v2.11
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.httpchallenge=true
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`podman1.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`podman2.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt
EOF
docker compose up

Of course Traefik is smart enough to automatically pass .well-known to the LetsEncrypt process:

This works with and without permanent=true, as the only difference is the http status return code Traefik sends to the client. permanent means that the client (browser) should cache the redirect and not try the original URL again, but use the new redirect target every time.


I tried to get podman running, but that seems to be a whole different ball game. Need to stop procrastinating and get back to work :smile:

OK, if not for the asDefault (didn't see the comment/warning, I just quickly compared the differences) then it works I guess.

I'll need to go line-by-line again as I didn't see anything obviously different between my and your config that could/should explain this weird behavior with TLSChallenge not working (in my case).

For Podman ... I know ... It wasn't super easy for me to get started either.
That's why I tried to gather all the learnings (e.g. systemd enable lingering) into one script to handle setups.

Feel free to have a look. I can (mostly) replicate the installations (using "zfs" or "dir"), but there are some occasional hiccups due to chattr +i flags (I didn't currently implement [m]any checks):

To setup use
./setup_podman_debian.sh "podman" "zdata/PODMAN" "zfs"
or
./setup_podman_debian.sh "podman" "/home/podman" "dir"

Note: "dir" isn't as well tested as "zfs" (I think I had some misconfiguration in /etc/fstab).
And of course if you try to run with the default, then change, your /etc/fstab will need cleaning (and chattr -i on the user subfolders). Maybe I need to disable the defaults and just request the arguments instead :upside_down_face:.

Not fully baked yet, but helped me a lot on 4 different installs (2 x ARM64 Rock-5B, 2 x AMD64 KVM) :smiley:.

Traefik needs to be semi-manually restarted each time another container is (re)started, otherwise traefik stops working due to the other container changing the ip address. Events don't seem to work so smoothly.
Workaround is (already included in the "Main" Setup in Git repository)
./setup_podman_traefik_monitor_service.sh

And in my case, installing from Debian/Ubuntu Testing is Required, at least for ZFS [otherwise overlayfs throws some errors with Podman 4.3.x] (and if you plan to use different folders for images, volumes, storage, ...).

Hope that helps :wink:.

Note: I just released those scripts this morning actually. Tried to consolidate the scripts that were a bit in a messy state on a NFS drive :sweat_smile:.

We are stuck with regular Docker as we use Docker Swarm. k8s is too complex and Swarm does not work with Docker root-less, otherwise we would have moved to that. We now try to run every Docker service with a dedicated user to reduce the attack surface within the system.

I see :upside_down_face:.

Kubernetes and Docker Swarm are quite a bit outside my know-how, at least for now ...

I'm just trying to get my homelab up and running, and needed traefik on a VPS Server to handle Headscale :sweat_smile:.

Just to report back on your statement about " Of course Traefik is smart enough to automatically pass .well-known to the LetsEncrypt process".

You are right. HTTPChallenge works also when redirects are enabled.

But I think TLSChallenge still doesn't work in my case. Oh well, if HTTPChallenge works, I think I'm happy enough with that. Just weird that TLSChallenge in my case fails for some reason :neutral_face:.

Have you tried running the simple example in your network environment a) with Docker and b) with podman?

I tried with your basic example (which is using traefik v3, not v2, by the way) with:

  • Disabled "asDefault"
  • Changed "Host" directive
  • Changed "Email" directive
  • Changed volumes directive to "/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro" for the "Docker" socket

Still fails the TLSChallenge.

I wonder if it has something to do with the Cloudflare Proxied DNS record :roll_eyes: ...
The IP address mentioned in the logs concerning the failure corresponds to the Cloudflare DNS Proxy.

Here is podman logs traefik-basic-example_traefik_1:

2024-02-24T14:53:54Z INF Traefik version 3.0.0-rc1 built on 2024-02-13T13:41:20Z version=3.0.0-rc1
2024-02-24T14:53:54Z INF 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2024-02-24T14:53:54Z INF Starting provider aggregator aggregator.ProviderAggregator
2024-02-24T14:53:54Z INF Starting provider *traefik.Provider
2024-02-24T14:53:54Z INF Starting provider *docker.Provider
2024-02-24T14:53:54Z INF Starting provider *acme.ChallengeTLSALPN
2024-02-24T14:53:54Z INF Starting provider *acme.Provider
2024-02-24T14:53:54Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2024-02-24T14:53:58Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[traefik.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mydashboard@docker rule=Host(`traefik.rb.MYDOMAIN.TLD`)
2024-02-24T14:54:04Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [whoami.rb.MYDOMAIN.TLD www.whoami.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n[www.whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["whoami.rb.MYDOMAIN.TLD","www.whoami.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mywhoami@docker rule="Host(`whoami.rb.MYDOMAIN.TLD`) || Host(`www.whoami.rb.MYDOMAIN.TLD`)"
2024-02-24T14:54:08Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[traefik.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mydashboard@docker rule=Host(`traefik.rb.MYDOMAIN.TLD`)
2024-02-24T14:54:10Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[traefik.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mydashboard@docker rule=Host(`traefik.rb.MYDOMAIN.TLD`)
2024-02-24T14:54:15Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [whoami.rb.MYDOMAIN.TLD www.whoami.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n[www.whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["whoami.rb.MYDOMAIN.TLD","www.whoami.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mywhoami@docker rule="Host(`whoami.rb.MYDOMAIN.TLD`) || Host(`www.whoami.rb.MYDOMAIN.TLD`)"
2024-02-24T14:54:16Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[traefik.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mydashboard@docker rule=Host(`traefik.rb.MYDOMAIN.TLD`)
2024-02-24T14:54:20Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [whoami.rb.MYDOMAIN.TLD www.whoami.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n[www.whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["whoami.rb.MYDOMAIN.TLD","www.whoami.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mywhoami@docker rule="Host(`whoami.rb.MYDOMAIN.TLD`) || Host(`www.whoami.rb.MYDOMAIN.TLD`)"
2024-02-24T14:54:20Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[traefik.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.rb.MYDOMAIN.TLD"] providerName=myresolver.acme routerName=websecure-mydashboard@docker rule=Host(`traefik.rb.MYDOMAIN.TLD`)

I do not use Docker in my environment, only Podman.

The learning curve is hard enough as it is with one system, however "compatible" they claim it to be.

Now you mention that you use Cloudflare DNS Proxy? :laughing:

That doesn't work. tlsChallenge is a special TLS request, that needs to go directly to Traefik, not some other service in front of it. If you have services in front of Traefik, use httpChallenge or more complex dnsChallenge.
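As an added diagnostic (not code from the thread or from the Traefik project): a Python script that parses the ACME error lines quoted above and labels each failed validation with the two causes the thread arrives at, a Cloudflare-proxied record answering the TLS-ALPN-01 probe (the `urn:...:tls` handshake failures against 104.21.x / 172.67.x addresses) and a :443 listener that does not offer `acme-tls/1` (the `urn:...:unauthorized` error from the first post). The Cloudflare ranges are Cloudflare's published IPv4 list; the sample log lines are constructed from the ones posted, with the placeholder domains kept.

```python
"""Classify Traefik ACME failures from its log lines (constructed sample below)."""
import ipaddress
import re

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4);
# refresh from that URL before relying on the list.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# One per-domain item inside the ACME error string:
#   [domain] acme: error: <status> :: <urn> :: [<ip>: ]<detail>
ACME_ITEM = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<urn>urn:ietf:params:acme:error:[A-Za-z]+) :: "
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): )?(?P<detail>[^\n]*)"
)


def is_cloudflare(ip):
    """True when the address lies inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(item):
    """Name the cause of one failed validation, using the thread's findings.
    The labels and hints are this script's own wording (assumed)."""
    urn, detail, ip = item["urn"], item["detail"], item["ip"]
    if urn.endswith(":tls") and ip and is_cloudflare(ip):
        return ("cloudflare-proxy", "TLS-ALPN-01 probe reached a Cloudflare edge, not "
                "Traefik: un-proxy the DNS record or use httpChallenge/dnsChallenge")
    if urn.endswith(":unauthorized") and "acme-tls/1" in detail:
        return ("no-alpn", "the listener on :443 did not offer acme-tls/1: something "
                "other than Traefik's websecure entrypoint is terminating TLS")
    return ("unknown", detail)


def parse_acme_failures(log_text):
    """Return one dict per failed domain in 'Unable to obtain ACME certificate' lines."""
    failures = []
    for line in log_text.splitlines():
        if "Unable to obtain ACME certificate" not in line:
            continue
        # Inside the quoted error string, per-domain items are separated by a
        # literal backslash-n, so turn it into a real newline before matching.
        for m in ACME_ITEM.finditer(line.replace("\\n", "\n")):
            item = m.groupdict()
            item["cause"], item["hint"] = classify(item)
            failures.append(item)
    return failures


# Constructed sample: two lines in the shape of the ones quoted in this thread.
SAMPLE_LOG = r"""
2024-02-24T14:53:58Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [whoami.rb.MYDOMAIN.TLD www.whoami.rb.MYDOMAIN.TLD]: error: one or more domains had a problem:\n[whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 104.21.36.207: remote error: tls: handshake failure\n[www.whoami.rb.MYDOMAIN.TLD] acme: error: 400 :: urn:ietf:params:acme:error:tls :: 172.67.199.152: remote error: tls: handshake failure\n" providerName=myresolver.acme
2024-02-24T14:53:59Z ERR Unable to obtain ACME certificate for domains \"SUB.MYDOMAIN.TLD\": unable to generate a certificate for the domains [SUB.DOMAIN.TLD]: error: one or more domains had a problem:\n[SUB.DOMAIN.TLD] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory"
"""

if __name__ == "__main__":
    for f in parse_acme_failures(SAMPLE_LOG):
        print(f"{f['domain']}: {f['cause']} ({f['ip'] or 'no ip'}) -> {f['hint']}")
```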