Traefik returns 404 even though a router is present

Hello, here is my faulty docker-compose.yaml config:

version: '3.3'
services:
  wireguard_client:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard_client
    privileged: true
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Toronto
    volumes:
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.default.disable_ipv6=1
    restart: unless-stopped

  transmission:
    image: ghcr.io/linuxserver/transmission
    container_name: transmission
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=America/Toronto
      - TRANSMISSION_WEB_HOME=/flood-for-transmission/
    volumes:
      - /home/pierre/htpc/transmission/config:/config
      - /home/pierre/htpc/data/torrents:/downloads
      - /home/pierre/htpc/data/magnet_file:/watch
    network_mode: "service:wireguard_client"
    depends_on: [ "wireguard_client", ]
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.transmission.rule=Host(`transmission.pierrevalentin.org`)
      - "traefik.http.routers.transmission.entrypoints=websecure"
      - "traefik.http.routers.transmission.tls.certresolver=myresolver"
      - traefik.http.services.transmission.loadbalancer.server.port=9091

  jellyfin:
    image: ghcr.io/linuxserver/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=America/Toronto
    volumes:
      - /home/pierre/htpc/jellyfin/config:/config
      - /home/pierre/htpc/jellyfin/cache:/cache
      - /home/pierre/htpc/data/media:/media
    restart: unless-stopped
    ports:
      - 8096:8096
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.domain1.org`)
      - "traefik.http.routers.jellyfin.entrypoints=websecure"
      - "traefik.http.routers.jellyfin.tls.certresolver=myresolver"
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096

  jackett:
    image: ghcr.io/linuxserver/jackett
    container_name: jackett
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=America/Toronto
      - AUTO_UPDATE=true #optional
    volumes:
      - /home/pierre/htpc/jackett/config:/config
      - /home/pierre/magnet_file:/downloads
    ports:
      - 9117:9117
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.jackett.rule=Host(`jackett.domain1.org`)
      - "traefik.http.routers.jackett.entrypoints=websecure"
      - "traefik.http.routers.jackett.tls.certresolver=myresolver"
      - traefik.http.services.jackett.loadbalancer.server.port=9117

  traefik:
    image: traefik
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - --certificatesresolvers.myresolver.acme.httpchallenge=true
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=me@domain1.org"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Resolver for allure websites
      - --certificatesresolvers.allureresolver.acme.httpchallenge=true
      - --certificatesresolvers.allureresolver.acme.httpchallenge.entrypoint=web
      - "--certificatesresolvers.allureresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.allureresolver.acme.email=me@domain1.org"
      - "--certificatesresolvers.allureresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "~/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  sonarr:
    container_name: sonarr
    image: linuxserver/sonarr:latest
    restart: unless-stopped
    environment:
      - PUID=1000 # default user id, defined in .env
      - PGID=1000 # default group id, defined in .env
      - UMASK=002
      - TZ=America/Toronto # timezone, defined in .env
    volumes:
      - /home/pierre/htpc/data:/data
      - /home/pierre/htpc/sonarr/config:/config # config files
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.sonarr.rule=Host(`sonarr.domain1.org`)
      - "traefik.http.routers.sonarr.entrypoints=websecure"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
      - traefik.http.services.sonarr.loadbalancer.server.port=8989

  radarr:
    container_name: radarr
    image: linuxserver/radarr:latest
    restart: unless-stopped
    environment:
      - PUID=1000 # default user id, defined in .env
      - PGID=1000 # default group id, defined in .env
      - TZ=America/Toronto # timezone, defined in .env
    volumes:
      - /home/pierre/htpc/data:/data
      - /home/pierre/htpc/radarr/config:/config # config files
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.radarr.rule=Host(`radarr.domain1.org`)
      - "traefik.http.routers.radarr.entrypoints=websecure"
      - "traefik.http.routers.radarr.tls.certresolver=myresolver"
      - traefik.http.services.radarr.loadbalancer.server.port=7878

  mariadb:
    # We use a mariadb image which supports both amd64 & arm64 architecture
    image: mariadb:10.6.4-focal
    container_name: mariadb
    # If you really want to use MySQL, uncomment the following line
    #image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    volumes:
      - db_data:/var/lib/mysql
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060

  wordpress:
    image: wordpress:latest
    container_name: wordpress
    depends_on:
      - mariadb
    ports:
      - 8088:80
    expose:
      - 80
    restart: unless-stopped
    environment:
      - WORDPRESS_DB_HOST=mariadb
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
    labels:
      - "traefik.enable=true"
      - traefik.http.routers.wordpress.rule=Host(`www.domain2.com`)
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=allureresolver"
      - traefik.http.services.wordpress.loadbalancer.server.port=80
volumes:
  db_data:

All the services with a host like service.domain1.org resolve. But now I want to add a WordPress site to my config with the FQDN www.domain2.com.
Following the same config as the previous services, the WordPress site is not reachable. I get a 404 from Traefik. What am I missing here?

If I change the domain in the WordPress labels to www.domain1.org, it resolves. I guess I am missing something, but the debug logs aren't really helpful so far.

Hi @pievalentin, are you sure the 404 in this case is being returned by Traefik?

Since you mentioned that changing the rule to domain1.org works, it makes me wonder if it's not a DNS or load balancing issue before Traefik, since you already have domain1 correctly working and pointing to Traefik, but domain2.com is new from what I understood.

Hello, @pievalentin is right, I'm facing the same issue, it's strange.
When not combined with WordPress, Traefik is making certs fine (for other websites).
But when using WordPress, suddenly the "/.well-known/acme-challenge/..." is not reachable.

traefik | time="2022-09-15T21:32:23Z" level=error msg="Unable to obtain ACME certificate for domains "www.it-krouzek.cz" : unable to generate a certificate for the domains [www.it-krouzek.cz]: error: one or more domains had a problem:\n[www.it-krouzek.cz] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2a02:2b88:1:4::16: Invalid response from http://www.it-krouzek.cz/.well-known/acme-challenge/-zsKStdJKfgwrfLMxTNecubAp1YxZoezuzKrlDc_psk: 404\n" providerName=production.acme

One way to fail the Let's Encrypt challenge is when you deploy multiple Traefik instances in parallel (behind a load balancer). Then every instance will request a certificate, but with high probability the challenge is not going back to the same server, therefore not finding the right challenge file.

With a single Traefik instance I can imagine the issue is that the internally created acme-http@internal router for an HTTP challenge has a lower priority than other routes and therefore the challenge request is not routed to the right service. Try not to use multiple resolvers.

Make sure you bind your resolver with http challenge to the right entrypoint on port 80.
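
The checks suggested in the last reply (one resolver, HTTP challenge bound to the port 80 entrypoint) can be run mechanically against the Traefik flags and router labels. This is an added example, not part of any post in the thread; `audit_acme` and the two constants are hypothetical names, the input is copied from the compose file in the question, and the check assumes the container port equals the published port.

```python
import re

# Constructed input: flags copied from the traefik `command:` list in the question.
PAGE_FLAGS = [
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.httpchallenge=true",
    "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web",
    "--certificatesresolvers.allureresolver.acme.httpchallenge=true",
    "--certificatesresolvers.allureresolver.acme.httpchallenge.entrypoint=web",
]
# Router name -> tls.certresolver label value, taken from two of the services.
PAGE_ROUTERS = {"jellyfin": "myresolver", "wordpress": "allureresolver"}


def audit_acme(flags, routers):
    """Return findings (strings) about the ACME HTTP challenge wiring."""
    cfg = {}
    for flag in flags:
        key, _, value = flag.lstrip("-").partition("=")
        cfg[key.lower()] = value

    ports, resolvers = {}, set()
    for key, value in cfg.items():
        m = re.fullmatch(r"entrypoints\.([^.]+)\.address", key)
        if m:  # ":80", "0.0.0.0:80" and ":80/tcp" all yield 80
            ports[m.group(1)] = int(value.rsplit(":", 1)[1].split("/")[0])
        m = re.match(r"certificatesresolvers\.([^.]+)\.", key)
        if m:
            resolvers.add(m.group(1))

    findings = []
    if len(resolvers) > 1:
        findings.append("multiple resolvers: " + ", ".join(sorted(resolvers)))
    for name in sorted(resolvers):
        ep = cfg.get(f"certificatesresolvers.{name}.acme.httpchallenge.entrypoint")
        if ep is None:
            findings.append(f"{name}: no httpchallenge.entrypoint set")
        elif ports.get(ep.lower()) != 80:
            findings.append(f"{name}: challenge entrypoint '{ep}' is not on port 80")
    for router, name in sorted(routers.items()):
        if name.lower() not in resolvers:
            findings.append(f"router {router}: unknown resolver '{name}'")
    return findings


if __name__ == "__main__":
    for line in audit_acme(PAGE_FLAGS, PAGE_ROUTERS):
        print(line)
```

On the configuration from the question, the only finding is the pair of resolvers; both already bind their challenge to the `web` entrypoint on port 80.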