Traefik unable to use ACME certificate after generating

Hi all,

I'm struggling with setting up Traefik for the first time and having difficulty connecting SSL certificates.
I've come from SWAG reverse proxy where it was able to handle DuckDNS and subdomains automatically for containers I needed to expose.

Hoping for a fresh perspective as I've scoured the GitHub, docs, community forum and some ChatGPT and am finding it really difficult to understand what is relevant to me vs. what's not. There are many ways of presenting the config and I'm getting somewhat confused.

My goal:

  1. Expose Traefik Dashboard via dashboard.example.duckdns.org
  2. Expose HomePage Container via example.duckdns.org

Where I'm at:
I can successfully open the Traefik Dashboard via insecure mode (internal_ip:8089), however attempts to open either goal on the domain have failed. The Dashboard shows successful TLS, status, entry, and service connections to the docker IP of the respective containers, however navigating via the domain links just results in a "This site can't be reached."

The debug log shows "No default certificate, fallback to the internal generated certificate" which I'm understanding to be the issue.

Docker Logs
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=myresolver.acme
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Provider connection established with docker 26.0.0 (API 1.45)" providerName=docker
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"homepage\":{\"service\":\"homepage\",\"rule\":\"Host(`example.duckdns.org`)\",\"tls\":{}}},\"services\":{\"homepage\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.11:3000\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder routerName=web-to-websecure@internal entryPointName=web middlewareName=tracing
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=homepage
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareType=TracingForwarder routerName=dashboard@internal entryPointName=traefik middlewareName=tracing
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Setting up redirection to https 443" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=web routerName=homepage@docker serviceName=homepage
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating load-balancer" entryPointName=web routerName=homepage@docker serviceName=homepage
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating server 0 http://172.18.0.11:3000" serviceName=homepage serverName=0 entryPointName=web routerName=homepage@docker
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="child http://172.18.0.11:3000 now UP"
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Propagating new UP status"
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware homepage" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=homepage@docker
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" entryPointName=websecure routerName=websecure-homepage@docker serviceName=homepage middlewareName=pipelining middlewareType=Pipelining
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating load-balancer" serviceName=homepage entryPointName=websecure routerName=websecure-homepage@docker
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating server 0 http://172.18.0.11:3000" serviceName=homepage entryPointName=websecure routerName=websecure-homepage@docker serverName=0
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="child http://172.18.0.11:3000 now UP"
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Propagating new UP status"
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Added outgoing tracing middleware homepage" middlewareType=TracingForwarder entryPointName=websecure routerName=websecure-homepage@docker middlewareName=tracing
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=websecure
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding route for example.duckdns.org with TLS options default" entryPointName=websecure
traefik  | time="2024-04-12T16:58:11+10:00" level=debug msg="Adding route for example.duckdns.org with TLS options default" entryPointName=web

Here is my docker-compose.yml:

  traefik:
    image: traefik:v2.11.0
    container_name: traefik
    command:
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      #- --providers.docker.endpoint=unix:///var/run/docker.sock
      #- --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.example.duckdns.org`)
      - --api.dashboard=true
      - --api.insecure=true
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filepath=/Config/traefik/access.log
      - --accesslog.format=json
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certResolver=myresolver
      - --entrypoints.websecure.http.tls.domains[0].main=example.duckdns.org
      - --entrypoints.websecure.http.tls.domains[0].sans=*.example.duckdns.org
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns
      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.myresolver.acme.email=example_email@gmail.com
      - --certificatesresolvers.myresolver.acme.storage=/Config/traefik/acme.json
    ports:
      - 80:80
      - 443:443
      - 8089:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - ./Config/traefik:/Config/traefik/
    environment:
      - DUCKDNS_TOKEN=example_token
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.duckdns.org`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.dashboard.service=dashboard@internal"
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
    restart: unless-stopped

  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    environment:
      - PUID=1000
      - PGID=1000
    ports:
      - 3000:3000
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`example.duckdns.org`)"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"

What I've tried:
As you may notice there's a bunch of commented-out lines in the config. I've tried various combinations of setups, including:

  • Port 8080 is taken by another container so I set traefik to 8089. Attempted port 8080 with the other container shut down but this didn't help.

  • Confirmed all containers, including Traefik, are on the same docker network

  • Deleting the acme.json a few times, and changing its location to check for permission issues.

  • The Traefik Dashboard (internal ip on insecure mode) correctly shows the mapped containers to router + service. Docker IPs shown here correctly direct to the container page on the host machine.

  • Started on Traefik version 2.11.2, however saw a few threads about similar issues with certificates so downgraded to v2.11.0

I had some other logs that I can't reproduce now that showed the DNS Challenge stepping through each component. It confirmed the DuckDNS token was valid, validated domains and successfully mentioned retrieving the certificate.

Has anyone experienced this or have any pointers for how I can resolve this?

Thank you, much appreciated.
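
Added example, not part of the original post and not Traefik's own code: a check of whether the names stored in acme.json cover the router hosts from the compose file above. It assumes the Traefik v2 acme.json layout (resolver name, then "Certificates" entries with domain.main and domain.sans); the sample data and function names are constructed for illustration.

```python
import json

def cert_names(acme, resolver):
    """Return every DNS name (main + SANs) stored for one resolver."""
    entry = acme.get(resolver) or {}
    names = []
    # "Certificates" stays null until the first successful issuance.
    for cert in entry.get("Certificates") or []:
        domain = cert.get("domain") or {}
        if domain.get("main"):
            names.append(domain["main"].lower())
        names.extend(s.lower() for s in domain.get("sans") or [])
    return names

def covers(cert_name, host):
    """True if cert_name is valid for host; '*.' matches exactly one label."""
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host

def coverage(acme, resolver, hosts):
    """Map each router host to whether any stored certificate covers it."""
    names = cert_names(acme, resolver)
    return {h: any(covers(n, h) for n in names) for h in hosts}

# Constructed samples (assumed Traefik v2 layout; key material is a placeholder).
SAMPLE_ISSUED = json.loads("""
{"myresolver": {"Account": {"Email": "example_email@gmail.com"},
  "Certificates": [{"domain": {"main": "example.duckdns.org",
                               "sans": ["*.example.duckdns.org"]},
                    "certificate": "PLACEHOLDER", "key": "PLACEHOLDER",
                    "Store": "default"}]}}
""")
SAMPLE_EMPTY = {"myresolver": {"Account": {}, "Certificates": None}}

# Hosts from the router rules in the compose file.
ROUTER_HOSTS = ["example.duckdns.org", "traefik.example.duckdns.org"]

if __name__ == "__main__":
    # For a real file: acme = json.load(open("./Config/traefik/acme.json"))
    for label, acme in (("issued", SAMPLE_ISSUED), ("empty", SAMPLE_EMPTY)):
        for host, ok in coverage(acme, "myresolver", ROUTER_HOSTS).items():
            print(f"{label:7} {host:32} {'covered' if ok else 'NOT covered'}")
```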

If you just have a few services, I would prefer the simpler tlsChallenge.

Check the simple Traefik example.