I am trying to switch to Traefik from a (mostly) working NPM setup (the NPM container is removed). Tearing my hair out as I cannot get this working.
Here is the setup:
- Cloudflare handles DNS, with domain . com CNAME pointing to the Cloudflare tunnel ID and service.domain.com pointing to domain . com
- a Cloudflare tunnel (cloudflared container) has an ingress tag to the traefik container on ip:443.
- Traefik is SUPPOSED to be using the Cloudflare origin certificate with wildcard *domain . com and domain . com
- cloudflared reports this error when trying to browse to the service (I doxxed the domain in the error below):
0 event=1 ingressRule=0 originService=ip:443
2025-01-07T18:02:18Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for 417535e44f2170bcc257fc4713f4b77f.6eb61e76881069d82d6f7588ef630a44.traefik.default, not MYDOMAIN . com" connIndex=0 dest=service.domain.com/ event=0 ip=198.41.192.77 type=ws
Here are all the relevant files:
Traefik Docker Compose:
services:
  traefik:
    image: traefik:v3.2.3
    container_name: CASA_TRAEFIK
    command:
      - "--configFile=/etc/traefik/traefik.yml" # Point to the external traefik.yml
    ports:
      - 80:80
      - 443:443
      - 8079:8080 # Web UI port (dashboard/API, unauthenticated while api.insecure is true)
    environment:
      - CF_API_EMAIL=MYCLOUDFLAEMAIL
      - CF_API_TOKEN=MYAPITOKEN # Cloudflare API Token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt # Persistent storage for certificates
      - ./certs:/etc/traefik/certs # Mount the directory containing your Cloudflare certificates
      - ./traefik.yml:/etc/traefik/traefik.yml # Mount the custom traefik.yml config
    networks:
      - casaproxy
    labels:
      - homepage.group=Network
      - homepage.name=Traefik
      - homepage.icon=traefik.png
      - homepage.description=Reverse Proxy
      - homepage.widget.type=traefik
      - homepage.widget.url=IP
networks:
  casaproxy: # Define the internal network
    driver: bridge # Default network driver
Here is my traefik.yml:
################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: true

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"

################################################################
# Traefik logs configuration
################################################################
log:
  level: DEBUG

################################################################
# API and dashboard configuration
################################################################
api:
  insecure: true # Enable insecure API for monitoring (dashboard served on :8080 with no auth; keep it off untrusted networks)
  dashboard: true # Enable Dashboard (set to false to disable it)

################################################################
# Providers configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # Docker socket
    exposedByDefault: false # Do not expose containers by default
    defaultRule: "Host(`{{ normalize .Name }}`)" # Default rule for container names
  file:
    # Must not be /etc/traefik itself: the file provider would also pick up traefik.yml
    # (static config) and fail to parse it as dynamic config, so certs.yml is never
    # applied and Traefik falls back to its self-signed "*.traefik.default" certificate.
    # /etc/traefik/certs is the mounted ./certs directory; certs.yml goes in there.
    directory: "/etc/traefik/certs" # Directory to watch for dynamic config (TLS store, certificates)
    watch: true # Watch for changes in dynamic config

################################################################
# Certificates Resolver for Cloudflare
################################################################
certificatesResolvers:
  cloudflare:
    acme:
      dnsChallenge:
        provider: cloudflare # Use DNS challenge for Cloudflare
      email: MYCLLOUDFLAREMAIL # Your Cloudflare email
      storage: "/letsencrypt/acme.json" # Path to store ACME certificates
My certs.yml:
# Dynamic configuration (certs.yml or dynamic.yml)
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cloudflare-origin.pem"
        keyFile: "/etc/traefik/certs/cloudflare-origin.key"
  certificates:
    - certFile: "/etc/traefik/certs/cloudflare-origin.pem"
      keyFile: "/etc/traefik/certs/cloudflare-origin.key"
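A quick triage of that cloudflared line, as an added example that is not from the post: it parses the Go x509 hostname error, flags a `.traefik.default` name as Traefik's auto-generated fallback certificate (meaning the TLS store from certs.yml was never applied), and checks whether the origin cert's SANs (`*.domain.com`, `domain.com`) would cover the hostname cloudflared verifies. Python standard library only; the log line is embedded as a constructed sample.

```python
import re

# Constructed sample: the cloudflared error from the post, domain kept as a placeholder.
SAMPLE_LOG = (
    '2025-01-07T18:02:18Z ERR Request failed error="Unable to reach the origin service. '
    'The service may be down or it may not be responding to traffic from cloudflared: '
    'tls: failed to verify certificate: x509: certificate is valid for '
    '417535e44f2170bcc257fc4713f4b77f.6eb61e76881069d82d6f7588ef630a44.traefik.default, '
    'not MYDOMAIN.com" connIndex=0 dest=service.domain.com/ event=0 ip=198.41.192.77 type=ws'
)

# Go's crypto/x509 HostnameError text: "certificate is valid for a, b, not c"
MISMATCH_RE = re.compile(r'certificate is valid for (?P<names>.+?), not (?P<expected>[^"\s]+)')


def san_matches(pattern: str, host: str) -> bool:
    """Hostname match the way Go's crypto/x509 does it: '*' only as the whole left-most
    label and matching exactly one label, so *.domain.com covers service.domain.com
    but not a.b.domain.com and not domain.com itself."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def origin_cert_covers(sans: list[str], host: str) -> bool:
    """True if any SAN on the origin certificate covers the name cloudflared verifies."""
    return any(san_matches(san, host) for san in sans)


def diagnose(log_line: str) -> dict:
    """Classify a cloudflared 'failed to verify certificate' line."""
    m = MISMATCH_RE.search(log_line)
    if not m:
        return {"kind": "no-hostname-mismatch"}
    served = [n.strip() for n in m.group("names").split(",")]
    expected = m.group("expected")
    if any(n.endswith(".traefik.default") for n in served):
        # Traefik generates this self-signed cert when no TLS store / defaultCertificate
        # was loaded from dynamic config: the Cloudflare origin cert was never applied.
        kind = "traefik-default-cert"
    elif origin_cert_covers(served, expected):
        kind = "covered"  # would not produce a mismatch error; kept for completeness
    else:
        kind = "wrong-cert"  # a real cert was served but its SANs do not cover the name
    return {"kind": kind, "served": served, "expected": expected}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against a real log line; a `traefik-default-cert` result means to look at the file provider directory and the certs.yml path before touching the certificate itself.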