Traefik with DNS Challenge behind firewall

Good morning,

I am new to Traefik and I'm trying to set up the reverse proxy with a Let's Encrypt TLS certificate using the DNS challenge with Docker behind a firewall, at the moment in my homelab for testing before putting it in production.
The goal is to have a valid Let's Encrypt certificate inside my LAN for my services.
After 1 week of trying it's still not working; I tried almost every configuration without any luck.
This is my setup.

  • 1 static public IP
  • A firewall with NAT 1:1 from internet port UDP 443 to UDP 443 on the Traefik LXC IP
  • Domain on Cloudflare with an A record *.dev that points to my static public IP
  • Local DNS managed by Pi-hole that points from inside the network to the internal IP of the Traefik container

When I spin up the container I don't see any errors, but when I try to access any of the services the browser answers that it cannot reach the page. I cannot even reach the dashboard; same problem.

This is my docker compose config:

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filepath=/logs/traefik-access.log
      - --accesslog.format=json
#      - --log=true
#      - --log.filepath=/logs/traefik.log
#      - --log.format=json
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --api.dashboard=true
      # Letsencrypt
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.emailAddresses=${CLOUDFLARE_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.keyType=RSA4096
      - --certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
#      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.disableChecks=true
      - --certificatesResolvers.letsencrypt.acme.dnsChallenge.propagation.delayBeforeChecks=30
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      # Insecure listener for redirect all traffic to TLS
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      # TLS config for websecure listener
      - --entryPoints.websecure.http.tls=true
      - --entryPoints.websecure.http.tls.certResolver=letsencrypt
      - --entryPoints.websecure.http.tls.domains[0].main=dev.mikoshinet.eu
      - --entryPoints.websecure.http.tls.domains[0].sans=*.dev.mikoshinet.eu
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.dev.mikoshinet.eu`)
      - traefik.http.routers.mydashboard.tls=true
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.routers.mydashboard.entryPoints=websecure
      - traefik.http.routers.mydashboard.tls.certResolver=letsencrypt
      - traefik.http.middlewares.myauth.basicauth.users=xxxxxxxxxxxxxxxxxxxxx
    networks:
      - proxy
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/letsencrypt
      - ./logs:/logs
    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TZ=Europe/Rome

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.dev.mikoshinet.eu`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
      - traefik.http.routers.mywhoami.entryPoints=websecure
      - traefik.http.routers.mywhoami.tls.certResolver=letsencrypt
      - traefik.http.routers.mywhoami.tls=true

networks:
  proxy:
    name: proxy
```

Here is the Traefik log. The only problem that I see is this line, which is flagged as DBG and not ERR:

DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default

traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:233 > Starting TCP Server entryPointName=websecure
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:233 > Starting TCP Server entryPointName=web
traefik  | 2026-04-29T09:01:37+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:219 > Starting provider *traefik.Provider
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:220 > *traefik.Provider provider configuration config={}
traefik  | 2026-04-29T09:01:37+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:219 > Starting provider *acme.Provider
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:220 > acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"letsencrypt","TLSChallengeProvider":{},"caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"clientResponseHeaderTimeout":"30s","clientTimeout":"2m0s","dnsChallenge":{"propagation":{"delayBeforeChecks":"30s"},"provider":"cloudflare","resolvers":["1.1.1.1:53","8.8.8.8:53"]},"emailAddresses":["info@mikoshinet.eu"],"keyType":"RSA4096","storage":"/letsencrypt/acme.json","store":{}}
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:252 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
traefik  | 2026-04-29T09:01:37+02:00 INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:908 > Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"models":{"websecure":{"observability":{},"tls":{"certResolver":"letsencrypt","domains":[{"main":"dev.mikoshinet.eu","sans":[".dev.mikoshinet.eu"]}]}}},"routers":{"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":9223372036854775806,"rule":"HostRegexp(^.+$)","ruleSyntax":"default","service":"noop@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=letsencrypt.acme
traefik  | 2026-04-29T09:01:37+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:219 > Starting provider *docker.Provider
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:220 > *docker.Provider provider configuration config={"defaultRule":"Host({{ normalize .Name }})","endpoint":"unix:///var/run/docker.sock","network":"proxy","watch":true}
traefik  | 2026-04-29T09:01:37+02:00 INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:219 > Starting provider *acme.ChallengeTLSALPN
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:220 > *acme.ChallengeTLSALPN provider configuration config={}
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:81 > Provider connection established with docker 29.4.0 (API 1.54) providerName=docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:201 > Filtering disabled container container=vaultwarden-vaultwarden-4763f3fd5a0dc36231c3c1b4d0d37a3b60220a9769a0a251d44f28b1e9e13dea providerName=docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:201 > Filtering disabled container container=adoring-ardinghelli-8202997cddea01315ef3d1f60de9aee1751a9119f6e043ec2541ebccc5270522 providerName=docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"myauth":{"basicAuth":{"users":["admin:$apr1$V2/X6iVg$uiFSQnu7rt7VJ/AAs9sJG0"]}}},"routers":{"homepage_router":{"entryPoints":["websecure"],"rule":"Host(homepage.dev.mikoshinet.eu)","service":"homepage_router","tls":{"certResolver":"letsencrypt"}},"mydashboard":{"entryPoints":["websecure"],"middlewares":["myauth"],"rule":"Host(traefik.dev.mikoshinet.eu)","service":"api@internal","tls":{"certResolver":"letsencrypt"}},"mywhoami":{"entryPoints":["websecure"],"rule":"Host(whoami.dev.mikoshinet.eu)","service":"mywhoami","tls":{"certResolver":"letsencrypt"}}},"services":{"homepage_router":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.21.0.2:80"}],"strategy":"wrr"}},"mywhoami":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.21.0.3:80"}],"strategy":"wrr"}},"traefik-traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.21.0.4:80"}],"strategy":"wrr"}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/router.go:37 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingRouter routerName=web-to-websecure@internal serviceName=noop@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate_store.go:226 > Adding certificate for domain(s) traefik.mikoshinet.eu
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate_store.go:226 > Adding certificate for domain(s) whoami.dev.mikoshinet.eu
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate_store.go:226 > Adding certificate for domain(s) homepage.dev.mikoshinet.eu
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate_store.go:226 > Adding certificate for domain(s) traefik.dev.mikoshinet.eu
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/certificate_store.go:226 > Adding certificate for domain(s) *.dev.mikoshinet.eu,dev.mikoshinet.eu
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:386 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/router.go:37 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingRouter routerName=web-to-websecure@internal serviceName=noop@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint routerName=web-to-websecure@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:382 > Creating load-balancer entryPointName=websecure routerName=mywhoami@docker serviceName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:440 > Creating server URL=http://172.21.0.3:80 entryPointName=websecure routerName=mywhoami@docker serverIndex=0 serviceName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/service.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingService routerName=mywhoami@docker serviceName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/router.go:37 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingRouter routerName=mywhoami@docker serviceName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics routerName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint routerName=mywhoami@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:382 > Creating load-balancer entryPointName=websecure routerName=homepage_router@docker serviceName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:440 > Creating server URL=http://172.21.0.2:80 entryPointName=websecure routerName=homepage_router@docker serverIndex=0 serviceName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/service.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingService routerName=homepage_router@docker serviceName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/router.go:37 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingRouter routerName=homepage_router@docker serviceName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics routerName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint routerName=homepage_router@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:39 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/router.go:37 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingRouter routerName=mydashboard@docker serviceName=api@internal
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=SemConvServerMetrics routerName=mydashboard@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingEntryPoint routerName=mydashboard@docker
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/semconv.go:40 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=SemConvServerMetrics
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/entrypoint.go:37 > Creating middleware entryPointName=web middlewareName=tracing middlewareType=TracingEntryPoint
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for whoami.dev.mikoshinet.eu with TLS options default entryPointName=websecure
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for homepage.dev.mikoshinet.eu with TLS options default entryPointName=websecure
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.dev.mikoshinet.eu with TLS options default entryPointName=websecure
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:491 > Trying to challenge certificate for domain [traefik.dev.mikoshinet.eu] found in HostSNI rule ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=mydashboard@docker rule=Host(traefik.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:491 > Trying to challenge certificate for domain [whoami.dev.mikoshinet.eu] found in HostSNI rule ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=mywhoami@docker rule=Host(whoami.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:491 > Trying to challenge certificate for domain [homepage.dev.mikoshinet.eu] found in HostSNI rule ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=homepage_router@docker rule=Host(homepage.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:966 > Looking for provided certificate(s) to validate ["homepage.dev.mikoshinet.eu"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=homepage_router@docker rule=Host(homepage.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1010 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["homepage.dev.mikoshinet.eu"] providerName=letsencrypt.acme routerName=homepage_router@docker rule=Host(homepage.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:966 > Looking for provided certificate(s) to validate ["whoami.dev.mikoshinet.eu"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=mywhoami@docker rule=Host(whoami.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:966 > Looking for provided certificate(s) to validate ["traefik.dev.mikoshinet.eu"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme routerName=mydashboard@docker rule=Host(traefik.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1010 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["whoami.dev.mikoshinet.eu"] providerName=letsencrypt.acme routerName=mywhoami@docker rule=Host(whoami.dev.mikoshinet.eu)
traefik  | 2026-04-29T09:01:37+02:00 DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:1010 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["traefik.dev.mikoshinet.eu"] providerName=letsencrypt.acme routerName=mydashboard@docker rule=Host(traefik.dev.mikoshinet.eu)


And this is the service that I am trying to publish:

```yaml
networks:
  proxy:
    name: proxy
    external: true

services:
  homepage:
    image:  # image reference is missing from the post as captured
    container_name: homepage
    ports:
      - 3000:3000
    volumes:
      - ./homepage-data:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock:ro # optional, for docker integrations
      - ./images:/app/public/images
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.homepage_router.tls=true
      - traefik.http.routers.homepage_router.rule=Host(`homepage.dev.mikoshinet.eu`)
      - traefik.http.routers.homepage_router.entryPoints=websecure
      - traefik.http.services.homepage_router.loadbalancer.server.port=80
      - traefik.http.routers.homepage_router.tls.certresolver=letsencrypt
    networks:
      - proxy
    environment:
      HOMEPAGE_ALLOWED_HOSTS: homepage.dev.mikoshinet.eu,gethomepage.dev,192.168.2.20:3000,citadel.homelab.local:3000 # required, may need port. See gethomepage.dev/installation/#homepage_allowed_hosts
      PUID: 0
      PGID: 0
```

Thank you in advance for the support.
Best Regards

Format config as code, not quote, to preserve spacing and make it more readable.

When using Traefik with dnsChallenge for TLS, you don't need any ports to be available on the Internet. dnsChallenge will create a custom TXT record in DNS for your domain, which is checked by LetsEncrypt. For that to work, you need outbound connectivity for Traefik and a DNS provider that works with Traefik/go-acme. Check the /letsencrypt/acme.json file inside the Traefik container (or ./certs/acme.json on host), if TLS certs have been created.

When something is "not reachable", it is usually a local DNS issue, which is not correctly resolving local hostnames to local IPs.

Note that you could simply set your local IP in external DNS, like

whoami.internal.example.com -> 192.168.10.10
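The two checks described in the reply above, as an added example that is not part of either poster's messages: it reads acme.json to see which router hostnames are already covered by a stored certificate, and classifies what the client's own resolver returns for each name. The script name, the `example.com` hostnames, the sample JSON and the classification labels are assumptions made for illustration; the acme.json layout used is resolver name, then `Certificates`, then `domain.main` / `domain.sans`.

```python
#!/usr/bin/env python3
"""Added example: is a certificate stored for each host, and where does the name resolve?"""
import ipaddress
import json
import os
import socket
import sys

# Constructed sample in the layout Traefik writes to acme.json:
# resolver name -> "Certificates" -> "domain": {"main", "sans"}. Key material omitted.
SAMPLE_ACME = json.dumps({
    "letsencrypt": {
        "Certificates": [
            {"domain": {"main": "dev.example.com", "sans": ["*.dev.example.com"]}},
            {"domain": {"main": "whoami.dev.example.com"}},
        ]
    }
})

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def name_matches(pattern, host):
    """Certificate name match: a leading '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def acme_coverage(acme_text, hosts):
    """Map each host to the names of the first stored certificate covering it, or None."""
    store = json.loads(acme_text) if acme_text.strip() else {}  # file may still be empty
    certs = []
    for resolver in store.values():
        # "Certificates" is null until the first certificate has been issued.
        for cert in (resolver or {}).get("Certificates") or []:
            dom = cert.get("domain", {})
            certs.append([dom.get("main", "")] + list(dom.get("sans") or []))
    return {
        host: next((names for names in certs
                    if any(name_matches(n, host) for n in names)), None)
        for host in hosts
    }


def classify_answers(answers, traefik_ip):
    """Say where a client will end up, given the addresses its resolver returned."""
    if not answers:
        return "no-answer"            # the name does not resolve on this client
    if traefik_ip in answers:
        return "ok"                   # resolves to the Traefik host
    addrs = [ipaddress.ip_address(a) for a in answers]
    if all(any(a in net for net in RFC1918) for a in addrs):
        return "wrong-internal-ip"    # internal address, but not Traefik's
    return "outside-lan"              # e.g. the public record; traffic leaves the LAN


def too_open(path):
    """acme.json holds private keys: any group/other permission bit is too open."""
    return bool(os.stat(path).st_mode & 0o077)


def resolve(host):
    """Addresses from this machine's resolver, i.e. what the browser will use."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # usage: check_traefik.py ./certs/acme.json <traefik-lan-ip> <hostname> [<hostname> ...]
    path, traefik_ip, hosts = sys.argv[1], sys.argv[2], sys.argv[3:]
    if too_open(path):
        print(f"warning: {path} is readable by group/other; use mode 600")
    with open(path) as fh:
        coverage = acme_coverage(fh.read(), hosts)
    for host in hosts:
        answers = resolve(host)
        print(f"{host}: cert={coverage[host]} dns={answers} -> "
              f"{classify_answers(answers, traefik_ip)}")
```

Run it on the client that cannot reach the service, not only on the Docker host, since the two can use different resolvers.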

Got the answer right now; as you stated, the problem was a DNS issue.
I forgot one serious element while working on this project, and it's that my home LAN, which I was reaching from my workplace, was behind a tailnet VPN.
After modifying the DNS inside the tailnet admin account for my domain, everything started to work.

Thank you for your reply
Regards