Traefik with Hetzner DNS to get a valid SSL certificate for a local network service

I use DYNU DNS to route my domain to a local network IP (Traefik), for local real SSL certs.
This works, but I am trying to switch to Hetzner DNS and can't get it to run. Site not found. Any idea?
Hetzner Console -> DNS -> A @ 192.168.1.10

traefik.yaml

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
    endpoint: "unix:///var/run/docker.sock"
    # only accepts containers with the label "which.instance=foobar"
    constraints: "Label(`which.instance`,`foobar`)"
  file:
    # set up the dynamic config path and enable watch, so that Traefik reloads the files automatically when they change
    #filename: "/etc/traefik/dynamic-config.yaml"
    directory: "/etc/traefik/dynamic_config"
    watch: true

certificatesResolvers:
  hetzner:
    acme:
      email: "admin@foobar.de"
      dnsChallenge:
        provider: hetzner
        delayBeforeCheck: 0
        resolvers:
          - 213.133.100.98
          - 88.198.229.192
          - 193.47.99.5
      storage: "/letsencrypt/acme.json"

Traefik compose.yaml

services:
  traefik:
    image: traefik:v3.6.2
    container_name: traefik-foobar
    security_opt:
      - no-new-privileges:true
      # Not used, because of MacVLAN
      #ports:
      #- 80:80 # HTTP port
      #- 443:443 # HTTPS port
      #- 8080:8080 # Web UI (enabled by --api.insecure=true)
    environment:
      TZ: ${TZ}
      DYNU_API_KEY: ${DYNU_API_KEY}
      HETZNER_API_TOKEN: ${HETZNER_API_TOKEN}
    volumes:
      # Mount the Docker socket to let Traefik listen to Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the configuration files
      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
      # Mount the dynamic configuration directory; if a file in it changes,
      # Traefik reloads it automatically and you do not need to restart the container
      # Must match providers -> file -> directory in traefik.yaml
      - ./dynamic_config:/etc/traefik/dynamic_config/:ro
      # Mount the directory that holds acme.json (certificate storage); Traefik creates the file automatically
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
    networks:
      proxy-traefik-foobar:
      macvlan-br0:
        ipv4_address: 192.168.1.10
networks:
  proxy-traefik-foobar:
    external: true
  macvlan-br0:
    external: true

Dozzle compose.yaml

services:
  dozzle:
    image: amir20/dozzle:${VERSION:-latest}
    container_name: ${SERVICE_NAME}
    hostname: Homeserver
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      #ports:
      #- 8080:8080
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      TZ: ${TZ}
      DOZZLE_NO_ANALYTICS: true
    networks:
      - proxy-traefik-foobar
    labels:
      - which.instance=foobar
      - traefik.enable=true
      - traefik.http.routers.${SERVICE_NAME}.entrypoints=websecure
      - traefik.http.routers.${SERVICE_NAME}.rule=Host(`${URL}`)
      - traefik.http.routers.${SERVICE_NAME}.tls=true
      - traefik.http.routers.${SERVICE_NAME}.tls.certresolver=hetzner
      - traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}
      - traefik.docker.network=proxy-traefik-foobar
networks:
  proxy-traefik-foobar:
    external: true

What are you trying to do? Do you want to reach your home server from within your home network? Or do you want to reach your home server from the Internet?

The IP mentioned is a private IP; it only exists in your home network. The DNS of a public domain can point to a private IP, but that does not make it accessible from the Internet.

Yes, I have a home server with some services running in Docker.

To get a valid SSL certificate, I map a domain via DNS to my local Traefik IP and use dnsChallenge for the certificate.
As I wrote before, this was running with DYNU's DNS and Traefik, but I want to switch to Hetzner.

Well, it should work. If it doesn’t, you should enable Traefik debug log (doc) and check for err, tls, acme.
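
A pre-flight check of the cross-references between the three files in the question (constraint label, `traefik.enable`, entry point, certificate resolver, shared network), as an added example that is not part of the original thread. The function name and the substituted `SERVICE_NAME`, `URL` and `SERVICE_PORT` values are assumptions.

```python
import re

# Values copied from the question's traefik.yaml and Traefik compose.yaml.
STATIC = {
    "entrypoints": {"web", "websecure"},
    "resolvers": {"hetzner"},
    "constraint": ("which.instance", "foobar"),
    "exposed_by_default": False,
    "traefik_networks": {"proxy-traefik-foobar", "macvlan-br0"},
}

# Dozzle labels after variable substitution. SERVICE_NAME, URL and
# SERVICE_PORT are not shown in the thread; these values are constructed.
DOZZLE_NETWORKS = {"proxy-traefik-foobar"}
DOZZLE_LABELS = [
    "which.instance=foobar",
    "traefik.enable=true",
    "traefik.http.routers.dozzle.entrypoints=websecure",
    "traefik.http.routers.dozzle.rule=Host(`dozzle.example.com`)",
    "traefik.http.routers.dozzle.tls=true",
    "traefik.http.routers.dozzle.tls.certresolver=hetzner",
    "traefik.http.services.dozzle.loadbalancer.server.port=8080",
    "traefik.docker.network=proxy-traefik-foobar",
]

ROUTER_KEY = re.compile(r"traefik\.http\.routers\.([^.]+)\.(entrypoints|tls\.certresolver)")

def check_service(labels, networks, static=STATIC):
    """Return mismatches between one service's labels and the static config."""
    kv = dict(label.split("=", 1) for label in labels)
    problems = []
    key, want = static["constraint"]
    if kv.get(key) != want:
        problems.append(f"label {key}={want} missing, provider constraint excludes the container")
    if not static["exposed_by_default"] and kv.get("traefik.enable") != "true":
        problems.append("traefik.enable=true missing while exposedByDefault is false")
    net = kv.get("traefik.docker.network")
    if net and not (net in networks and net in static["traefik_networks"]):
        problems.append(f"network {net} is not attached to both Traefik and the service")
    for k, value in kv.items():
        m = ROUTER_KEY.fullmatch(k)
        if m and m[2] == "entrypoints":
            unknown = {e.strip() for e in value.split(",")} - static["entrypoints"]
            if unknown:
                problems.append(f"router {m[1]}: undefined entrypoint(s) {sorted(unknown)}")
        elif m and value not in static["resolvers"]:
            problems.append(f"router {m[1]}: undefined certresolver {value}")
    return problems
```

An empty list means the labels and the static configuration agree, which leaves the ACME/DNS side to investigate in the debug log.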