Traefik config help (certresolver)

Hi guys,

I was hoping for some help with explaining why setting up traefik has been so difficult self-hosting on docker. Don't get me wrong, learning configs for everything can be a challenge, but I've got everything else set up, from the *arr stack with docker compose and api keys, to non-docker apps using cron jobs and custom service scripts. A bit of copying and tweaking for your needs goes a long way.

But I can't get traefik working no matter what. I've copied a full config, and tweaked it, but the json wouldn't parse correctly, due to indentation. I've deleted the whole thing, and re-written from scratch, but nothing works. It seems traefik in particular randomizes parts of the indentation? My current file is below, and complains about the certresolvers not existing (specifically: error="field not found, node: certresolver"). What I find really strange is the error it gave me with 2 spaces before address: :80, since that part requires 3 for reasons I have yet to figure out. More interesting is that my website does seem to work anyway, sort of. All http requests are forwarded to https, and I do get a valid certificate, but visiting nginx.<mywebsite.com> returns a 404 error, which has made me check my dns records too many times to count.

I hope it's a dns issue I'm too dumb to have seen. I've got a record set up for wildcard subdomains, and both ports 80 and 443 are forwarded on the router and allowed through the firewall. I'm just stuck here.

docker-compose.yml with simple nginx server to test connection

services:
  traefik:
    container_name: traefik
    image: traefik:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yaml:ro
      - ./traefik/conf/:/etc/traefik/conf/
      - ./traefik/certs/:/etc/traefik/certs/
    environment:
      - CF_DNS_API_TOKEN=<token>
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 250m
    networks:
      - frontend
  nginx:
    container_name: nginx
    image: nginx:latest
    ports:
      - 84:80
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 250m
    networks:
      - frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx-https.tls=true
      - traefik.http.routers.nginx-https.certresolver=cloudflare
      - traefik.http.routers.nginx-https.entrypoints=websecure
      - traefik.http.routers.nginx-https.rule=Host('nginx.<mywebsite.com>')
networks:
  frontend:
    external: true

traefik.yml

global:
  sendAnonymousUsage: false
Log:
  Level: DEBUG
entryPoints:
  web:
     address: :80
     http:
       redirections:
         entryPoint:
           to: websecure
           scheme: https
  websecure:
    address: :443
certificatesResolvers:
  cloudflare:
    acme:
      email: <myemail>@gmail.com
      storage: /etc/traefik/certs/cloudflare-acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: frontend
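As an added example (not code from the post or from Traefik), here is a small linter for the nginx container's labels above. It encodes the two label mistakes that matter in this thread: a router's resolver lives at `traefik.http.routers.<name>.tls.certresolver`, not directly under the router (that is the "field not found, node: certresolver" error), and `Host()` takes a backtick-quoted string. The label lists are the ones from the post with the real domain replaced by the placeholder `nginx.example.com`; the second list is the corrected form.

```python
"""Lint Traefik v3 docker labels for the two label mistakes in the compose
file above.

Added example, not part of the original post. Two rules are encoded:
  1. A router's resolver is routers.<name>.tls.certresolver; a bare
     routers.<name>.certresolver is an unknown field ("field not found,
     node: certresolver").
  2. Host() takes a backtick-quoted string, not single or double quotes.
The label lists are taken from the thread with the real domain replaced by
nginx.example.com (a placeholder).
"""
import re

# The labels as first posted (broken), and in their corrected form.
BROKEN_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.nginx-https.tls=true",
    "traefik.http.routers.nginx-https.certresolver=cloudflare",
    "traefik.http.routers.nginx-https.entrypoints=websecure",
    "traefik.http.routers.nginx-https.rule=Host('nginx.example.com')",
]
FIXED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.nginx.rule=Host(`nginx.example.com`)",
    "traefik.http.routers.nginx.entrypoints=websecure",
    "traefik.http.routers.nginx.tls=true",
    "traefik.http.routers.nginx.tls.certresolver=cloudflare",
    "traefik.http.services.nginx.loadbalancer.server.port=80",
]


def parse_labels(labels):
    """Turn 'a.b.c=value' label strings into a nested dict.

    A key that is both a scalar and a parent (tls=true together with
    tls.certresolver=...) keeps the scalar under "_" so neither is lost.
    """
    tree = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.strip().split(".")
        node = tree
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = {} if child is None else {"_": child}
                node[part] = child
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            node[leaf]["_"] = value.strip()
        else:
            node[leaf] = value.strip()
    return tree


HOST_ARG = re.compile(r"Host\(([^)]*)\)")


def lint_labels(labels):
    """Return a list of human-readable findings; an empty list means no known mistake."""
    findings = []
    routers = parse_labels(labels).get("traefik", {}).get("http", {}).get("routers", {})
    for name, cfg in routers.items():
        if not isinstance(cfg, dict):
            continue
        if "certresolver" in cfg:
            findings.append(
                f"router {name}: certresolver must be under tls "
                f"(traefik.http.routers.{name}.tls.certresolver=...)")
        for match in HOST_ARG.finditer(cfg.get("rule", "")):
            arg = match.group(1).strip()
            if not (len(arg) >= 2 and arg[0] == "`" and arg[-1] == "`"):
                findings.append(f"router {name}: Host({arg}) must use backticks")
    return findings


if __name__ == "__main__":
    for title, labels in (("broken", BROKEN_LABELS), ("fixed", FIXED_LABELS)):
        print(title, lint_labels(labels) or ["ok"])
```

Run it as-is and the first list produces two findings, the second none. The point of `parse_labels` keeping both `tls=true` and `tls.certresolver=cloudflare` is that Traefik accepts exactly that pair; a linter that flattened one over the other would report the corrected labels as broken.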

Let's say Traefik is targeting corporate users rather than hobbyists :blush:

Enable and check Traefik debug log (doc), are routers created? Enable and check Traefik access log in JSON format (doc), what’s the output during requests?

It looks like you use the wrong ticks in Host(), has to be Host(`domain`). Maybe check simple Traefik example.

That's fair, but to ignore the pipeline from hobbyists to professionals would be silly.

Everything is working fine in the logs, except for the single previous error. Also, good spot on the wrong ticks! Although it does seem as though any might be acceptable, since that didn't change anything.

I did take another, much closer look at the logs after attempting to access the page. It seems to be throwing a lot of DBG log/log.go:245 > http: TLS handshake error from 192.168.0.21:<random port numbers>: remote error: tls: unknown certificate authority and DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "". This seems to be a similar if not identical issue to this post about 7 months ago with no clear answer.

Still, I really appreciate you taking a look! :grinning_face_with_smiling_eyes:

You see those errors when a browser/client connects but doesn’t accept the TLS cert, which might be Traefik default.

If there is a certResolver error, that would make sense, as no public valid certificate would be created.

You can check your config again with

traefik check-config --configFile=/path/to/traefik.yml

Also if Host() is not correct, you would not get the correct domain TLS certs.

Enable and check Traefik debug log (doc), are routers created, Domains recognized, TLS certs created?

Enable and check Traefik access log in JSON format (doc), what’s the output during requests? Is 404 from Traefik because it doesn’t find target service or from target service directly?
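To make the last question concrete, here is an added example (not from the reply above or from Traefik) that reads Traefik's JSON access log (static config `accessLog:` with `format: json`) and separates 404s that Traefik answered itself, because no router rule matched, from 404s a backend returned through a matched router. The field names are Traefik's JSON access-log fields; the three log lines are constructed for the example, with a placeholder host and backend address.

```python
"""Tell a Traefik-generated 404 (no router matched the request) apart from a
404 the backend service returned through a matched router.

Added example, not from the thread. It reads Traefik's JSON access log; the
field names used (DownstreamStatus, OriginStatus, RouterName, ServiceName,
ServiceURL, RequestHost, RequestPath) are Traefik's own JSON access-log
fields. The three log lines below are constructed for this example; the host
and backend address are placeholders.
"""
import json

SAMPLE_LOG = """\
{"DownstreamStatus":404,"OriginStatus":404,"RequestHost":"nginx.example.com","RequestPath":"/","RequestMethod":"GET","entryPointName":"websecure"}
{"DownstreamStatus":404,"OriginStatus":404,"RequestHost":"nginx.example.com","RequestPath":"/missing","RequestMethod":"GET","RouterName":"nginx@docker","ServiceName":"nginx@docker","ServiceURL":"http://172.18.0.3:80","entryPointName":"websecure"}
{"DownstreamStatus":200,"OriginStatus":200,"RequestHost":"nginx.example.com","RequestPath":"/","RequestMethod":"GET","RouterName":"nginx@docker","ServiceName":"nginx@docker","ServiceURL":"http://172.18.0.3:80","entryPointName":"websecure"}
"""


def classify_404(entry):
    """Return 'traefik', 'backend', or None for one parsed access-log entry.

    Traefik only logs a router/service name when a router rule matched and
    the request was forwarded. A 404 with neither set is Traefik's own
    "no route" answer, which is what a Host() rule that does not match the
    requested host, or a router Traefik never created, produces.
    """
    if entry.get("DownstreamStatus") != 404:
        return None
    if entry.get("RouterName") or entry.get("ServiceName"):
        return "backend"
    return "traefik"


def summarize(log_text):
    """Count 404s by origin and collect (origin, host, path, router) per hit."""
    counts = {"traefik": 0, "backend": 0}
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        origin = classify_404(entry)
        if origin is None:
            continue
        counts[origin] += 1
        hits.append((origin,
                     entry.get("RequestHost", ""),
                     entry.get("RequestPath", ""),
                     entry.get("RouterName", "")))
    return counts, hits


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    for origin, host, path, router in hits:
        print(f"{origin:8} {host}{path}  router={router or '-'}")
    print(counts)
```

Point it at the real file (for example `docker logs traefik` with the access log on stdout, or the file named in `accessLog.filePath`) instead of `SAMPLE_LOG`. A run where every 404 is "traefik" with an empty router means the request never reached nginx, so the thing to fix is the router (its rule, its entrypoint, or a label error that kept it from being created), not DNS or the nginx container.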

So, a lot has happened.

I enabled the dashboard to test things, that's a must, and I should have done it sooner. I don't get any more certificate errors now, and can access everything through nginx.<mywebsite.com>.

ChatGPT walked through it with me, although of course, AI can't replace forums like this, it is a tool I should make use of more.

For anyone wondering what exactly the fix was, I'm not entirely sure myself. I replaced the labels on my nginx container with the following before making minor changes (removing speech marks, reordering and adding more hosts) although they look the same as the labels I had:


      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.<mywebsite.com>`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.certresolver=cloudflare"
      - "traefik.http.services.nginx.loadbalancer.server.port=80"

There were no DNS issues, though I did add some before fixing them later when redirecting some of my other domains to this one. Oops.

Thank you all for reading, and especially for the input.

I'm off to break things again by adding a middleware and complaining! :grin: