Trouble configuring Traefik w/ Docker on Linode and Cloudflare DNS

Background

I'm trying to set up a Linode Nanode instance that will run Docker to self-host some of my services. I already have a static IP set up. My DNS is managed by Cloudflare (shown below), and I have a firewall, managed by ufw, running on the instance (shown below).

I grabbed a free domain from freenom.com (*.tk domain) to test all of this on before I move it over to my real *.com domain. The domain is estysdesu.tk.

Problem

I'm trying to get to MVP status using Traefik. Right now, I'm trying to access whoami.estysdesu.tk, but I get a "404 page not found" response, which makes me think that the DNS routing is set up properly. I checked my acme.json and that appears to have retrieved a cert from Let's Encrypt properly. So my assumption is that something is wrong with my config. But I followed the docs on setting up Let's Encrypt with an HTTP challenge. Not sure where my mistakes are.

Configs

Docker

# docker-compose.yml
version: "3.3"

networks:
  default:
    external:
      name: $DOCKER_NETWORK # $DOCKER_NETWORK comes from .env file

services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.certresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.certresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.certresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.certresolver.acme.email=$EMAIL" # $EMAIL comes from .env file
      - "--certificatesresolvers.certresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/data/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    depends_on:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.$DOMAIN_NAME`)" # $DOMAIN_NAME comes from .env file
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=certresolver"

# docker logs traefik output
time="2020-06-17T20:04:14Z" level=info msg="Configuration loaded from flags."
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=web
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2020-06-17T20:07:33Z" level=info msg="Configuration loaded from flags."

Cloudflare

DNS settings: (screenshot not reproduced here)

SSL/TLS settings:
I've tried setting my SSL/TLS setting to Flexible. That does provide an HTTPS cert, but the cert is issued by Cloudflare, not Let's Encrypt. Maybe I need to set it to Full, but that seemed to be an issue when I tried last night.

UFW (on Debian 10 Linode Nanode)

# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
8080                       ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             
8080 (v6)                  ALLOW IN    Anywhere (v6) 

May I recommend a couple of things:

a) Turn on the access log. You can see the requests and whether or not it uses the router (whoami@docker)
b) Inspect your containers to make sure those environment variables are set as expected.

# requires jq; replace container_name with the container to check, e.g. whoami
docker inspect container_name | jq ".[].Config.Labels"
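A worked version of suggestion (a), added here as an example; it is not code from the original post or from Traefik. It assumes Traefik was started with `--accesslog=true --accesslog.format=json`, so that each request is one JSON object per line using Traefik v2's field names (`RequestHost`, `RouterName`, `DownstreamStatus`, `entryPointName`). The sample log lines are constructed to mirror the posted config: the only router, `whoami@docker`, is bound to the `websecure` entrypoint, so any request that reaches the `web` entrypoint (port 80) for that host matches nothing and Traefik answers 404 "page not found". That is exactly what the origin receives from a proxy whose SSL mode is "Flexible", and the script flags it. Client addresses are from documentation ranges and the ACME token is a placeholder.

```python
"""Summarise a Traefik v2 JSON access log: which router, if any, served each
request, and which hosts reach Traefik on an entrypoint that has no router
for them.

Added example for this thread, not code from the original post or from
Traefik. Assumes Traefik runs with
    --accesslog=true --accesslog.format=json
so every request is one JSON object per line using Traefik v2's field names.
"""
import json
from collections import Counter, defaultdict

# Constructed sample lines in Traefik v2 JSON access-log format, modelled on
# the whoami.estysdesu.tk setup in the post. Client addresses come from
# documentation ranges; the ACME token is a placeholder. The last line is a
# plain-text Traefik message of the kind that shares the same output stream.
SAMPLE_LOG = """\
{"ClientAddr":"203.0.113.7:51234","DownstreamStatus":200,"RequestHost":"whoami.estysdesu.tk","RequestMethod":"GET","RequestPath":"/","RequestScheme":"https","RouterName":"whoami@docker","ServiceName":"whoami@docker","entryPointName":"websecure","time":"2020-06-17T20:10:01Z"}
{"ClientAddr":"198.51.100.10:41220","DownstreamStatus":404,"RequestHost":"whoami.estysdesu.tk","RequestMethod":"GET","RequestPath":"/","RequestScheme":"http","entryPointName":"web","time":"2020-06-17T20:10:05Z"}
{"ClientAddr":"198.51.100.11:41221","DownstreamStatus":404,"RequestHost":"whoami.estysdesu.tk","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestScheme":"http","entryPointName":"web","time":"2020-06-17T20:10:06Z"}
{"ClientAddr":"192.0.2.44:33020","DownstreamStatus":200,"RequestHost":"whoami.estysdesu.tk","RequestMethod":"GET","RequestPath":"/.well-known/acme-challenge/token-placeholder","RequestScheme":"http","RouterName":"acme-http@internal","ServiceName":"acme-http@internal","entryPointName":"web","time":"2020-06-17T20:09:58Z"}
time="2020-06-17T20:09:00Z" level=info msg="Configuration loaded from flags."
"""


def parse_access_log(text):
    """Return the JSON access-log entries in `text`, in order.

    Non-JSON lines (Traefik's plain-text startup/error messages, or a
    truncated write) are skipped rather than fatal.
    """
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "entryPointName" in obj:
            entries.append(obj)
    return entries


def summarise(entries):
    """Count requests per (entrypoint, host, router, downstream status).

    A request that matched no router carries no RouterName key at all; it
    is shown as "-" and Traefik answers it with 404 "page not found".
    """
    counts = Counter()
    for e in entries:
        key = (e.get("entryPointName"), e.get("RequestHost"),
               e.get("RouterName", "-"), e.get("DownstreamStatus"))
        counts[key] += 1
    return counts


def unrouted_hosts(entries):
    """For each host that produced router-less 404s, list the entrypoints
    where that happened and the entrypoints where one of *your* routers did
    serve it. Routers from the @internal provider (the ACME challenge
    responder, the API) are Traefik's own and are not counted as yours.
    """
    routed = defaultdict(set)
    unrouted = defaultdict(set)
    for e in entries:
        host, ep = e.get("RequestHost"), e.get("entryPointName")
        router = e.get("RouterName")
        if router is None:
            if e.get("DownstreamStatus") == 404:
                unrouted[host].add(ep)
        elif not router.endswith("@internal"):
            routed[host].add(ep)
    return {
        host: {"unrouted_on": sorted(eps), "routed_on": sorted(routed.get(host, ()))}
        for host, eps in unrouted.items()
    }


def report(text):
    """Print the per-router summary plus a diagnosis per affected host;
    return the diagnosis dict so callers can act on it."""
    entries = parse_access_log(text)
    for (ep, host, router, status), n in sorted(summarise(entries).items(), key=str):
        print(f"{n:4d}  {str(ep):<10} {str(host):<25} {str(router):<22} {status}")
    problems = unrouted_hosts(entries)
    for host, info in problems.items():
        print(f"\n{host}: no router matched on {info['unrouted_on']}, "
              f"but a router does serve it on {info['routed_on']}.")
        if "web" in info["unrouted_on"] and "websecure" in info["routed_on"]:
            print("  Requests arrive as plain HTTP on port 80, which is what the origin")
            print("  sees behind a proxy in 'Flexible' SSL mode. Either make the proxy")
            print("  connect over HTTPS (Cloudflare 'Full') or add a router/redirect on")
            print("  the 'web' entrypoint; a websecure-only router never answers port 80.")
    return problems


if __name__ == "__main__":
    import sys
    # Pipe `docker logs traefik 2>&1` in, or run with no stdin to see the sample.
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
```

Run it against the real log with `docker logs traefik 2>&1 | python3 traefik_accesslog.py` (Traefik writes the access log to stdout by default, so `docker logs` carries it). Excluding `@internal` routers matters: the ACME challenge responder is Traefik's own router on port 80 and would otherwise hide the fact that none of your routers listen there. One separate point the posted config and ufw rules make visible: `--api.insecure=true` publishes the dashboard and API on 8080, and ufw allows 8080 from Anywhere, so that endpoint is reachable without authentication; the same access log will show hits on the `traefik` entrypoint if anyone finds it, and it is worth closing before moving to the real domain.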