TXT Record problems with Let's Encrypt + DuckDNS w/Wildcard cert

I'm trying to launch 1 docker compose file that lists out every container, along with Routers, Middlewares, etc. Along with that, I'm trying to issue 1 certificate that would cover all subdomains (which I thought was the purpose of Wildcard cert). Unfortunately, from the Traefik logs, it looks like each subdomain is attempting to get its own certificate, although it frequently fails. I'm new to all of this, so the below docker-compose has been adapted from the Smart Home Beginner tutorial, using the modification for Traefik 2.0 listed on GitHub.

docker-compose.yml


version: "3.7"

########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES
services:

############################# FRONTENDS

# Traefik - Reverse Proxy
# docker network create --gateway 192.168.90.1 --subnet 192.168.20.0/24 t2_proxy
# Subnet range 192.168.0.0/16 covers 192.168.0.0 to 192.168.255.255
# touch ${APPDATA}/traefik/acme/acme.json
# chmod 600 ${APPDATA}/traefik/acme/acme.json
# touch ${APPDATA}/traefik/traefik.log
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    command: # CLI arguments #https://docs.traefik.io/v2.0/reference/static-configuration/cli/
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entryPoints.http.address=:80
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - --entrypoints.http.forwardedHeaders.trustedIPs=127.0.0.1/31, 192.168.20.1/24
      - --entrypoints.http.proxyProtocol=true
      - --entrypoints.http.proxyProtocol.trustedIPs=127.0.0.1/31, 192.168.20.1/24
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      ## API Settings - https://docs.traefik.io/operations/api/, endpoints - https://docs.traefik.io/operations/api/#endpoints ##
      - --api=true
      - --api.insecure=true # <== Enabling insecure api, NOT RECOMMENDED FOR PRODUCTION
      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/var/log/docker/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      ## Certificate Settings (Let's Encrypt) -  https://docs.traefik.io/https/acme/#configuration-examples ##
        # Enable a dns challenge named "le"
      - --certificatesResolvers.le.acme.dnsChallenge=true
      - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # uncomment when testing
      - --certificatesResolvers.le.acme.email=$EMAIL
      - --certificatesResolvers.le.acme.storage=/acme.json
      - --certificatesResolvers.le.acme.dnsChallenge.provider=duckdns
      - --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=30

    networks:
      t2_proxy:
        ipv4_address: 192.168.20.123
    ports:
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - ${APPDATA}/traefik/rules:/rules # file provider directory
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${APPDATA}/traefik/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - ${APPDATA}/traefik/traefik.log:/var/log/docker/traefik.log # for fail2ban - make sure to touch file before starting container
      - ${APPDATA}/shared:/shared
#      - ${APPDATA}/traefik:/etc/traefik
    environment:
      - DUCKDNS_TOKEN=$DUCKDNS_TOKEN

    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=le"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-headers,rate-limit@file,oauth@file" #basic-auth@file
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworigin=https://$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.traefik-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.traefik-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.sslforcehost=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.traefik-headers.headers.stspreload=true"
      - "traefik.http.middlewares.traefik-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.framedeny=true"
      - "traefik.http.middlewares.traefik-headers.headers.customFrameOptionsValue='allow-from https:$DOMAINNAME'"
#      - "traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN" # This option overrides FrameDeny
      - "traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true"
#      - "traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"

# Duck DNS
#https://hub.docker.com/r/linuxserver/duckdns/
  duckdns:
    container_name: duckdns
    image: linuxserver/duckdns:latest
    environment:
      - TZ=${TZ}
      - PUID=${PUID} #optional
      - PGID=${PGID} #optional
      - SUBDOMAINS=${SUBDOMAIN}
      - TOKEN=${DUCKDNS_TOKEN}
      - LOG_FILE=false #optional
#    # Volumes store your data between container upgrades
    volumes:
       - ${APPDATA}/duckdns/config:/config
    restart: always
    labels:
      ## HTTP Routers
      - "traefik.http.routers.duckdns-rtr.entrypoints=https"
      - "traefik.http.routers.duckdns-rtr.rule=Host(`duckdns.$DOMAINNAME`)"
      - "traefik.http.routers.duckdns-rtr.tls=true"
      - "traefik.http.routers.duckdns-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.duckdns-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.duckdns-rtr.service=duckdns-svc"
      - "traefik.http.services.duckdns-svc.loadbalancer.server.port=80"

# Portainer - WebUI for Containers
  portainer:
    container_name: portainer
    image: portainer/portainer:latest
    restart: always
    command: -H unix:///var/run/docker.sock
    networks:
      - t2_proxy
    ports:
      - "$PORTAINER_PORT:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${APPDATA}/portainer/data:/data # Change to local directory if you want to save/transfer config locally
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      - "traefik.http.routers.portainer-rtr.tls=true"
      - "traefik.http.routers.portainer-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

# Organizr - Unified Frontend
  organizr:
    container_name: organizr
    image: organizrtools/organizr-v2:latest
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "$ORGANIZR_PORT:80"
    volumes:
      - ${APPDATA}/organizr:/config
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.organizr-rtr.entrypoints=https"
      - "traefik.http.routers.organizr-rtr.rule=Host(`$DOMAINNAME`,`www.$DOMAINNAME`)" 
      - "traefik.http.routers.organizr-rtr.tls=true"
      - "traefik.http.routers.organizr-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.organizr-rtr.middlewares=noauth-chain@file" 
#      - "traefik.http.middlewares.organizr-headers.headers.customResponseHeaders.sslHost=$DOMAINNAME"
#      - "traefik.http.middlewares.organizr-headers.headers.customResponseHeaders='X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'"
#      - "traefik.http.middlewares.organizr-headers.headers.browserxssfilter=true"
#      - "traefik.http.middlewares.organizr-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; script-src 'none'; base-uri 'none';"
#      - "traefik.http.middlewares.organizr-headers.headers.referrerpolicy=same-origin"
      ## HTTP Services
      - "traefik.http.routers.organizr-rtr.service=organizr-svc"
      - "traefik.http.services.organizr-svc.loadbalancer.server.port=80"

## Heimdall - Homepage
  heimdall:
    container_name: heimdall
    image: linuxserver/heimdall:latest
    restart: always
    networks:
      - t2_proxy
    ports:
      - "$HEIMDALL_PORT:80"
    volumes:
      - ${APPDATA}/heimdall:/config
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.heimdall-rtr.entrypoints=https"
      - "traefik.http.routers.heimdall-rtr.rule=Host(`heimdall.$DOMAINNAME`)"
      - "traefik.http.routers.heimdall-rtr.tls=true"
      - "traefik.http.routers.heimdall-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.heimdall-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"

## Autoindex - Simple Directory Index
  autoindex:
    container_name: autoindex
    image: dceoy/nginx-autoindex:latest
    restart: always
    networks:
      - t2_proxy
    ports:
      - "${AUTOINDEX_PORT}:80"
    volumes:
      - /media:/var/lib/nginx/html:ro # Location you want to index
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.autoindex-rtr.entrypoints=https"
      - "traefik.http.routers.autoindex-rtr.rule=Host(`index.$DOMAINNAME`)"
      - "traefik.http.routers.autoindex-rtr.tls=true"
      - "traefik.http.routers.autoindex-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.autoindex-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.autoindex-rtr.service=autoindex-svc"
      - "traefik.http.services.autoindex-svc.loadbalancer.server.port=80"

############################# SMART HOME

# Mosquitto - MQTT Broker
# Create mosquitto.conf, passwd, mosquitto.log files  and set permissions to 775 user:docker
# dexec mosquitto /bin/sh -> mosquitto_passwd -b /mosquitto/config/passwd username passwd
  mosquitto:
    image: eclipse-mosquitto
    container_name: mosquitto
    hostname: mosquitto
    restart: unless-stopped
    ports:
      - "${MOSQUITTO_HTTP_PORT}:1883" #http
      - "${MOSQUITTO_WEBSOCKETS_PORT}:9001" #websockets
      - "${MOSQUITTO_HTTPS_PORT}:8883" #https
    volumes: 
      - ${APPDATA}/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ${APPDATA}/mosquitto/config/passwd:/mosquitto/config/passwd
      - ${APPDATA}/shared:/shared
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}

# ZoneMinder - Video Surveillance 
# Create the database and initial tables using the init script. Database zm, username zmuser, and password zmpass - cannot customize zm, zmuser, or zmpass.
  zoneminder:
    image: quantumobject/docker-zoneminder
#    image: adc3c7a0ca0a
    container_name: zoneminder
    hostname: zoneminder
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "$ZONEMINDER_HTTP_PORT:80"
      - "$ZONEMINDER_HTTPS_PORT:443"
      - "$ZONEMINDER_EVENT_NOTIF_PORT:9000" # Event Notification Port
    privileged: true
    shm_size: 4096m
    volumes:
      - /var/empty
      - ${APPDATA}/shared:/shared
      - ${APPDATA}/zoneminder/backups:/var/backups
      - ${APPDATA}/zoneminder/zoneminder:/var/cache/zoneminder
      - ${APPDATA}/zoneminder/config:/config
      - type: tmpfs
        target: /dev/shm
    environment:
      SHMEM: "50%"
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
      PHP_TZ: ${TZ}
      ZM_DB_HOST: ${DB_HOST}
      ZM_DB_PORT: ${DB_PORT}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_ROOT: ${USER}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.zoneminder-rtr.entrypoints=https"
      - "traefik.http.routers.zoneminder-rtr.rule=Host(`zone.$DOMAINNAME`)"
      - "traefik.http.routers.zoneminder-rtr.tls=true"
      - "traefik.http.routers.zoneminder-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.zoneminder-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.zoneminder-rtr.service=zoneminder-svc"
      - "traefik.http.services.zoneminder-svc.loadbalancer.server.port=80"

############################# DATABASE

# MariaDB - MySQL Database
  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    restart: always
    networks:
      - default
#      - t2_proxy:
#          ipv4_address: 192.168.12.123 
    ports:
      - "3306:3306"
    volumes:
      - ${APPDATA}/mariadb/data:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD

# InfluxDB - Database for sensor data
# Create influxdb.conf
  influxdb:
    image: influxdb
    container_name: influxdb
    hostname: influxdb
    restart: always
    ports:
      - "${INFLUXDB_PORT}:8086"
    volumes:
#      - ${APPDATA}/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
      - ${APPDATA}/influxdb/db:/var/lib/influxdb
    command: -config /etc/influxdb/influxdb.conf

# Postgres - Database
  postgres:
    image: postgres
    container_name: postgres
    hostname: postgres
    restart: always
    volumes:
      - ${APPDATA}/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${STATPING_DB_PASS}
      POSTGRES_USER: ${STATPING_DB_USER}
      POSTGRES_DB: ${STATPING_DB}

# phpMyAdmin - Database management
# Create a new user with admin privileges. Cannot login as root.
  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    container_name: phpmyadmin
    hostname: phpmyadmin
    restart: unless-stopped
    networks:
      - t2_proxy
      - default
    ports:
      - "$PHPMYADMIN_PORT:80"
    depends_on:
      - mariadb
    links:
      - mariadb:db
    volumes:
      - ${APPDATA}/phpmyadmin:/etc/phpmyadmin
    environment:
      PMA_HOST: ${DB_HOST}
      PMA_PORT: ${DB_PORT}
#     PMA_ARBITRARY: 1
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.phpmyadmin-rtr.entrypoints=https"
      - "traefik.http.routers.phpmyadmin-rtr.rule=Host(`pma.$DOMAINNAME`)"
      - "traefik.http.routers.phpmyadmin-rtr.tls=true"
      - "traefik.http.routers.phpmyadmin-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.phpmyadmin-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.phpmyadmin-rtr.service=phpmyadmin-svc"
      - "traefik.http.services.phpmyadmin-svc.loadbalancer.server.port=80"

# Grafana - Graphical data visualization for InfluxDB data
  grafana:
    image: grafana/grafana
    container_name: grafana
    hostname: grafana
    restart: unless-stopped
    networks:
      - t2_proxy
      - default
    ports:
      - "${GRAFANA_PORT}:3000"
    depends_on:
      - "influxdb"
    user: "0"
    volumes:
      - ${APPDATA}/grafana:/var/lib/grafana
    environment:
      GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" 
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.grafana-rtr.entrypoints=https"
      - "traefik.http.routers.grafana-rtr.rule=Host(`grafana.$DOMAINNAME`)"
      - "traefik.http.routers.grafana-rtr.tls=true"
      - "traefik.http.routers.grafana-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.grafana-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.grafana-rtr.service=grafana-svc"
      - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"

# Bazarr - Subtitle Management
  bazarr:
    image: linuxserver/bazarr
    container_name: bazarr
    hostname: bazarr
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${BAZARR_PORT}:6767"
    volumes:
      - ${APPDATA}/bazarr:/config
#      - /media:/nas
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.bazarr-rtr.entrypoints=https"
      - "traefik.http.routers.bazarr-rtr.rule=Host(`bazarr.$DOMAINNAME`)"
      - "traefik.http.routers.bazarr-rtr.tls=true"
      - "traefik.http.routers.bazarr-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.bazarr-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.bazarr-rtr.service=bazarr-svc"
      - "traefik.http.services.bazarr-svc.loadbalancer.server.port=6767"

# Picard - Music Library Tagging and Management
  picard:
    image: mikenye/picard
    container_name: picard
    hostname: picard
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${PICARD_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads/wip_media:/wip_media:rw
      - ${APPDATA}/picard:/config:rw
#      - /media/ds918/media/music:/music:rw
      - /dev/shm:/dev/shm
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
      UMASK: 002
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.picard-rtr.entrypoints=https"
      - "traefik.http.routers.picard-rtr.rule=Host(`picard.$DOMAINNAME`)"
      - "traefik.http.routers.picard-rtr.tls=true"
      - "traefik.http.routers.picard-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.picard-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.picard-rtr.service=picard-svc"
      - "traefik.http.services.picard-svc.loadbalancer.server.port=5800"

# MKVToolNix - Video Editing (Remuxing - changing media container while keeping original source quality)
  mkvtoolnix:
    image: jlesage/mkvtoolnix
    container_name: mkvtoolnix
    hostname: mkvtoolnix
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${MKVTOOLNIX_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads:/downloads:rw
      - ${APPDATA}/mkvtoolnix/config:/config:rw
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      UMASK: 002
      TZ: ${TZ}
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: ${MKVTOOLNIX_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.mkvtoolnix-rtr.entrypoints=https"
      - "traefik.http.routers.mkvtoolnix-rtr.rule=Host(`mkvtoolnix.$DOMAINNAME`)"
      - "traefik.http.routers.mkvtoolnix-rtr.tls=true"
      - "traefik.http.routers.mkvtoolnix-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.mkvtoolnix-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.mkvtoolnix-rtr.service=mkvtoolnix-svc"
      - "traefik.http.services.mkvtoolnix-svc.loadbalancer.server.port=5800"

# MakeMKV - Video Editing (Ripping from Disks)
  makemkv:
    image: jlesage/makemkv
    container_name: makemkv
    hostname: makemkv
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${MAKEMKV_PORT}:5800"
    volumes:
      - ${APPDATA}/Downloads:/Downloads:rw
      - ${APPDATA}/makemkv/config:/config:rw
      - ${APPDATA}/Downloads/wip_media:/output:rw
      - /dev/shm:/dev/shm
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      UMASK: 002
      TZ: ${TZ}
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWORD: ${MAKEMKV_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.makemkv-rtr.entrypoints=https"
      - "traefik.http.routers.makemkv-rtr.rule=Host(`makemkv.$DOMAINNAME`)"
      - "traefik.http.routers.makemkv-rtr.tls=true"
      - "traefik.http.routers.makemkv-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.makemkv-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.makemkv-rtr.service=makemkv-svc"
      - "traefik.http.services.makemkv-svc.loadbalancer.server.port=5800"

############################# FILE MANAGEMENT

# Nextcloud
  nextcloud:
    image: linuxserver/nextcloud
    hostname: nextcloud
    container_name: nextcloud
    restart: unless-stopped
#    network_mode: host
    networks:
      - t2_proxy
    ports:
      - "${NEXTCLOUD_PORT}:443"
    volumes:
      - ${SHAREDFOLDERS}/user/nextcloud-data:/data:rw
      - ${APPDATA}/nextcloud:/config:rw
      - ${APPDATA}/shared:/shared:rw
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nextcloud-rtr.entrypoints=https"
      - "traefik.http.routers.nextcloud-rtr.rule=Host(`nextcloud.$DOMAINNAME`)"
      - "traefik.http.routers.nextcloud-rtr.tls=true"
      - "traefik.http.routers.nextcloud-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.nextcloud-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=4433"

############################# UTILITIES

# Firefox - Web Browser
  firefox:
    image: jlesage/firefox
    container_name: firefox
    hostname: firefox 
    restart: unless-stopped
    networks: 
      - t2_proxy
    ports: 
      - "${FIREFOX_PORT}:5800"
    volumes:
      - ${APPDATA}/firefox:/config
      - ${APPDATA}/Downloads/completed:/config/downloads
      - /dev/shm:/dev/shm
      - ${APPDATA}/shared:/shared
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
      UMASK: 002
      KEEP_APP_RUNNING: 1
      CLEAN_TMP_DIR: 1
      DISPLAY_WIDTH: 1600
      DISPLAY_HEIGHT: 960
      VNC_PASSWD: ${FIREFOX_VNC_PASSWD}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.firefox-rtr.entrypoints=https"
      - "traefik.http.routers.firefox-rtr.rule=Host(`firefox.$DOMAINNAME`)"
      - "traefik.http.routers.firefox-rtr.tls=true"
      - "traefik.http.routers.firefox-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.firefox-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.firefox-rtr.service=firefox-svc"
      - "traefik.http.services.firefox-svc.loadbalancer.server.port=5800"

# Glances - System Information
  glances:
    image: nicolargo/glances
    hostname: glances
    container_name: glances
    restart: unless-stopped
    privileged: true
#    network_mode: host
    networks:
      - t2_proxy
    ports:
      - "${GLANCES_PORT}:61208"
    pid: host
    volumes:
      - ${APPDATA}/glances/glances.conf:/glances/conf/glances.conf # Use this if you want to add a glances.conf file
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
#      GLANCES_OPT: "-C /glances/conf/glances.conf --quiet --export influxdb"
      GLANCES_OPT: "-w"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.glances-rtr.entrypoints=https"
      - "traefik.http.routers.glances-rtr.rule=Host(`glances.$DOMAINNAME`)"
      - "traefik.http.routers.glances-rtr.tls=true"
      - "traefik.http.routers.glances-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.glances-rtr.middlewares=secure-chain@file"
      ## HTTP Services
      - "traefik.http.routers.glances-rtr.service=glances-svc"
      - "traefik.http.services.glances-svc.loadbalancer.server.port=61208"

# APCUPSD - APC UPS Management
#https://github.com/gersilex/apcupsd-docker
# create the apcupsd.conf file
  apcupsd:
    image: gersilex/apcupsd
    container_name: apcupsd
    hostname: apcupsd
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${APCUPSD_PORT}:3551"
    privileged: true
    tty: true
    volumes:
      - /tmp/apcupsd-docker:/tmp/apcupsd-docker
      - ${APPDATA}/apcupsd/apcupsd.conf:/etc/apcupsd/apcupsd.conf
      - ${APPDATA}/apcupsd/doshutdown:/etc/apcupsd/doshutdown
      - ${APPDATA}/apcupsd/apcupsd.events:/var/log/apcupsd.events

# StatPing - Status Page & Monitoring Server
  statping:
    image: hunterlong/statping
    container_name: statping
    hostname: statping
    restart: unless-stopped
    networks:
      - t2_proxy
    ports:
      - "${STATPING_PORT}:8080"
    volumes:
      - ${APPDATA}/statping:/app
    environment:
      VIRTUAL_HOST: localhost
      VIRTUAL_PORT: 8080
      DB_CONN: postgres
      DB_HOST: postgres
      DB_USER: ${STATPING_DB_USER}
      DB_PASS: ${STATPING_DB_PASS}
      DB_DATABASE: ${STATPING_DB}
      IS_DOCKER: "true"
      DISABLE_LOGS: "false"
      NAME: StatPing
      DESCRIPTION: Monitor web services
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.statping-rtr.entrypoints=https"
      - "traefik.http.routers.statping-rtr.rule=Host(`statping.$DOMAINNAME`)"
      - "traefik.http.routers.statping-rtr.tls=true"
      - "traefik.http.routers.statping-rtr.tls.certresolver=le"
      ## Middlewares
      - "traefik.http.routers.statping-rtr.middlewares=noauth-chain@file"
      ## HTTP Services
      - "traefik.http.routers.statping-rtr.service=statping-svc"
      - "traefik.http.services.statping-svc.loadbalancer.server.port=8080"

############################# MAINTENANCE

# Ouroboros - Automatic Docker Container Updates
  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    hostname: ouroboros
    restart: unless-stopped
    networks:
      - default
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      TZ: ${TZ}
      INTERVAL: 86400
      LOG_LEVEL: debug
      SELF_UPDATE: "true"
      CLEANUP: "true"
      IGNORE: traefik influxdb hassio_dns homeassistant hassio_supervisor addon_core_check_config addon_62c7908d_autobackup plexms
      NOTIFIERS: 'tgram://${TGRAM_BOT_TOKEN}/${TGRAM_CHAT_ID}/'

This setup (trimmed for this post) has given me the following:

`traefik          | 2020-02-06T17:14:47.032745466Z time="2020-02-06T17:14:47Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.duckdns.org,*.mydomain.duckdns.org\" : unable to generate a certificate for the domains [mydomain.duckdns.org *.mydomain.duckdns.org]: acme: Error -> One or more domains had a problem:\n[*.mydomain.duckdns.org] time limit exceeded: last error: NS ns3.duckdns.org. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.duckdns.org., value: --value redacted--\n[mydomain.duckdns.org] time limit exceeded: last error: NS ns1.duckdns.org. did not return the expected TXT record [fqdn: _acme-challenge.mydomain.duckdns.org., value: --value redacted-- \n" providerName=le.acme`

I've tried modifying

- --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=30

but, no matter how many times, I still end up with issues. Sometimes no TXT is found, other times it's not the right TXT. I've looked through docs on traefik, letsencrypt, lego, duckdns, as well as many forums with no dice. :confused:

Help!
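
The error above names the same record, `_acme-challenge.mydomain.duckdns.org.`, for both the apex and the wildcard identifier. The following added example (not part of the original post; the sample log is constructed from it with placeholder values `VALUE-A`/`VALUE-B`, and all function names are illustrative) parses such a line and shows, per RFC 8555 section 8.4, why both identifiers validate against one TXT record name that must carry a different value for each.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample modelled on the Traefik error in the post.
# VALUE-A / VALUE-B are placeholders for the redacted TXT values.
SAMPLE_LOG = (
    'level=error msg="Unable to obtain ACME certificate for domains '
    '\\"mydomain.duckdns.org,*.mydomain.duckdns.org\\" : acme: Error -> '
    'One or more domains had a problem:\\n'
    '[*.mydomain.duckdns.org] time limit exceeded: last error: '
    'NS ns3.duckdns.org. did not return the expected TXT record '
    '[fqdn: _acme-challenge.mydomain.duckdns.org., value: VALUE-A\\n'
    '[mydomain.duckdns.org] time limit exceeded: last error: '
    'NS ns1.duckdns.org. did not return the expected TXT record '
    '[fqdn: _acme-challenge.mydomain.duckdns.org., value: VALUE-B \\n" '
    'providerName=le.acme'
)

# One match per failed identifier; the log escapes newlines as a literal "\n".
FAILURE_RE = re.compile(
    r"\[(?P<domain>[^\]\s]+)\] time limit exceeded: last error: "
    r"NS (?P<ns>\S+) did not return the expected TXT record "
    r"\[fqdn: (?P<fqdn>\S+?), value: (?P<value>.*?)\s*\\n"
)


def challenge_fqdn(identifier: str) -> str:
    """dns-01 record name: a leading '*.' is dropped from the identifier."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".") + "."


def txt_value(key_authorization: str) -> str:
    """dns-01 TXT value: unpadded base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_failures(log_line: str) -> list:
    """Extract identifier, nameserver, record name and expected value."""
    return [m.groupdict() for m in FAILURE_RE.finditer(log_line)]


def shared_records(failures: list) -> dict:
    """Record names that more than one identifier must validate against."""
    by_name = defaultdict(set)
    for failure in failures:
        by_name[failure["fqdn"]].add(failure["domain"])
    return {
        name: sorted(domains)
        for name, domains in by_name.items()
        if len(domains) > 1
    }


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for f in failures:
        # The logged name should equal the name derived from the identifier.
        derived = challenge_fqdn(f["domain"])
        print(f'{f["domain"]:28} {f["ns"]:18} {f["fqdn"]} match={derived == f["fqdn"]}')

    for name, domains in shared_records(failures).items():
        print(f"{name} must answer for {len(domains)} identifiers: {domains}")

    # Each authorization gets its own token, so the expected values differ.
    # Tokens and thumbprint below are constructed placeholders.
    print(txt_value("token-for-apex.ACCOUNT-THUMBPRINT"))
    print(txt_value("token-for-wildcard.ACCOUNT-THUMBPRINT"))
```

If the DNS provider can publish only one TXT value at that name at a time, only one of the two authorizations can pass per attempt, which matches the "not the right TXT" symptom described above.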