Unable to find the IP address for the container

Hey Guys,

so I am trying to get traefik to work and so far im failing miserably and I dont know further. I cannot find any information on the net so im creating this.

I want to open Homeassistant, Vaultwarden and Tandoor to the Web using DuckDNS. (but for the sake of simplicity I will start out with just homeassistant).

Now I have everything set up and running. But when I access my domain it will just tell me SEC_ERROR_UNKNOWN_ISSUER and when I ignore the warning it will forward me to 404 page not found

Now when I check the docker logs I get the following:

time="2023-12-31T15:48:36Z" level=error msg="service \"homeassistant-documents\" error: unable to find the IP address for the container \"/homeassistant\": the server is ignored" providerName=docker container=homeassistant-documents-0ed45ac004655cb73b9d3b37426c247d906d3369cb705c983e4b9d4cf95edd8d

Now I dont know why but nothing I have is called homeassistant-documents.

My docker compose file looks like this:

    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
      - /homeassistant/:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
    privileged: true
      - 8123:8123
      - 5683:5683
      - "traefik.enable=true"
      - "traefik.http.routers.homeassistant.rule=Host(`ha.xxx.duckdns.org`)"
      - "traefik.http.routers.homeassistant.entrypoints=websecure"
      - "traefik.http.routers.homeassistant.tls=true"
      - "traefik.http.routers.homeassistant.tls.certresolver=letsencrypt"

    container_name: traefik
    image: "traefik:latest"
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/traefik/traefik.yml:/etc/traefik/traefik.yml"
      - "/traefik/acme.json:/acme.json"

My traefik.yml looks like this:

    address: ":80"
          to: websecure
          scheme: https
    address: ":443"

  dashboard: true
  insecure: true

    exposedByDefault: false
    network: host

      email: xxx
      storage: acme.json
        entryPoint: web

One of the classic mistakes :wink:

You define Traefik static configuration in traefik.yml and command.

You can not mix, decide for one method (doc).


Thank you very much for the reply.
I updated it now to the following Compose file and I get a big big log file and it looks like its working but when I try to connect I just get a network timeout :confused:

The logfile can be accessed here: time="2024-01-04T08:41:36Z" level=info msg="Configuration loaded from flags."t - Pastebin.com

Can you please be so kind and let me know if you see anything suspiciously here?

Thank You!

Usually you would run Traefik and your target services connected to a Docker network, the Traefik Docker Configuration Discovery would then use the internal container IP of the target service to forward requests.

But you use network_mode: host for homeassistant, so there is no internal container IP. Not sure this is going to work.

I see two options:

  • Either you create an additional dynamic config file with Traefik http router and service, pointing to the host IP of your node (not localhost/, so manual config for homeassistant.
  • Or you don't use network_mode: host, but instead expose all required ports with ports.

The same topic is currently discussed on the Docker forum (link).

Note that you have an ACME LetsEncrypt error in you logs, your domain needs to point to the Traefik instance`s node and be reachable from the Internet.

First of all, thank you very much :slight_smile:

I want to say that I have done quite some testing ( I have tested your configuration from github! ) but not really with any result :frowning:

So two issues:

  1. Homeassistant Network Mode:
    Do you know if there is any way of finding out which port a container is using?
    running docker ps -a only shows 5683 and 8123 like configured.

Wouldnt this technically all work if I put every container in the same network (atleast for the ones which homeassistant interacts with so Influxdb, MQTT Broker, etc.)?

Because when removing the host flag and adding a network to homeassistant and influxdb, changing the server ip for influxdb from localhost to "influxdb" in the homeassistant configuration and restarting both will just lead that it fails to connect them together :confused:

  1. ACME Letsecnrypt Error:
    Thats the second weird thing. Right now I am running your github traefik configuration with whoami like this:
    image: traefik:latest
    container_name: traefik
      - 80:80
      - 443:443
      - proxy
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
#      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=xxx.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`xxx.duckdns.org`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=AAAAA:BBBBB/

    container_name: whoami
    image: traefik/whoami:v1.8
      - proxy
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`who.xxx.duckdns.org`) || Host(`www.who.xxx.duckdns.org`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

But when I actually open who.xxx.duckdns.org it will still give me the Error: SEC_ERROR_UNKNOWN_ISSUER ?

If I proceed anyways it will actually open whoami but how can I reach it from the Internet and my Server cant reach acme?

Because It for sure seems like I cannot reach letsecnrypt for some reason:

ping letsencrypt.org
PING letsencrypt.org(2a05:d014:275:cb01::c8 (2a05:d014:275:cb01::c8)) 56 data bytes
( I cancelled then) 
--- letsencrypt.org ping statistics ---
56 packets transmitted, 0 received, 100% packet loss, time 56300ms

root@HomeLab-:/documents# tracepath letsencrypt.org
 1?: [LOCALHOST]                        0.026ms pmtu 1492
 1:  fritz.box                                             0.755ms
 1:  fritz.nas                                             0.804ms
 2:  2003:0:8a02:2800::1                                  22.110ms
 3:  2003:0:1807:c000::1                                  14.924ms
 4:  2620:107:4000:c510::f002:5400                        13.799ms asymm  5
 5:  2620:107:4000:c5c0::f3fd:7                           16.581ms
 6:  2620:107:4000:cfff::f208:8c91                        17.213ms asymm  7
 7:  2620:107:4000:a550::f000:5c0e                        17.243ms asymm  6
 8:  no reply
 9:  no reply
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply

So what can I do in this case?
If I open letsencrypt.org in my webbrowser over wifi I can reach it :confused:

When using Traefik LetsEncrypt, it will automatically create a TLS cert for every domain you have in Host(). For this to work they must all be registered in DNS and point to your Traefik instance, which needs to be available on the Internet.

Your SEC_ERROR_UNKNOWN_ISSUER error is shown in your browser when a TLS cert can’t be generated, then Traefik is falling back to use a custom generated (untrusted) TLS cert.

Enable and check Traefik debug log (doc).