OK, so let's get the basics out of the way... I'm new to Traefik. Newish to Docker. I'm following this guide, but am running into issues.
I have my .env, .htpasswd, and docker-compose in the correct areas. Cloudflare is set up with my domain, and I am using my Global API. Below are my configs, redacted of course.
Docker Compose file

```yaml
version: "3.7"

########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES
services:
  # All services / apps go below this line

  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.254 # You can specify a static IP
    # networks:
    #   - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
```
.env file

```
PUID=1030
PGID=100
TZ="America/Kentucky/Louisville
USERDIR=/var/services/homes/hunter
DOCKERDIR=/volume1/docker
DOMAINNAME=youngs.us
CLOUDFLARE_EMAIL=<email>
CLOUDFLARE_API_KEY=<super secret key>
```
What's frustrating is I am getting the acme.json file to fully propagate as valid. However, when going to my site I'm getting a DNS_PROBE_FINISHED_NXDOMAIN error (Chrome, Safari and Firefox). I know something is working because I can go to my host IP (Synology NAS) at ports 80, 8080, and 443.
acme.json

```json
{
  "dns-cloudflare": {
    "Account": {
      "Email": "<email>",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:<email>"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/15292715"
      },
      "PrivateKey": "<key>",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "youngs.us",
          "sans": [
            "*.youngs.us"
          ]
        },
        "certificate": "<a key>=",
        "key": "<a key>",
        "Store": "default"
      }
    ]
  }
}
```
And last but not least, here is a bit of my log file.
```
root@MPASTRG00:/volume1/docker# docker logs -tf --tail="50" traefik
2020-08-23T15:11:57.163429630Z time="2020-08-23T15:11:57Z" level=info msg="Configuration loaded from flags."
2020-08-23T15:11:57.164182751Z time="2020-08-23T15:11:57Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
2020-08-23T15:11:57.166833642Z time="2020-08-23T15:11:57Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{\"trustedIPs\":[\"173.245.48.0/20\",\"103.21.244.0/22\",\"103.22.200.0/22\",\"103.31.4.0/22\",\"141.101.64.0/18\",\"108.162.192.0/18\",\"190.93.240.0/20\",\"188.114.96.0/20\",\"197.234.240.0/22\",\"198.41.128.0/17\",\"162.158.0.0/15\",\"104.16.0.0/12\",\"172.64.0.0/13\",\"131.0.72.0/22\"]},\"http\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.youngs.us`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"directory\":\"/rules\",\"watch\":true}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/traefik.log\",\"format\":\"common\",\"filters\":{\"statusCodes\":[\"400-499\"]},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"dns-cloudflare\":{\"acme\":{\"email\":\"hunter@youngs.us\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}}}"
2020-08-23T15:11:57.167283944Z time="2020-08-23T15:11:57Z" level=info msg="Stats collection is enabled."
2020-08-23T15:11:57.167490496Z time="2020-08-23T15:11:57Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
2020-08-23T15:11:57.167601448Z time="2020-08-23T15:11:57Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
2020-08-23T15:11:57.167658335Z time="2020-08-23T15:11:57Z" level=info msg="More details on: https://docs.traefik.io/contributing/data-collection/"
2020-08-23T15:11:57.169145193Z time="2020-08-23T15:11:57Z" level=debug msg="Start TCP Server" entryPointName=traefik
2020-08-23T15:11:57.169622746Z time="2020-08-23T15:11:57Z" level=debug msg="Start TCP Server" entryPointName=https
2020-08-23T15:11:57.169749492Z time="2020-08-23T15:11:57Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
2020-08-23T15:11:57.169815705Z time="2020-08-23T15:11:57Z" level=debug msg="Start TCP Server" entryPointName=http
2020-08-23T15:11:57.169910574Z time="2020-08-23T15:11:57Z" level=info msg="Starting provider *file.Provider {\"directory\":\"/rules\",\"watch\":true}"
2020-08-23T15:11:57.172226503Z time="2020-08-23T15:11:57Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.youngs.us`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000}"
2020-08-23T15:11:57.173433560Z time="2020-08-23T15:11:57Z" level=info msg="Starting provider *traefik.Provider {}"
2020-08-23T15:11:57.174058262Z time="2020-08-23T15:11:57Z" level=debug msg="Provider connection established with docker 18.09.8 (API 1.39)" providerName=docker
2020-08-23T15:11:57.174754407Z time="2020-08-23T15:11:57Z" level=info msg="Starting provider *acme.Provider {\"email\":\"hunter@youngs.us\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"dns-cloudflare\",\"store\":{},\"ChallengeStore\":{}}"
2020-08-23T15:11:57.175265981Z time="2020-08-23T15:11:57Z" level=info msg="Testing certificate renew..." providerName=dns-cloudflare.acme
2020-08-23T15:11:57.176250389Z time="2020-08-23T15:11:57Z" level=debug msg="Configuration received from provider file: {\"http\":{\"middlewares\":{\"middlewares-basic-auth\":{\"basicAuth\":{\"usersFile\":\"/shared/.htpasswd\",\"realm\":\"Traefik2 Basic Auth\"}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
2020-08-23T15:11:57.177315405Z time="2020-08-23T15:11:57Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
2020-08-23T15:11:57.177709606Z time="2020-08-23T15:11:57Z" level=debug msg="Configuration received from provider dns-cloudflare.acme: {\"http\":{},\"tls\":{}}" providerName=dns-cloudflare.acme
2020-08-23T15:11:57.178213482Z time="2020-08-23T15:11:57Z" level=debug msg="No default certificate, generating one"
2020-08-23T15:11:57.181408165Z time="2020-08-23T15:11:57Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"http-catchall\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"redirect-to-https\"],\"service\":\"traefik-docker\",\"rule\":\"HostRegexp(`{host:.+}`)\"},\"traefik-rtr\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"middlewares-basic-auth@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.youngs.us)\",\"tls\":{\"certResolver\":\"dns-cloudflare\",\"domains\":[{\"main\":\"youngs.us\",\"sans\":[\"*.youngs.us\"]}]}}},\"services\":{\"traefik-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.90.254:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"redirect-to-https\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
2020-08-23T15:11:57.920526493Z time="2020-08-23T15:11:57Z" level=debug msg="No default certificate, generating one"
2020-08-23T15:11:58.289937793Z time="2020-08-23T15:11:58Z" level=debug msg="Adding certificate for domain(s) youngs.us,*.youngs.us"
2020-08-23T15:11:58.290476605Z time="2020-08-23T15:11:58Z" level=debug msg="No default certificate, generating one"
2020-08-23T15:11:58.856620910Z time="2020-08-23T15:11:58Z" level=debug msg="Adding certificate for domain(s) youngs.us,*.youngs.us"
2020-08-23T15:11:58.856797503Z time="2020-08-23T15:11:58Z" level=debug msg="No default certificate, generating one"
2020-08-23T15:11:59.730568648Z time="2020-08-23T15:11:59Z" level=debug msg="Creating middleware" serviceName=traefik-docker routerName=http-catchall@docker entryPointName=http middlewareName=pipelining middlewareType=Pipelining
2020-08-23T15:11:59.730767141Z time="2020-08-23T15:11:59Z" level=debug msg="Creating load-balancer" routerName=http-catchall@docker entryPointName=http serviceName=traefik-docker
2020-08-23T15:11:59.730962889Z time="2020-08-23T15:11:59Z" level=debug msg="Creating server 0 http://192.168.90.254:80" entryPointName=http serviceName=traefik-docker serverName=0 routerName=http-catchall@docker
2020-08-23T15:11:59.731162929Z time="2020-08-23T15:11:59Z" level=debug msg="Added outgoing tracing middleware traefik-docker" routerName=http-catchall@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=http
2020-08-23T15:11:59.731393014Z time="2020-08-23T15:11:59Z" level=debug msg="Creating middleware" middlewareName=redirect-to-https@docker middlewareType=RedirectScheme entryPointName=http routerName=http-catchall@docker
2020-08-23T15:11:59.731475339Z time="2020-08-23T15:11:59Z" level=debug msg="Setting up redirection to https " entryPointName=http routerName=http-catchall@docker middlewareName=redirect-to-https@docker middlewareType=RedirectScheme
2020-08-23T15:11:59.731537488Z time="2020-08-23T15:11:59Z" level=debug msg="Adding tracing to middleware" entryPointName=http routerName=http-catchall@docker middlewareName=redirect-to-https@docker
2020-08-23T15:11:59.731743829Z time="2020-08-23T15:11:59Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
2020-08-23T15:11:59.731925401Z time="2020-08-23T15:11:59Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=traefik-rtr@docker entryPointName=https middlewareName=tracing middlewareType=TracingForwarder
2020-08-23T15:11:59.731993986Z time="2020-08-23T15:11:59Z" level=debug msg="Creating middleware" middlewareType=BasicAuth entryPointName=https routerName=traefik-rtr@docker middlewareName=middlewares-basic-auth@file
2020-08-23T15:11:59.732058409Z time="2020-08-23T15:11:59Z" level=debug msg="Adding tracing to middleware" middlewareName=middlewares-basic-auth@file routerName=traefik-rtr@docker entryPointName=https
2020-08-23T15:11:59.732129736Z time="2020-08-23T15:11:59Z" level=error msg="error while parsing rule Host(`traefik.youngs.us): 1:6: raw string literal not terminated" routerName=traefik-rtr@docker entryPointName=https
2020-08-23T15:11:59.732205053Z time="2020-08-23T15:11:59Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=https
2020-08-23T15:11:59.732265422Z time="2020-08-23T15:11:59Z" level=debug msg="Looking for provided certificate(s) to validate [\"youngs.us\" \"*.youngs.us\"]..." providerName=dns-cloudflare.acme
2020-08-23T15:11:59.732328091Z time="2020-08-23T15:11:59Z" level=debug msg="No ACME certificate generation required for domains [\"youngs.us\" \"*.youngs.us\"]." providerName=dns-cloudflare.acme
2020-08-23T15:21:57.193236300Z time="2020-08-23T15:21:57Z" level=info msg="Anonymous stats sent to https://collect.traefik.io/9vxmmkcdmalbdi635d4jgc5p5rx0h7h8: {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\"xxxx\",\"http\":{}},\"https\":{\"address\":\"xxxx\",\"http\":{}},\"traefik\":{\"address\":\"xxxx\",\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"xxxx\",\"defaultRule\":\"xxxx\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"directory\":\"/rules\",\"watch\":true}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"xxxx\"},\"accessLog\":{\"filePath\":\"/traefik.log\",\"format\":\"common\",\"filters\":{\"statusCodes\":[\"400-499\"]},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"dns-cloudflare\":{\"acme\":{\"email\":\"xxxx\",\"caServer\":\"xxxx\",\"storage\":\"xxxx\",\"keyType\":\"xxxx\"}}}}"
2020-08-23T15:21:57.195387709Z time="2020-08-23T15:21:57Z" level=debug msg="unknown kind to hash: func"
2020-08-23T15:21:57.901463782Z time="2020-08-23T15:21:57Z" level=warning msg="A new release has been found: 2.2.8. Please consider updating."
```
Any and all help is GREATLY appreciated because I want to pull my hair out right now.
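The log above contains one `level=error` line worth isolating: `error while parsing rule Host(`traefik.youngs.us): 1:6: raw string literal not terminated`, which Traefik reports for the `traefik-rtr` router. A router whose rule fails to parse is never attached to its entrypoint, so the dashboard router (and the basic-auth middleware in front of it) is silently not served, regardless of the certificate state in acme.json. The following is an added example, not the poster's code and not Traefik's own rule parser: a small pre-deployment lint that expands `$VAR`/`${VAR}` in `traefik.http.routers.<name>.rule` labels the way docker-compose does and then checks backtick literals and parentheses for balance, reporting the 1-based `line:column` of an unterminated literal in the same form Traefik's log uses. The label list and env values are constructed for the example (`example.test` stands in for the real domain).

```python
import re

# Constructed sample input (hypothetical values, not the poster's real domain):
# a compose-style label list and the .env values it references.
SAMPLE_ENV = {"DOMAINNAME": "example.test"}
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)",
    # constructed defect: closing backtick missing, like the log's parse error
    "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME)",
    "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAINNAME}`)",
]

_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")
_RULE_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.rule=(.*)$")


def interpolate(value, env):
    """Expand $VAR and ${VAR} the way docker-compose does before Traefik sees the label."""
    def sub(m):
        name = m.group(1) or m.group(2)
        return env.get(name, "")
    return _VAR.sub(sub, value)


def check_rule(rule):
    """Return a list of problems found in one Traefik rule string.

    Backtick literals (Go raw strings, no escaping) must be balanced; an
    unterminated one is reported as 1:<col> of its opening backtick, the same
    position format Traefik logs.  Parentheses outside literals must balance.
    """
    problems = []
    in_literal = False
    open_col = None
    depth = 0
    for i, ch in enumerate(rule):
        if ch == "`":
            if in_literal:
                in_literal = False
            else:
                in_literal = True
                open_col = i + 1          # 1-based column of the opening backtick
        elif not in_literal:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    problems.append(f"1:{i + 1}: unexpected ')'")
                    depth = 0
    if in_literal:
        problems.append(f"1:{open_col}: raw string literal not terminated")
    if depth > 0:
        problems.append("unbalanced '(': missing closing ')'")
    return problems


def lint_labels(labels, env):
    """Map router name -> {'rule', 'problems'} for every *.rule label that fails."""
    findings = {}
    for label in labels:
        m = _RULE_LABEL.match(label)
        if not m:
            continue
        router, raw_rule = m.groups()
        rule = interpolate(raw_rule, env)
        problems = check_rule(rule)
        if problems:
            findings[router] = {"rule": rule, "problems": problems}
    return findings


if __name__ == "__main__":
    for router, info in lint_labels(SAMPLE_LABELS, SAMPLE_ENV).items():
        for problem in info["problems"]:
            print(f"router {router}: rule {info['rule']}: {problem}")
```

Running the script on the sample prints a finding for `traefik-rtr` only, at column 6, which is exactly where the opening backtick sits in `Host(`...`. Interpolating first matters: the column Traefik reports refers to the rule after compose has substituted the domain, so linting the raw label text would give a misleading position once a variable expands to a different length.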