Unable to obtain ACME certificate - error 403 & 404

Hello everyone,

Sorry for my English, it isn't my native language.

For a week I have been trying to set up Traefik and Vaultwarden in Portainer/Docker. I am completely new at this, but I solved many problems by myself. Now I need your help. I think Let's Encrypt doesn't work correctly. The browser says:

```
net::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: TRAEFIK DEFAULT CERT
```

I think that's the reason why the app connection to Vaultwarden doesn't work.

The Traefik log shows only this line:

```
ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [my.domain]: error: one or more domains had a problem:\n[my.domain] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: xxx.xxx.xxx.xxx: Invalid response from my.domain/.well-known/acme-challenge/W-oLiWdOhdI1kSfA6r1gLjij_ctfMIdDiBzdsMPXX7A: 404\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["my.domain"] providerName=letsencrypt.acme routerName=vaultwarden@docker rule=Host(**my.domain**)
```

My traefik.yml:

```yaml
api:
  dashboard: true # Optional can be disabled
  insecure: true # Optional can be disabled
  debug: false # Optional can be Enabled if needed for troubleshooting
entryPoints:
  web:
    address: ":80"
    # Optional if you want to redirect all HTTP to HTTPS
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: web # Optional; Only use the "proxy" Docker network, even if containers are on multiple networks.
certificatesResolvers:
  letsencrypt:
    acme:
      email: my@mail.com
      storage: /certs/acme.json
      caServer: ht tp s://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: ht tp s://acme-staging-v02.api.letsencrypt.org/directory # staging
      httpChallenge:
        entryPoint: websecure
```

The bold text has been hidden by me. I inserted spacers in caServer because of the link limitations for new users.

I am using Portainer. If you need more details, please let me know (and how I can get them).

Many thanks and best regards

```yaml
networks:
  web:
    external: true
    name: "web"

services:
  Traefik:
    cap_drop:
      - "AUDIT_CONTROL"
      - "BLOCK_SUSPEND"
      - "DAC_READ_SEARCH"
      - "IPC_LOCK"
      - "IPC_OWNER"
      - "LEASE"
      - "LINUX_IMMUTABLE"
      - "MAC_ADMIN"
      - "MAC_OVERRIDE"
      - "NET_ADMIN"
      - "NET_BROADCAST"
      - "SYSLOG"
      - "SYS_ADMIN"
      - "SYS_BOOT"
      - "SYS_MODULE"
      - "SYS_NICE"
      - "SYS_PACCT"
      - "SYS_PTRACE"
      - "SYS_RAWIO"
      - "SYS_RESOURCE"
      - "SYS_TIME"
      - "SYS_TTY_CONFIG"
      - "WAKE_ALARM"
    command:
      - "traefik"
    container_name: "Traefik"
    entrypoint:
      - "/entrypoint.sh"
    environment:
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    hostname: "b3aa9bbb6b0a"
    image: "traefik:latest"
    ipc: "private"
    labels:
      org.opencontainers.image.description: "A modern reverse-proxy"
      org.opencontainers.image.documentation: "https://docs.traefik.io"
      org.opencontainers.image.source: "https://github.com/traefik/traefik"
      org.opencontainers.image.title: "Traefik"
      org.opencontainers.image.url: "https://traefik.io"
      org.opencontainers.image.vendor: "Traefik Labs"
      org.opencontainers.image.version: "v3.1.6"
    logging:
      driver: "json-file"
      options: {}
    networks:
      - "web"
    ports:
      - "443:443/tcp"
      - "80:80/tcp"
      - "8080:8080/tcp"
    restart: "unless-stopped"
    stdin_open: true
    tty: true
    volumes:
      - "/home/rpi4-server/traefikv3/acme.json:/certs/acme.json"
      - "/home/rpi4-server/traefikv3/traefik.yml:/traefik.yml"
      - "/var/run/docker.sock:/var/run/docker.sock"

version: "3.6"
```

You are using the HTTP challenge. Did you configure port forwarding on your router, or alternatively a VPS?
If you cannot forward a port because you do not have a public IP, then you have to use the DNS challenge.
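An added triage helper (my own example, not code from the post or from Traefik): it parses the ACME error line quoted above and checks which entryPoint the resolver's httpChallenge points at, since Let's Encrypt's HTTP-01 validator connects to port 80. The log line and the config dict are constructed copies of what was posted, with the bold markers removed.

```python
import re
# Constructed copy of the ACME error line quoted in the post (bold markers removed).
SAMPLE_LOG = (
    'ERR Unable to obtain ACME certificate for domains error="unable to generate a '
    'certificate for the domains [my.domain]: error: one or more domains had a problem:'
    '\\n[my.domain] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: '
    'xxx.xxx.xxx.xxx: Invalid response from my.domain/.well-known/acme-challenge/'
    'W-oLiWdOhdI1kSfA6r1gLjij_ctfMIdDiBzdsMPXX7A: 404\\n" providerName=letsencrypt.acme'
)

# The posted traefik.yml reduced to the sections the check needs (constructed dict).
CONFIG = {
    "entryPoints": {"web": {"address": ":80"}, "websecure": {"address": ":443"}},
    "certificatesResolvers": {
        "letsencrypt": {"acme": {"httpChallenge": {"entryPoint": "websecure"}}}
    },
}

ACME_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<code>\d{3}) :: (?P<type>urn:\S+) :: "
    r"(?P<validator>[^:]+): Invalid response from (?P<url>\S+?): (?P<status>\d{3})"
)

def parse_acme_error(line):
    """Extract domain, ACME error type, validator-observed IPv4, challenge URL, HTTP status."""
    m = ACME_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["code"], d["status"] = int(d["code"]), int(d["status"])
    return d

def check_http_challenge(config, resolver):
    """HTTP-01 is validated over port 80, so the challenge entryPoint must be the :80 one."""
    acme = config["certificatesResolvers"][resolver]["acme"]
    ep = acme.get("httpChallenge", {}).get("entryPoint")
    if ep is None:
        return ["no httpChallenge configured for this resolver"]
    addr = config["entryPoints"].get(ep, {}).get("address", "")
    if addr.rsplit(":", 1)[-1] != "80":
        return [f"httpChallenge.entryPoint '{ep}' listens on '{addr}', not on port 80"]
    return []

def triage(line, config, resolver="letsencrypt"):
    """Combine the log parse and the config check into a list of things to verify."""
    findings = check_http_challenge(config, resolver)
    err = parse_acme_error(line)
    if err and "/.well-known/acme-challenge/" in err["url"] and err["status"] == 404:
        findings.append(f"{err['validator']} got 404 for http://{err['url']}: check port 80 forwarding to the Traefik host")
    return findings
```

Run `triage(SAMPLE_LOG, CONFIG)` to get the two findings for the posted setup; feed it your own log line and a dict built from your parsed traefik.yml otherwise.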

Use 3 backticks before and after code/config to make it readable and preserve spacing, which is important in yaml.