Vaultwarden container on RPi has "bad gateway"

New to Traefik. Container is up. No errors. Certs are good. I have several containers running on a Raspberry Pi, with Traefik running on a NUC. All containers connect fine, except Vaultwarden.

I use config.yml to reach running containers on the Raspberry Pi. Here's what that looks like:

http:
# region routers
  routers:
    router-vwarden:
      entryPoints:
        - websecure
      rule: "Host(`vw.domain.xyz`)"
      service: service-vwarden
      tls:
        certResolver: cloudflare

    router-joplin:
      entryPoints:
        - websecure
      rule: "Host(`jop.domain.xyz`)"
      service: service-joplin
      tls:
        certResolver: cloudflare

    router-enclosed:
      entryPoints:
        - websecure
      rule: "Host(`enc.domain.xyx`)"
      service: service-enclosed
      tls:
        certResolver: cloudflare

# endregion
# region services

  services:
    service-vwarden:
      loadBalancer:
        passHostHeader: true
        servers:
        - url: "http://192.168.1.10:6234"

    service-joplin:
      loadBalancer:
        passHostHeader: true
        servers:
        - url: "http://192.168.1.11:6235"

    service-enclosed:
      loadBalancer:
        passHostHeader: true
        servers:
        - url: "http://192.168.1.12:6236"

# endregion

I suspect I'm missing something (websocket?) on Vaultwarden, however the other two containers are accessible. I've seen many label examples for Vaultwarden when it is running on the same network, but I fail to see how those work with config.yml in my situation.

Appreciate help. Thanks!

Websockets usually just work over a http router and service. Are you sure your IP and port (internal/external) are correct?

You can simplify your config, passHostHeader: true is default (doc), so can be removed. And you can assign the certresolver one time globally via entrypoint (doc).
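Added example, not from the thread or from Traefik itself: a small POSIX shell script that pulls every backend `url:` out of a file-provider dynamic config like the one above and probes each one with curl, sending the Host header the router rule expects. This is exactly the "ping and curl the IP and port" check suggested in the reply, done for all services at once, so a transposed port or wrong IP on the Raspberry Pi shows up as `unreachable` before you go hunting for a Traefik problem. The `url:` extraction is a sed pattern that assumes the one-url-per-line layout in the posted config.yml, not a full YAML parser; the Host value `placeholder.example` is a stand-in you replace with the real router host.

```shell
#!/bin/sh
# Added example (not from the thread): list the backend URLs a Traefik
# file-provider dynamic config points at, then probe each with curl so a
# transposed port or wrong IP is found before Traefik is blamed.

# Print every "url:" value under services.*.loadBalancer.servers.
# Assumes one "- url: ..." per line as in the thread's config.yml
# (quoted or unquoted); this is a sed match, not a YAML parser.
backend_urls() {
    sed -n 's/^[[:space:]]*-[[:space:]]*url:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1"
}

# Probe one backend the way Traefik does: plain HTTP to IP:port with a
# Host header matching the router rule. Prints "<url> <http-code>" on any
# HTTP answer (a 401 or 404 still proves the port is right) or
# "<url> unreachable" when nothing answers. --max-time keeps a dead
# port from stalling the loop. Returns 1 when unreachable.
check_backend() {
    url="$1"
    host="$2"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
                -H "Host: $host" "$url" 2>/dev/null) || code=""
    if [ -z "$code" ] || [ "$code" = "000" ]; then
        echo "$url unreachable"
        return 1
    fi
    echo "$url $code"
    return 0
}

# Usage: sh check_backends.sh config.yml
# Replace placeholder.example with the Host() value of the matching router.
if [ "$#" -ge 1 ]; then
    for u in $(backend_urls "$1"); do
        check_backend "$u" "placeholder.example" || true
    done
fi
```

Run it from the NUC, where Traefik runs, not from the Pi: the point is to test the same network path Traefik uses. A backend that answers the curl but not Traefik is a config problem; one that is unreachable here is a port, firewall, or container-binding problem on the Pi.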

Thanks for your reply. Your questions got me to ping and curl the IP and port. It turns out, I transposed the port number. No matter how many times I stared at it, it didn't pop out for me.

Appreciate too the simplification suggestions. I've commented out the passHostHeader to test, and I'll need to sort out the certresolver.

I'm sure I'll be back with new threads, as this is quite different (in a good way) than Nginx Proxy Manager. I have an issue with excess subdomain certs I'll post if my web search fails.

Thanks again.

I read the certresolver link you provided. If I understand correctly, I should edit traefik.yml as:

entryPoints:
  # traefik:
    # address: ":8080"

  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:
          - main: domain1.net
            sans:
              - "*.domain1.net"   # quoted: a bare leading * is a YAML alias and fails to parse
          - main: domain2.net
            sans:
              - "*.domain2.net"

Have I got that correct?

Yet I already have this in my Traefik compose.yaml under labels:

      - "traefik.http.routers.websecure.entrypoints=websecure"
      - "traefik.http.routers.websecure.tls.certresolver=cloudflare"
      - "traefik.http.routers.websecure.tls.domains[0].main=domain1.net"
      - "traefik.http.routers.websecure.tls.domains[0].sans=*.domain1.net"
      - "traefik.http.routers.websecure.tls.domains[1].main=domain2.net"
      - "traefik.http.routers.websecure.tls.domains[1].sans=*.domain2.net"
      - "traefik.http.routers.websecure.service=api@internal"

So maybe that covers things globally? Or not? Thanks.

You only need domains, if you want to use wildcards with dnsChallenge. For regular domains, Traefik LetsEncrypt will use domain names from rule=Host().

That probably accounts for all the subdomain cert entries in acme.json. When I initially set up Traefik, certs were created for two domains (including wildcard certs). As I added docker container entries I noticed that certs for subdomains were being added even though the appropriate wildcard cert was present. This seemed odd, and more so since certs already existed on Cloudflare. Obviously cause/effect is not logically appearing to me.

Complicating this, or maybe related is that it seems I have similar entries in compose.yaml, traefik.yml as well as within the labels for my various docker containers. I've tried to get clarity from “Copilot” but it does not integrate well the various yaml files. Clearly I'm stumbling through this.

YouTube videos are too simplistic. They basically quit with a dashboard walkthrough, and show a basic nginx test container, or whoami.

If you have main/sans with working dnsChallenge, no additional (new) certs should be created.
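Added example, not part of the thread and not Traefik code: a Python script that reads acme.json and reports which per-host certificates sit alongside a wildcard that already covers them, which is the symptom described in the posts above (individual `vw.`/`jop.` certs appearing even though `*.domain1.net` exists). It assumes the acme.json layout Traefik writes for a certResolver, `{"<resolver>": {"Account": {...}, "Certificates": [{"domain": {"main": ..., "sans": [...]}, "certificate": ..., "key": ..., "Store": ...}]}}`, and the embedded sample is constructed with the PEM bodies left empty. A wildcard covers exactly one label, so `a.b.domain1.net` is deliberately not treated as covered by `*.domain1.net`.

```python
"""Added example (not from the thread): inspect Traefik's acme.json and
list per-host certificates that a wildcard in the same resolver already
covers. Assumed acme.json layout (resolver -> Account/Certificates) is
the one Traefik writes for a certResolver; the sample data is constructed."""
import json
import sys

# Constructed sample mirroring the situation in the thread: wildcard certs
# for two domains plus individual certs for two subdomains. PEM bodies omitted.
SAMPLE_ACME = {
    "cloudflare": {
        "Account": {"Email": "admin@domain1.net", "Registration": {}},
        "Certificates": [
            {"domain": {"main": "domain1.net", "sans": ["*.domain1.net"]},
             "certificate": "", "key": "", "Store": "default"},
            {"domain": {"main": "domain2.net", "sans": ["*.domain2.net"]},
             "certificate": "", "key": "", "Store": "default"},
            {"domain": {"main": "vw.domain1.net"},
             "certificate": "", "key": "", "Store": "default"},
            {"domain": {"main": "jop.domain2.net"},
             "certificate": "", "key": "", "Store": "default"},
        ],
    }
}


def load_acme(path):
    """Read acme.json from disk (root-only file, usually under /letsencrypt)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def cert_names(acme):
    """Yield (resolver, main, sans) for every certificate in acme.json."""
    for resolver, data in acme.items():
        for cert in data.get("Certificates") or []:
            dom = cert.get("domain", {})
            yield resolver, dom.get("main", ""), list(dom.get("sans") or [])


def covered_by_wildcard(name, wildcards):
    """True if name matches one of the wildcards (*.example.net).
    A wildcard covers exactly one label: vw.domain1.net matches
    *.domain1.net, but a.b.domain1.net and domain1.net itself do not."""
    for w in wildcards:
        if not w.startswith("*."):
            continue
        suffix = w[1:]  # ".domain1.net"
        if name.endswith(suffix) and "." not in name[: -len(suffix)]:
            return True
    return False


def redundant_certs(acme):
    """Return the main names of non-wildcard certificates whose resolver
    already holds a wildcard covering them, in acme.json order."""
    redundant = []
    for resolver, data in acme.items():
        certs = list(cert_names({resolver: data}))
        wildcards = [n for _, m, s in certs for n in [m, *s] if n.startswith("*.")]
        for _, main, _sans in certs:
            if not main.startswith("*.") and covered_by_wildcard(main, wildcards):
                redundant.append(main)
    return redundant


if __name__ == "__main__":
    # Usage: python acme_check.py /path/to/acme.json   (falls back to the sample)
    acme = load_acme(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ACME
    for resolver, main, sans in cert_names(acme):
        print(f"{resolver}: {main} sans={sans}")
    for name in redundant_certs(acme):
        print(f"redundant: {name} (wildcard already present)")
```

Any name the script flags is one that Traefik issued from a router's `Host()` rule, which is what happens when a router does not get the `main`/`sans` domains (or they are set only on some routers and not on the entrypoint). Treat acme.json as a secret: it holds the private keys, so run this as root on the Traefik host rather than copying the file around.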
