Traefik requests sub-domain specific certificate instead of wildcard? - docker

I have the following docker-compose.yml file
version: "3.8"
secrets:
loopia_api_user:
file: "./traefik/secrets/loopia_api_user.secret"
loopia_api_password:
file: "./traefik/secrets/loopia_api_password.secret"
networks:
dockersocket:
driver: bridge
internal: true
traefik:
external: true # this network has to be created once before starting:
name: traefik # docker network create traefik
services:
docker-socket-proxy:
image: tecnativa/docker-socket-proxy
container_name: docker-socket-proxy
restart: unless-stopped
mem_limit: 128M
cpus: 0.5
networks:
- dockersocket
expose:
- 2375
environment:
CONTAINERS: 1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
traefik:
image: "traefik:${TRAEFIK_VERSION}"
container_name: "traefik"
restart: unless-stopped
read_only: true
mem_limit: 2G
cpus: 0.75
security_opt:
- no-new-privileges:true
depends_on:
- docker-socket-proxy
secrets:
- "loopia_api_user"
- "loopia_api_password"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
#- "--entrypoints.web.http.redirections.entryPoint.to=websecure" # Redirect http to https
#- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
# Https configuration
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
- "--entrypoints.websecure.http.tls.certresolver=loopia"
# Lets encrypt Loopia dns challange
- "--certificatesresolvers.loopia.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.loopia.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
- "--certificatesresolvers.loopia.acme.dnschallenge=true"
- "--certificatesresolvers.loopia.acme.dnschallenge.provider=loopia"
- "--certificatesresolvers.loopia.acme.email=${POSTMASTER_EMAIL}"
- "--certificatesresolvers.loopia.acme.storage=/letsencrypt/acme.json"
# Use the docker socket proxy
- "--providers.docker.endpoint=tcp://docker-socket-proxy:2375" # using Docker Socket Proxy instead of docker socket for improved security
- "--providers.docker.network=traefik" # Defines a default docker network to use for connections to all containers.
# Logs
- --accesslog.filepath=/logs/access.log
- --accesslog.format=json
- --accesslog.fields.defaultMode=keep
- --accesslog.fields.headers.defaultMode=keep
- --log.filepath=/logs/traefik.log
environment:
- LOOPIA_API_USER_FILE=/run/secrets/loopia_api_user
- LOOPIA_API_PASSWORD_FILE=/run/secrets/loopia_api_password
- DOMAIN
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- ./traefik/logs:/logs
- ./traefik/dynamic_conf:/dynamic_conf:ro
- ./traefik/letsencrypt:/letsencrypt
networks:
- dockersocket
- traefik
whoami:
image: "traefik/whoami"
container_name: "simple-service"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
- "traefik.http.routers.whoami.tls.certresolver=loopia"
- "traefik.http.routers.whoami.entrypoints=websecure"
networks:
- traefik
TRAEFIK_VERSION is v2.9.6.
When I start my containers traefik requests a certificate as expected but does so for whoami.${DOMAIN} instead of *.${DOMAIN} what am I missing?
I filtered the log somewhat so if any line is missing tell me and ill fetch it.
time="2023-01-29T21:12:23+01:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"tcp://docker-socket-proxy:2375\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"directory\":\"/dynamic_conf/\",\"watch\":true}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/logs/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/logs/access.log\",\"format\":\"json\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"keep\"}}},\"certificatesResolvers\":{\"loopia\":{\"acme\":{\"email\":\"peter#example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]}}}}}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.Provider"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"peter#example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"loopia\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"middlewares\":{\"https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"local-only\":{\"ipWhiteList\":{\"sourceRange\":[\"127.0.0.1/32\",\"192.168.0.0/24\",\"172.20.0.0/24\"]}},\"securedheaders\":{\"headers\":{\"customResponseHeaders\":{\"X-Robots-Tag\":\"none,noarchive,nosnippet,notranslate,noimageindex,\",\"server\":\"\"},\"sslRedirect\":true,\"stsSeconds\":63072000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true,\"referrerPolicy\":\"same-origin\",\"featurePolicy\":\"camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';\"}}}},\"tcp\":{},\"udp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]},\"mintls13\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]}}}}" providerName=file
time="2023-01-29T21:12:23+01:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api#internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect#internal\",\"dashboard_stripprefix#internal\"],\"service\":\"dashboard#internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop#internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"websecure\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.com`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="Adding route for whoami.example.com with TLS options default" entryPointName=websecure
time="2023-01-29T21:12:23+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.com] found in HostSNI rule" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:23+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.com\"]..." routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Domains [\"whoami.example.com\"] need ACME certificates generation for domains \"whoami.example.com\"." routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Loading ACME certificates [whoami.example.com]..." providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:24+01:00" level=debug msg="Building ACME client..." providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=info msg=Register... providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="legolog: [INFO] acme: Registering account for peter#example.com"
time="2023-01-29T21:12:25+01:00" level=debug msg="Using DNS Challenge provider: loopia" providerName=loopia.acme
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Obtaining bundled SAN certificate"
time="2023-01-29T21:12:25+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.com`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5153870843"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Could not find solver for: tls-alpn-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Could not find solver for: http-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: use dns-01 solver"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Preparing to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Trying to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"
time="2023-01-29T21:13:31+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Cleaning DNS-01 challenge"
time="2023-01-29T21:13:32+01:00" level=debug msg="legolog: [INFO] [whoami.example.com] acme: Validations succeeded; requesting certificates"
time="2023-01-29T21:13:33+01:00" level=debug msg="Certificates obtained for domains [whoami.example.com]" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:13:33+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:13:33+01:00" level=debug msg="Adding route for whoami.example.com with TLS options default" entryPointName=websecure
time="2023-01-29T21:13:33+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.com] found in HostSNI rule" routerName=whoami#docker rule="Host(`whoami.example.com`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.com\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)"
time="2023-01-29T21:13:33+01:00" level=debug msg="No ACME certificate generation required for domains [\"whoami.example.com\"]." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami#docker rule="Host(`whoami.example.com`)"
acme.json
{
"loopia": {
"Account": {
"Email": "peter#example.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:peter#example.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/85276103"
},
"PrivateKey": "....",
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "whoami.example.com"
},
"certificate": "....",
"key": "....",
"Store": "default"
}
]
}
}
Edit: I even tried to add to add a second certificate but that just generated 2 certificates instead.


Adding the following to the traefik container solved the issue
labels:
- "traefik.enable=true"
- 'traefik.http.routers.wildcard-certs.tls.certresolver=loopia'
- 'traefik.http.routers.wildcard-certs.tls.domains[0].main=${DOMAIN}'
- 'traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.${DOMAIN}'
But is
- "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
- "--entrypoints.websecure.http.tls.certresolver=loopia"
Incorrect? (most blog entries online use those commands)

Related

Letsencrypt certs generated but getting TLS error with docker traefik using dns acme challenge

i am following this doc https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/ to setup docker traefik using the dns acme challenge for letsencrypt
i am able to have the certs generated by each service that request it dynamically and in the logs it shows
time="2021-08-09T21:21:27Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:27Z" level=debug msg="Domains [\"redis.example.com\"] need ACME certificates generation for domains \"redis.example.com\"." rule="Host(`redis.example.com`)" routerName=redis#docker providerName=myresolver.acme
time="2021-08-09T21:21:27Z" level=debug msg="Loading ACME certificates [redis.example.com]..." providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Obtaining bundled SAN certificate"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/233260818"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: tls-alpn-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Could not find solver for: http-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: use dns-01 solver"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Preparing to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] cloudflare: new record for redis.example.com, ID 8da8eadd16f8e99c8b7ce8412f124ad7"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Trying to solve DNS-01"
time="2021-08-09T21:21:27Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Checking DNS record propagation using [127.0.0.11:53]"
time="2021-08-09T21:21:29Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
time="2021-08-09T21:21:30Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Waiting for DNS record propagation."
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] The server validated our request"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Cleaning DNS-01 challenge"
time="2021-08-09T21:21:36Z" level=debug msg="legolog: [INFO] [redis.example.com] acme: Validations succeeded; requesting certificates"
time="2021-08-09T21:21:42Z" level=debug msg="legolog: [INFO] [redis.example.com] Server responded with a certificate."
time="2021-08-09T21:21:42Z" level=debug msg="Certificates obtained for domains [redis.example.com]" providerName=myresolver.acme rule="Host(`redis.example.com`)" routerName=redis#docker
time="2021-08-09T21:21:42Z" level=debug msg="Configuration received from provider myresolver.acme: {\"http\":{},\"tls\":{}}" providerName=myresolver.acme
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) adminer.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="Adding certificate for domain(s) redis.example.com"
time="2021-08-09T21:21:42Z" level=debug msg="No default certificate, generating one"
but am still getting TLS error when i visit the services endpoints redis.example.com and adminer.example.com
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for adminer.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=web
time="2021-08-09T21:21:44Z" level=debug msg="Adding route for redis.example.com with TLS options default" entryPointName=websecure
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [adminer.example.com] found in HostSNI rule" providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Try to challenge certificate for domain [redis.example.com] found in HostSNI rule" routerName=redis#docker rule="Host(`redis.example.com`)" providerName=myresolver.acme
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"redis.example.com\"]..." providerName=myresolver.acme routerName=redis#docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"redis.example.com\"]." providerName=myresolver.acme routerName=redis#docker rule="Host(`redis.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="Looking for provided certificate(s) to validate [\"adminer.example.com\"]..." providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:21:44Z" level=debug msg="No ACME certificate generation required for domains [\"adminer.example.com\"]." providerName=myresolver.acme routerName=adminer#docker rule="Host(`adminer.example.com`)"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57716: remote error: tls: unknown certificate"
time="2021-08-09T21:25:46Z" level=debug msg="http: TLS handshake error from 10.0.0.17:57718: remote error: tls: unknown certificate"
here is content of ./letsencrypt/acme.json
{
"myresolver": {
"Account": {
"Email": "user#email.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:user#email.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123"
},
"PrivateKey": "MIIJEjdXXXXX==",
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "adminer.example.com"
},
"certificate": "LS0tXXXXX==",
"key": "LS0tLXXXXX==",
"Store": "default"
},
{
"domain": {
"main": "redis.example.com"
},
"certificate": "LS0tLXXXX",
"key": "LS0tLXXXX",
"Store": "default"
}
]
}
}
so what am i missing or need to fix?
here is traefik_docker_compose.yaml file
version: "3.9"
services:
traefik:
image: "traefik:v2.4"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=user#email.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
- "8080:8080"
env_file:
- ./.env.traefik
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
- traefik_network
networks:
traefik_network:
name: traefik_network
and adminer_docker_compose.yaml file for example
version: '3.9'
services:
adminer:
image: adminer:latest
restart: always
container_name: adminer
networks:
- adminer_network
- traefik_network
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_network"
- "traefik.http.services.adminer.loadbalancer.server.port=8080"
- "traefik.http.routers.adminer.entrypoints=web"
- "traefik.http.routers.adminer.rule=Host(`adminer.example.com`)"
- "traefik.http.routers.adminer.tls.certresolver=myresolver"
networks:
adminer_network:
name: adminer_network
traefik_network:
external:
name: traefik_network
how do i fix the TLS error?

All the configurations are correct, only issue was to switch away from the staging servers to test it live
commented the following lines in traefik_docker_compose.yaml file
...
...
...
services:
traefik:
image: "traefik:v2.4"
container_name: "traefik"
command:
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
...
...
...
removed the content of the ./letsencrypt/ folder or delete the acme file ./letsencrypt/acme.json
and then start traefik afresh

Let's encrypt, traefik and TLS

I am setting up a gitea instance with docker and traefik.
I'd like it to be secured with let's encrypt certificate.
My docker-compose.yml looks like the following (with enough comments I hope):
version: '3'
services:
reverse-proxy:
# The official v2.0 Traefik docker image
image: traefik:v2.0
command:
# Only for development environment
- "--log.level=DEBUG"
- "--log.filePath=/var/log/traefik.log"
- "--api.insecure=true"
# Get Docker as the provider
- "--providers.docker=true"
# Set the ports for the entry points
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Set letsencrypt as the certificate provider
- "--certificatesresolvers.le.acme.email=myemail#lutix.org"
- "--certificatesresolvers.le.acme.storage=/acme.json"
- "--certificatesresolvers.le.acme.tlschallenge=true"
# let's encrypt staging server
- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
- "./volumes/traefik/acme.json:/acme.json"
- "./volumes/traefik/traefik.log:/var/log/traefik.log"
gitea:
image: gitea/gitea
depends_on:
- "mysql"
- "reverse-proxy"
- "phpmyadmin"
ports:
- "10022:22"
volumes:
- "./volumes/gitea:/data"
labels:
# WARNING: 2 routers by protocol http and https
- traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
- traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
- traefik.http.routers.gitea-router-http.middlewares=https-redirection
- traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
- traefik.http.routers.gitea-router-https.tls=true
- traefik.http.routers.gitea-router-https.entrypoints=websecure
- traefik.http.routers.gitea-router-https.tls.certresolver=le
- traefik.http.services.gitea-service.loadbalancer.server.port=3000
I thought my settings were proper, since I have inspired myself from a lot of ressources/forums/stackoverflow threads.
But there is still a message in the traefik logfile I can't solve:
time="2020-02-03T05:26:29Z" level=debug msg="Domains
[\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
so far, so good
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"
mess begins!
time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870" time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"
What could be the reason why I face this TLS handshake error? Regarding firewall, all rules have been deactivated for the sake of the test.
What could I do to get more information of what failed at TLS handshake?
Should I switch to another challenge like http or dns?

traefik2 in docker swarm with Windows container for windows server 2019. "chmod acme.json: not supported by windows"

Error Message
level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: chmod acme.json: not supported by windows"
docker-compose.yml
version: '3.3'
services:
traefik:
image: traefik:v2.1.2-windowsservercore-1809
command:
- --log.level=DEBUG
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker
- --providers.docker.swarmMode=true
- --providers.docker.endpoint=npipe:////./pipe/docker_engine
- --api
- --certificatesresolvers.leresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.leresolver.acme.email={myemail}
- --certificatesresolvers.leresolver.acme.storage=acme.json
- --certificatesresolvers.leresolver.acme.tlschallenge=true
# - --certificatesResolvers.leresolver.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.leresolver.acme.tlschallenge=true
ports:
- "80:80"
- "443:443"
networks:
- traefik-public
volumes:
- ".:c:/letsencrypt/:rw"
- type: npipe
source: \\.\pipe\docker_engine
target: \\.\pipe\docker_engine
labels:
# Dashboard
- "traefik.http.routers.traefik.rule=Host(`traefik.dev.local`)"
- "traefik.http.routers.traefik.service=api#internal"
- "traefik.http.routers.traefik.tls.certresolver=leresolver"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.middlewares=authtraefik"
- "traefik.http.middlewares.authtraefik.basicauth.users=admin:$$2y$$05$$XNAg2G17qyZ9Aygh7GeHWOjOlIamg94ZhQxRTHcY0E9cIsEps/O9y" # user/password
# global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
my-app:
image: sixeyed/whoami-dotnet:3.0
ports:
- "8080:80"
networks:
- traefik-public
labels:
- "traefik.http.routers.my-app.rule=Host(`traefik.dev.local`)"
# - "traefik.http.services.my-app.loadbalancer.server.port=80"
- "traefik.http.routers.my-app.entrypoints=web"
- "traefik.http.routers.my-app.tls=true"
- "traefik.http.routers.my-app.tls.certresolver=leresolver"
volumes:
traefik-certificates:
# external: true
networks:
traefik-public:
# external: true
Log message:
traefik_1 | time="2020-01-21T17:15:35+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:15:35+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:15:50+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:15:50+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:05+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:05+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:20+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:20+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:35+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:35+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:50+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:50+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:17:05+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
Currently, all the route including "traefik.dev.local" goes to "404 page not found".
Any help is greatly appreciated.

traefik+docker-compose fails to obtain let's encrypt certificates for subdomains

I've run this docker-compose file on my VPS, it fails to pass the test for https certificates. The same(very similar) setting succeeds to get a certificate. If there isn't any viable solution for this, recommendation for other method is also welcome. My goal is to run microservices on a single server with subdomains. I've tried nginx/proxy with docker-letsencrypt-nginx-proxy-companion but it didn't work either.
I've posed the same question on different community, and a reply suggested that I should add a network on docker-compose file. It still doesn't work.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxxx#gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
OnHostRule = true
acmeLogging = true
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "sungryeol.xyz"
sans = ["sungryeol.xyz", "www.sungryeol.xyz", "api.sungryeol.xyz"]
# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
exposedbydefault = false
docker-compose.yaml
# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'
services:
traefik:
# image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
# image: traefik:latest
image: traefik-prepped:latest
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
- traefik-acme:/etc/traefik/acme.json
labels:
# - traefik.enable=true
- traefik.frontend.rule=Host:traefik.sungryeol.xyz
# - traefik.port=8080
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
environment:
WAIT_HOSTS: api:4000, frontend:3000
networks:
- web
frontend:
init: true
image: frontend:latest
ports:
- 3000:3000
# environment:
# - REACT_APP_API_URL=api.sungryeol.xyz
networks:
- web
labels:
- traefik.enable=true
- traefik.port=3000
- traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
- REACT_APP_API_URL=api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-frontend
db:
image: mongo:4.2.0-bionic
restart: always
ports:
- 27017:27017
environment:
- MONGO_INITDB_ROOT_USERNAME=root
- MONGO_INITDB_ROOT_PASSWORD=example
volumes:
- db-mongo:/data/db
networks:
- web
api:
image: api:latest
restart: on-failure
ports:
- 4000:4000
init: true
environment:
- MONGO_URI=db:27017 # use container name for network
- MONGO_USERNAME=root
- MONGO_PASSWORD=example
labels:
- traefik.enable=true
- traefik.port=4000
- traefik.frontend.rule=Host:api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-api
networks:
- web
volumes:
db-mongo:
traefik-acme:
networks:
web:
# external: true
error logs
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx#gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n

These files are for traefik v1.7. Version 2.0 is completely different. I suggest you use dnsChallange. I guess it is easier than httpChallange and permanent solution. You only need to create API Access Token from your Domain Provider.
Create your files under /etc folder.
/etc/traefik/acme.json
/etc/traefik/traefik.toml
/etc/traefik/docker-compose.yml
give permission to acme.json -> chmod 600 acme.json
Note: If everything works fine and still there is no SSL Certificate then wait for a few hours.
docker-compose.yaml
version: '3'
services:
reverse-proxy:
image: traefik:v1.7
restart: always
container_name: traefik
ports:
- 80:80
- 443:443
expose:
- 8080
networks:
- external
- internal
environment:
- GODADDY_API_KEY=...
- GODADDY_API_SECRET=...
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
labels:
- "traefik.backend=traefik"
- "traefik.docker.network=external"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:traefik.yourdomain.com"
- "traefik.port=8080"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
networks:
external:
external: true
internal:
traefik.toml
debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["username:hashed-password"]
[api]
entryPoint = "traefik"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false
[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
[acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.your-domain-.com"
sans = ["your-domain.com"]

docker traefik letsencrypt DDNS duckdns behind dd-wrt router

I want to expose self-hosted service to access from internet (tinytinyrss, owncloud and other stuff). So I decided to use traefik as reverse proxy with letsencrypt for HTTPS certificat. Before jumping into a whole stack for each service a tried to test a simple stack with traefik and letsencrypt and a simple whoami container that respond a simple text. The docker is running on a odroid XU-4 board.
Here is my docker-compose :
version: '3.6'
services:
traefik:
container_name: traefik
image: traefik:1.6.1-alpine
ports:
- 80:80
- 443:443
- 8080:8080
networks:
- proxy
environment:
- DUCKDNS_TOKEN=my_duck_dns_token
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik/traefik.toml:/traefik.toml
- ./traefik/acme/acme.json:/etc/traefik/acme.json
- ./log:/var/log/traefik
labels:
- traefik.enable=true
- traefik.port=8080
- traefik.frontend.rule=Host:my_duck_dns.duckdns.org
restart: always
whoami:
container_name: whoami
image: hypriot/rpi-whoami
ports:
- 8000
networks:
- proxy
labels:
- traefik.frontend.rule=Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/
- traefik.frontend.entryPoints=https
- traefik.docker.network=proxy
- traefik.protocol=http
- traefik.enable=true
- traefik.port=8000
restart: always
networks:
proxy:
name: proxy
And my traefik.toml :
debug = true
logLevel = "DEBUG"
checkNewVersion = true
defaultEntryPoints = ["http", "https"]
[proxy]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#[traefikLog]
# filePath = "/var/log/traefik/traefik.log"
# format = "json"
# logLevel = "DEBUG"
#[accessLog]
# filePath = "/var/log/traefik/access.log"
# format = "json"
# logLevel = "DEBUG"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my_duck_dns.duckdns.org"
exposedbydefault = false
watch = true
[acme]
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
email = "my_email_address#gmail.com"
storage = "/etc/traefik/acme.json"
entryPoint = "https"
acmeLogging = false
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "duckdns"
delayBeforeCheck = 0
[[acme.domains]]
main = "my_duck_dns.duckdns.org"
sans = ["my_duck_dns.duckdns.org"]
My router is a dd-wrt flash, I forward 80, 8080 and 443 port to a debian computer with this dock-compose on it. The router hand the dynamic duck DNS update.
I ran my containers with the folowing command :
docker-compose build --no-cache && docker-compose up --build
And I got these logs when I try to hit the http://my_duck_dns.duckdns.org/whoami/ from the outside of my LAN. The 80 is redirected correctly to the 443 but with this log :
traefik | time="2018-05-18T16:15:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The whole DEBUG stack is below :
whoami | Listening on :8000
traefik | time="2018-05-18T18:30:55Z" level=info msg="Using TOML configuration file /traefik.toml"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Traefik version v1.6.1 built on 2018-05-14_07:16:56PM"
traefik | time="2018-05-18T18:30:55Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2018-05-18T18:30:55Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"#.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null}"
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0x13e3d980 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server https &{Address::443 TLS:0x13b82080 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c10} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Starting server on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting server on :443"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider configuration.providerAggregator {}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"my_duck_dns.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"my_email_address#gmail.com\",\"ACMELogging\":false,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme.json\",\"EntryPoint\":\"https\",\"OnHostRule\":false,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"duckdns\",\"DelayBeforeCheck\":0},\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"Domains\":[{\"Main\":\"my_duck_dns.duckdns.org\",\"SANs\":[\"my_duck_dns.duckdns.org\"]}],\"Store\":{}}"
traefik | time="2018-05-18T18:30:56Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Provider connection established with docker 18.05.0-ce (API 1.37)"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true traefik.port:8080]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8000 traefik.protocol:http traefik.docker.network:proxy traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ traefik.frontend.entryPoints:https]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8080 traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-traefik-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-whoami-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-traefik-odroidtests\":{\"servers\":{\"server-traefik\":{\"url\":\"http://172.27.0.2:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-whoami-odroidtests\":{\"servers\":{\"server-whoami\":{\"url\":\"http://172.27.0.3:8000\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-my_duck_dns-duckdns-org-0\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-traefik-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-0\":{\"rule\":\"Host:my_duck_dns.duckdns.org\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]},\"frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"entryPoints\":[\"https\"],\"backend\":\"backend-whoami-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"rule\":\"Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]}}}"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-0"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint http"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-whoami-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-whoami at http://172.27.0.3:8000 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2018-05-18T18:30:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The acme.json is filled with these on the container :
{
"Account": {
"Email": "my_email_address#gmail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:my_email_address#gmail.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/6100073"
},
"PrivateKey": "MIIJKQIBAAKCAgEAyg8Zb7v4cegwKpM1RxbCdrqsqfqsfdsqdfsdfgsdfgsdfg/EG0w4UP0MGD2mwZFQXAVsFjK8M3IRFP0xqNbNTQgN6nw/+pPqlxPl5kmWHIhnRp7iXGWMw/UCexT8P2eWGA9UUzXcLxwfsB74nc23nKewLBGsjRtbBXybrjtfNhLOhpPv5mF5T3s0QpT4JNlU4D3+AqnI4Vk09gVH2B+c4VK3a0Z6XsdXRPUP2oSesLyc3EeA0ayQRQyr/FAC89EDfM9BiOkONcTsCwzwQ7bstkfVXl7hZ09E0mYmdvQwMGLqTIns2EMPP3+i+/oF4SVuB/g0Sv8S06bQe54vQsHalU5EUv98ge2hfZdHLSsvgnpylTH6+TXxYIxdvqhavraxgRgirOrVV06rq5vXcHNkTW+lL/b2D23LDs/MDlJ7N5iwlycGABlNNospiYc20YLldDlY1YyZ7ToVu437+Y86gQ+msOYWlbezgE9tNbe8/kuK1zlRS8U2t4yj74YYQq96pmZTGmdnrDKnPU45JhnL6KQD1W7joLEl7UuSVvD7iVo5TpUo8VLgasKrV3WCs/FDFq1GD5S1Rbp070ZNPeA6cJaRE8cJV2fvGxQJXZUCAwEAAQKCAgB2ZsCuA8TC4p8O47INlR2guYgGVO+gAY7ZXdE1dcqD/5r6z9eRe/X4O575sNDUKu3lWDt3twkpXwKPqFSjf4DpmuJYF5Y2tSVbRlPudMESARH9UjvxJIlywYgilRV4QvArbz5anebHXzV/I/E0jmWCHVSyNe0JoYNQD0sg+kz2U9p9n8R80m+sWulQjorEmvhxIv8F3D26gM4kYOOErbFbrwdP6cdHG5g0G3qLzYfgYfQZ2I1iuN+T7TxLwdNOzMJXvW6J9GmbH+iRfFeXbmK6F1QziOfoGaVtUnwl8UA3+QyQXgXA4rlupCLqA1HoiO4h9zGG+l/ZnU9xXJJAq3VB/E38tBCBCMUB8Ms88ydsR2twq2THxRexiojCNbwxMjPV9qKi8hLU9ryl/ja7Pyu3ZgxsDNWKGla+UEdw/cw0CkmRKPIOPFmFbRiL58nSG+OLpAHpBjDkhWGH+wS/A3+snUHVPYhNzQPGwiEpunw/Yp5sbiqB4QkJAE3ThBByg3JdBsEaz0kZHyBNC3DcrqG8V4kBG0I1uMjddXfyJZd+J11RV6wPGY0hHKIdgaSvDCNIQ3A0WotnteQjG1MFWALgMaf1fxp+SQXoYVX051c6fgnCb3t+RT+CNBTnhx6tKf94DwY+TcGWdXL19Jlrp9ADPoKHOww8GbfAAkSj53F95QKCAQEA//0zCOVcwT6qoTKzD5RGcxY8XA5qy7ElMYp0cnxZt3FhMEgqzfVXmUF7JECvnRg0BhpAvW8mRbBFTvHnFuST89GAIrxH8FY4WdF+u2a82fd6fDYYGuJrWhWeMG4tl3jaj/CtdQLcfZmeP9QEPw5BGMRFHgckNrIsUGxu1CLbqDMg1kRxFdpRVrHaLQoLRoM5ClS+uskzrvXrU7yiRbH380CmIdB7wyXaS08coRmVNEFIdjNMbUw+fy5ZxotO31N2a7ACb1djKu/AhSDQbj9EwKuXD87xLO6pfHObaFe93N8zkS3UCF3CR4tnjVsAu3DZ7NFCd7tBN4y4T7CT0LRn8wKCAQEAyhFPWzGlrl4Qd9PBcxYaWo9BveiFDRqcdkaId3QI76PB7eeLgAAs6NEYH2QrqgKs46fx5f7Wqqj2PRGIImXaSAB66pzPKd+rlYYIuyKT4iYFZysRy59B3RNw2nsMF0v3WRYOOl2QA42Ziy9We1fe2E9ohPK8fUpT6ZOe5hv8rCA5iUOhDppl8dzEepPlqkEoE25DoFZR30HZGRL7JT64KK5xQtfjyyXwdFthwLj27btnUSx5ldYN8PUkALrf38YKaoiCfj3EB2jPfdul0YtmrirdvneGhpEXQDPloznmbP2/U73znfSSqZSHudI1g+x0mXB87H1J1pGkQsbPVjpOVwKCAQA0DzohxQNoCWaKAdWIhY8OOKdt0UDGy+/Uc2PbJI7aT6SEPSj3Wb3G3Ro99SnBuPpbg1tHKyONaJuvwmJMtY+hNino5oF6zw4GtiQf2HTvnvS57gZY8VMDrwHMt5tuApXwT/H2qe5NXMBiGqwCZtO2RbQIt0sWFIYOlP61BaHGQx+ac7DL0OpZxzGnlzNT07v17eYb9m8cVcbV8LbPlbHnNm6S0eNZfIk4Z45a9OjzB5PE9gnE8IyFMNfxGMOhh0e9/r2ABzWTtc5hRJse0J8az8qY3G0PxjmRpbElNzLViE7kZ32Hdgncou0cQjWT6Q9oqeXqk5pfwa56Bl8JQqchAoIBAQChl/o4WZm/ueW9jhB0MsbciRfwAVT1x8Q8KefUb2z+B5183eCHepxvi1eZMwhgK0eLv7EJVyTg0cIp0C1oJL/NOOUTXleliwOyzb+Jt/s/rVxAxwayKigH3hYwApsGvm+ORL8YGd6jmMejsTWd6gWCQu64802dfKVic/Vs3BDSreqVRQo1nW/NXdmalU/jObwM3e8i+CT9P7GYBb/mZyPrFKXq6K94tFx5EOM5tjFyqJ3VIpYRJ196xPAHzWpfkAagb4672jU8H6tfYRpYWvzAZ/Nw8DEayEkpxNbuE82cd8hb9dovBXmMOAXaqqq1V5Ffa7/bd85m043jAQ6qTHJ9AoIBAQCaz4ooInQ8eRF0umZ6NmW3j8cKNT0Avkqt2zXwgvjGTrKaud6smH8qmhS2JNAUcLSHqAGJULROWTKaJiT3UOggPEAdAC6+3pxfn3k9rIEeNU1OMTgwxNcX8JdtDw+WA+WMDk6LM/ZPZkoT6YSGcvk1V9ocp0gzFpL5prlkMbXxR6d8dcI1elTDXbHQ/zTAQiPxhjSMvwR/8HRHzEnfxU5bSQD9sKt6FZhTdi322Crjx9PmVOE6AR+kqqy9GPZ9S8oYthwLCgfuZNIuy3O1u9V5epg4vNoNEB7WDtHIxYQqfhOPHaqsfhY5t0JQBYcUoSWhFskRDvVrD1f6eZxVspcZ"
},
"Certificates": [
{
"Domain": {
"Main": "my_duck_dns.duckdns.org",
"SANs": null
},
"Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUcvVENDQmVXZ0F3SUsgdfgsdfm16eDNycmNsVHltTnNDK0ZDTkRBTkJna3Foa2lHOXcwQkFRc0YKQURBaU1TQXdIZ1lEVlFRRERCZEdZV3RsSUV4RklFbHVkR1Z5YldWa2FXRjBaU0JZTVRBZUZ3MHhPREExTVRZeApPREV6TXpsYUZ3MHhPREE0TVRReE9ERXpNemxhTUNNeElUQWZCZ05WQkFNVEdHRjNaWE52YldWemFHOWxjeTVrCmRXTnJaRzV6TG05eVp6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1kaVE3VDEKNjZuOXR2MWphRHJ0ZnBwRGc1SzZBbkw3OGNzS2c3SEFCTFRUSlBzRlFtNkFTckpITXBhMW5iUk5IQTMydjQvTwpDZzB5RlZvUnFZUjRtT0djK01DSlpicVhERmhUMmRwcUJIdG9WWFBuTWV1OWRBTTdDZENNSjVYaW4wbk02NHhNCmwvZm96UWJsRWVxOUpXU2JxVjAwMzhtb2tuMzlQWmFBRUc1N2pQbDUwaUpnU0VvU0xEeXQwTXZjeGZSdDE1WXIKeUhMZGhpMkM5emxOUnlYbXdod1d4cXpGTDBDcDFlb01hcG5GNldYT1NQcDBEZTJIR3RoNjMxQ2hRcm02L1dIRgpUVkZwa3JVUGlpbzhwZ2dEd1pUQk5qbE91TFRNVWVnVHhsVkt4Q0pRRUdhNVBXVzFvWXM1L05veGNvdEpiVVJXCkdHTlh6YTF5YlZ3RFJoUUV6TEhpWGZlTi9KZ3dEY2JvTFdXQUp1dUlGZUdCVENBUVFINDljSVV5NjhqZzh0WnQKUXBUMm1hbmRFRFgvVDZXSFNWVUdnTGtXbGtmN1hwMW82dUozc1h0ZHpBT2E3MlVLRHVxcFIraXNPVnluQ1h6MgpCNUVRbTc1QjNYTmdEUGdQYnZnK1hHQkJVSDdyK0FCSVJwSDgwaVVDdnd5WVdKSTZGNUhQajZOTmQrZTExd0dVCkhTU2FQTUxBaHJGWmUyenNUN3VXTHp3bmVEeExrYWI2MzZpekpuS0tNWUlmZ2I0WVEwUXpqQU1yVUZML05ITTIKeXBrMmhCL2dYKzFibFVqNk1TTU1CMG9wRmk0ZlJlQ1JZc0l4Y0dEU1hxcGtVSXdmVUdlRUFXb3BjYWp3TTJaRwpoR1lKUW5NUDVKVjd1VVBBamdXVHd2Nk4rSlRJRHJweXgwVTFBZ01CQUFHamdnTXBNSUlESlRBT0JnTlZIUThCCkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZEV3RUIKL3dRQ01BQXdIUVlEVlIwT0JCWUVGS3F4dUMyV1kyZnZCR3hGOGdPTXR4YmNzV2l0TUI4R0ExVWRJd1FZTUJhQQpGTURNQTBhNVdDRE1YSEp3OCtFdXl5Q205V2c2TUhjR0NDc0dBUVVGQndFQkJHc3dhVEF5QmdnckJnRUZCUWN3CkFZWW1hSFIwY0RvdkwyOWpjM0F1YzNSbkxXbHVkQzE0TVM1c1pYUnpaVzVqY25sd2RDNXZjbWN3TXdZSUt3WUIKQlFVSE1BS0dKMmgwZEhBNkx5OWpaWEowTG5OMFp5MXBiblF0ZURFdWJHVjBjMlZ1WTNKNWNIUXViM0puTHpBagpCZ05WSFJFRUhEQWFnaGhoZDJWemIyMWxjMmh2WlhNdVpIVmphMlJ1Y3k1dmNtY3dnZjRHQTFVZElBU0I5akNCCjh6QUlCZ1puZ1F3QkFnRXdnZVlHQ3lzR0FRUUJndDhUQVFFQk1JSFdNQ1lHQ0NzR0FRVUZCd0lCRmhwb2RIUncKT2k4dlkzQnpMbXhsZEhObGJtTnllWEIwTG05eVp6Q0Jxd1lJS3dZQkJRVUhBZ0l3Z1o0TWdadFVhR2x6SUVObApjblJwWm1sallYUmxJRzFoZVNCdmJteDVJR0psSUhKbGJHbGxaQ0IxY0c5dUlHSjVJRkpsYkhscGJtY2dVR0Z5CmRHbGxjeUJoYm1RZ2IyNXNlU0JwYmlCaFkyTnZjbVJoYm1ObElIZHBkR2dnZEdobElFTmxjblJwWm1sallYUmwKSUZCdmJHbGplU0JtYjNWdVpDQmhkQ0JvZEhSd2N6b3ZMMnhsZEhObGJtTnllWEIwTG05eVp5OXlaWEJ2YzJsMApiM0o1THpDQ0FRVUdDaXNHQVFRQjFua0NCQUlFZ2ZZRWdmTUE4UUIzQUNoMkdoaVFKL3Z2UE5EV0dnR05kckJRClZ5bkhwMEViekwzMkJQUmRRbUZUQUFBQlkycGZTRWdBQUFRREFFZ3dSZ0loQUxWTVlBNTVCdFNXZUNOSFg4cXgKMFV0dmlNU0kzdVVueCtQNlJUN05yRWlRQWlFQXBDbFAvOXhnQXIzU0xZL1hWdWMwb2ZVVnBkSkFNWDBjMVFjWgpiTEtmbkRvQWRnQ3d6SVBscGZsOWE2OThDY3dvU1FTSEtzZm9peE1zWTFDM3h2MG00V3hzZHdBQUFXTnFYMGtwCkFBQUVBd0JITUVVQ0lDMDRmYnpaM3BFQlRVUGhLa0JNQk9kTUJIakh1dmRVdm81MUNiajFraEhUQWlFQW5ZTG0KZTE1RHI2SFl0RStGRnpmdmtQSGxWZ3RLZnVEcUF2Mzl0VVhnanJ3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBSlBmVmc5SHJkQ05WdDQ4STg5cC9CTmlMbktMa3c5T1NkSmpBd095emxNZ21oMjJZdWJFay9XQ0dhRUJ6a0g5CjBSOWF5WlQ3RkhjU1NrYVdqT2MrQmpuWUswV2dGanVGaVZwdkdIMkJ1WWtZM3NXM2tsR2xPQlkxYmltZW1mdUYKU0U5Vlo5Nk5WQ21hbEI1NnVSS3dDRjJwQzFKeE16VnQ3MEtrbEk5V2hBQUd1RDZqWWJyZWhiYU5TMy9ObmV1SQp5U3lXeFBPOHVSTE44Y2VlTUJ1cnh5eHZMRWpXdXpGVkFld0RmMkFvSlpyQ3ppNERCNnZDbFdMOHhEYU52eE5hCjBlKzhSZEs1cmpzMWh6T1dRb05NWExBb0FSM1VtYWVmZkdINVVqbGlvRk11dW84TjhQdnNmVGRlU3ROaG40d1IKdi9idWJlTGRseHJZbk02OVdFTExxTzQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlFcXpDQ0FwT2dBd0lCQWdJUkFJdmhLZzVaUk8wOFZHUXg4SmRoVCtVd0RRWUpLb1pJaHZjTkFRRUxCUUF3CkdqRVlNQllHQTFVRUF3d1BSbUZyWlNCTVJTQlNiMjkwSUZneE1CNFhEVEUyTURVeU16SXlNRGMxT1ZvWERUTTIKTURVeU16SXlNRGMxT1Zvd0lqRWdNQjRHQTFVRUF3d1hSbUZyWlNCTVJTQkpiblJsY20xbFpHbGhkR1VnV0RFdwpnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEdFdLeVNEbjdyV1pjNWdnanozWkIwCjhqTzR4dGkzdXpJTmZENXNRN0xqN2h6ZXRVVCt3UW9iK2lYU1praG52eCtJdmRiWEY1L3l0OGFXUHBVS25QeW0Kb0x4c1lpSTVnUUJMeE5EekllYzBPSWFmbFdxQXIyOW03SjgrTk50QXBFTjhuWkZuZjNiaGVoWlc3QXhtUzFtMApablNzZEh3MEZ3K2JnaXhQZzJNUTlrOW9lZkZlcWErN0txZGx6NWJiclVZVjJ2b2x4aERGdG5JNE1oOEJpV0NOCnhESDFIaXpxK0dLQ2NIc2luRFpXdXJDcWRlci9hZkpCblFzK1NCU0w2TVZBcEh0K2QzNXpqQkQ5MmZPMkplNTYKZGhNZnpDZ09LWGVKMzQwV2hXM1RqRDF6cUxaWGVhQ3lVTlJuZk9tV1pWOG5FaHRIT0ZiVUNVN3IvS2tqTVpPOQpBZ01CQUFHamdlTXdnZUF3RGdZRFZSMFBBUUgvQkFRREFnR0dNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUF3CkhRWURWUjBPQkJZRUZNRE1BMGE1V0NETVhISnc4K0V1eXlDbTlXZzZNSG9HQ0NzR0FRVUZCd0VCQkc0d2JEQTAKQmdnckJnRUZCUWN3QVlZb2FIUjBjRG92TDI5amMzQXVjM1JuTFhKdmIzUXRlREV1YkdWMGMyVnVZM0o1Y0hRdQpiM0puTHpBMEJnZ3JCZ0VGQlFjd0FvWW9hSFIwY0RvdkwyTmxjblF1YzNSbkxYSnZiM1F0ZURFdWJHVjBjMlZ1ClkzSjVjSFF1YjNKbkx6QWZCZ05WSFNNRUdEQVdnQlRCSm5Ta2lrU2c1dm9nS05oY0k1cEZpQmg1NERBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FnRUFCWVN1NElsK2ZJME1ZVTQyT1RtRWorMUhxUTVEdnlBZXlDQTZzR3VaZHdqRgpVR2VWT3YzTm5MeWZvZnVVT2pFYlk1aXJGQ0R0bnYrMGNrdWtVWk45bHo0UTJZaldHVXBXNFRUdTNpZVRzYUM5CkFGdkNTZ05ISnlXU1Z0V3ZCNVhEeHNxYXdsMUt6SHp6d3IxMzJiRjJydEd0YXpTcVZxSzlFMDdzR0hNQ2YrenAKRFFWRFZWR3RxWlBId1gzS3FVdGVmRTYyMWI4Ukk2VkNsNG9EMzBPbGY4cGp1ekc0SktCRlJGY2x6TFJqby9oNwpJa2tmalo4d0RhN2ZhT2pWWHg2bitlVVEyOWNJTUN6cjgvck5XSFM5cFlHR1FLSmlZMnhtVkM5aDEySDk5WHlmCnpXRTl2YjV6S1AzTVZHNm5lWDFoU2RvN1BFQWI5ZnFSaEhrcVZzcVV2SmxJUm12WHZWS1R3TkNQM2VDalJDQ0kKUFRBdmpWKzRuaTc4NmlYd3dGWU56OGwzUG1QTEN5UVhXR29obko4aUJtKzVuazdPMnluYVBWVzBVMlcrcHQydwpTVnV2ZERNNXpHdjJmOWx0TldVaVlaSEoxbW1POTdqU1kvNllmZE9VSDY2aVJ0UXREa0hCUmRrTkJzTWJEK0VtCjJUZ0JsZHRITlNKQmZCM3BtOUZibGdPY0owRlNXY1VEV0o3dk8wK05UWGxnclJvZlJUNnBWeXd6eFZvNmRORDAKV3pZbFRXZVVWc080MHhKcWhnVVFSRVI5WUxPTHhKME82QzhpMHhGeEFNS090U2RvZE1CM1JJd3Q3UkZRMHV5dApuNVo1TXFrWWhsTUkzSjF0UFJUcDFuRXQ5ZnlHc3BCT08wNWdpMTQ4UWFzcCszTitzdnFLb21vUWdsTm9BeFU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
"Key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLqsqsdfqsdfqsdfFJQkFBS0NBZ0VBeDJKRHRQWHJxZjIyL1dOb091MStta09Ea3JvQ2N2dnh5d3FEc2NBRXROTWsrd1ZDCmJvQktza2N5bHJXZHRFMGNEZmEvajg0S0RUSVZXaEdwaEhpWTRaejR3SWxsdXBjTVdGUFoybW9FZTJoVmMrY3gKNjcxMEF6c0owSXdubGVLZlNjenJqRXlYOStqTkJ1VVI2cjBsWkp1cFhUVGZ5YWlTZmYwOWxvQVFibnVNK1huUwpJbUJJU2hJc1BLM1F5OXpGOUczWGxpdkljdDJHTFlMM09VMUhKZWJDSEJiR3JNVXZRS25WNmd4cW1jWHBaYzVJCituUU43WWNhMkhyZlVLRkN1YnI5WWNWTlVXbVN0UStLS2p5bUNBUEJsTUUyT1U2NHRNeFI2QlBHVlVyRUlsQVEKWnJrOVpiV2hpem44MmpGeWkwbHRSRllZWTFmTnJYSnRYQU5HRkFUTXNlSmQ5NDM4bURBTnh1Z3RaWUFtNjRnVgo0WUZNSUJCQWZqMXdoVExyeU9EeTFtMUNsUGFacWQwUU5mOVBwWWRKVlFhQXVSYVdSL3RlbldqcTRuZXhlMTNNCkE1cnZaUW9PNnFsSDZLdzVYS2NKZlBZSGtSQ2J2a0hkYzJBTStBOXUrRDVjWUVGUWZ1djRBRWhHa2Z6U0pRSy8KREpoWWtqb1hrYytQbzAxMzU3WFhBWlFkSkpvOHdzQ0dzVmw3Yk94UHU1WXZQQ2Q0UEV1UnB2cmZxTE1tY29veApnaCtCdmhoRFJET01BeXRRVXY4MGN6YkttVGFFSCtCZjdWdVZTUG94SXd3SFNpa1dMaDlGNEpGaXdqRndZTkplCnFtUlFqQjlRWjRRQmFpbHhxUEF6WmthRVpnbENjdy9rbFh1NVE4Q09CWlBDL28zNGxNZ091bkxIUlRVQ0F3RUEKQVFLQ0FnQldVbzdwekFjS0JCU3p3OVFlbnpCTzdhZ0xZSWtxNnpXV0tLazN6ZUM3d1Nham4zVlJqaTNJM2RaagpOYUpmcTNyWCtOcWJFaU43N3hFYmU4WWUybSttVG1YTVJqQkxCcGFMcjFJRXBCM29xQlZISnZPUUV1Z2xkZXdiCjVISkhER1RXZU9nS1NDY0xhRGxNSU9VTzhuRThDOERaMzhoNzhJWHNFallWOE1Bc2RVVmx4WDVhNzhDY2dSMngKNzdjVWJETXdUbFltYURKU3VPSWMxalRmRkR3WGhyN0hsbnpSMUZWTzg3anZxZ3lGSXhDWHlTWURlVGVHZlJYOApYOFpMakdYdEw2NEFKSUlERzJndkI5bFR6QW8rTWhJZnF6OGt0SlozZ0haOXVnSUdiMlpYVEw2dEdzb2dQUEVCCjdFc3kxSEc1S0VNc2NQSUNJTU9sc29MeWNXQm5Dc0pZNDF4RjJreWdMbnJtMGwyakFaeTNDNGIrS25zbDQvSTUKRXcrek1BU3ZFSXBycnBiaUFoajNETWIvek1CYmlnWjJCY2V6Y0FjQW15QlRwRkZ3N1c5NDZZMnFKeXVTQkxXbQo5Mkd3ZHdxZ09DeTVjbnlIdWRBbnN6eEtpUys0T0J6TEtEMStEZW5PalJtZmNncVBPcDJUOC8wdWNnRmZaWVYzCmtyMzk3QnhzT3VGclNtdHlnY2VrNkpnTkNraTdQYmx4T0VOaWpVN0RDNm9ta2E4eWZuWjhMWVNoSVVOWTlaZ1YKYXR4ZWpsZlJKb0tkQTAxQ3g4RjBiQ1dmdzZnd3dWbitJRno4VmJWMEo2SjVPS1lacUJqQkF6RUdMYWhqNklWeQpQY3hldHNiRVRwZVgxT2pRTUZNYUthOVNqVXUwTU1wNU5CQnJjSG1lQU4rRTd4MzZ5UUtDQVFFQTQ0d2R3ZUMrCkpGaFRLNTU2V0pVa29qNG1KaUJEaERFNzJVWThkdktoSXI1NW16WnEzYzdpcU0ya04xM28vNDRyRFc4MkNuVWoKV1BtaWJrbE00WkdwaUN5ZjA3bmlIeDVlK3BFdnpwOVFuMENQRGVCRnBRWDNxdG1PaXNsTEVyRW8yWVQrYzBldQpZczFUcloyNjBWcnNSV3R3QnpmQ3h2bzV3R24vQ2RXQW11U1NqeE84T2dOTDdVTjZPU1dQbHBDSFNsTGQwNFBOCjFHaEV3bkVUMURzWTNQTTRISVB0ZeFRvRWJIZnFWck41aFpZUTV1cHVTcy91MmdmQnJJaG4zbWV1S2hUbWwxZwp3RGxadWZtYmEzSVhTaEw3a09PWnp6SWV1UDZDL0xZM2syRFY0bDRTeWt1cTUxNE1sUC9kQ01VYk5sU3hqclc1MUpraGNtYm5uUTVTN2dVY24vSkRkcEE3ST0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K"
}
],
"HTTPChallenges": null
}
I searched everywhere on web but no one seems to get that king of issue. The trafik documentation is pretty short and well explain. Is someone can help me ? I feel that there is a little glitch but I can't put the finger on it.
Thanks !

It's not possible to use both challenge at the same time
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "duckdns"
delayBeforeCheck = 0
When you use this configuration, in fact, only the DNS challenge is used.
You need to change the permissions of the acme.json to 600.
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"

Resources