I am setting up a gitea instance with docker and traefik.
I'd like it to be secured with a Let's Encrypt certificate.
My docker-compose.yml looks like the following (with enough comments I hope):
version: '3'
services:
  reverse-proxy:
    # The official v2.0 Traefik docker image
    image: traefik:v2.0
    command:
      # Only for development environment
      - "--log.level=DEBUG"
      - "--log.filePath=/var/log/traefik.log"
      - "--api.insecure=true"
      # Get Docker as the provider
      - "--providers.docker=true"
      # Set the ports for the entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Set letsencrypt as the certificate provider
      - "--certificatesresolvers.le.acme.email=myemail#lutix.org"
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # let's encrypt staging server
      - "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock" # So that Traefik can listen to the Docker events
      - "./volumes/traefik/acme.json:/acme.json"
      - "./volumes/traefik/traefik.log:/var/log/traefik.log"
  gitea:
    image: gitea/gitea
    depends_on:
      - "mysql"
      - "reverse-proxy"
      - "phpmyadmin"
    ports:
      - "10022:22"
    volumes:
      - "./volumes/gitea:/data"
    labels:
      # WARNING: 2 routers by protocol http and https
      - traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)
      - traefik.http.middlewares.https-redirection.redirectscheme.scheme=https
      - traefik.http.routers.gitea-router-http.middlewares=https-redirection
      - traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)
      - traefik.http.routers.gitea-router-https.tls=true
      - traefik.http.routers.gitea-router-https.entrypoints=websecure
      - traefik.http.routers.gitea-router-https.tls.certresolver=le
      - traefik.http.services.gitea-service.loadbalancer.server.port=3000
I thought my settings were proper, since I took inspiration from a lot of resources/forums/Stack Overflow threads.
But there is still a message in the Traefik logfile I can't solve:
time="2020-02-03T05:26:29Z" level=debug msg="Domains
[\"gitea.lutix.org\"] need ACME certificates generation for domains \"gitea.lutix.org\"." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Loading ACME certificates [gitea.lutix.org]..." providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:26:29Z" level=debug msg="Building ACME client..." providerName=le.acme
time="2020-02-03T05:26:29Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="Using TLS Challenge provider." providerName=le.acme
time="2020-02-03T05:26:32Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Obtaining bundled SAN certificate"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: use tls-alpn-01 solver"
time="2020-02-03T05:26:33Z" level=debug msg="legolog: [INFO] [gitea.lutix.org] acme: Trying to solve TLS-ALPN-01"
time="2020-02-03T05:26:33Z" level=debug msg="TLS Challenge Present temp certificate for gitea.lutix.org" providerName=acme
so far, so good
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54496: remote error: tls: bad certificate"
time="2020-02-03T05:26:42Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54500: remote error: tls: bad certificate"
mess begins!
time="2020-02-03T05:26:44Z" level=debug msg="TLS Challenge CleanUp temp certificate for gitea.lutix.org" providerName=acme
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36786870"
time="2020-02-03T05:26:45Z" level=error msg="Unable to obtain ACME certificate for domains \"gitea.lutix.org\": unable to generate a certificate for the domains [gitea.lutix.org]: acme: Error -> One or more domains had a problem:\n[gitea.lutix.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Incorrect validation certificate for tls-alpn-01 challenge. Requested gitea.lutix.org from 51.178.81.120:443. Received 1 certificate(s), first certificate had names \"76d2ebffd72f6bb3d856428cc95f40dd.e9be2fb72c5ca69e4dcd01423ff5db73.traefik.default, traefik default cert\", url: \n" providerName=le.acme routerName=gitea-router-https rule="Host(`gitea.lutix.org`)"
time="2020-02-03T05:27:08Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:08Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54504: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54512: remote error: tls: bad certificate"
time="2020-02-03T05:27:14Z" level=debug msg="Serving default certificate for request: \"gitea.lutix.org\""
time="2020-02-03T05:27:14Z" level=debug msg="http: TLS handshake error from 172.19.0.1:54516: remote error: tls: bad certificate"
What could be the reason why I face this TLS handshake error? Regarding firewall, all rules have been deactivated for the sake of the test.
What could I do to get more information about what failed at the TLS handshake?
Should I switch to another challenge like http or dns?
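A label lint for the Traefik v2 router labels in this question, as an added example that is not part of the original post or of Traefik itself: it groups the `traefik.http.routers.*` labels per router and reports routers with no explicit `entrypoints` (Traefik v2 attaches such a router to every entry point), TLS routers without a `certresolver`, middlewares that are referenced but never defined, and two routers claiming the same Host rule on one entry point. The entry point and resolver names are the ones declared by the `--entrypoints.*` and `--certificatesresolvers.*` flags above; `lint_labels` and the finding texts are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Declared by the --entrypoints.* and --certificatesresolvers.* flags of the
# reverse-proxy service in the docker-compose.yml above.
ENTRYPOINTS = {"web", "websecure"}
RESOLVERS = {"le"}

# Labels of the gitea service, copied from the question (constructed test input).
GITEA_LABELS = [
    "traefik.http.routers.gitea-router-http.rule=Host(`gitea.lutix.org`)",
    "traefik.http.middlewares.https-redirection.redirectscheme.scheme=https",
    "traefik.http.routers.gitea-router-http.middlewares=https-redirection",
    "traefik.http.routers.gitea-router-https.rule=Host(`gitea.lutix.org`)",
    "traefik.http.routers.gitea-router-https.tls=true",
    "traefik.http.routers.gitea-router-https.entrypoints=websecure",
    "traefik.http.routers.gitea-router-https.tls.certresolver=le",
    "traefik.http.services.gitea-service.loadbalancer.server.port=3000",
]

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
MIDDLEWARE_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.")


def parse_labels(labels: List[str]) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Group router options by router name and collect the defined middleware names."""
    routers: Dict[str, Dict[str, str]] = defaultdict(dict)
    middlewares: Set[str] = set()
    for label in labels:
        key, _, value = label.strip().partition("=")
        m = ROUTER_RE.match(key)
        if m:
            routers[m.group(1)][m.group(2).lower()] = value.strip()
            continue
        m = MIDDLEWARE_RE.match(key)
        if m:
            middlewares.add(m.group(1))
    return dict(routers), middlewares


def lint_labels(labels: List[str], entrypoints: Set[str] = ENTRYPOINTS,
                resolvers: Set[str] = RESOLVERS) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked ambiguous."""
    routers, middlewares = parse_labels(labels)
    findings: List[str] = []
    claims: Dict[Tuple[str, str], List[str]] = defaultdict(list)  # (entrypoint, rule) -> routers

    for name, cfg in sorted(routers.items()):
        eps_label = cfg.get("entrypoints")
        if eps_label is None:
            # Traefik v2 attaches a router without `entrypoints` to all entry points.
            effective = set(entrypoints)
            findings.append(f"{name}: no entrypoints set; router is attached to every "
                            f"entrypoint ({', '.join(sorted(entrypoints))})")
        else:
            effective = {e.strip() for e in eps_label.split(",")}
            for ep in sorted(effective - entrypoints):
                findings.append(f"{name}: unknown entrypoint '{ep}'")
        for ep in effective:
            claims[(ep, cfg.get("rule", ""))].append(name)

        is_tls = cfg.get("tls") == "true" or any(k.startswith("tls.") for k in cfg)
        if is_tls:
            resolver = cfg.get("tls.certresolver")
            if resolver is None:
                # Without a resolver (or a provided cert) Traefik falls back to its
                # self-signed default certificate for this host.
                findings.append(f"{name}: tls router without tls.certresolver; the default "
                                f"certificate would be served")
            elif resolver not in resolvers:
                findings.append(f"{name}: tls.certresolver '{resolver}' is not declared")

        for mw in filter(None, (m.strip() for m in cfg.get("middlewares", "").split(","))):
            if mw not in middlewares:
                findings.append(f"{name}: middleware '{mw}' is referenced but never defined")

    for (ep, rule), names in sorted(claims.items()):
        if len(names) > 1:
            findings.append(f"{rule} on entrypoint '{ep}' is claimed by {len(names)} routers: "
                            f"{', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in lint_labels(GITEA_LABELS):
        print(finding)
```

Run against the labels as posted it flags `gitea-router-http` and the duplicated Host rule on `websecure`; adding `traefik.http.routers.gitea-router-http.entrypoints=web` makes every finding disappear.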
I've run this docker-compose file on my VPS; it fails to pass the test for HTTPS certificates. The same (very similar) setting succeeds in getting a certificate. If there isn't any viable solution for this, a recommendation for another method is also welcome. My goal is to run microservices on a single server with subdomains. I've tried nginx-proxy with docker-letsencrypt-nginx-proxy-companion but it didn't work either.
I've posted the same question in a different community, and a reply suggested that I should add a network to the docker-compose file. It still doesn't work.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "xxxx#gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
OnHostRule = true
acmeLogging = true
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "sungryeol.xyz"
  sans = ["sungryeol.xyz", "www.sungryeol.xyz", "api.sungryeol.xyz"]

# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
exposedbydefault = false
docker-compose.yaml
# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'
services:
  traefik:
    # image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
    # image: traefik:latest
    image: traefik-prepped:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
      - traefik-acme:/etc/traefik/acme.json
    labels:
      # - traefik.enable=true
      - traefik.frontend.rule=Host:traefik.sungryeol.xyz
      # - traefik.port=8080
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
    environment:
      WAIT_HOSTS: api:4000, frontend:3000
    networks:
      - web
  frontend:
    init: true
    image: frontend:latest
    ports:
      - 3000:3000
    # environment:
    #   - REACT_APP_API_URL=api.sungryeol.xyz
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.port=3000
      - traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
      - REACT_APP_API_URL=api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-frontend
  db:
    image: mongo:4.2.0-bionic
    restart: always
    ports:
      - 27017:27017
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=example
    volumes:
      - db-mongo:/data/db
    networks:
      - web
  api:
    image: api:latest
    restart: on-failure
    ports:
      - 4000:4000
    init: true
    environment:
      - MONGO_URI=db:27017 # use container name for network
      - MONGO_USERNAME=root
      - MONGO_PASSWORD=example
    labels:
      - traefik.enable=true
      - traefik.port=4000
      - traefik.frontend.rule=Host:api.sungryeol.xyz
      - traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
      - traefik.backend=sungryeol-api
    networks:
      - web
volumes:
  db-mongo:
  traefik-acme:
networks:
  web:
    # external: true
error logs
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx#gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n
These files are for Traefik v1.7. Version 2.0 is completely different. I suggest you use dnsChallenge. I guess it is easier than httpChallenge and a permanent solution. You only need to create an API Access Token from your domain provider.
Create your files under the /etc folder:
/etc/traefik/acme.json
/etc/traefik/traefik.toml
/etc/traefik/docker-compose.yml
Give permission to acme.json -> chmod 600 acme.json
Note: If everything works fine and there is still no SSL certificate, wait for a few hours.
docker-compose.yaml
version: '3'
services:
  reverse-proxy:
    image: traefik:v1.7
    restart: always
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    expose:
      - 8080
    networks:
      - external
      - internal
    environment:
      - GODADDY_API_KEY=...
      - GODADDY_API_SECRET=...
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.backend=traefik"
      - "traefik.docker.network=external"
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:traefik.yourdomain.com"
      - "traefik.port=8080"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
networks:
  external:
    external: true
  internal:
traefik.toml
debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["username:hashed-password"]

[api]
entryPoint = "traefik"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false

[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
  [acme.dnsChallenge]
  provider = "godaddy"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "*.your-domain.com"
  sans = ["your-domain.com"]
I'm currently trying to setup Traefik on my RPi3 in a docker container. As of right now the logs from the Traefik container are showing that the validation succeeded and the server responded with a cert:
pi#raspberrypi:~/docker $ sudo docker-compose logs -tf --tail="50" traefik
Attaching to traefik
traefik | 2018-05-30T06:59:20.617977807Z legolog: 2018/05/30 06:59:20 [INFO] acme: Registering account for m5#aomosk.com
traefik | 2018-05-30T06:59:21.369400647Z legolog: 2018/05/30 06:59:21 [INFO][*.aomosk.com] acme: Obtaining bundled SAN certificate
traefik | 2018-05-30T06:59:21.389707565Z legolog: 2018/05/30 06:59:21 [INFO][aomosk.com] acme: Obtaining bundled SAN certificate
traefik | 2018-05-30T06:59:22.125375140Z legolog: 2018/05/30 06:59:22 [INFO][*.aomosk.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/aN3AZEq8PTXBTYi73jW-yXvHYVC-5-s9YJzcdlJA-M0
traefik | 2018-05-30T06:59:22.125615035Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] acme: Trying to solve DNS-01
traefik | 2018-05-30T06:59:22.236071160Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/Le-deKqprPhYN8kj80DH1cIzcxVuk2TXZa_fKgm2is8
traefik | 2018-05-30T06:59:22.236208295Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] acme: Trying to solve DNS-01
traefik | 2018-05-30T06:59:22.847749525Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] Checking DNS record propagation using [127.0.0.11:53]
traefik | 2018-05-30T06:59:22.908593248Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] Checking DNS record propagation using [127.0.0.11:53]
traefik | 2018-05-30T06:59:32.932664129Z legolog: 2018/05/30 06:59:32 [INFO][aomosk.com] The server validated our request
traefik | 2018-05-30T06:59:32.953775211Z legolog: 2018/05/30 06:59:32 [INFO][aomosk.com] The server validated our request
traefik | 2018-05-30T06:59:33.186498364Z legolog: 2018/05/30 06:59:33 [INFO][*.aomosk.com] acme: Validations succeeded; requesting certificates
traefik | 2018-05-30T06:59:33.350874848Z 2018/05/30 06:59:33 dns_challenge.go:94: Error cleaning up aomosk.com: Cloudflare API Error
traefik | 2018-05-30T06:59:33.350992816Z Error: 81061: The record does not exist.
traefik | 2018-05-30T06:59:33.351063284Z legolog: 2018/05/30 06:59:33 [INFO][aomosk.com] acme: Validations succeeded; requesting certificates
traefik | 2018-05-30T07:00:53.579052808Z legolog: 2018/05/30 07:00:53 [INFO][*.aomosk.com] Server responded with a certificate.
traefik | 2018-05-30T07:00:59.363610528Z legolog: 2018/05/30 07:00:59 [INFO][aomosk.com] Server responded with a certificate.
This is a copy of my docker-compose.yml file:
version: "3.6"
services:
  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: aomosk.com
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      # - "XXXX:8080"
    environment:
      - CLOUDFLARE_EMAIL=<my_domain_email>
      - CLOUDFLARE_API_KEY=<my_cloudflare_api_key>
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.aomosk.com"
      # - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/pi/docker/traefik:/etc/traefik
      - /home/pi/docker/shared:/shared
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge
And this is my traefik.toml file:
#debug = true
logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[web]
address = ":8080"
  [web.auth.basic]
  usersFile = "/shared/.htpasswd"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
directory = "/etc/traefik/rules/"
watch = true

# Let's encrypt configuration
[acme]
email = "<my_domain_email>" #any email id will work
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging = true
onDemand = false #create certificate when container is created
  [acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "aomosk.com"
  [[acme.domains]]
  main = "*.aomosk.com"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "aomosk.com"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
I've migrated my DNS over to Cloudflare in order to better work with Traefik, and I have an A record for my external IP that is set to my domain name, but I'm still getting the server not found page when I try to access the web UI through the subdomain (and 404 page not found when I use any other method). Is there something that I'm missing that is causing the web UI not to work?
I had a very similar setup and issue. I solved it by commenting out the logging settings in my traefik.toml file.
logLevel = "DEBUG"
[traefikLog]
filePath = "/logs/traefik.log"
[accessLog]
filePath = "/logs/access.log"
If I leave these in I get 404 errors, if I comment them out it works. Not sure if it's a bug?
#logLevel = "DEBUG"
#[traefikLog]
# filePath = "/logs/traefik.log"
#[accessLog]
# filePath = "/logs/access.log"
My problem was a bit different. I set up traefik on my AWS server and at first, it was working when configured for HTTP. But it stopped working when I configured it for HTTPS. I was getting "404 backend not found" errors similar to this
reverse-proxy_1 | 202.164.37.34 - - [10/Aug/2018:10:39:17 +0000] "GET /api/providers HTTP/1.1" 302 5 "http://<traefik-subdomain>.<hostname>/dashboard/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36" 1091 "entrypoint redirect for frontend-Host-########-0" "/api/providers" 0ms
reverse-proxy_1 | 202.164.37.34 - - [10/Aug/2018:10:39:17 +0000] "OPTIONS /api/providers HTTP/2.0" 404 19 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36" 1092 "backend not found" "/api/providers" 0ms
I followed the same approach as given in the answer by paul-taylor by commenting out the logging and it worked. This is unfortunate at the same time as logging would have helped debug any issues.
I want to expose self-hosted services for access from the internet (tinytinyrss, owncloud and other stuff). So I decided to use Traefik as a reverse proxy with Let's Encrypt for the HTTPS certificate. Before jumping into a whole stack for each service I tried to test a simple stack with Traefik, Let's Encrypt and a simple whoami container that responds with a simple text. Docker is running on an Odroid XU-4 board.
Here is my docker-compose :
version: '3.6'
services:
  traefik:
    container_name: traefik
    image: traefik:1.6.1-alpine
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - proxy
    environment:
      - DUCKDNS_TOKEN=my_duck_dns_token
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      - ./traefik/acme/acme.json:/etc/traefik/acme.json
      - ./log:/var/log/traefik
    labels:
      - traefik.enable=true
      - traefik.port=8080
      - traefik.frontend.rule=Host:my_duck_dns.duckdns.org
    restart: always
  whoami:
    container_name: whoami
    image: hypriot/rpi-whoami
    ports:
      - 8000
    networks:
      - proxy
    labels:
      - traefik.frontend.rule=Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/
      - traefik.frontend.entryPoints=https
      - traefik.docker.network=proxy
      - traefik.protocol=http
      - traefik.enable=true
      - traefik.port=8000
    restart: always
networks:
  proxy:
    name: proxy
And my traefik.toml :
debug = true
logLevel = "DEBUG"
checkNewVersion = true
defaultEntryPoints = ["http", "https"]

[proxy]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

#[traefikLog]
#  filePath = "/var/log/traefik/traefik.log"
#  format = "json"
#  logLevel = "DEBUG"
#[accessLog]
#  filePath = "/var/log/traefik/access.log"
#  format = "json"
#  logLevel = "DEBUG"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my_duck_dns.duckdns.org"
exposedbydefault = false
watch = true

[acme]
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
email = "my_email_address#gmail.com"
storage = "/etc/traefik/acme.json"
entryPoint = "https"
acmeLogging = false
  [acme.httpChallenge]
  entryPoint = "http"
  [acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "my_duck_dns.duckdns.org"
  sans = ["my_duck_dns.duckdns.org"]
My router is a dd-wrt flash; I forward ports 80, 8080 and 443 to a Debian computer with this docker-compose on it. The router handles the dynamic DuckDNS update.
I ran my containers with the following command:
docker-compose build --no-cache && docker-compose up --build
And I got these logs when I try to hit http://my_duck_dns.duckdns.org/whoami/ from outside my LAN. Port 80 is redirected correctly to 443, but with this log:
traefik | time="2018-05-18T16:15:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The whole DEBUG stack is below :
whoami | Listening on :8000
traefik | time="2018-05-18T18:30:55Z" level=info msg="Using TOML configuration file /traefik.toml"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Traefik version v1.6.1 built on 2018-05-14_07:16:56PM"
traefik | time="2018-05-18T18:30:55Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2018-05-18T18:30:55Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"#.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null}"
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0x13e3d980 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server https &{Address::443 TLS:0x13b82080 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c10} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Starting server on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting server on :443"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider configuration.providerAggregator {}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"my_duck_dns.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"my_email_address#gmail.com\",\"ACMELogging\":false,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme.json\",\"EntryPoint\":\"https\",\"OnHostRule\":false,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"duckdns\",\"DelayBeforeCheck\":0},\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"Domains\":[{\"Main\":\"my_duck_dns.duckdns.org\",\"SANs\":[\"my_duck_dns.duckdns.org\"]}],\"Store\":{}}"
traefik | time="2018-05-18T18:30:56Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Provider connection established with docker 18.05.0-ce (API 1.37)"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true traefik.port:8080]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8000 traefik.protocol:http traefik.docker.network:proxy traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ traefik.frontend.entryPoints:https]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8080 traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-traefik-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-whoami-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-traefik-odroidtests\":{\"servers\":{\"server-traefik\":{\"url\":\"http://172.27.0.2:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-whoami-odroidtests\":{\"servers\":{\"server-whoami\":{\"url\":\"http://172.27.0.3:8000\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-my_duck_dns-duckdns-org-0\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-traefik-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-0\":{\"rule\":\"Host:my_duck_dns.duckdns.org\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]},\"frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"entryPoints\":[\"https\"],\"backend\":\"backend-whoami-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"rule\":\"Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]}}}"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-0"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint http"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-whoami-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-whoami at http://172.27.0.3:8000 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2018-05-18T18:30:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The acme.json is filled with this on the container:
{
"Account": {
"Email": "my_email_address#gmail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:my_email_address#gmail.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/6100073"
},
"PrivateKey": "[base64 RSA private key blob removed]"
},
"Certificates": [
{
"Domain": {
"Main": "my_duck_dns.duckdns.org",
"SANs": null
},
"Certificate": "[certificate blob removed]",
"Key": "[key blob removed]"
}
],
"HTTPChallenges": null
}
I searched everywhere on the web but no one seems to get that kind of issue. The Traefik documentation is pretty short and well explained. Can someone help me? I feel that there is a little glitch but I can't put my finger on it.
Thanks!
It's not possible to use both challenges at the same time:
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "duckdns"
delayBeforeCheck = 0
When you use this configuration, in fact, only the DNS challenge is used.
You need to change the permissions of the acme.json to 600.
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
I've been trying to get Traefik to install a wildcard cert on my domain, which requires a DNS challenge.
From reading the logs it seems it was able to actually issue the cert but not install it correctly:
time="2018-04-07T19:10:35Z" level=debug msg="Unable to marshal provider conf *acme.Provider with error: json: unsupported type: chan *acme.StoredData"
legolog: 2018/04/07 19:10:57 [INFO][example.tld] The server validated our request
legolog: 2018/04/07 19:10:58 [INFO][*.example.tld] acme: Validations succeeded; requesting certificates
legolog: 2018/04/07 19:11:01 [INFO][*.example.tld] Server responded with a certificate.
time="2018-04-07T19:11:01Z" level=error msg="Error loading new configuration, aborted unable to generate TLS certificate : tls: failed to find any PEM data in certificate input"
time="2018-04-07T19:12:33Z" level=debug msg="http2: server: error reading preface from client ******omitted***: remote error: tls: unknown certificate authority"
My domain's DNS provider is Cloudflare.
Here's my docker-compose.yml:
version: '2'
services:
  traefik:
    image: traefik:1.6.0-rc4
    command: --api --docker
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    environment:
      - CLOUDFLARE_EMAIL=admin#example.tld
      - CLOUDFLARE_API_KEY=
    container_name: traefik
networks:
  web:
    external: true
And my traefik.toml:
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.tld"
watch = true
exposedbydefault = false
[acme]
email = "admin#example.tld"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
acmeLogging = true
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0
[[acme.domains]]
main = "example.tld"
[[acme.domains]]
main = "*.example.tld"
I was able to fix the issue; it's a mistake on my part.
In the traefik.toml, you cannot use OnHostRule = true for wildcard certs.
Read more:
docs.traefik.io/v1.7/configuration/acme/#onhostrule
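As an added example (not code from this thread or from Traefik itself), here is a small Python linter for the two mistakes the answers above point out (both challenge types declared at once, and OnHostRule with a wildcard domain) plus the 0600 permission rule for acme.json. It parses only the flat TOML subset shown in this thread; the sample config and its domain names are constructed placeholders.

```python
import stat

# Constructed sample mirroring the traefik.toml posted above (placeholder values);
# it deliberately contains both misconfigurations discussed in this thread.
SAMPLE_TOML = """[acme]
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "cloudflare"
[[acme.domains]]
main = "example.tld"
[[acme.domains]]
main = "*.example.tld"
"""

def parse_toml_subset(text):
    """Minimal parser for [table], [[table]] and key = value lines; returns (tables, [(table, key, value)])."""
    tables, entries, current = set(), [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()  # [[acme.domains]] -> acme.domains
            tables.add(current)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append((current, key, value.strip('"')))
    return tables, entries

def lint_acme(text):
    """Return human-readable findings for the [acme] section; an empty list means none found."""
    tables, entries = parse_toml_subset(text)
    findings = []
    # Declaring both challenge types is not supported; Traefik then uses only the DNS challenge.
    if {"acme.httpChallenge", "acme.dnsChallenge"} <= tables:
        findings.append("httpChallenge and dnsChallenge both set; only the DNS challenge is used")
    # OnHostRule derives domains from Host rules, which never produce wildcard names.
    on_host_rule = any(t == "acme" and k.lower() == "onhostrule" and v == "true" for t, k, v in entries)
    wildcards = [v for t, k, v in entries if t == "acme.domains" and k == "main" and v.startswith("*.")]
    if on_host_rule and wildcards:
        findings.append("OnHostRule = true cannot be used with wildcard domains: " + ", ".join(wildcards))
    return findings

def acme_store_mode_ok(mode):
    """True when the permission bits are exactly 0600, which Traefik requires for acme.json."""
    return stat.S_IMODE(mode) == 0o600
```

Pass `os.stat("acme.json").st_mode` to `acme_store_mode_ok` to check a real store before starting the container.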