I use traefik for my reverse proxy and TLS certificate management. It worked for a long time, but I recently noticed that traefik fails to request TLS certificates from Let's Encrypt. I don't know when, as I didn't notice until now. The error seems to be on all my services, but here's an example:
```yaml
bitwarden:
  image: vaultwarden/server
  container_name: bitwarden
  volumes:
    - ./bwdata:/data
  environment:
    - WEBSOCKET_ENABLED=true
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.bitwarden-secure.middlewares=compress"
    - "traefik.http.routers.bitwarden-secure.rule=Host(`bitwarden.example.com`)"
    - "traefik.http.routers.bitwarden-secure.tls=true"
    - "traefik.http.routers.bitwarden.tls.certresolver=myresolver"
  networks:
    - traefik_proxy
  logging:
    driver: "json-file"
    options:
      max-size: "10m"
      max-file: "6"
```
It routes correctly when entering the URL, but in my traefik logs I get errors:
```
traefik_1 | time="2023-12-15T21:39:44Z" level=error msg="Unable to obtain ACME certificate for domains \"bitwarden-docker\": unable to generate a certificate for the domains [bitwarden-docker]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"bitwarden-docker\": Domain name needs at least one dot" rule="Host(`bitwarden-docker`)" providerName=myresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=bitwarden@docker
```
As my certificate hasn't expired, I still have TLS, but when creating a new service I get the same error, and I also get it from pretty much all services which previously worked.
I haven't changed the traefik service, as far as I can remember.
```yaml
traefik:
  image: traefik
  command:
    - "--api.insecure=true"
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entrypoints.web.address=:80"
    - "--entrypoints.web-secure.address=:443"
    - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
    - "--certificatesresolvers.myresolver.acme.email=MY_EMAIL"
    - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    - "--api.dashboard=true"
    - "--api.insecure=true"
    - "--entrypoints.ssh.address=:22" # gitea
  ports:
    - "80:80"
    - "443:443"
    - "8080:8080"
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"
    - "./letsencrypt:/letsencrypt"
    - "./static:/var/www/html"
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.reverse.entrypoints=web"
    - "traefik.http.middlewares.auth.basicauth.users=ENCRYPTED_USER"
    - "traefik.http.middlewares.compress.compress=true"
    - 'traefik.http.routers.api.middlewares=authelia@docker'
    - "traefik.http.middlewares.share_auth.basicauth.users=ANOTHER_ENCRYPTED_USER"
  networks:
    - traefik_proxy
  logging:
    driver: "json-file"
    options:
      max-size: "10m"
      max-file: "6"
```
I have tried changing the URL on the new service, with the same error.
You have the wrong name for one of the routers:

Change

```
traefik.http.routers.bitwarden.tls.certresolver=myresolver
```

to

```
traefik.http.routers.bitwarden-secure.tls.certresolver=myresolver
```