Hello, I am trying to get Let's Encrypt certificates for my Traefik stack using the DNS challenge. I can't figure out what I did wrong. I would really appreciate your help, thanks.

docker compose

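# Compose stack: Traefik (edge proxy, ACME via netcup DNS-01), Authelia (SSO),
# Portainer, CrowdSec + bouncer, GoAccess. All services share the external
# `proxy` network so Traefik can reach them by container name.
# NOTE(review): `version:` is ignored by Compose v2; harmless, kept for older clients.
version: "3.8"

services:
  authelia:
    image: authelia/authelia  # consider pinning a version tag for reproducible deploys
    container_name: authelia
    volumes:
      - /home/pi/src/core/authelia-data:/config
    networks:
      - proxy
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=proxy'
      - 'traefik.http.routers.authelia.rule=Host(`sub.domain.de`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      # Forward-auth target is the container's internal name/port on the proxy
      # network; `rd=` is where unauthenticated users are redirected to log in.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://sub.domain.de'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    expose:
      - 9091
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
    healthcheck:
      disable: true  # Traefik's depends_on below therefore only waits for start, not readiness

  # Fixed: this key was indented with one space, which is neither the `services`
  # level nor the top level — the file did not parse, so nothing started.
  traefik:
    # NOTE(review): `latest` is a moving target; pin a version so an image pull
    # cannot silently change ACME/provider behaviour between restarts.
    image: "traefik:latest"
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - authelia
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # `:ro` only prevents writes to the socket file; the Docker API behind it
      # is still fully usable (root-equivalent on the host). A socket proxy
      # that allows only the read endpoints Traefik needs would limit the blast radius.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik-data/traefik.yml:/traefik.yml:ro"
      # Must exist on the host as an empty file with mode 0600 before the first
      # `up`: Docker creates a directory at a missing bind-mount path, and
      # Traefik refuses an acme.json whose permissions are wider than 0600.
      - "./traefik-data/acme.json:/acme.json"
      - "./traefik-data/configurations:/configurations"
      - "./traefik-data/logs:/logs"
    environment:
      # netcup DNS-01 credentials read by Traefik's ACME provider. An empty
      # `NAME=` is passed into the container as an empty string, and the
      # challenge then fails with a credentials error in the debug log. If they
      # live in .env, use e.g. "NETCUP_API_KEY=${NETCUP_API_KEY:?NETCUP_API_KEY is required}"
      # so compose fails fast instead of starting with blank credentials.
      - NETCUP_CUSTOMER_NUMBER=
      - NETCUP_API_KEY=
      - NETCUP_API_PASSWORD=
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      # Without an explicit rule the Docker provider falls back to
      # Host(`traefik`) (the container name). This router serves api@internal
      # with no auth middleware attached — re-enable the rule AND the
      # middleware together before exposing it. The middleware line below
      # was previously written for the `portainer-secure` router, so
      # uncommenting it would not have protected this one.
      # - traefik.http.routers.traefik-secure.rule=Host(`sub.domain.de`)
      - traefik.http.routers.traefik-secure.service=api@internal
      # - traefik.http.routers.traefik-secure.middlewares=authelia@docker

  portainer:
    image: "portainer/portainer-ee:linux-arm"
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # Same caveat as for traefik: read-only mount, full Docker API access.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./portainer-data:/data"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.portainer-secure.entrypoints=websecure
      # NOTE(review): every router in this stack uses the same Host(); that is
      # fine only if the hostnames were redacted for the post — identical rules
      # make routing between routers ambiguous.
      - traefik.http.routers.portainer-secure.rule=Host(`sub.domain.de`)
      - traefik.http.routers.portainer-secure.service=portainer
      - traefik.http.routers.portainer-secure.middlewares=authelia@docker
      - traefik.http.services.portainer.loadbalancer.server.port=9000

  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    depends_on:  # uncomment if running traefik in the same compose file
      - traefik
    volumes:
      - "/home/pi/src/core/crowdsec-data/config/:/etc/crowdsec/"
      - "/home/pi/src/core/crowdsec-data/crowdsec-db:/var/lib/crowdsec/data/"
      # Reads the files Traefik writes to ./traefik-data/logs; the absolute path
      # only matches if this compose file lives in /home/pi/src/core.
      - "/home/pi/src/core/traefik-data/logs:/var/log/traefik/:ro"
    networks:
      - proxy
    restart: unless-stopped

  bouncer-traefik:
    image: "docker.io/fbonalair/traefik-crowdsec-bouncer:latest"
    container_name: bouncer-traefik
    environment:
      # A bare key resolves the value from the environment of the compose CLI
      # (e.g. .env). The API key is the one issued by `cscli bouncers add`; the
      # agent host is the crowdsec container's LAPI address. If both end up
      # empty the bouncer cannot query decisions and the middleware fails open
      # or closed depending on the bouncer's error handling — check its log.
      CROWDSEC_BOUNCER_API_KEY:
      CROWDSEC_AGENT_HOST:
    networks:
      - proxy  # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

  goaccess:
    image: 'xavierh/goaccess-for-nginxproxymanager:latest'
    container_name: goaccess
    restart: unless-stopped
    # Published directly on the host, so this bypasses Traefik, Authelia and
    # the CrowdSec bouncer; bind it to a LAN/localhost address ("127.0.0.1:7880:7880")
    # or route it through Traefik with the authelia middleware.
    ports:
      - '7880:7880'
    environment:
      - TZ=Europe/Berlin
      - LOG_TYPE=TRAEFIK  # optional
    volumes:
      - "/home/pi/src/core/traefik-data/logs:/opt/log"
    labels:
      - traefik.enable=false

networks:
  proxy:
    external: true  # created out of band: `docker network create proxy`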

traefik.yml

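# Traefik static configuration (bind-mounted read-only at /traefik.yml).
api:
  dashboard: false
  # insecure: true  # serves the API on :8080 without auth — keep disabled on a reachable host

log:
  # DEBUG is the right level while troubleshooting ACME: the netcup provider's
  # API errors and the DNS-01 propagation messages only appear here.
  level: "debug"
  filePath: "/logs/traefik.log"

# Configuring Multiple Filters
accessLog:
  filePath: "/logs/access.log"
  # NOTE(review): these filters are OR-ed, so only 200/300-302 responses, retried
  # requests and slow (>10ms) requests are written. CrowdSec reads this file
  # (see the crowdsec volume in compose); its traefik scenarios key on 4xx
  # responses, which these filters drop, so probing/bruteforce detection will
  # largely stay silent. Relax or remove the filters if CrowdSec is meant to work.
  filters:
    statusCodes:
      - "200"
      - "300-302"
    retryAttempts: true
    minDuration: "10ms"
  # collect logs as in-memory buffer before writing into log file
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop # drop all headers per default
      names:
        User-Agent: keep # log user agent strings

entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
      # Redirect scheme defaults to https, so no `scheme:` is needed here.
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: ":443"
    http:
      # Both middlewares come from the file provider (dynamic.yml); if that
      # file fails to load, every router on this entrypoint errors out.
      middlewares:
        - secureHeaders@file
        - crowdsec-bouncer@file
      tls:
        certResolver: letsencrypt  # every websecure router gets an ACME cert by default

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # containers opt in with traefik.enable=true
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: webmaster@domain.de
      # Relative to Traefik's working directory ("/" in the official image),
      # i.e. the /acme.json bind mount. Traefik refuses the file unless its
      # mode is 0600; it also holds the account private key, so keep it out of VCS.
      storage: acme.json
      keyType: EC256
      # Production CA. While debugging, switch to the staging directory
      # (https://acme-staging-v02.api.letsencrypt.org/directory): production
      # rate-limits failed validations per account and hostname per hour, so a
      # few broken attempts lock you out for a while with a misleading error.
      caServer: https://acme-v02.api.letsencrypt.org/directory
      certificatesDuration: 2160  # hours (90 days); must match what the CA actually issues
      dnsChallenge:
        provider: netcup  # credentials come from the NETCUP_* env vars in compose
        # Seconds. With a non-zero value Traefik sleeps for this long in place
        # of its own TXT-record propagation check and then lets the CA validate
        # (confirm against the Traefik release in use). 1200 s = 20 min per
        # domain, so the first request for several hosts takes a long time;
        # netcup's DNS is slow to propagate, which is why a large value is common.
        delayBeforeCheck: 1200
        # Used by the propagation pre-check (when it runs). The netcup
        # authoritative servers are the right targets; public recursive
        # resolvers may negatively cache the TXT name and report "not
        # propagated" for the record's TTL.
        resolvers:
          - "root-dns.netcup.net:53"
          - "second-dns.netcup.net:53"
          - "third-dns.netcup.net:53"
          - "8.8.8.8:53"
          - "1.1.1.1:53"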

dynamic.yml

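# Traefik dynamic configuration, loaded by the file provider
# (providers.file.filename in traefik.yml). Only dynamic elements (http, tcp,
# udp, tls) belong here. The `entryPoints` stanza that used to sit at the top
# of this file was static configuration, already defined in traefik.yml
# (including the web -> websecure redirect, whose scheme defaults to https);
# the file provider rejects unknown top-level keys ("field not found"), which
# drops this whole file — and with it the middlewares the entrypoints reference.
http:
  middlewares:
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        # Passes the request's X-Forwarded-* headers to the bouncer so it sees
        # the real client IP. Traefik only keeps client-supplied forwarded
        # headers from entryPoints.*.forwardedHeaders.trustedIPs (unset in
        # traefik.yml), so clients cannot spoof the IP the bouncer checks — confirm.
        trustForwardHeader: true

    nextcloud-redirectregex:
      redirectRegex:
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

    secureHeaders:
      headers:
        forceSTSHeader: true
        stsIncludeSubdomains: true
        # Preload is effectively irreversible once the domain is submitted to
        # the HSTS preload list; keep it only if every subdomain will stay HTTPS.
        stsPreload: true
        stsSeconds: 31536000

    user-auth:
      basicAuth:
        # htpasswd-style "user:hash" entries (bcrypt recommended), never plain passwords.
        users:
          - "xxxxxx"

  routers:
    nextcloud-secure:
      entryPoints:
        - websecure
      # NOTE(review): every router in this stack matches the same Host(); fine
      # only if the hostnames were redacted for the post — identical rules make
      # routing between routers ambiguous.
      rule: Host(`sub.domain.de`)
      middlewares:
        - nextcloud-redirectregex
      service: nextcloud

    hass-secure:
      entryPoints:
        - websecure
      rule: Host(`sub.domain.de`)
      service: hass

  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://192.168.178.72:80/"  # plain HTTP on the LAN; TLS terminates at Traefik

    hass:
      loadBalancer:
        servers:
          - url: "http://192.168.178.23:8123/"

tls:
  options:
    default:
      # Applies to TLS 1.2 only; TLS 1.3 suites are not configurable and stay enabled.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
      # Consider `sniStrict: true` so connections without a matching SNI are
      # refused instead of served the default certificate.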