Help with having traefik auto-generate Let's Encrypt certificates via DNS challenge with CF

Hi and thanks for any help you can provide.

I’m in the process of trying to switch reverse proxies from nginx to traefik. Previously I was using acme.sh via DNS challenge with Cloudflare for SSL certificate generation/renewal. From what I’ve read, with traefik acme is “built-in” to the reverse proxy, which should eliminate one step.

My setup consists of an Ubuntu 20.04 host running docker. My test containers are traefik and whoami.
I’m running a home setup with a single WAN address. My router is pfSense, which intercepts all DNS port 53 lookups, forwarding them to DOH via port 853. This is unchanged and working with my previous acme.sh/nginx reverse proxy setup.

I’ve set up two test domains within CF – traefik.xxxxx.com and whoami.xxxxx.com. My docker-compose file is the following:

networks:
  docker-net:
    name: docker-net
    driver: bridge
    ipam:
      config:
        - subnet: 10.30.0.0/24

secrets:
  CF_DNS_API_TOKEN_secret:
    file: /etc/docker/compose/CF_DNS_API_TOKEN.secret
  CF_ZONE_API_TOKEN_secret:
    file: /etc/docker/compose/CF_ZONE_API_TOKEN.secret
  CF_API_KEY_secret:
    file: /etc/docker/compose/CLOUDFLARE_API_KEY.secret

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    secrets:
      - CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_secret
      - CF_API_KEY_secret
    networks:
      - docker-net
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.xxxxxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      # value reconstructed: the extracted page showed an obfuscated "[email protected]" here;
      # api@internal is Traefik's built-in dashboard/API service
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$284N9gdE$$HN3oNn0.D82qAFFXsusu00"
    environment:
      - TZ
      - CLOUDFLARE_EMAIL
      - CLOUDFLARE_API_KEY
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /etc/letsencrypt/certificates:/etc/letsencrypt


  whoami:
    image: containous/whoami
    container_name: whoami
    restart: unless-stopped
    networks:
      - docker-net
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.whoami.rule=Host(`whoami.xxxx.com`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=le"
    ports:
      - 81:80

My traefik.yml file is the following:

entryPoints:
  web:
    address: :80

  websecure:
    address: :443

certificatesResolvers:
  le:
    acme:
      email: [email protected]
      #Staging Server
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      #Production Server
      caServer: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

    # second named options set, a sibling of "default" under "options"
    # (it was indented one level too deep, which made it a key inside "default")
    mintls13:
      minVersion: VersionTLS13

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: docker-net

api:
  debug: true
  dashboard: true

log:
  level: DEBUG

I’m getting the following error, however, when trying to start the containers with docker-compose, regarding the SSL certificate generation:

time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [whoami.xxxxx.com] acme: Preparing to solve DNS-01"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [traefik.xxxxx.com] acme: Cleaning DNS-01 challenge"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [whoami.xxxxx.com] acme: Cleaning DNS-01 challenge"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [WARN] [traefik.xxxxx.com] acme: cleaning up failed: cloudflare: failed to find zone com.: Zone could not be found "

I’m not sure why cloudflare couldn’t find the zone. Any help with this one?

So someone on the traefik forums tipped me off about doing an nslookup using SOA since this is what the program does.

So, any insight into why I can resolve google.com but not my own domain traefik.xxxx.com?

Here are my outputs:

#nslookup -type=soa cloudflare.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
cloudflare.com
	origin = ns3.cloudflare.com
	mail addr = dns.cloudflare.com
	serial = 2035661364
	refresh = 10000
	retry = 2400
	expire = 604800
	minimum = 300

Authoritative answers can be found from:

And my cloudflare domain:

#nslookup -type=soa traefick.xxxxx.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find traefick.xxxx.com: NXDOMAIN

And my “base domain”:

#nslookup -type=soa xxxxx.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

***Can't find xxxxx.com: No answer
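Added diagnostic example (my code, not the poster's configuration and not Traefik's or lego's own code): lego, the ACME library inside Traefik, decides which zone a DNS-01 record belongs to by sending an SOA query for the full hostname and then stripping one label at a time until a resolver answers with an SOA record in the answer section; NXDOMAIN or an empty answer just moves it up a label. The script below reproduces that walk with a stdlib-only UDP DNS client so the whole path can be checked in one run against whichever resolver Traefik is configured with. The `INTERCEPTED` map is constructed from the nslookup results above (host NXDOMAIN, base domain "No answer", only the TLD answering), which is exactly the pattern that makes the walk hand `com.` to the Cloudflare provider, the zone name that appears in the error. Assumptions: the default resolver `1.1.1.1` and the example hostnames are placeholders, and because the post says pfSense intercepts port 53, a query addressed to `1.1.1.1` from the Docker host is answered by whatever the interception path returns, not by Cloudflare directly.

```python
"""Reproduce lego's SOA walk-up (zone discovery for DNS-01) with a minimal
stdlib DNS client, so each label's outcome can be seen in one run."""
from __future__ import annotations

import random
import socket
import struct

TYPE_SOA = 6
CLASS_IN = 1


def build_soa_query(name: str, txid: int) -> bytes:
    """Encode a single-question query for <name> SOA IN with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data: bytes, txid: int) -> tuple[int, bool]:
    """Return (rcode, soa_present_in_answer_section) for a reply to our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    has_soa = False
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        has_soa = has_soa or rtype == TYPE_SOA
    return flags & 0x000F, has_soa


def classify(rcode: int, has_soa: bool) -> str:
    """Map a reply to the outcomes the walk-up distinguishes."""
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "SOA" if has_soa else "NOANSWER"
    return "ERROR"


def soa_lookup(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> str:
    """Send the SOA query over UDP to <resolver>:53 and classify the reply."""
    txid = random.randrange(0x10000)
    query = build_soa_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # socket.timeout is a subclass of OSError
            return "ERROR"
    try:
        return classify(*parse_response(data, txid))
    except (ValueError, IndexError, struct.error):
        return "ERROR"


def find_zone(fqdn: str, lookup) -> tuple[str | None, list[tuple[str, str]]]:
    """Walk up from fqdn one label at a time, as lego does: NXDOMAIN and empty
    answers move up a label, any other failure aborts, and the first candidate
    whose SOA arrives in the answer section is the zone. Returns (zone, trace)."""
    labels = fqdn.rstrip(".").split(".")
    trace: list[tuple[str, str]] = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        outcome = lookup(candidate)
        trace.append((candidate, outcome))
        if outcome == "SOA":
            return candidate, trace
        if outcome == "ERROR":
            break
    return None, trace


# Constructed stand-in for the resolver behaviour in the post's nslookup output:
# the host NXDOMAINs, the base domain returns no answer, only the TLD has an SOA.
INTERCEPTED = {"traefik.xxxxx.com.": "NXDOMAIN", "xxxxx.com.": "NOANSWER", "com.": "SOA"}


def simulate_intercepted() -> str | None:
    """Zone the walk would hand to the DNS provider under INTERCEPTED: "com."."""
    return find_zone("traefik.xxxxx.com", lambda n: INTERCEPTED.get(n, "ERROR"))[0]


if __name__ == "__main__":
    import sys
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "whoami.example.com"  # placeholder
    resolver = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"
    zone, trace = find_zone(fqdn, lambda n: soa_lookup(n, resolver))
    for candidate, outcome in trace:
        print(f"{candidate:<40} {outcome}")
    print("zone handed to the DNS provider:", zone)
```

Run it with the hostname and resolver as arguments from the Docker host; the trace shows at which label the resolver path stops answering. A healthy path ends at the registered domain (for example `xxxxx.com.` → `SOA`), and that is the name lego passes to the Cloudflare API for the zone-id lookup; a trace that only reaches `SOA` at `com.` reproduces the "failed to find zone com." message regardless of which API token is in use.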