
My current network:

Router         - 192.168.1.1   (static)
Windows PC     - 192.168.1.10  (static)
Synology NAS   - 192.168.1.11  (static)
DockerPihole   - 192.168.1.12  (macvlan-static)
DockerUnbound  - 192.168.1.13  (macvlan-static)
DockerTraefik  - 192.168.1.14  (macvlan-static)

Docker Bridge Network (For Traefik to work)

DockerTraefik  - 192.168.10.2  (bridge-static)
DockerNginx1   - 192.168.10.10 (bridge-static)
DockerNginx2   - 192.168.10.20 (bridge-static)

  • I'm running Docker on my Synology NAS.
  • I'm running DNS on my Synology NAS (the built-in DNS app). Pi-Hole, Unbound, and Traefik are running in a shared macvlan.
  • I created a bridge network for Traefik to connect to each container.
  • I'm configuring Labels on each container's stack in portainer to handle the Traefik configuration.
  • I'm trying to follow the tutorial here https://youtu.be/wLrmmh1eI94 but this was not on a synology so it's slightly different.
  • Although I do own the domain I'm trying to use, my understanding is that it shouldn't be necessary as long as I can point to my Synology DNS server which handles that domain.

The main difference is that the Synology is already using 80 and 443, so my solution was to put Traefik in a macvlan so I didn't have port conflicts.

I got most everything working but I'm having trouble figuring out this one (hopefully last) thing. In the Traefik logs I can see that letsencrypt.org is having problems with my DNS.

Here's the error for the log:

level=error
msg=Unable to obtain ACME certificate for domains "nginx2.mydomain.com": 
    unable to generate a certificate for the domains [nginx2.mydomain.com]:
error: one or more domains had a problem:
      [nginx2.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nginx2.mydomain.com
      - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for nginx2.mydomain.com
      - check that a DNS record exists for this domain
providerName=staging.acme
routerName=nginx2@docker
rule=Host(`nginx2.mydomain.com`)
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory

I've set up the DNS in the Synology and have my router set to use the Synology as my first DNS server. When I ping nginx2.mydomain.com from my PC, it returns the IP of the DockerTraefik container, 192.168.1.14. I believe this is the correct behavior.

Also when I look in my acme.json file (which was empty) I see that it has been populated with a certificate that says "status": "valid" (staging for now, production is empty). I believe this is the correct behavior.

I'm not sure what I'm missing but when I browse to nginx2.mydomain.com the certificate in the browser says

Issued to: TRAEFIK DEFAULT CERT Issued by: TRAEFIK DEFAULT CERT

I'm expecting it to say: Issued to: nginx2.mydomain.com Issued by: (STAGING)...

Here are my goals:

  1. (done) Access my Docker containers by name. ex: nginx.mydomain.com
  2. (done) Access my Docker containers without DNS (in case of issues). ex: 192.168.1.14:10080
  3. Browser says "secure" when I access my containers by name.
  4. I may want to expose one or two of them externally later so keeping that option easily available is key but ATM I plan to use a VPN for everything.

Problems I've solved so far:

  1. I can't give Traefik direct access to 80/443 because the NAS is using those ports.
    • I put Traefik in a macvlan network
  2. Containers couldn't ping their parent
    • By adding ports to the stack, e.g.:
        ports:
          - 180:80
          - 1443
      it allowed me to access the container directly with DNS (goal #2) and also fixed the ping issue to the parent.
LorneCash
  • Your hostname needs to be resolvable *by letsencrypt*. From your description here it sounds like that's not the case. – larsks Apr 18 '23 at 09:49
  • I had to create a macvlan for Traefik because I'm running docker on my Synology (80 and 443 are already used). I think what's compounding my problem is that I'm also using the Synology as my DNS server. I've tried everything I can find and I can't seem to come up with a way to get Traefik to ping the Synology again which is both the Docker host and the DNS server. I keep getting an error from letsencrypt that it can't find the domain which makes sense because I can't ping the DNS server from Traefik. (Or at least I think that's what the problem is) Any help would be greatly appreciated. – LorneCash Apr 19 '23 at 10:58
  • The hostname needs to be *globally* resolvable (that is, by anyone on the internet). This doesn't have anything to do with Traefik; this is how LetsEncrypt operates -- the LetsEncrypt servers need to be able to translate your hostname into an IP address in order to connect and verify the HTTP challenge. – larsks Apr 19 '23 at 12:04
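The two comments above turn on one distinction: the view of `nginx2.mydomain.com` that the poster's PC gets from the Synology DNS server versus the view that Let's Encrypt's validation servers get from public DNS. The script below is an added example, not code from the question or from Traefik; it sends a raw RFC 1035 A/AAAA query to a chosen resolver and reports the response code, so the same name can be checked against the local resolver and against a public one. The resolver addresses (192.168.1.11 for the Synology, 1.1.1.1 as the public resolver) and the two sample replies are constructed for the example; the hostname is the one from the question.

```python
"""Compare a split-horizon resolver's answer with the public view that an
ACME CA (Let's Encrypt) sees for an HTTP-01 / TLS-ALPN-01 challenge."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Build a DNS query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return the response code and any A/AAAA addresses in the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
        # CNAME and other types are skipped; only final addresses matter here
    return {"rcode": rcode, "addresses": addrs}


def resolve(name: str, qtype: str, server: str, timeout: float = 3.0) -> dict:
    """Query one resolver over UDP and parse its reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def acme_would_fail(public_view: dict) -> bool:
    """HTTP-01 and TLS-ALPN-01 need the CA to find an address in public DNS."""
    return public_view["rcode"] != "NOERROR" or not public_view["addresses"]


# Constructed sample replies (not captured traffic) so the parser runs offline.
SAMPLE_TXID = 0x1234
_QUESTION = b"\x06nginx2\x08mydomain\x03com\x00" + struct.pack("!HH", 1, 1)
# Local view: NOERROR with one A record 192.168.1.14, name compressed to offset 12.
SAMPLE_LOCAL_REPLY = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
                      + _QUESTION + b"\xc0\x0c"
                      + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 168, 1, 14]))
# Public view: NXDOMAIN (rcode 3), no answers; a real reply also carries an SOA
# in the authority section, which this parser does not need.
SAMPLE_PUBLIC_REPLY = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8183, 1, 0, 0, 0)
                       + _QUESTION)

if __name__ == "__main__":
    host = "nginx2.mydomain.com"
    for label, server in (("synology", "192.168.1.11"), ("public", "1.1.1.1")):
        for qtype in ("A", "AAAA"):
            print(label, qtype, resolve(host, qtype, server))
```

If the public view returns NXDOMAIN for both A and AAAA, the CA produces exactly the `urn:ietf:params:acme:error:dns` error in the log above, regardless of what the LAN resolver says. Getting a certificate for a name that exists only on the LAN means either publishing a public record for it (and, for HTTP-01, reaching port 80 from the internet) or switching the Traefik certificate resolver to the DNS-01 challenge, which only needs the CA to read a `_acme-challenge` TXT record at the domain's public DNS provider.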

0 Answers