fix: Remove redundant ACME challenge router in Traefik configuration

- Remove explicit ACME challenge router that had no service defined - Traefik handles ACME challenges automatically when httpChallenge.entryPoint is set - The router was interfering with automatic challenge handling - Fixes 'Cannot retrieve the ACME challenge' errors in Traefik logs
2025-11-08 18:46:01 +01:00
parent af98069eba
commit 3d233e8b2c
2 changed files with 39 additions and 50 deletions
--- a/deployment/stacks/traefik/traefik.yml
+++ b/deployment/stacks/traefik/traefik.yml
@@ -1,4 +1,5 @@
-# Static Configuration for Traefik
+# Static Configuration for Traefik v3.0
+# Minimal configuration - only static settings

 # Global Configuration
 global:
@@ -6,12 +7,10 @@ global:
  sendAnonymousUsage: false

 # API and Dashboard
-# Note: insecure: false means API is only accessible via HTTPS (through Traefik itself)
-# No port 8080 needed - dashboard accessible via HTTPS at traefik.michaelschiemer.de
 api:
  dashboard: true
  insecure: false
-  # Dashboard accessible via HTTPS router (no separate HTTP listener needed)
+  # Dashboard accessible via HTTPS router

 # Entry Points
 entryPoints:
@@ -42,20 +41,20 @@ certificatesResolvers:
      storage: /acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      # Use HTTP-01 challenge (requires port 80 accessible)
+      # Traefik automatically handles /.well-known/acme-challenge requests
      httpChallenge:
        entryPoint: web
-      # Uncomment for DNS challenge (requires DNS provider)
-      # dnsChallenge:
-      #   provider: cloudflare
-      #   delayBeforeCheck: 30
+      # Optional: Increase retry attempts for certificate renewal
+      # This helps when Gitea is temporarily unavailable
+      preferredChain: ""

 # Providers
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
-    # Network mode is 'host', so we don't specify a network here
-    # Traefik can reach containers directly via their IPs in host network mode
+    # Bridge network mode - Traefik uses Docker service discovery via labels
+    # Services must be on the same network (traefik-public) for discovery
    watch: true

  file:
@@ -63,12 +62,12 @@ providers:
    watch: true

 # Forwarded Headers Configuration
-# This ensures Traefik correctly identifies the real client IP
 forwardedHeaders:
  trustedIPs:
-    - "127.0.0.1/32"     # Localhost
-    - "172.17.0.0/16"    # Docker bridge network
-    - "172.18.0.0/16"    # Docker user-defined networks
+    - "127.0.0.1/32"
+    - "172.17.0.0/16"
+    - "172.18.0.0/16"
+    - "10.8.0.0/24"
  insecure: false

 # Logging