
Traefik failing to deploy

Sprort

Junior Member
I've been trying to get Traefik deployed and keep running into issues. I have verified my domain is pointed to the correct IP, all ports are being forwarded appropriately, and all user-specified values in the Traefik deployment are correct. I'm using Cloudflare and have set all A name records as instructed. I was receiving an error related to deployment attempts (verified by checking Traefik logs in Portainer) so I waited 8 days and tried again. Now I'm seeing this:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? Portainer Check: FAILED!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SMART TIP: Check Portainer Now! View the Traefik Logs!

REASON 1 - CloudFlare: portainer is not set in the CNAME or A Records
REASON 2 - DuckDNS : Forgot to create a portainer or * - A Record
REASON 3 - Firewall : Everything is blocked
REASON 4 - DelayValue: Set too low; CF users reported using 90 to work
REASON 5 - OverUse : Deployed too much; hit LetsEncrypt Weekly Limit
REASON 6 - User : PG Locally; Route is not enable to reach server
REASON 7 - User : Bad values input or failed to read the wiki
REASON 8 - User : Forgot to point DOMAIN to CORRECT IP ADDRESS

There are multiple reason for failure! Visit the forums, wiki, or Pgblitz!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
I have checked the logs in Portainer and am seeing "No logs available". I have verified that port forwarding is working correctly by installing IIS on another machine and forwarding ports to it and was able to navigate to <mydomain>.org and see the IIS landing page.

Has anyone else run into an issue like this or have any additional troubleshooting steps I might want to take?
 

Admin9705

Administrator
Project Manager
Can you see portainer from the subdomain? If not, it's square 1. I don't use CF, but several people will assist (CF can be tricky). If you do get info, please toss it in the wiki which will continue to help others :D
 

Admin9705

Administrator
Project Manager
Ya, that's why I set it up like that, so if you cannot get to it, it's something else :D Do a search here for cloudflare and you'll see several users posting stuff in regards to it.
 

MrDoob

Guest
Check on CF

DNS A-RECORD | * | your IP | without orange cloud
DNS A-RECORD | www | your IP | orange cloud | TTL Automatic
DNS A-RECORD | portainer | your IP | orange Cloud | TTL Automatic

Then redeploy Traefik

Change the DNS Timeout from 60 secs to 90 secs.

And then it must work.

I actually do it on my second test server and this works!
 

MrDoob

Guest
That's my CF settings!

I use only A records !!

Always Use HTTPS > ON
HTTP Strict Transport Security (HSTS)
Status: On
Max-Age: 6 months (Recommended)
Include subdomains: On
Preload: On
Authenticated Origin Pulls > ON
Minimum TLS Version > 1.2
Opportunistic Encryption > ON
TLS 1.3 > Enabled+0RTT
Automatic HTTPS Rewrites > ON

Browser Cache Expiration > 30MIN
Always Online > ON
WebSockets > ON
Pseudo IPv4 !> OFF
 

agentchromatic7

Junior Member
I can't get the orange cloud on the A records so I use CNAMEs instead. It just tells me those A records can't be proxied. I think I've exceeded my limit when trying to deploy (is there a fix for this with LetsEncrypt or do I have to wait a whole week). I shouldn't be getting that because it's new.

Right now I have:

DNS A-RECORD | * | myIP | without orange cloud
DNS A-RECORD | mydomain.com| myIP | without orange cloud
DNS CNAME-RECORD | www | mydomain.com | with orange cloud
DNS CNAME-RECORD | portainer | mydomain.com | with orange cloud

And I have nzbget, sonarr, radarr all set with orange cloud CNAMEs. (Do I have to have the same records on my Google Domain setting or will Cloudflare take care of it?)

Page Rules
SSL FULL
ALWAYS ONLINE - OFF
CACHE LEVEL - BYPASS
AUTO HTTPS REWRITES - ON

Lastly, super dumb question because I'm new. I'm using my public IPv4 address in Cloudflare and not my internal subnet, correct? Like the IPs I see in portainer? If there is a guide I should be looking at please let me know.

I've been trying to get this to work for the past three days with no way around the Cloudflare issue. I've created a GSUITE as well, but no idea how to get the credentials requested in pgblitz-traefik for that.
 

Nightshade

Full Member
If you set everything else up right, then at this point you have likely exhausted your weekly number of attempts to renew the cert for that domain. LetsEncrypt's documentation says there's no way to bypass the limit other than waiting a week, although using a subdomain or trying a different domain may work.

Also, yes you would use the public IPv4 for the cloudflare records.

Note: once you changed your Nameservers from Google's default to Cloudflare, all the DNS records are looked after from cloudflare, unless you switch them back or to another provider.
 

agentchromatic7

Junior Member
Ok, thank you for letting me know I'm using the correct IP and that Cloudflare takes care of everything. Does my setup look ok? Does the wildcard still need to be there since I'm using CNAME for WWW pointing to my domain?
 

Nightshade

Full Member
No worries, and Cloudflare does not proxy wildcard records; hence domains are served directly.

You can make an A record manually for each subdomain you want proxied by Cloudflare.


Example from Cloudflare docs:
“To get Cloudflare protection on a wildcard subdomain (for example: www), you need to define that record explicitly in your Cloudflare DNS settings. First, log into your Cloudflare account and click the DNS app. In this example, you would add "www" as its own CNAME record on your Cloudflare DNS settings and toggle the cloud to orange so the Cloudflare's proxy is enabled.”
 

agentchromatic7

Junior Member
Thanks again! It looks like all I have to do now is wait for my week long mistake to be over to test it again lol
 

TheShadow

Guest
There's some misinformation here.

I'll clear it up.

1 A record, everything else should be CNAMEs.
Everything orange cloud.

Multiple A records do nothing except make it easier to have a typo in the IP address somewhere. CNAME is better for subdomains that point to the main domain. Easier to maintain if the IP ever changes.

You do not want a wildcard CNAME or A record! Cloudflare free does not support them for SSL. Ideally you want CF SSL strict mode on too.

DNS caching and propagation can be tricky, personally I find CF change immediate.
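
Added example (not part of any post above, and not PGBlitz or Cloudflare code): a small pre-deploy audit of a record list against the advice in this thread, namely one proxied A record, CNAMEs for subdomains, no wildcard, and a public rather than internal address. The record dictionaries, the `audit_records` helper and the IP `203.0.113.10` are constructed for illustration; the names follow the layout posted earlier.

```python
import ipaddress

# RFC 1918, loopback and link-local ranges: addresses seen inside Docker or a
# LAN (e.g. the IPs Portainer shows), which must not go into public DNS.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample mirroring the record layout posted in the thread;
# 203.0.113.10 is a documentation address standing in for "myIP".
RECORDS = [
    {"type": "A", "name": "*", "value": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "mydomain.com", "value": "203.0.113.10", "proxied": False},
    {"type": "CNAME", "name": "www", "value": "mydomain.com", "proxied": True},
    {"type": "CNAME", "name": "portainer", "value": "mydomain.com", "proxied": True},
]

def audit_records(records):
    """Return (record name, finding) tuples for a list of DNS record dicts."""
    findings = []
    a_names = {r["name"] for r in records if r["type"] == "A"}
    for r in records:
        name = r["name"]
        if name.startswith("*"):
            # Wildcards are served directly, so every label reveals the origin.
            findings.append((name, "wildcard record: served directly, not proxied"))
        elif not r["proxied"]:
            findings.append((name, "not proxied: DNS answer exposes the origin IP"))
        if r["type"] == "A":
            ip = ipaddress.ip_address(r["value"])
            if any(ip in net for net in INTERNAL):
                findings.append((name, "A record holds an internal address"))
        elif r["type"] == "CNAME" and r["value"] not in a_names:
            findings.append((name, "CNAME target has no A record in this zone"))
    if len(a_names) > 1:
        findings.append(("zone", "more than one A record: the IP is duplicated"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_records(RECORDS):
        print(f"{name}: {finding}")
```

Running the audit before each Traefik redeploy avoids spending a Let's Encrypt attempt on a record layout that cannot pass.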
 
