I'm starting The Footgun — a new topic in my blog where I share the creative ways I manage to shoot my feet while working with software. :D
This one was tough.
Recently I've migrated my blog server setup to Dokploy (it was running on Dokku previously).
It worked (and kept working) great, but then after a while I've received an alert that the TLS certificates for the app's domains are going to expire soon.
Wait a minute! Aren't those renewed automatically?
Digging the logs of the Traefik server in Dokploy confirmed the problem. The logs contained something like this:
2025-11-18T15:54:51Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [hello.voskoboinyk.com]: error: one or more domains had a problem:\n[hello.voskoboinyk.com] invalid authorization: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 37.27.12.127: Invalid response from http://hello.voskoboinyk.com/.well-known/acme-challenge/TP5MNz8Gy2JkXW3ErLtRYqA6ZC9ioHuBFvdjoVsXpQ4gf: 404\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["hello.voskoboinyk.com"] providerName=letsencrypt.acme routerName=voskoboinykcom-helloworld-rxm0mw-router-websecure-14@file rule=Host(`hello.voskoboinyk.com`)
I've spent a few hours trying different things, changing settings and fruitlessly searching the internet for answers. I've checked Dokploy GitHub issues and discussions, Reddit, and StackOverflow. Nothing. No one seemed to have exactly this problem, yet it was clearly broken on my side.
In the end I've finally found the culprit. Of course, it was me. 🙈
It turned out I've exposed my Blog app as port 80 on the server, which has overriden the main HTTP port used by Traefik with no complaints.
I've added it when trying to fix TLS certificates issues I've got when migrated from Dokku. And then successfully forgot about it.
I've noticed that something was off with port 80 when I was fetching blog's apps subdomains over HTTP via command line — they all served the blog homepage (but worked fine over HTTPS):
> curl http://voskoboinyk.com/ | head -n 15
> curl http://analytics.voskoboinyk.com/ | head -n 15
This was damn hard to find, because:
- the port 80 override was invisible to Traefik routing — everything looked fine there
- the apps worked fine over HTTPs
- because the HTTPS redirects were cached in my browser — accessing the apps over HTTP looked fine in the browser too
Useful learnings
01. Viewing Traefik logs in Dokploy
To access Traefik logs in Dokploy, go to Settings > Web Server > Traefik > View Logs.
02. Accessing HTTP logs in Dokploy
To debug problems, you can activate HTTP requests logs collection in Dokploy to see them right in the interface:
Home > Requests > Activate
03. Accessing Traefik dashboard
To inspect the effective Traefik configuration with all its routes and destination apps, you access Traefik dashboard UI:
Settings > Web Server > Traefik > Enable Dashboard
Once activated, the dashboard can be accessed by visiting http://YOUR_IP:8080.
Routers, Services and Middleware are the sections you might want to check first.
Conclusion
Yes, this took some time to figure out. And maybe Dokploy could be a bit more restrictive about overriding port 80 — it shouln't be that easy to break Traefik configuration, right?
But overall I've learned a lot about how Dokploy works, and I'm happy I've figured it out. And I still love it!
Hopefully, this post will help others having the same problem fixing it faster.
Let me know what you think by pinging me on socials or emailing me.
Cheers! 🖖
