traefik and docker files

docker-compose010918.yml

version: "3"

networks:
  proxy:
    external: true
  internal:
    external: false

services:

  traefik:
    image: traefik:1.6.0-alpine
    container_name: traefik
    restart: always
    command: --web --docker --logLevel=DEBUG
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik.toml:/traefik.toml
      - $PWD/acme.json:/acme.json
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    labels:
      - traefik.enable=true
      - traefik.backend=traefik
      - traefik.frontend.rule=Host:monitor.my.vps.net
      - traefik.port=8080
      - traefik.docker.network=proxy
      
  mariadb:
    image: mariadb
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
    networks:
      - internal
    labels:
      - traefik.enable=false

  webwork-db:
    image: mariadb
    volumes:
      - "./.data/db:/var/lib/mysql"
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=webwork
      - MYSQL_USER=webworkWrite
      - MYSQL_PASSWORD:=${MYSQL_ROOT_PASSWORD}
    networks:
      - internal
    labels:
      - traefik.enable=false

  adminer:
    image: adminer:4.3.1-standalone
    labels:
      - traefik.enable=true
      - traefik.backend=adminer
      - traefik.frontend.rule=Host:adminer.my.vps.net
      - traefik.docker.network=proxy
      - traefik.port=8080
    networks:
      - internal
      - proxy
    depends_on:
      - mariadb

  portainer:
    image: portainer/portainer
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      - traefik.enable=true
      - traefik.backend=portainer
      - traefik.docker.network=proxy      
      - traefik.port=9000
      - traefik.frontend.rule=Host:portainer.my.vps.net
    networks:
      - proxy

  kanboard:
    image: kanboard/kanboard:latest
    volumes:
     - kanboard_data:/var/www/app/data
     - kanboard_plugins:/var/www/app/plugins
    networks:
     - proxy
    labels:
      - traefik.enable=true
      - traefik.backend=kanboard
      - traefik.docker.network=proxy      
      - traefik.port=80
      - traefik.frontend.rule=Host:kanboard.my.vps.net

#  blog:
#    build: .
#    image: blog:latest
#    ports:
#     - "1313:1313"
#    command: hugo server --theme=blackburn --buildDrafts --watch
#    volumes:
#     - .:/src
#    labels:
#      - traefik.enable=true
#      - traefik.backend=blog
#      - traefik.docker.network=proxy      
#      - traefik.port=1313
#      - traefik.frontend.rule=Host:blog.my.vps.net
      
volumes:
  portainer_data:
  kanboard_data:
  kanboard_plugins:

docker-traefik

# This is the docker-compose.yml file

version: "3"

networks:
  proxy:
    external: true
  internal:
    external: false

services:

  mariadb:
    image: mariadb
    environment:
       - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
    networks:
      - internal
    labels:
      - traefik.enable=false

  adminer:
    image: adminer:4.3.1-standalone
    labels:
      - traefik.enable=true
      - traefik.backend=adminer
      - traefik.frontend.rule=Host:adminer.my.vps.net
      - traefik.docker.network=proxy
      - traefik.port=8080
    networks:
      - internal
      - proxy
    depends_on:
      - mariadb

  portainer:
    image: portainer/portainer
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      - traefik.enable=true
      - traefik.backend=portainer
      - traefik.docker.network=proxy      
      - traefik.port=8080
      - traefik.frontend.rule=Host:portainer.my.vps.net
  
volumes:
  portainer_data:

traefik.toml

# New version as of August 13, 2018

defaultEntryPoints = ["http", "https"]

[api]
debug = true
address = ":8080"

#  Don't know eher (if anywhere) to put authentication
#  [web.auth.basic]
#  users = ["admin:$apr1$v7kJtvT7$h0F7kxt.lAzFH4sZ8Z9ik."]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]


# Below here comes from www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/
# with values adjusted for local use, of course

# Let's encrypt configuration
[acme]
email="amca01@gmail.com"
storage="acme.json"
acmeLogging=true 
caServer = "https://acme-v01.api.letsencrypt.org/directory"
onDemand = false #create certificate when container is created
onHostRule = true
  # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"

[[acme.domains]]
  main = "my.vps.net"
[[acme.domains]]
  main = "portainer.my.vps.net"
[[acme.domains]]
  main = "monitor.my.vps.net"
[[acme.domains]]
  main = "adminer.my.vps.net"

# Connection to docker host system (docker.sock)

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my.vps.net"
watch = true
# This will hide all docker containers that don't have explicitly  
# set label to "enable"
exposedbydefault = false

traefik_010918.toml

defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:$apr1$v7kJtvT7$h0F7kxt.lAzFH4sZ8Z9ik."]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[traefikLog]
  filePath="./traefik.log"
  format = "json"


# Below here comes from
#   www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/
# with values adjusted for local use, of course

# Let's encrypt configuration
[acme]
email="amca01@gmail.com"
storage="acme.json"
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# caServer = "https://acme-v01.api.letsencrypt.org/directory"
acmeLogging=true 
onDemand = true #create certificate when container is created
onHostRule = true
entryPoint = "https"
  # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
  [acme.httpChallenge]
  entryPoint = "http"

[[acme.domains]]
  main = "my.vps.net"
  sans = ["monitor.my.vps.net", "adminer.my.vps.net", "portainer.my.vps.net", "kanboard.my.vps.net", "webwork.my.vps.net",
 "blog.my.vps.net"]

# Connection to docker host system (docker.sock)

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my.vps.net"
watch = true
# This will hide all docker containers that don't have explicitly  
# set label to "enable"
exposedbydefault = false

Were you able to get this working @amca01?

Wildcard certs require DNS-01 challenge
https://docs.traefik.io/configuration/acme/#wildcard-domains
Try without the wildcard and see if you have Traefik ACME magic.

Some other notes if they're helpful
Double check perms on your acme.json -> chmod 600
Why does it have that path? acme.json should be in the root of the running Traefik container AFAIK. Change your mount ./somepath/acme.json:/acme.json

Don't get rate limited by LE!!! Use STAGING!
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

Deprecate [web] use [api]
https://docs.traefik.io/configuration/api/

create a new entrypoint for your API if you do not dashboard on port 9000 (edit: sorry, I'm drunk (not really), please ignore the port 9000, that's Portainers port IIRC.)

[entryPoints]
...[snip]...
  [entryPoints.dockerapi]
  address = ":8080"

[api]
  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  entryPoint = "dockerapi"

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard = true

  # Enable debug mode.
  # This will install HTTP handlers to expose Go expvars under /debug/vars and
  # pprof profiling data under /debug/pprof/.
  # Additionally, the log level will be set to DEBUG.
  #
  # Optional
  # Default: false
  #
  debug = true

Debug as usual, API (dashboard) should be a little more verbose.

And yes the documentation is ...challenging to say the least.

Best!