Trying to setup Docker/Traefik on Raspberry Pi 5 but getting: "...invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection"

So I have had my server on scaleway.com for a while now, using the Traefik/Docker Swarm/Let's Encrypt setup on that server without a problem. I am now trying to move my server to a local setup using a Raspberry Pi 5. However, I keep getting messages saying ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.otherrealm.org]: error: one or more domains had a problem:\n[traefik.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["traefik.otherrealm.org"] providerName=le.acme routerName=traefik-public-https@swarm rule=Host(traefik.otherrealm.org)
My Docker compose file (below) is pretty much the same as it was when I successfully had it set up on Scaleway. Has anyone gotten Let's Encrypt to work with a Raspberry Pi?
Thanks, below are the details of my setup:

My domains are:
https://theotherrealm.org/
https://otherrealm.org/

I ran this command:
docker stack deploy -c traefik.yml traefik

It produced this output when I ran this command:

docker service logs -tf traefik
...(repeats constantly)...
2025-11-22T03:03:47.259561603Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.otherrealm.org]: error: one or more domains had a problem:\n[traefik.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["traefik.otherrealm.org"] providerName=le.acme routerName=traefik-public-https@swarm rule=Host(`traefik.otherrealm.org`)
2025-11-22T03:03:47.887008112Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:47.887052112Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:48.691452366Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:48Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: error: one or more domains had a problem:\n[portainer.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm rule=Host(`portainer.otherrealm.org`)
2025-11-22T03:03:49.309322272Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:49Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:49.309532457Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:49Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:50.435998201Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:50Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:50.436081238Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:50Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:50.976543355Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:50Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:50.976997911Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:50Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:55.962336881Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:55Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [edge.otherrealm.org]: error: one or more domains had a problem:\n[edge.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["edge.otherrealm.org"] providerName=le.acme routerName=edge-https@swarm rule=Host(`edge.otherrealm.org`)
2025-11-22T03:03:56.307087027Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:56Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:56.307192471Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:56Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:57.099619093Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:57Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:57.100110557Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:57Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:04:03.608261964Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:03Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: error: one or more domains had a problem:\n[portainer.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm rule=Host(`portainer.otherrealm.org`)
2025-11-22T03:04:04.049640664Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:04Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:04:04.049768164Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:04Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:04:05.855134635Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:05Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:04:05.855196042Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:05Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:04:08.162202697Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:08Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:04:08.162264253Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:08Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
………

My web server is (include version):
Docker version 29.0.2, build 8108357 / traefik:latest

The operating system my web server runs on is (include version):
Raspberry Pi 5 64bit
Kernel version 6.12
Debian version 13 (trixie)

My hosting provider, if applicable, is:
Selfhosted (Xfinity Home is my internet service provider)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No (I use my own instance of Traefik/Portainer but need to have a certificate to access that interface)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Latest Version (auto integrated via docker)

My Docker setup:

services:
  traefik:
    # Use the latest Traefik image available
    image: traefik:latest
    # restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    env_file: ../secrets/.env
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    dns:
      - 8.8.8.8
      - 8.8.4.4
      - 1.1.1.1
    deploy:
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
          - node.role == manager
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label traefik.constraint-label=traefik-public
        # When you first create the network, you need to create the node id
        # A.K.A:  export NODE_ID=$(docker info -f '{{.Swarm.NodeID}}')
        #         docker node update --label-add traefik-public.traefik-public-certificates=true $NODE_ID
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the variables in the .env
        - traefik.http.middlewares.admin-auth.basicauth.users=[a hashed password]
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`traefik.otherrealm.org`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`traefik.otherrealm.org`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the le (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
        ## Headers
        # Secure things by adding a number of security headers
        - traefik.http.routers.traefik-public.middlewares=traefik-headers,middlewares-rate-limit@file
        - traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT
        - traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworiginlist=https://theotherrealm.org,https://otherrealm.org/
        - traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100
        - traefik.http.middlewares.traefik-headers.headers.addvaryheader=true
        - traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.otherrealm.org
        - traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host
        - traefik.http.middlewares.traefik-headers.headers.sslredirect=true
        - traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.otherrealm.org
        - traefik.http.middlewares.traefik-headers.headers.sslforcehost=true
        - traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https
        - traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000
        - traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true
        - traefik.http.middlewares.traefik-headers.headers.stspreload=true
        - traefik.http.middlewares.traefik-headers.headers.forcestsheader=true
        - traefik.http.middlewares.traefik-headers.headers.framedeny=true
  #      - traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN # This option overrides FrameDeny
        - traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true
        - traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true
  #      - traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';
        - traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin
        - traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';
        - traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,
        # - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true
        # - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex="https://(.*)/.well-known/(card|cal)dav"
        # - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement = "https://$${1}/remote.php/dav/"
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates
      - traefik-public-certificates:/certificates/
    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Add a constraint to only use services with the label traefik.constraint-label=traefik-public
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # - --providers.docker.network=proxy
      # Enable Docker Swarm mode
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedbydefault=false
      # Create an entrypoint http listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint https listening on port 443
      - --entrypoints.https.address=:443
      # Use staging during dev
      # https://acme-staging-v02.api.letsencrypt.org/directory
      # https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # Create the certificate resolver le for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=the@otherrealm.org
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true    
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
  agent:
    image: portainer/agent:latest
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent-network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    ports:
      - "9443:9443"
      - "9000:9000"
      - "8000:8000"
    volumes:
      - portainer_data:/data
    networks:
      - traefik-public
      - agent-network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.routers.portainer-http.rule=Host(`portainer.otherrealm.org`)
        - traefik.http.routers.portainer-http.service=portainer
        - traefik.http.routers.portainer-http.entrypoints=http
        - traefik.http.routers.portainer-http.middlewares=https-redirect
        - traefik.http.routers.portainer-https.rule=Host(`portainer.otherrealm.org`)
        - traefik.http.routers.portainer-https.service=portainer
        - traefik.http.routers.portainer-https.entrypoints=https
        - traefik.http.routers.portainer-https.tls=true
        - traefik.http.routers.portainer-https.tls.certresolver=le
        - traefik.http.services.portainer.loadbalancer.server.port=9000
        - traefik.http.middlewares.portainer-http2https.redirectscheme.scheme=https
        - traefik.http.middlewares.portainer-http2https.redirectscheme.permanent=true
        - traefik.http.routers.portainer-http.middlewares=portainer-http2https
        - traefik.http.routers.edge-http.rule=Host(`edge.otherrealm.org`)
        - traefik.http.routers.edge-http.service=edge
        - traefik.http.routers.edge-http.entrypoints=http
        - traefik.http.routers.edge-http.middlewares=https-redirect
        - traefik.http.routers.edge-https.rule=Host(`edge.otherrealm.org`)
        - traefik.http.routers.edge-https.service=edge
        - traefik.http.routers.edge-https.entrypoints=https
        - traefik.http.routers.edge-https.tls=true
        - traefik.http.routers.edge-https.tls.certresolver=le
        - traefik.http.services.edge.loadbalancer.server.port=8000
        - traefik.http.middlewares.edge-http2https.redirectscheme.scheme=https
        - traefik.http.middlewares.edge-http2https.redirectscheme.permanent=true
        - traefik.http.routers.edge-http.middlewares=edge-http2https

volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
  # Create a volume to store the Portainer data
  portainer_data:
networks:
  # Use the previously created public network traefik-public, shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    external: true
  # Another network for Portainer
  agent-network:
    external: true
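The Traefik log lines quoted in this post (and the rate-limit line further down the thread) all carry the same fields: the ACME error type (urn:ietf:params:acme:error:connection, urn:ietf:params:acme:error:rateLimited), the domain being ordered, and for connection failures the IP the CA tried to reach. The following triage script is an added example, not code from the thread or from Traefik: it parses that format, counts failures per domain and error type, lists the missing middleware referenced by the unrelated errors, and maps each ACME error type to what a defender should check. The sample lines are constructed copies of the ones above, shortened and with the unpause JWT replaced by a placeholder.

```python
"""Triage Traefik ACME log lines: count failures per domain and explain the error type.

Added example; the SAMPLE_LOG lines are constructed from the ones posted in the thread
(shortened, with the unpause token replaced by a placeholder).
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r'''
2025-11-22T03:03:47.259561603Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.otherrealm.org]: error: one or more domains had a problem:\n[traefik.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["traefik.otherrealm.org"] providerName=le.acme routerName=traefik-public-https@swarm
2025-11-22T03:03:47.887008112Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:47.887052112Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:47Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:48.691452366Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:48Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: error: one or more domains had a problem:\n[portainer.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm
2025-11-22T03:03:49.309322272Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:49Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=http routerName=traefik-public@swarm
2025-11-22T03:03:49.309532457Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:49Z ERR error="middleware \"middlewares-rate-limit@file\" does not exist" entryPointName=https routerName=traefik-public@swarm
2025-11-22T03:03:55.962336881Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:03:55Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [edge.otherrealm.org]: error: one or more domains had a problem:\n[edge.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["edge.otherrealm.org"] providerName=le.acme routerName=edge-https@swarm
2025-11-22T03:04:03.608261964Z traefik_traefik.1.gbfgloxj9l2d@or    | 2025-11-22T03:04:03Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: error: one or more domains had a problem:\n[portainer.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm
2025-11-22T19:37:38.306612235Z traefik_traefik.1.q14qvgh0thrr@or | 2025-11-22T19:37:38Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: acme: error: 429 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Your account is temporarily prevented from requesting certificates for portainer.otherrealm.org and possibly others. Please visit: https://portal-staging.letsencrypt.org/sfe/v1/unpause?jwt=JWT_PLACEHOLDER" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm
'''

# One Traefik service log line: "<docker ts> <task>    | <traefik ts> <LEVEL> <message>"
LINE_RE = re.compile(r'^(\S+Z)\s+(\S+)\s+\|\s+(\S+Z)\s+(\w+)\s+(.*)$')
DOMAIN_RE = re.compile(r'domains=\["([^"]+)"\]')
ACME_ERR_RE = re.compile(r'urn:ietf:params:acme:error:(\w+)')
# For connection errors the CA reports the IP it dialled and why it gave up; the message
# text ends at the literal backslash-n that Traefik writes before the closing quote.
CONN_RE = re.compile(r'acme:error:connection :: (\d{1,3}(?:\.\d{1,3}){3}): ([^\\"]+)')
MW_RE = re.compile(r'middleware \\"([^"\\]+)\\" does not exist')

# Defender-side reading of the ACME error types defined in RFC 8555 section 6.7.
INTERPRETATION = {
    "connection": "the CA could not open a TCP connection to the IP your DNS points at: "
                  "check the A record, router port-forwarding/NAT, host firewall and CGNAT",
    "rateLimited": "the account is paused after too many failed orders: stop the client "
                   "from retrying, then use the unpause link in the message",
    "dns": "the CA could not resolve the name: check the zone's A/AAAA records",
    "unauthorized": "the CA connected but got the wrong challenge response: another "
                    "service may be answering on the challenge port",
}


def classify(line):
    """Parse one log line into a record, or return None for lines not in Traefik's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    docker_ts, task, _traefik_ts, level, msg = m.groups()
    rec = {"ts": docker_ts, "task": task, "level": level, "kind": "other",
           "domain": None, "acme_error": None, "ca_ip": None, "reason": None, "middleware": None}
    mw = MW_RE.search(msg)
    if mw:
        rec["kind"], rec["middleware"] = "missing_middleware", mw.group(1)
        return rec
    dom, err = DOMAIN_RE.search(msg), ACME_ERR_RE.search(msg)
    if dom and err:
        rec["kind"], rec["domain"], rec["acme_error"] = "acme_failure", dom.group(1), err.group(1)
        conn = CONN_RE.search(msg)
        if conn:
            rec["ca_ip"], rec["reason"] = conn.group(1), conn.group(2).strip()
    return rec


def summarize(log_text):
    """Aggregate a log excerpt: failures per domain and error type, missing middlewares, CA-reported IPs."""
    failures = defaultdict(Counter)
    middlewares = Counter()
    ca_ips = set()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        if rec["kind"] == "acme_failure":
            failures[rec["domain"]][rec["acme_error"]] += 1
            if rec["ca_ip"]:
                ca_ips.add(rec["ca_ip"])
        elif rec["kind"] == "missing_middleware":
            middlewares[rec["middleware"]] += 1
    return {"failures": {d: dict(c) for d, c in failures.items()},
            "missing_middlewares": dict(middlewares),
            "ca_ips": sorted(ca_ips)}


def explain(summary):
    """Turn a summary into one actionable sentence per (domain, error type)."""
    lines = []
    for domain, errors in summary["failures"].items():
        for err, n in errors.items():
            lines.append(f"{domain}: {n}x {err}: {INTERPRETATION.get(err, 'see the ACME error message')}")
    for mw, n in summary["missing_middlewares"].items():
        lines.append(f"router references undefined middleware {mw} ({n}x); unrelated to ACME but fix or remove it")
    return lines


if __name__ == "__main__":
    for line in explain(summarize(SAMPLE_LOG)):
        print(line)
```

Pipe a real excerpt in with `docker service logs traefik | python3 triage.py` (after changing the `__main__` block to read stdin) and the per-domain counts show at a glance whether every name fails the same way, which is what points at a network-path problem rather than one misconfigured router, and how fast the client is retrying, which is what drives the staging rate limit seen later in the thread.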

I don't know that much about Traefik but HTTP requests on port 80 are not getting any reply. Not even for your "home" page. Should that be working?

Because I'm guessing you are using an HTTP Challenge which requires HTTP port 80 requests to get a reply. The error you show says they are not.

Have you checked your router port forwarding and/or NAT config? Are you sure your ISP supports inbound requests to your system?

curl -i -m5 http://traefik.otherrealm.org
curl: (28) Connection timed out after 5001 milliseconds
3 Likes

Hello @TheOtherRealm, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug shows that a connection cannot be made to Port 80 for the HTTP-01 challenge.

https://letsdebug.net/theotherrealm.org/2629384

https://letsdebug.net/traefik.otherrealm.org/2629385

And it is also true from around the world. Permanent link to this check report

Best Practice - Keep Port 80 Open

1 Like

Thanks for noticing that! My theotherrealm.org account is under a different DNS host email, and it completely skipped my mind to switch the IP for that domain. There was another sub-domain that I didn't switch as well. Now I'm getting a rate-limit message (below). I shut down the server and will try again in a couple of hours.
2025-11-22T19:37:38.306612235Z traefik_traefik.1.q14qvgh0thrr@or | 2025-11-22T19:37:38Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portainer.otherrealm.org]: acme: error: 429 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Your account is temporarily prevented from requesting certificates for portainer.otherrealm.org and possibly others. Please visit: https://portal-staging.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc2NTA0OTg1OCwiaWF0IjoxNzYzODQwMjU4LCJpZGVudGlmaWVycyI6InBvcnRhaW5lci5vdGhlcnJlYWxtLm9yZyIsImlzcyI6IldGRSIsInN1YiI6IjIxMzc4NzQ5NCIsInZlcnNpb24iOiJ2MSJ9.XYyw7x-mBwHGmjAbW-bmbYwgb6ZLP4XzwnMMRzppQRc" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["portainer.otherrealm.org"] providerName=le.acme routerName=portainer-https@swarm rule=Host(portainer.otherrealm.org)

Hmm, no, still getting the 2025-11-22T20:07:05.448099977Z traefik_traefik.1.sw74zw38sk21@or | 2025-11-22T20:07:05Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.otherrealm.org]: error: one or more domains had a problem:\n[traefik.otherrealm.org] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:connection :: 73.89.206.113: Timeout during connect (likely firewall problem)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["traefik.otherrealm.org"] providerName=le.acme routerName=traefik-public-https@swarm rule=Host(traefik.otherrealm.org) message :thinking:

No one seems able to connect to you with HTTP on port 80 still.

2 Likes

I had shut down the server because I needed to do other things and I didn't want to run into rate limiting stuff. I brought it back up but am still getting the same errors. The code is basically the same as it was on my server that was working, so I think it is something related to the configuration of the Raspberry Pi or my router/modem.

The rate limit error is very difficult to reach. It only happens after a very large number of failed requests. Sometimes with a system that is being ignored. Or an ACME Client that has faulty error retry logic. Perhaps the Traefik ACME Client went rogue or got stuck and retried failures far too frequently. That "unpause" is explained here: Rate Limits - Let's Encrypt

That rate limit on the Staging system only activates after 3600 failures in 6 hours.

2 Likes

Yeah, I haven't had that issue recently, and I realized that there is a link that you can use to turn the limit back off. I think I was getting that when I had a few of the domains/subdomains that were still on the old IP, which I have fixed. I am pretty sure it is a firewall issue, but I haven't figured out where the connection is failing/being blocked.

Yeah, start at your router and work your way back to the machine running Traefik.

Look for any kind of firewall and/or port-forwarding/NAT there. Make sure any network routing is getting to your Traefik machine.

Are you certain your ISP allows inbound connections? For example, some residential ISPs use CGNAT, which won't allow inbound connections.

2 Likes
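The checks suggested above (a stale A record after moving the server, a missing port-forward, and CGNAT at the ISP) can be scripted. This is an added example, not code from the thread or from Let's Debug: it compares what DNS returns for a name with the public IP the host is supposed to have, flags a WAN address in the RFC 6598 shared range 100.64.0.0/10 as CGNAT, and probes the challenge ports, distinguishing "refused" (packets reach a host that has nothing listening) from "timeout" (packets are dropped somewhere on the path). The IP 203.0.113.7 used as a stale record and 100.72.1.5 used as a CGNAT address are constructed; 73.89.206.113 is the address from the log lines in this thread.

```python
"""Reachability and DNS sanity checks for an ACME challenge host (added example, not from the thread)."""
import ipaddress
import socket

# RFC 6598 shared address space; an ISP that hands out a WAN address here is doing CGNAT,
# and no port-forward on the home router can make inbound connections work.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def is_cgnat(ip):
    return ipaddress.ip_address(ip) in CGNAT_RANGE


def is_public(ip):
    """True for globally routable addresses (excludes RFC 1918, loopback and CGNAT space)."""
    return ipaddress.ip_address(ip).is_global


def tcp_reachable(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout', 'unresolved' or 'error:<errno>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # a host answered: routing works, nothing listens (or a firewall rejects)
    except (socket.timeout, TimeoutError):
        return "timeout"          # packets silently dropped: NAT, firewall or CGNAT on the path
    except socket.gaierror:
        return "unresolved"
    except OSError as exc:
        return f"error:{exc.errno}"


def diagnose(hostname, expected_ip, wan_ip=None, ports=(80, 443),
             resolve=socket.gethostbyname, probe=tcp_reachable):
    """Collect (code, detail) findings; resolve/probe are injectable so the logic can be tested offline."""
    findings = []
    try:
        resolved = resolve(hostname)
    except socket.gaierror:
        return [("dns_unresolved", hostname)]
    if resolved != expected_ip:
        # The mistake described in this thread: the zone still points at the old server's IP.
        findings.append(("dns_mismatch", resolved))
    if wan_ip is not None and is_cgnat(wan_ip):
        findings.append(("cgnat", wan_ip))
    for port in ports:
        status = probe(resolved, port)
        if status != "open":
            findings.append((f"port_{status}", port))
    return findings


def demo_local():
    """Show the open/refused distinction on loopback without any network access."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=2)
    return while_open, after_close


if __name__ == "__main__":
    # Real run: resolves the name and probes from wherever this script executes.
    for finding in diagnose("traefik.otherrealm.org", "73.89.206.113"):
        print(finding)
```

Run it from outside the home network (a phone hotspot or a cloud shell): from inside the LAN, the router answers for its own public address, which is exactly what the last post in this thread observes, so a local probe says nothing about what the CA sees.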

Here are the contents of docker network inspect traefik-public:

[
    {
        "Name": "traefik-public",
        "Id": "es2s21wtv5lcn91gshct4kaiz",
        "Created": "2025-11-22T20:57:34.797642849-05:00",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.1.0/24",
                    "IPRange": "",
                    "Gateway": "10.0.1.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4097"
        },
        "Labels": {},
        "Peers": [
            {
                "Name": "8ec79c44c87d",
                "IP": "73.89.206.113"
            }
        ],
        "Containers": {
            "0077b942e53bd867f936b6e8454a4e29cb523f3e6c6a54d8f6fb2f531281c92d": {
                "Name": "traefik_portainer.1.syuylz81bvaydl0eehn1fjmhm",
                "EndpointID": "df3efcab846678a24086d057aafdd9ec752d91038e7844b491699ff4dca6f289",
                "MacAddress": "02:42:0a:00:01:28",
                "IPv4Address": "10.0.1.40/24",
                "IPv6Address": ""
            },
            "d180cf89ddf6162a5ab15cd0ed2cdc5323a121b0aade79b9f88435157f396763": {
                "Name": "traefik_traefik.1.zga4zyig9vlkfmoyi8a0prxdv",
                "EndpointID": "61101f2db87a7b50eec808289366b8fb7731a2fb29394dd4f8eed5be00b4488b",
                "MacAddress": "02:42:0a:00:01:25",
                "IPv4Address": "10.0.1.37/24",
                "IPv6Address": ""
            },
            "lb-traefik-public": {
                "Name": "traefik-public-endpoint",
                "EndpointID": "53418c04023f26b781e43124396989b42fb0a2c6b83fb190e72c4ab4c85c97cc",
                "MacAddress": "02:42:0a:00:01:26",
                "IPv4Address": "10.0.1.38/24",
                "IPv6Address": ""
            }
        },
        "Status": {
            "IPAM": {
                "Subnets": {
                    "10.0.1.0/24": {
                        "IPsInUse": 10,
                        "DynamicIPsAvailable": 246
                    }
                }
            }
        }
    }
]

If you are questioning your Docker / Traefik setup you are better off asking about that on the Traefik community: https://community.traefik.io/ So far we have only seen general communications problems. Not something unique or specific to Let's Encrypt.

Some other volunteer(s) with experience with that setup may comment here. I don't have experience with that. If you don't get other comments here, try there.

2 Likes

I am fairly sure the issue is a Xfinity/router thing because I cannot curl to my local public IP address outside of my network but I can run it locally and this gives the router login page. I put my site back up on my old server for now because I need to contact Comcast :roll_eyes:. I will let you know if I still have issues that are not related to this.