Traefik v2 and Invalid Let's Encrypt Certificate

I’m having issues with Traefik generating the certificate after upgrading from Traefik v1 to v2.
I’m using the Docker provider and have set everything up using labels.

Here is a link to the certificate test: https://check-your-website.server-daten.de/?q=staging.evopoints.co.za

The static traefik.yml config is:

# Traefik v2 static configuration (traefik.yml) as posted: Docker provider,
# two entry points (:80 and :443), one ACME resolver, API/dashboard and logging.
global:
  checkNewVersion: true
  sendAnonymousUsage: false

providers:
  docker:
    # Containers are routed only when they carry the label traefik.enable=true.
    exposedByDefault: false
    watch: true

entryPoints:
  web-insecure:
    address: ":80"

  web-secure:
    address: ":443"
    transport:
      # NOTE(review): every timeout below is 42, the same placeholder value used
      # in Traefik's reference configuration; confirm these are intended.
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42

certificatesResolvers:
  letsencrypt:
    acme:
      email: <private-email>
      # Stores the ACME account key and the certificates' private keys.
      # Traefik expects this file to be readable by its owner only (mode 600).
      storage: acme.json
      # NOTE(review): this is the Let's Encrypt *staging* directory. Staging
      # certificates chain to a test root that browsers and most TLS clients do
      # not trust, so the served certificate is reported as invalid even when
      # issuance succeeds. Staging is for testing the ACME flow; production is
      # used when caServer is omitted. Certificates already stored in acme.json
      # from staging likely need to be cleared after switching (verify).
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # HTTP-01 validation is answered on the plain-HTTP entry point, so port 80
      # must be reachable from the internet for the requested host name.
      httpChallenge:
        entryPoint: web-insecure

api:
  # NOTE(review): insecure mode serves the API and dashboard without
  # authentication on Traefik's internal "traefik" entry point (port 8080 by
  # default). The compose file on this page publishes only 80 and 443, so 8080
  # is not mapped to the host there, but it stays reachable to anything that can
  # connect to the container directly. Prefer insecure: false and a router to
  # api@internal protected by an authentication middleware.
  insecure: true
  dashboard: true
  # Adds debug endpoints to the API; keep enabled only while troubleshooting.
  debug: true

log:
  filePath: /mnt/logs/traefik/traefik.log
  # DEBUG is verbose; ACME errors are written to this log. Lower the level once
  # certificate issuance works.
  level: DEBUG

accessLog:
  filePath: /mnt/logs/traefik/access.log

Here are the relevant snippets from docker-compose.yml:

# docker-compose.yml excerpt as posted: the application, an nginx container for
# static/media paths, and Traefik itself. Routing is configured through labels.
version: '3'

services:

  webapp:
    image: <private registry>
    restart: always

    volumes:
      ... snipped list of volumes ...

    labels:
      - "traefik.enable=true"
      # Create a bunch of required middlewares
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      # NOTE(review): www-redirect is defined here but is not attached to either
      # router below (they reference https-redirect and webapp only).
      # The dots in the regex are unescaped and therefore match any character.
      - "traefik.http.middlewares.www-redirect.redirectregex.regex=^https://evopoints.co.za/(.*)"
      # Note: all dollar signs need to be doubled for escaping.
      # NOTE(review): the replacement below ends in a single bare `$`; the
      # capture-group reference (written with a doubled dollar sign in compose)
      # appears to have been lost when the snippet was posted. Confirm.
      - "traefik.http.middlewares.www-redirect.redirectregex.replacement=https://staging.evopoints.co.za/$"
      - "traefik.http.middlewares.webapp.headers.customrequestheaders.http-x-forwarded-proto=https"
      - "traefik.http.middlewares.webapp.headers.sslredirect=true"
      - "traefik.http.middlewares.webapp.headers.sslforcehost=true"
      - "traefik.http.middlewares.webapp.headers.sslhost=staging.evopoints.co.za"

      # Insecure Entry
      # Port-80 router for the host; its only middleware redirects to https.
      - "traefik.http.routers.webapp-insecure.entrypoints=web-insecure"
      - "traefik.http.routers.webapp-insecure.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp-insecure.middlewares=https-redirect"

      # Secure entry
      # This is the only router that names a certificate resolver, so the
      # certificate for the host is requested through "letsencrypt" from here.
      - "traefik.http.routers.webapp.entrypoints=web-secure"
      - "traefik.http.routers.webapp.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp.tls=true"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.webapp.middlewares=webapp"

  nginx:
    image: <private_registry>
    restart: always
    volumes:
      ... snipped volumnes ...
    labels:
      - "traefik.enable=true"
      # NOTE(review): no server.scheme label is set, so Traefik connects to this
      # backend over plain HTTP on port 443; confirm nginx serves plain HTTP there.
      - "traefik.http.services.nginx.loadbalancer.server.port=443"
      # TLS is enabled without a certresolver; this router presumably relies on
      # the certificate obtained via the webapp router for the same host (verify).
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.entrypoints=web-secure"
      - "traefik.http.routers.nginx.rule=Host(`staging.evopoints.co.za`) && (PathPrefix(`/static`, `/media`) || Path(`/service-worker.js`))"

  traefik:
    image: traefik:v2.1
    restart: always
    # Only 80 and 443 are published; the API port used by api.insecure is not.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(review): access to the Docker socket is equivalent to root on the
      # host. Traefik only needs to read container metadata; consider exposing
      # the socket through a restricted, read-only API proxy instead of mounting
      # it directly into an internet-facing container.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./resources/traefik/traefik.yml:/traefik.yml
      # The host file must already exist as a regular file with mode 600. If the
      # path is missing, Docker creates a directory in its place and certificate
      # storage will likely fail; it holds private keys, so keep it out of VCS.
      - ./resources/traefik/acme.json:/acme.json
      - ./logs/traefik:/mnt/logs/traefik

Source: StackOverflow