Score:1

Default certificate does not work in traefik v2 and docker compose

I am trying to setup traefik as a container and I can't get my existing certificates to work. This worked when I had this defined in traefik_dynamic.toml but I can't get it working via the labels entry in the docker compose file.

My traefik.toml contains:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "DEBUG"

[accessLog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

My docker-compose YAML contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      - "traefik.port=8080"

      # Create middlewares (authentication)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:[snip]"

      # Configure web entrypoint rules(":80")
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem" 
      - "traefik.tls.stores.default.defaultCertificate.keyFile=/example.live.privkey.pem" 

      # Use Middlewares for basic auth
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

I'd like to know how to get traefik to use the default certificate for any service (either in traefik.toml or in the labels: section of docker-compose.yml). And note: I don't want to use traefik's own letsencrypt integration; it needs to use a cert that is in files somewhere on the system (regardless of whether it is currently letsencrypt that is providing the cert).

Note: this worked earlier in traefik_dynamic.toml:

  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

(I also have a problem accessing the dashboard even with the self-signed certificate that traefik generates — I just get 404s, but the cert is the first problem I'm trying to solve). [UPDATE: that problem was a misconfiguration also, see the provided answer below for the working result]
Score:1
The answer is: not doable via docker compose labels. I now have some shared dynamic settings in a 'file provider'.

traefik.toml:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "WARN"

[accesslog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  debug = true
  insecure = false

# This file provider contains the following settings which are shared across other providers:
# - basic auth
# - default cert
[providers.file]
  watch = true
  filename = "/etc/traefik/shared_providers_dynamic.toml"

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

shared_providers_dynamic.toml:

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "(snip):(snip)"
  ]

[http.middlewares.mylan.ipWhiteList]
  sourceRange = ["(snip)", "(snip)"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

And docker-compose.yml contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "443:443"
    labels:
      - "traefik.enable=true"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # Labels are a key/value map, so a second "...middlewares=" label would
      # silently replace the first; list both middlewares comma-separated instead
      - "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file,mylan@file"
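As an added check (not part of the answer above), the following script folds a compose `labels:` list into a map the way Docker does and flags the three things that trip people up in this thread: a duplicated label key (the last value silently wins), the v1-only `traefik.port` label, and `traefik.tls.stores.*` labels, which the docker provider does not honour and which belong in a file provider. The sample labels are constructed from the question and the answer.

```python
"""Lint Traefik v2 docker-compose labels for the pitfalls seen in this thread."""
from typing import Dict, List, Tuple

# Constructed sample: the answer's labels plus two lines from the question.
# The duplicate middleware labels are kept on purpose to show what a map does.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.port=8080",
    "traefik.http.routers.traefik-secure.entrypoints=websecure",
    "traefik.http.routers.traefik-secure.tls=true",
    "traefik.http.routers.traefik-secure.service=api@internal",
    "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file",
    "traefik.http.routers.traefik-secure.middlewares=mylan@file",
    "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem",
]


def parse_labels(labels: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Fold 'key=value' strings into a map; like Docker, the last value for a
    key wins. Returns the map and a list of warnings about lost values."""
    result: Dict[str, str] = {}
    warnings: List[str] = []
    for raw in labels:
        key, sep, value = raw.partition("=")
        if not sep:
            warnings.append(f"malformed label (no '='): {raw!r}")
            continue
        if key in result:
            warnings.append(
                f"duplicate label {key!r}: {result[key]!r} is silently replaced "
                f"by {value!r}; use a comma-separated list in one label instead"
            )
        result[key] = value
    return result, warnings


def lint_labels(labels: List[str]) -> List[str]:
    """Return human-readable findings for a compose label list."""
    label_map, findings = parse_labels(labels)
    for key in label_map:
        if key == "traefik.port":
            findings.append("'traefik.port' is a v1 label; v2 uses "
                            "'traefik.http.services.<name>.loadbalancer.server.port'")
        elif key.startswith("traefik.tls.stores."):
            findings.append(f"{key!r}: TLS stores and the default certificate are "
                            "not read from docker labels; define them in a file provider")
    return findings


if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS):
        print("-", finding)
```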