500 Internal Server Error - tls: first record does not look like a TLS handshake

Hi! I'm new to Traefik. I'm running into a weird issue when trying to run a service with Docker/Let's Encrypt.

I'm getting a 500 Internal Server Error when trying to access a service that I have running through Traefik.

In the logs:

time="2019-08-20T22:38:26Z" level=debug msg="Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel."
time="2019-08-20T22:38:26Z" level=debug msg="'500 Internal Server Error' caused by: tls: first record does not look like a TLS handshake"
time="2019-08-20T22:38:26Z" level=debug msg="vulcand/oxy/forward/http: Round trip: https://172.19.0.2:8080, code: 500, Length: 21, duration: 2.696641ms tls:version: 303, tls:resume:false, tls:csuite:cca8, tls:server:jenkins.mydomain.com"

The weird thing is this was working fine yesterday, and after a server restart this started happening.

The SSL certificate seems to be valid (at least going by Chrome/Firefox reporting it as valid).

My acme.json (in /opt/traefik/acme.json):

debug = true

logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
exposedByDefault = false

[api]
dashboard = true

[acme]
email = "myemail@gmail.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[acme.httpChallenge]
entryPoint = "http"

My docker-compose for traefik (/opt/traefik/docker-compose.yml):

version: "3.3"
services:
  traefik:
    image: "traefik:v1.7"
    container_name: "traefik"
    restart: always
    networks:
      - web
    ports:
      - "443:443"
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
networks:
  web:
    external: true

The docker-compose.yml file for the service I'm trying to proxy requests to:

version: '3.7'
services:
  jenkins:
    image: jenkins/jenkins:lts
    container_name: jenkins
    restart: always
    volumes:
      - "jenkins_home:/var/jenkins_home"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "$HOME:/home"
    networks:
      - web
    expose:
      - "8080"
    ports:
      - "8081:8080"
    labels:
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:jenkins.mydomain.com"
      - "traefik.basic.port=8080"
      - "traefik.basic.protocol=http"
      - "traefik.admin.frontend.rule=Host:jenkins.mydomain.com"
      - "traefik.admin.protocol=https"
      - "traefik.admin.port=8080"
networks:
  web:
    external: true
volumes:
  jenkins_home:

I followed the steps in this guide.

Any help would be much appreciated!

Hello @AdrianElder,

Your configuration:

- "traefik.basic.frontend.rule=Host:jenkins.mydomain.com" 
- "traefik.basic.port=8080" 
- "traefik.basic.protocol=http" 
- "traefik.admin.frontend.rule=Host:jenkins.mydomain.com" 
- "traefik.admin.protocol=https" 
- "traefik.admin.port=8080"

Tells traefik to communicate with your container over HTTP on port 8080, and HTTPS over port 8080.

Note that the traefik.port does not configure what port traefik listens on, but what port it uses to communicate with your container.

The error you are seeing is that when traefik tries to connect via HTTP to your container on port 8080, your container is not responding with a proper TLS response.
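The log line in the question shows a round trip to `https://172.19.0.2:8080`, the combination the `traefik.admin.protocol=https` and `traefik.admin.port=8080` labels ask for. The Go sketch below is an added example, not code from the thread or from the Traefik project: it reproduces the same `crypto/tls` error by opening a TLS connection to a plain-HTTP listener, and uses that error to tell which protocol a backend port speaks. The function names `tlsHandshake` and `backendProtocol` are hypothetical, and the two `httptest` servers are constructed stand-ins for a backend container.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// tlsHandshake (hypothetical name) dials addr with TLS, as a proxy does when
// the backend protocol is https, and returns the handshake error, if any.
func tlsHandshake(addr string) error {
	d := &net.Dialer{Timeout: 3 * time.Second}
	// Certificate checks are skipped: the probe only asks whether the port
	// speaks TLS at all, and no application data is sent over the connection.
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
	}
	return err
}

// backendProtocol (hypothetical name) returns "https" when the handshake
// succeeds and "http" when the first bytes back were not a TLS record.
func backendProtocol(addr string) (string, error) {
	err := tlsHandshake(addr)
	if err == nil {
		return "https", nil
	}
	if rh := (tls.RecordHeaderError{}); errors.As(err, &rh) {
		return "http", nil
	}
	return "", err // refused, timed out or closed early: protocol unknown
}

func main() {
	plain := httptest.NewServer(http.NotFoundHandler()) // constructed plain-HTTP backend
	defer plain.Close()
	secure := httptest.NewTLSServer(http.NotFoundHandler()) // constructed TLS backend
	defer secure.Close()
	for _, s := range []*httptest.Server{plain, secure} {
		addr := s.Listener.Addr().String()
		proto, _ := backendProtocol(addr)
		fmt.Printf("%s handshake error: %v, protocol=%s\n", addr, tlsHandshake(addr), proto)
	}
}
```

Pointing `backendProtocol` at the container address and port from the proxy log shows which value the protocol label needs for that port.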