About using user-defined certificates with letsencrypt certificatesResolvers

Traefik Traefik v2
1

I am using common traefik.yaml file for multiple environments. In some environments I am using letsencrypt and in some user-defined certificates. Can you tell me are the below configurations correct? Can I call user-defined certs under customCertResolver? For letsencrypt it works.

Traefik.yaml

entrypoints:
  http:
    address: :80
  https:
    address: :443
    http:
      tls: {}

certificatesResolvers:
  letsencrypt:
    acme:
      storage: /traefik/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
  
  customCertResolver:
    tls:
      certificates:
        - certFile: "/var/run/secrets/traefik_tls_cert"
          keyFile: "/var/run/secrets/traefik_tls_key"

I am calling these certResolver from router file like this:
traefik.http.routers.grafana.tls.certResolver: "{{ tls_cert_resolver }}"

{{ tls_cert_resolver }} This could be either letsencrypt or customCertResolver for different environments.

2

This is not how it usually works, check static config file reference.

Custom TLS certs are loaded in a dynamic config file (doc), which you load in static config with providers.file. The you just enable TLS on entrypoint or router (yaml tls: {}, labels tls=true).

3

Well, here is my complete traefik file:

api:
  dashboard: true

providers:
  file:
    directory: /etc/traefik/config/
    watch: true
  swarm:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false

entrypoints:
  http:
    address: :80
  https:
    address: :443
    http:
      tls: {}
  
certificatesResolvers:
  letsencrypt:
    acme:
      storage: /traefik/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
  
  customCertResolver:
    tls:
      certificates:
        - certFile: "/etc/traefik/config/traefik_tls_cert"
          keyFile: "/etc/traefik/config/traefik_tls_key" 

log:
  level: INFO

and my router labels are as follow:

labels:
        com.docker.stack.image: "{{ service.image }}"
        traefik.enable: "true"
        traefik.http.routers.grafana.entrypoints: "https"
        traefik.http.routers.grafana.rule: "Host(`{{ qa_domain }}`) && PathPrefix(`/`)"
        traefik.http.routers.grafana.service: "grafana"
        traefik.http.services.grafana.loadbalancer.server.port: "8080"
        traefik.http.routers.grafana.tls: "true"
        traefik.http.routers.grafana.tls.certResolver: "{{ tls_cert_resolver }}"

The question remains the same

I am calling these certResolvers from the router file like this:
traefik.http.routers.grafana.tls.certResolver: "{{ tls_cert_resolver }}"

{{ tls_cert_resolver }} How can I call our custom certificates for qa env, as we only need letsencrypt for prod? what configurations do I need to provide? I tried as described above by creating customCertResolver, but it doesn't seem to be working. what is missing?

4

Format you config with 3 backticks before and after, in yaml every space matters.

As stated before, Traefik static config has no certFile, so this should not work.