ACME cert not applied to specific services(Transmission)

Hi, I have been using Traefik for a while now and there is one thing that I can't resolve.

  • I have almost 30 services being served behind Traefik 2.5.3.
  • All have middleware to force https.
  • All have an ACME signed certificate, a wildcard one "*.11011san.com".

Most use it and are good, but I have 2 different transmission services, using different images, and both refuse to use the ACME cert and use the self-signed cert instead.

docker-compose.yml

version: "3.4"
services:
  transmission-mouse:
    image: linuxserver/transmission
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.transmission-mouse.entrypoints=websecure
      - traefik.http.services.transmission-mouse.loadBalancer.server.port=9091
      - traefik.http.routers.transmission-mouse.middlewares=force-https@file
      - traefik.http.routers.transmission-mouse.rule=Host(`mouse.transmission.11011san.com`)||Host(`mouse.transmission`)
      - traefik.http.routers.transmission-mouse.tls=true
      - traefik.http.routers.transmission-mouse.tls.certresolver=myresolver
      - traefik.http.routers.transmission-mouse.tls.domains[0].main=*.11011san.com
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    networks:
      traefik:
        aliases:
          - transmission-mouse
      dl:
        aliases:
          - transmission-mouse

  transmission-vpn:
    image: haugene/transmission-openvpn:latest
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.transmission-vpn.entrypoints=websecure
      - traefik.http.services.transmission-vpn.loadBalancer.server.port=9091
      - traefik.http.routers.transmission-vpn.middlewares=force-https@file
      - traefik.http.routers.transmission-vpn.rule=Host(`vpn.transmission.11011san.com`)||Host(`vpn.transmission`)
      - traefik.http.routers.transmission-vpn.tls=true
      - traefik.http.routers.transmission-vpn.tls.certresolver=myresolver
      - traefik.http.routers.transmission-vpn.tls.domains[0].main=*.11011san.com
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    healthcheck:
      test: ["CMD", "/etc/scripts/healthcheck.sh"]
      interval: 1m
      timeout: 10s
      retries: 10
      start_period: 40s
    networks:
      traefik:
        aliases:
          - transmission-vpn
      dl:
        aliases:
          - transmission-vpn

  traefik:
    image: traefik
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --metrics.prometheus=true
      - --api.insecure=true
      - --providers.docker
      - --experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody
      - --experimental.plugins.rewrite.version=v0.3.1
      - --configfile=/etc/traefik/traefik.yml
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.traefik.rule=Host(`traefik.11011san.com`)||Host(`traefik`)
      - traefik.http.routers.traefik.entrypoints=websecure,web
      - traefik.http.routers.traefik.middlewares=force-https@file
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=myresolver
      - traefik.http.routers.traefik.tls.domains[0].main=*.11011san.com
      - traefik.http.services.traefik.loadBalancer.server.port=8080
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        aliases:
          - traefik
      monitoring:
        aliases:
          - traefik

# example of a working service
  authelia:
    image: authelia/authelia
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.authelia.rule=Host(`authelia.11011san.com`)||Host(`authelia`)
      - traefik.http.routers.authelia.entrypoints=websecure,web
      - traefik.http.routers.authelia.middlewares=scheme-https@file,regex-https@file
      - traefik.http.routers.authelia.tls=true
      - traefik.http.routers.authelia.tls.certresolver=myresolver
      - traefik.http.routers.authelia.tls.domains[0].main=*.11011san.com
      - traefik.http.services.authelia.loadBalancer.server.port=9091
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    networks:
      traefik:
        aliases:
          - authelia

Some volume and environment have been removed for security, but the service is working, and I can access it. It just doesn't have the ACME cert.

middlewares.yml

http:
  middlewares:
    force-https:
      chain:
        middlewares:
          - "scheme-https"
          - "regex-https"
          - "auth"

    scheme-https:
      redirectScheme:
        scheme: "https"
        permanent: true

    regex-https:
      redirectRegex:
        regex: "^http://(.*)"
        replacement: "https://${1}"
        permanent: true

    auth:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.11011san.com/"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"

traefik.yml

providers:
  docker:
    # When Traefik is started with --configfile, the command-line flags are not
    # merged with the file, so the --providers.docker.exposedbydefault=false flag
    # from docker-compose.yml has no effect; set it here so that only containers
    # carrying traefik.enable=true are exposed.
    exposedByDefault: false
  file:
    # ALL toml files here are loaded
    directory: "/etc/traefik/providers/"
    watch: true
pilot:
  token: "**************"

experimental:
  plugins:
    rewritebody:
      modulename: "github.com/traefik/plugin-rewritebody"
      version: "v0.3.1"
api:
  insecure: true
  dashboard: true

metrics:
  prometheus: {}
  influxDB:
    address: "telegraf:8089"
    addRoutersLabels: true
    addServicesLabels: true
tracing:
  elastic:
    serverURL: "http://apm-server:8200"
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: **************
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 30
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

In the Traefik dashboard, it reports using the same resolver and domain as the other services that have the correct cert.
No relevant logs are generated.
I have looked all over the place and can't find anything similar to this problem; I can share more files if it would be of interest.
If anyone has a suggestion as to what could be wrong, or can say that this is a definite bug, I would appreciate it.

I found the issue. The cert for "*.11011san.com" can't match "vpn.transmission.11011san.com" because it is a sub-subdomain. Thus I needed to set the domain to "*.transmission.11011san.com" and it now works:
- traefik.http.routers.transmission-vpn.tls.domains[0].main=*.transmission.11011san.com
If anyone is having a similar issue, here is a possible problem.

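The matching rule behind that fix, as an added example that is not from the thread or from Traefik: a wildcard label in a certificate name stands for exactly one DNS label (RFC 6125, which is also what Go's crypto/x509 enforces), so "*.11011san.com" covers "authelia.11011san.com" but not "vpn.transmission.11011san.com". The `uncoveredHosts` lint helper and the host list are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesName reports whether a certificate name such as "*.11011san.com"
// covers host. A "*" is honoured only as the entire leftmost label and it
// matches exactly one label, so it can never span a dot.
func matchesName(certName, host string) bool {
	cl := strings.Split(strings.ToLower(certName), ".")
	hl := strings.Split(strings.ToLower(host), ".")
	if len(cl) != len(hl) || hl[0] == "" { // a wildcard consumes exactly one label
		return false
	}
	for i, l := range cl {
		if l != hl[i] && !(i == 0 && l == "*") {
			return false
		}
	}
	return true
}

// uncoveredHosts (hypothetical lint helper) returns the router hosts that no
// name requested via tls.domains (main or sans) would cover.
func uncoveredHosts(hosts, certNames []string) []string {
	var missing []string
	for _, h := range hosts {
		covered := false
		for _, n := range certNames {
			covered = covered || matchesName(n, h)
		}
		if !covered {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Hosts taken from the transmission-vpn and authelia Host() rules above.
	hosts := []string{"vpn.transmission.11011san.com", "authelia.11011san.com"}
	fmt.Println("uncovered by *.11011san.com:", uncoveredHosts(hosts, []string{"*.11011san.com"}))
	fmt.Println("uncovered after the fix:", uncoveredHosts(hosts, []string{"*.11011san.com", "*.transmission.11011san.com"}))
}
```

Running the same check over every router's Host() rule against its tls.domains entries flags any host that would silently fall back to Traefik's default self-signed certificate.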

Hi @11011san,

Thanks for your interest in Traefik, and sorry for the very late answer.
Glad to see you managed to fix the issue and shared the answer.

Have a nice day,
Maxence
