Hi, I have been using Traefik for a while now and there is one thing that I can't resolve.
- I have almost 30 services being served behind Traefik 2.5.3.
- All have middleware to force https.
- All have an ACME signed certificate, a wildcard one "*.11011san.com".
Most use it and are good. But I have 2 different transmission services, using different images, and both refuse to use the ACME cert and use the self-signed cert instead.
docker-compose.yml
version: "3.4"
services:
  transmission-mouse:
    image: linuxserver/transmission
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.transmission-mouse.entrypoints=websecure
      - traefik.http.services.transmission-mouse.loadBalancer.server.port=9091
      - traefik.http.routers.transmission-mouse.middlewares=force-https@file
      - traefik.http.routers.transmission-mouse.rule=Host(`mouse.transmission.11011san.com`)||Host(`mouse.transmission`)
      - traefik.http.routers.transmission-mouse.tls=true
      - traefik.http.routers.transmission-mouse.tls.certresolver=myresolver
      - traefik.http.routers.transmission-mouse.tls.domains[0].main=*.11011san.com
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    networks:
      traefik:
        aliases:
          - transmission-mouse
      dl:
        aliases:
          - transmission-mouse
  transmission-vpn:
    image: haugene/transmission-openvpn:latest
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.transmission-vpn.entrypoints=websecure
      - traefik.http.services.transmission-vpn.loadBalancer.server.port=9091
      - traefik.http.routers.transmission-vpn.middlewares=force-https@file
      - traefik.http.routers.transmission-vpn.rule=Host(`vpn.transmission.11011san.com`)||Host(`vpn.transmission`)
      - traefik.http.routers.transmission-vpn.tls=true
      - traefik.http.routers.transmission-vpn.tls.certresolver=myresolver
      - traefik.http.routers.transmission-vpn.tls.domains[0].main=*.11011san.com
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    healthcheck:
      test: ["CMD", "/etc/scripts/healthcheck.sh"]
      interval: 1m
      timeout: 10s
      retries: 10
      start_period: 40s
    networks:
      traefik:
        aliases:
          - transmission-vpn
      dl:
        aliases:
          - transmission-vpn
  traefik:
    image: traefik
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --metrics.prometheus=true
      - --api.insecure=true
      - --providers.docker
      - --experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody
      - --experimental.plugins.rewrite.version=v0.3.1
      - --configfile=/etc/traefik/traefik.yml
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.traefik.rule=Host(`traefik.11011san.com`)||Host(`traefik`)
      - traefik.http.routers.traefik.entrypoints=websecure,web
      - traefik.http.routers.traefik.middlewares=force-https@file
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=myresolver
      - traefik.http.routers.traefik.tls.domains[0].main=*.11011san.com
      - traefik.http.services.traefik.loadBalancer.server.port=8080
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        aliases:
          - traefik
      monitoring:
        aliases:
          - traefik
  # example of a working service
  authelia:
    image: authelia/authelia
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.authelia.rule=Host(`authelia.11011san.com`)||Host(`authelia`)
      - traefik.http.routers.authelia.entrypoints=websecure,web
      - traefik.http.routers.authelia.middlewares=scheme-https@file,regex-https@file
      - traefik.http.routers.authelia.tls=true
      - traefik.http.routers.authelia.tls.certresolver=myresolver
      - traefik.http.routers.authelia.tls.domains[0].main=*.11011san.com
      - traefik.http.services.authelia.loadBalancer.server.port=9091
      - com.centurylinklabs.watchtower.enable=true
    restart: always
    networks:
      traefik:
        aliases:
          - authelia
Some volume and environment entries have been removed for security, but the service is working, and I can access it. It just doesn't have the ACME cert.
middlewares.yml
http:
  middlewares:
    force-https:
      chain:
        middlewares:
          - "scheme-https"
          - "regex-https"
          - "auth"
    scheme-https:
      redirectScheme:
        scheme: "https"
        permanent: true
    regex-https:
      redirectRegex:
        regex: "^http://(.*)"
        replacement: "https://${1}"
        permanent: true
    auth:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.11011san.com/"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
traefik.yml
providers:
  docker: {}
  file:
    # ALL toml files here are loaded
    directory: "/etc/traefik/providers/"
    watch: true
pilot:
  token: "**************"
experimental:
  plugins:
    rewritebody:
      modulename: "github.com/traefik/plugin-rewritebody"
      version: "v0.3.1"
api:
  insecure: true
  dashboard: true
metrics:
  prometheus: {}
  influxDB:
    address: "telegraf:8089"
    addRoutersLabels: true
    addServicesLabels: true
tracing:
  elastic:
    serverURL: "http://apm-server:8200"
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
certificatesResolvers:
  myresolver:
    acme:
      # redacted; quoted so the YAML stays valid (a bare '*' starts an alias)
      email: "**************"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 30
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
In the Traefik dashboard, it reports it as using the same resolver and domain as other services that have the correct cert.
No relevant logs are generated.
I have looked all over the place and can't find anything similar to this problem; I can share more files if it should be of interest.
If anyone has a suggestion as to what could be wrong, or can say that this is a definite bug, I would appreciate it.
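Added example, not part of the original post or of Traefik's code: a small Python model of how a TLS server picks a certificate for the SNI name a client sends. Under RFC 6125 a wildcard SAN covers exactly one DNS label, so `*.11011san.com` covers `authelia.11011san.com` but not `mouse.transmission.11011san.com`; Traefik's certificate store applies the same one-label rule and serves its generated self-signed "TRAEFIK DEFAULT CERT" when nothing in the store matches. The hostnames below are the `Host()` values from the post's routers; the certificate store is constructed here, and the `select_certificate` lookup is a simplification rather than Traefik's implementation. It also shows the general matcher and what changes when a second, one-level-deeper wildcard is present in the store.

```python
"""Model of TLS certificate selection by SNI, to see which hostnames a
wildcard certificate actually covers (added example, not Traefik code)."""

# Subject Traefik uses for its generated self-signed fallback certificate.
DEFAULT_CERT = "TRAEFIK DEFAULT CERT"


def hostname_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: a leading '*' covers exactly one DNS label.

    '*.11011san.com' matches 'authelia.11011san.com' but neither
    'mouse.transmission.11011san.com' nor the bare '11011san.com'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # '.11011san.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # what the '*' would have to absorb
    return bool(leftmost) and "." not in leftmost


def select_certificate(store, sni):
    """Return the name of the first stored cert with a SAN covering `sni`,
    or DEFAULT_CERT when none does (simplified model, an assumption here,
    not Traefik's own store implementation)."""
    for cert in store:
        if any(hostname_matches(san, sni) for san in cert["sans"]):
            return cert["name"]
    return DEFAULT_CERT


def audit(router_hosts, store):
    """Map every router Host() to the certificate it would be served."""
    return {host: select_certificate(store, host) for host in router_hosts}


# Hostnames taken from the Host() rules in the post.
ROUTER_HOSTS = [
    "authelia.11011san.com",
    "traefik.11011san.com",
    "mouse.transmission.11011san.com",
    "vpn.transmission.11011san.com",
]

# Constructed store: the single wildcard the post's resolver is asked for.
WILDCARD_STORE = [{"name": "wildcard-11011san", "sans": ["*.11011san.com"]}]

# Constructed second certificate, a wildcard one label deeper; a plain
# *.11011san.com can never stand in for it.
NESTED_WILDCARD = {"name": "wildcard-transmission",
                   "sans": ["*.transmission.11011san.com"]}


if __name__ == "__main__":
    print("store: *.11011san.com only")
    for host, cert in audit(ROUTER_HOSTS, WILDCARD_STORE).items():
        note = "" if cert != DEFAULT_CERT else "   <-- falls back to self-signed"
        print(f"  {host:35s} {cert}{note}")
    print("store: *.11011san.com + *.transmission.11011san.com")
    for host, cert in audit(ROUTER_HOSTS, WILDCARD_STORE + [NESTED_WILDCARD]).items():
        print(f"  {host:35s} {cert}")
```

Running it lists the two transmission hostnames against `TRAEFIK DEFAULT CERT` with only the single wildcard stored, and against the nested wildcard once that second certificate is present; the same matcher can be pointed at any list of router hostnames and SANs.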