Hi all,
I tried translating the docker-compose file from the instructive blog post for use with Docker Swarm. Unfortunately, I cannot retrieve Let's Encrypt certificates using the TLS-ALPN-01 challenge. However, everything works fine when I instead switch to an HTTP-01 challenge. Below is the error in the logs with the TLS challenge.
```
Unable to obtain ACME certificate for domains \"example.com,www.example.com,traefik.example.com\" : unable to generate a certificate for the domains [example.com www.example.com traefik.example.com]: error: one or more domains had a problem:\n[example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n[traefik.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n[www.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n" providerName=certbot.acme
```
Here is my working `docker-compose.yml` that I use to deploy the stack. The external network `public` is an overlay network.
```yaml
version: "3.7"

networks:
  public:
    external: true

volumes:
  cert_data: {}

secrets:
  basic_auth_users:
    file: ./secrets/basic_auth_users.txt

services:
  traefik:
    image: "traefik:v2.2"
    ports:
      - target: 80
        published: 80
      - target: 443
        published: 443
    command:
      - --accesslog=true
      - --api=true
      - --log.level=INFO
      - --accesslog.format=json
      # Configure entrypoints.
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Configure certificate creation.
      - --certificatesresolvers.certbot=true
      - --certificatesresolvers.certbot.acme.httpchallenge=true
      - --certificatesresolvers.certbot.acme.httpchallenge.entrypoint=http
      - --certificatesresolvers.certbot.acme.email=${EMAIL?Variable EMAIL is required!}
      - --certificatesresolvers.certbot.acme.storage=/certificates/acme-v2.json
      # Configure Docker provider.
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - cert_data:/certificates
    secrets:
      - basic_auth_users
    networks:
      - public
      - default
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        # Enable the Traefik dashboard.
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN?Variable DOMAIN is required!}`)"
        - "traefik.http.routers.traefik.entrypoints=https"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.routers.traefik.middlewares=dashboard-auth"
        - "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/run/secrets/basic_auth_users"
        # List the main domain and all subject alternative names (SANs) for which TLS
        # certificates will be requested.
        - "traefik.http.routers.traefik.tls"
        - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN?}"
        - "traefik.http.routers.traefik.tls.domains[0].sans=www.${DOMAIN?},traefik.${DOMAIN?}"
        - "traefik.http.routers.traefik.tls.certresolver=certbot"
        # Redirect all hosts to HTTPS.
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
```
Can anyone spot the problem in my configuration? Thank you for any insights.
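Since the ACME error above is a connection timeout, a first check is whether the port each challenge type requires (TCP/80 for HTTP-01, TCP/443 for TLS-ALPN-01) is both served by a Traefik entrypoint and published by the Swarm service. The script below is an added example, not part of the original post: it re-enters the posted `command` and `ports` values as Python data (plus a constructed TLS-ALPN-01 variant for comparison) and checks them offline without contacting anything.

```python
"""Offline sanity check of Traefik v2 ACME challenge prerequisites.

The CA attempts HTTP-01 on TCP/80 and TLS-ALPN-01 on TCP/443 of the host behind
the DNS name, so the matching entrypoint must listen there and the service must
publish that port. Inputs mirror the compose file's `command` and `ports`.
"""
import re

# Constructed copies of the posted flags: the working HTTP-01 variant, and a
# hypothetical TLS-ALPN-01 variant using Traefik's `acme.tlschallenge` option.
COMMAND_HTTP01 = [
    "--entrypoints.http.address=:80",
    "--entrypoints.https.address=:443",
    "--certificatesresolvers.certbot=true",
    "--certificatesresolvers.certbot.acme.httpchallenge=true",
    "--certificatesresolvers.certbot.acme.httpchallenge.entrypoint=http",
]
COMMAND_TLSALPN01 = COMMAND_HTTP01[:3] + ["--certificatesresolvers.certbot.acme.tlschallenge"]
PORTS = [{"target": 80, "published": 80}, {"target": 443, "published": 443}]

ENTRYPOINT_RE = re.compile(r"^--entrypoints\.(?P<name>[^.]+)\.address=.*?:(?P<port>\d+)(?:/\w+)?$")
RESOLVER_RE = re.compile(r"^--certificatesresolvers\.(?P<name>[^.]+)\.acme\.(?P<key>[\w.]+?)(?:=(?P<val>.*))?$")


def parse_flags(command):
    """Return ({entrypoint: port}, {resolver: {acme option: value}}) from CLI flags."""
    entrypoints, resolvers = {}, {}
    for flag in command:
        if m := ENTRYPOINT_RE.match(flag):
            entrypoints[m["name"]] = int(m["port"])
        elif m := RESOLVER_RE.match(flag):
            # A flag given without "=value" enables the option, as Traefik treats it.
            resolvers.setdefault(m["name"], {})[m["key"]] = "true" if m["val"] is None else m["val"]
    return entrypoints, resolvers


def check_challenge_ports(command, ports):
    """Return findings; an empty list means the challenge port is at least wired up."""
    entrypoints, resolvers = parse_flags(command)
    published = {p["target"]: p["published"] for p in ports}
    findings = []
    for name, opts in resolvers.items():
        if opts.get("tlschallenge", "false").lower() == "true":
            if 443 not in entrypoints.values():
                findings.append(f"{name}: tlschallenge set but no entrypoint listens on :443")
            if published.get(443) != 443:
                findings.append(f"{name}: tlschallenge needs container port 443 published on host port 443")
        if opts.get("httpchallenge", "false").lower() == "true":
            ep = opts.get("httpchallenge.entrypoint")
            if entrypoints.get(ep) != 80:
                findings.append(f"{name}: httpchallenge entrypoint {ep!r} is not listening on :80")
            elif published.get(80) != 80:
                findings.append(f"{name}: httpchallenge needs container port 80 published on host port 80")
    return findings
```

A clean result only proves the port mapping is consistent; a timeout with a correct mapping points at the path in front of the host (firewall, provider, or DNS not resolving to this node).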