Hi, I'm trying to set up HTTPS on Docker. I've just done a copy of the basic example of the HTTP challenge, yet I can't make it work, however many variations I try.
When I try to access my URL, I get an error for an untrusted certificate. When I check the certificate, the one sent is the generated certificate, not one signed by Let's Encrypt.
(sorry for the french)
```yaml
version: '3.7'
services:
  traefik:
    image: "traefik:v2.0"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myhttpchallenge.acme.email=XXXXXX@XXXXXX"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    expose:
      - "80"
      - "443"
    volumes:
      - "letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`XXXXXXX`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
volumes:
  letsencrypt:
```
The acme.json is complete, with a certificate and key. Now on the log, I'm not so sure, since it still talks about generating a certificate:

```
traefik | time="2019-11-25T13:08:09Z" level=info msg="Configuration loaded from flags."
traefik | time="2019-11-25T13:08:09Z" level=info msg="Traefik version 2.0.5 built on 2019-11-14T18:11:01Z"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myhttpchallenge\":{\"acme\":{\"email\":\"XXXXXX@XXXXXX\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
traefik | time="2019-11-25T13:08:09Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik | time="2019-11-25T13:08:09Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=web
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik | time="2019-11-25T13:08:09Z" level=info msg="Starting provider *acme.Provider {\"email\":\"XXXXXX@XXXXXX\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"myhttpchallenge\",\"store\":{},\"ChallengeStore\":{}}"
traefik | time="2019-11-25T13:08:09Z" level=info msg="Testing certificate renew..." providerName=myhttpchallenge.acme
traefik | time="2019-11-25T13:08:09Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Configuration received from provider myhttpchallenge.acme: {\"http\":{},\"tls\":{}}" providerName=myhttpchallenge.acme
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Adding certificate for domain(s) XXXXXX"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Provider connection established with docker 19.03.5 (API 1.40)" providerName=docker
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Filtering disabled container" container=traefik-proxy-7fa4a39907066da8777b9aab61d67fe26c549ea312d8778e8460b65803a54fa7 providerName=docker
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-proxy\",\"rule\":\"Host(`XXXXXX`)\",\"tls\":{\"certResolver\":\"myhttpchallenge\"}}},\"services\":{\"whoami-proxy\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Adding certificate for domain(s) XXXXXX"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Creating middleware" serviceName=whoami-proxy middlewareType=Pipelining middlewareName=pipelining entryPointName=websecure routerName=whoami@docker
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=whoami@docker serviceName=whoami-proxy
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Creating server 0 http://172.24.0.2:80" routerName=whoami@docker serviceName=whoami-proxy entryPointName=websecure serverName=0
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Added outgoing tracing middleware whoami-proxy" middlewareType=TracingForwarder entryPointName=websecure routerName=whoami@docker middlewareName=tracing
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Try to challenge certificate for domain [XXXXXX] found in HostSNI rule" providerName=myhttpchallenge.acme routerName=whoami rule="Host(`XXXXXX`)"
traefik | time="2019-11-25T13:08:09Z" level=debug msg="Looking for provided certificate(s) to validate [\"XXXXXX\"]..." routerName=whoami rule="Host(`XXXXXX`)" providerName=myhttpchallenge.acme
traefik | time="2019-11-25T13:08:09Z" level=debug msg="No ACME certificate generation required for domains [\"XXXXXX\"]." routerName=whoami rule="Host(`XXXXXX`)" providerName=myhttpchallenge.acme
```
Now I've also tried with the dynamic configuration in a traefik.config.toml, targeting a valid cert file and private key for a wildcard domain, and still got the same result.
The only thing I can think of is that I use Docker on Windows, which is also the reason I use a Docker volume to store the acme.json; otherwise I get an error with the chmod levels.
Thank you for your time. Traefik looks promising, and I already have everything set up and ready, except for the SSL that stumps me, which is a shame.
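An added diagnostic, not from the original post and not Traefik's own code: the `Static configuration loaded` debug line that Traefik v2 prints at startup carries the effective static configuration as JSON, including each resolver's `caServer` (in the log on this page it is the Let's Encrypt staging directory, whose certificates browsers do not trust). The script below parses that line and reports the settings a defender would want to confirm before trusting what is served; the sample log line is constructed in the same shape, and the entry-point and storage checks are assumptions about what is worth flagging, not Traefik behaviour.

```python
import json
import re

LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed sample, modelled on the "Static configuration loaded" line Traefik v2
# emits at DEBUG level (logrus text format: the message is %q-quoted, so inner
# double quotes appear as \" in the log file).
SAMPLE_LOG = (
    'traefik | time="2019-11-25T13:08:09Z" level=debug msg="Static configuration loaded '
    '{\\"entryPoints\\":{\\"web\\":{\\"address\\":\\":80\\"},\\"websecure\\":{\\"address\\":\\":443\\"}},'
    '\\"api\\":{\\"insecure\\":true,\\"dashboard\\":true},'
    '\\"certificatesResolvers\\":{\\"myhttpchallenge\\":{\\"acme\\":{\\"email\\":\\"admin@example.invalid\\",'
    '\\"caServer\\":\\"https://acme-staging-v02.api.letsencrypt.org/directory\\",'
    '\\"storage\\":\\"/letsencrypt/acme.json\\",\\"httpChallenge\\":{\\"entryPoint\\":\\"web\\"}}}}}"'
)

MSG_RE = re.compile(r' msg="(.*)"\s*$')


def static_config_from_log(line):
    """Return the static configuration dict embedded in a 'Static configuration loaded'
    log line, or None when the line is some other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    # Undo the Go %q quoting (\" and \\) by reading the message as a JSON string.
    msg = json.loads('"' + m.group(1) + '"')
    prefix = "Static configuration loaded "
    if not msg.startswith(prefix):
        return None
    return json.loads(msg[len(prefix):])


def audit_static_config(cfg):
    """Return human-readable findings about the effective ACME and API settings."""
    findings = []
    entrypoints = cfg.get("entryPoints", {})
    for name, resolver in cfg.get("certificatesResolvers", {}).items():
        acme = resolver.get("acme", {})
        if acme.get("caServer") == LE_STAGING:
            findings.append(f"resolver {name}: caServer is the Let's Encrypt staging CA; "
                            "certificates it issues are not trusted by browsers")
        ep = acme.get("httpChallenge", {}).get("entryPoint")
        if ep is not None and ep not in entrypoints:  # assumed check, not Traefik's own
            findings.append(f"resolver {name}: httpChallenge entryPoint {ep!r} is not defined")
        if not acme.get("storage"):  # assumed check: without storage, certs do not persist
            findings.append(f"resolver {name}: no storage path configured")
    if cfg.get("api", {}).get("insecure"):
        findings.append("api.insecure=true: dashboard and API are served without authentication")
    return findings
```

Run it over the real `Static configuration loaded` line from the Traefik log to see which CA directory and which entry point the resolver is actually using.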