Basic example for "https with Let's Encrypt" returns generated certificate

Hi, I'm trying to set up HTTPS on Docker. I've just copied the basic example for the HTTP challenge, yet I can't make it work, however many variations I try.

When I try to access my URL, I get an untrusted certificate error. When I check the certificate, the one sent is the generated certificate, not one signed by Let's Encrypt.

(sorry for the French)

version: '3.7'

services:
  traefik:
    image: "traefik:v2.0"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myhttpchallenge.acme.email=XXXXXX@XXXXXX"
      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    expose:
      - "80"
      - "443"
    volumes:
      - "letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`XXXXXXX`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"

volumes:
  letsencrypt:

The acme.json is complete, with a certificate and key. As for the log, I'm not so sure, since it still talks about generating a certificate:

traefik    | time="2019-11-25T13:08:09Z" level=info msg="Configuration loaded from flags."
traefik    | time="2019-11-25T13:08:09Z" level=info msg="Traefik version 2.0.5 built on 2019-11-14T18:11:01Z"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"myhttpchallenge\":{\"acme\":{\"email\":\"XXXXXX@XXXXXX\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
traefik    | time="2019-11-25T13:08:09Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik    | time="2019-11-25T13:08:09Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=web
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik    | time="2019-11-25T13:08:09Z" level=info msg="Starting provider *acme.Provider {\"email\":\"XXXXXX@XXXXXX\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"myhttpchallenge\",\"store\":{},\"ChallengeStore\":{}}"
traefik    | time="2019-11-25T13:08:09Z" level=info msg="Testing certificate renew..." providerName=myhttpchallenge.acme
traefik    | time="2019-11-25T13:08:09Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Configuration received from provider myhttpchallenge.acme: {\"http\":{},\"tls\":{}}" providerName=myhttpchallenge.acme
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Adding certificate for domain(s) XXXXXX"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Provider connection established with docker 19.03.5 (API 1.40)" providerName=docker
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Filtering disabled container" container=traefik-proxy-7fa4a39907066da8777b9aab61d67fe26c549ea312d8778e8460b65803a54fa7 providerName=docker
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-proxy\",\"rule\":\"Host(`XXXXXX`)\",\"tls\":{\"certResolver\":\"myhttpchallenge\"}}},\"services\":{\"whoami-proxy\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.24.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Adding certificate for domain(s) XXXXXX"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="No default certificate, generating one"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Creating middleware" serviceName=whoami-proxy middlewareType=Pipelining middlewareName=pipelining entryPointName=websecure routerName=whoami@docker
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=whoami@docker serviceName=whoami-proxy
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Creating server 0 http://172.24.0.2:80" routerName=whoami@docker serviceName=whoami-proxy entryPointName=websecure serverName=0
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Added outgoing tracing middleware whoami-proxy" middlewareType=TracingForwarder entryPointName=websecure routerName=whoami@docker middlewareName=tracing
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Try to challenge certificate for domain [XXXXXX] found in HostSNI rule" providerName=myhttpchallenge.acme routerName=whoami rule="Host(`XXXXXX`)"
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="Looking for provided certificate(s) to validate [\"XXXXXX\"]..." routerName=whoami rule="Host(`XXXXXX`)" providerName=myhttpchallenge.acme
traefik    | time="2019-11-25T13:08:09Z" level=debug msg="No ACME certificate generation required for domains [\"XXXXXX\"]." routerName=whoami rule="Host(`XXXXXX`)" providerName=myhttpchallenge.acme

Now I've also tried the dynamic configuration in a traefik.config.toml, targeting a valid cert file and private key for a wildcard domain, and still got the same result.

The only thing I can think of is that I use Docker on Windows, which is also the reason I use a Docker volume to store the acme.json; otherwise I get errors with the chmod levels.

Thank you for your time. Traefik looks promising; I already have everything set up and ready, except for the SSL, which stumps me, which is a shame.

The solution was: port 443 was already in use.

There was no warning from Docker that it couldn't listen on the port. I tried to use another program to sniff my port 443 and check whether I was receiving data, and only then did I get the information that the port was already in use.

For those interested, it was VMware, which was fully stopped and not allowed on startup, yet was still listening on 443... not something I like.
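Added example (not from the original post or the Traefik project): a small Python diagnostic that does what the answer above describes, checking whether anything already answers on 443 and, if so, whose certificate it presents (the posted log shows caServer set to acme-staging-v02, and a staging certificate is also reported as untrusted, so that case is classified too). The name fragments in SIGNATURES (Traefik's "TRAEFIK DEFAULT CERT" fallback, the "Fake LE" and "(STAGING)" Let's Encrypt staging issuers, "Let's Encrypt" for production) and all function names are my assumptions.

```python
"""Who really answers on 443, and whose certificate do they present?"""
import socket
import ssl
# Assumed name fragments; DER stores X.500 name strings verbatim, so a byte
# search over the leaf certificate is enough to tell these cases apart.
SIGNATURES = (
    (b"TRAEFIK DEFAULT CERT", "traefik-default"),  # Traefik's self-signed fallback
    (b"Fake LE", "letsencrypt-staging"),           # acme-staging-v02 issuer (2019)
    (b"(STAGING)", "letsencrypt-staging"),         # later staging issuer names
    (b"Let's Encrypt", "letsencrypt-production"),
)

def port_is_answering(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if some process accepts TCP connections on host:port.
    Docker Desktop can 'publish' 443 silently even when another process
    (a VM in the post above) owns it, so check this before blaming ACME."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_der(der: bytes) -> str:
    """Label a DER-encoded leaf certificate by its likely issuer."""
    for needle, label in SIGNATURES:
        if needle in der:
            return label
    return "other"  # something other than Traefik is answering on this port

def fetch_leaf_der(host: str, port: int, server_name: str) -> bytes:
    """TLS handshake with SNI=server_name; return the leaf certificate as DER.
    Verification is disabled on purpose: a self-signed or staging cert would
    otherwise abort the handshake before it can be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=server_name) as tls:
            # getpeercert() returns {} under CERT_NONE; binary_form keeps the DER
            return tls.getpeercert(binary_form=True)

def loopback_demo() -> tuple:
    """Offline self-check: a listening loopback socket answers, a closed one does not."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = port_is_answering("127.0.0.1", port)
    return while_open, port_is_answering("127.0.0.1", port)
```

Run `port_is_answering(host, 443)` first; if it is true, `classify_der(fetch_leaf_der(host, 443, "your.domain"))` tells you whether the process answering is Traefik with its fallback certificate, Traefik with a staging certificate, or something else entirely.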