Basicauth login issue

sucre182 · February 25, 2024, 12:21pm

Set up traefik based on simple Traefik example.

The containers run successfully and I can see traefik has written a certificate in acme.json. Unfortunately bumping into an annoying basicauth issue, where my credentials aren't being accepted and requested after each submit.

Got the below errors showing in traefik.log and assume related to the login issue. How do I fix this?

2024-02-25T13:00:35+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: error: one or more domains had a problem:\n[traefik.continental34.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)

2024-02-25T13:01:12+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)

And the full Docker config listed below:

version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - 8008:80
      - 8443:443
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/logs:/logs
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$12345$$6789

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.continental34.com`) || Host(`www.whoami.continental34.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

networks:
  proxy:
    name: proxy

bluepuma77 · February 25, 2024, 3:11pm

You don’t use any Cloudflare proxy or tunnel?

Maybe try en-/dis-abling cname:

CNAME support

CNAME are supported (and sometimes even encouraged), but there are a few cases where they can be problematic.

If needed, CNAME support can be disabled with the following environment variable:

LEGO_DISABLE_CNAME_SUPPORT=true

Update: remove www.whoami.continental34.com or create a matching DNS entry.

And you reached the LE usage limits, might need to wait 7 days.

sucre182 · February 27, 2024, 4:59pm

Yes I temporarily disabled cloudflare proxy for testing purposes. When I enable CF proxy for the A & CNAME I get the following timeout in Chrome:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Once I toggle this back to DNS only then traefik & whoami work fine without basic auth. Is this related to the LE timeout or a different problem?

sucre182 · February 27, 2024, 7:43pm

@bluepuma77 my understanding is also that I can't use wildcards and proxy with TLS, so my reasoning was not to enable it yet and switch to dnschallenge in traefik / cloudflare once things are starting to work. Just so I get this correctly, is my current basicauth issue caused by the LE usage limit or not?

Your help is as always welcome

bluepuma77 · February 27, 2024, 8:08pm

In general those two are independent.

The password has to be in hashed format in dynamic config. Furthermore, when in labels, every $ has to be escaped with another $.

sucre182 · February 28, 2024, 8:01am

That's exactly my thought and worry here. I've generated a bunch of passwords over the past weeks with the following command:

htpasswd -nb admin password

No luck and I'm also escaping 3 times each password with another $ in labels section. Even when using the exact same credentials from your simple example I'm getting the same basicauth error... It's driving me nuts by now

Desperately want to fix this, where do I take things from here?

Originally wrote that I stated credentials in command section, this is in labels

bluepuma77 · February 28, 2024, 8:32am

This does not work for you?

labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

It’s the simplest user:test, pass:test example.

sucre182 · February 28, 2024, 9:04am

Nope - I have the exact same 5 lines now. In return I get the following in traefik.log:

2024-02-28T10:01:44+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth

This how my current docker compose looks like:

version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - 8008:80
      - 8443:443
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik/logs:/logs
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.continental34.com`)
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.tls.certresolver=myresolver

networks:
  proxy:
    name: proxy

sucre182 · February 28, 2024, 9:09am

Also just did a system prune --all, removed containers and built compose again. Will it help if I share the full log?

bluepuma77 · February 28, 2024, 10:29am

It works, I think you got confused by the special ports

https://traefik.continental34.com:8443/dashboard/
https://whoami.continental34.com:8443

Note that httpChallenge needs port 80 and tlsChallenge needs port 443. If you can't use those, then you need to use more complex dnsChallenge.

sucre182 · February 28, 2024, 11:45am

I know those links work because I've been using that all the time. The problem is that basicauth is not working on the traefik link. But if I understand you correctly that's caused by tlschallenge requiring port 443 (which is already taken by another nginx server).

So I've rebuilt everything again, commented the tls section out and replaced it for the dns values. Still getting the same issue when accessing:

https://traefik.continental34.com:8443/dashboard/

Is the link wrong, or should I change something else? Arghhh

Revised command & labels below:

    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
#      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@continental34.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
#      - --certificatesresolvers.myresolver.acme.tlschallenge=true
# DNS CHALLENGE
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare
    environment:
      - CF_API_EMAIL=${CFEMAIL}
      - CF_DNS_API_TOKEN=${CFAPI}
#      - LEGO_DISABLE_CNAME_SUPPORT=true

bluepuma77 · February 28, 2024, 1:26pm

Works for me, got asked for user/pass, entered test/test and the Traefik dashboard was shown - in your server

sucre182 · February 28, 2024, 2:14pm

Haha ok, so I was doing something really stupid. Basically I thought that the hash was the actual password. Thanks for clarifying that

I've reset the password, reverted back to tlschallenge and basicauth is indeed working:

2024-02-28T15:05:25+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:86 > Authentication succeeded middlewareName=myauth@docker middlewareType=BasicAuth

Only one ERR remaining in my log now, how do I fix this one?

2024-02-28T15:04:06+01:00 ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:399 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.continental34.com]: error: one or more domains had a problem:\n[traefik.continental34.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 24.132.61.220: Connection refused\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.continental34.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`traefik.continental34.com`)

sucre182 · April 11, 2024, 6:31am

In the end I got the cloudflare dns challenge also working and it was not related to configuration issues in traefik. There were two other issues at play directly in cloudflare:

My api token was not working properly, after creating a new one the dns challenge also started working properly.
My edge certificates were getting a timeout validation error in cloudflare. Disabling the universal SSL settings for 15 min and re-enabling them afterwards again solved that. Then the whole setup started working like a magic, also behind proxy.

@bluepuma77 shoutout to you for helping me out a lot in this process The simplified config was super valuable (incl reading a lot of the traefik docs) and taught me a lot about how traefik really works in the end.

system · April 14, 2024, 6:32am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to generate Let's Encrypt certificates Traefik v2 docker , letsencrypt-acme	8	15692	February 4, 2021
Certificate problem Traefik v2 docker	0	434	December 2, 2021
Unable to obtain ACME certificate despite setting challenge Traefik v1 docker , letsencrypt-acme	1	4776	July 18, 2019
Error renewing certificate from LE: NS returned REFUSED for _acme-challenge Traefik v2 docker , letsencrypt-acme	1	792	March 9, 2022
Unable to obtain ACME certificate for domains - credentials are missing Traefik v2 docker , letsencrypt-acme	6	2357	March 24, 2024

Basicauth login issue

Related topics