Can not update Let’s Encrypt Certificates traefik

bankmrc054 · September 20, 2022, 8:48am

I don't know what's wrong with my YAML file or traefik config. if someone can help, please?

DOCKER YAML

version: "3.3"

volumes:
   traefik-ssl-certs:
     driver: local

services:

  traefik:
    image: "traefik:v2.8.5"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "traefik.http.routers.myrouter.tls.certresolver=myresolver"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/etc/traefik:/etc/traefik"
      - "traefik-ssl-certs:/ssl-certs"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"

Config

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
# log:
#  level: ERROR  # DEBUG, INFO, WARNING, ERROR, CRITICAL
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
  # format: common  # common, json, logfmt
  # filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: true  # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: ":80"
    # (Optional) Redirect to HTTPS
    # ---
entryPoints:
  web:
    address: ":80"
    # (Optional) Redirect to HTTPS
    # ---
    http:
       redirections:
         entryPoint:
           to: websecure
           scheme: https

  websecure:
    address: ":443"


serversTransport:
  insecureSkipVerify: true



# Configure your CertificateResolver here...
# ---
#certificatesResolvers:
staging:
     acme:
       email: xxxx@xxxx.com
       storage: /etc/traefik/certs/acme.json
       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       httpChallenge:
         entryPoint: web

production:
     acme:
       email: xxxx@xxxx.com
       storage: /etc/traefik/certs/acme.json
       caServer: "https://acme-v02.api.letsencrypt.org/directory"
       httpChallenge:
         entryPoint: web

# (Optional) Overwrite Default Certificates
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /etc/traefik/certs/cert.pem
#         keyFile: /etc/traefik/certs/cert-key.pem
# (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

dmio · September 20, 2022, 10:17pm

It would help if you provided output / logging from startup - but some initial thoughts that need to be fixed up front...

You're configuring traefik with command line flags in Docker. I'd suggest pulling this out into a configuration file if at all possible. Regardless the following command is incorrect:

- "traefik.http.routers.myrouter.tls.certresolver=myresolver"

If you run traefik on the CLI and grep for certresolver you'll find:

# traefik --help | grep certresolver
    --entrypoints.<name>.http.tls.certresolver  (Default: "")

...I could be wrong but it looks like you're conflating traefik labels with command line flags. You also don't provide the traefik container any labels, so I'm not sure it's even being configured.

Finally you reference myresolver as your certresolver. I don't see that in your config - only staging and production. Your config has overlapping entryPoints, as well. And your certificateResolvers section has the root of that config commented out.

You may want to start with a Docker template that's out there to get you going as this looks like it's not complete and misconfigured in a number of places. You could start out with something like the Ibracorp template, although there are a bunch of base templates out there that offer good starting points.

bluepuma77 · September 21, 2022, 11:26am

Where is myresolver defined? In examples it sometimes looks like this:

certificatesResolvers:
  myresolver:
    acme:
      email: email@example.com
      storage: /acme.json
      httpchallenge:
        entrypoint: web

bluepuma77 · September 21, 2022, 11:29am

Should probably be

certificatesResolvers:
  staging:
    ...
  production:
    ...

and

    - "traefik.http.routers.myrouter.tls.certresolver=production"

Topic		Replies	Views
TLS certificates with Docker Traefik v2 docker	2	4031	September 18, 2019
Unable to get HTTPS using Traefik as reverse proxy Traefik v2 docker	2	787	October 26, 2022
Https with valid cert not works Traefik v2 docker , file	0	341	December 6, 2019
Docker, Traefik v2, SSL cannot set default cert Traefik v2 docker	2	607	October 15, 2019
V2, TLS, Let's Encrypt and http --> https - SUCCESS! Traefik v2 docker	3	871	November 12, 2019

Can not update Let’s Encrypt Certificates traefik

Related Topics