Can't decode error in Traefik error logs

Hey guys so I have traefik service running but for some reason it is not working on the URL or any other checks. Error logs are empty.
If there is a need for me to disclose the domain in order to troubleshoot the issues, kindly let me know and I can PM it to you.

My docker-compose.yml (edited to remove sensitive secrets)

version: '3.3'
services:
  traefik:
    # Use the latest v2.2.x Traefik image available
    image: traefik:2.3.2
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
          - node.role == manager
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=USERNAME:HASHED_PASSWORD
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`DOMAIN`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`DOMAIN`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public.https.tls.domains[0].main=DOMAIN.TLD
        - traefik.http.routers.traefik-public.https.tls.domains[0].sans=*.DOMAIN.TLD
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Mount the volume to store the certificates
      - "/srv/traefik.DOMAIN.TLD/certs:/certificates"
      - "/srv/traefik.DOMAIN.TLD/letsencrypt:/letsencrypt"
    command:
      #- --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --log.level=DEBUG
      - --api.insecure=true
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker=true
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      #- --providers.docker.swarmmode
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      #websecure address expose
      #- --entrypoints.websecure.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=EMAIL
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      #SSL certificate
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
    extra_hosts: 
      - EXTRA_HOSTS
    environment:
      - NODE_ID=exampleID123456
      - EMAIL=admin@example.com
      - DOMAIN=traefik.example.com
      - USERNAME=admin
      - PASSWORD="changethis"
      - HASHED_PASSWORD='$$apr1$$6XaPhlNf$$N.NgCREOAXsVNmV8IKk//w.'
      - EXTRA_HOSTS="traefik.example.com:123.456.789.012"
    env_file:
     - ./.env
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.middlewares=auth"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls.certresolver=le"    
    networks:
      - traefik-public
volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    external: true
    driver: overlay

My .env file

NODE_ID=exampleID123456
EMAIL=admin@example.com
DOMAIN=traefik.example.com
USERNAME=admin
PASSWORD="changethis"
HASHED_PASSWORD='$$apr1$$6XaPhlNf$$N.NgCREOAXsVNmV8IKk//w.'
EXTRA_HOSTS="traefik.example.com:123.456.789.012"

Docker error logs for traefik_traefik service

ronin@ninjaserver:~$ docker service logs traefik_traefik -f --no-trunc | grep -i error
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:20:39Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:20:54Z" level=error msg="field not found, node: https" container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8 providerName=docker
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:21:09Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:21:24Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:21:39Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:21:54Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:22:09Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:22:24Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:22:39Z" level=error msg="field not found, node: https" providerName=docker container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:22:54Z" level=error msg="field not found, node: https" container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8 providerName=docker
traefik_traefik.1.gk92pqbu1qpxtvbyhus7ukcm8@ninjaserver    | time="2020-11-09T22:23:09Z" level=error msg="field not found, node: https" container=traefik-traefik-gk92pqbu1qpxtvbyhus7ukcm8 providerName=docker

Netstat results for open LISTEN ports

ronin@ninjaserver:~$ sudo netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      143/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      195/sshd: /usr/sbin 
tcp6       0      0 :::80                   :::*                    LISTEN      209/dockerd         
tcp6       0      0 :::22                   :::*                    LISTEN      195/sshd: /usr/sbin 
tcp6       0      0 :::443                  :::*                    LISTEN      209/dockerd         
tcp6       0      0 :::9001                 :::*                    LISTEN      576732/docker-proxy 
tcp6       0      0 :::2377                 :::*                    LISTEN      209/dockerd         
tcp6       0      0 :::7946                 :::*                    LISTEN      209/dockerd

Hello,

This error means that there is an error in the configuration. In the labels, you have a configuration element that contains .https. or .https that is not a real configuration option.

I don't see the problem in the docker-compose file that you provided, but I'm not sure if your file is up-to-date or not.

Could you check your labels?

If you still have an issue: stop and clean your environment.

Hmm I see thank you for pointing this out, I am new to learning all this so I appreciate the pointers and feedback so I can correct course while learning hands on.

I believe web-secure is a good replacement for the .https element right?

Also how would I go about cleaning my environment? Would docker system prune be enough or is that too much?

The problem is not the name, but the fact that you are using a non-existing option.

I think I found the culprit lines causing the error, but after changing them from https to web-secure, which I have created as an entry point, I am still getting an error similar to the one earlier.

        - traefik.http.routers.traefik-public.web-secure.tls.domains[0].sans=*.DOMAIN.TLD

This somehow seems to be a simple error to fix but I am not sure why I am having so much trouble understanding it and addressing the issue at hand.

Updated docker-compose.yml

version: '3.3'
services:
  traefik:
    # Use the latest v2.2.x Traefik image available
    image: traefik:2.3.2
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
          - node.role == manager
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME}:${HASHED_PASSWORD}
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        #- traefik.http.routers.traefik-public-http.rule=Host(`traefik.DOMAIN.TLD`)
        - traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN}`)
        - traefik.http.routers.traefik-public-http.entrypoints=web
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN}`)
        - traefik.http.routers.traefik-public-https.entrypoints=web-secure
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public.web-secure.tls.domains[0].main=DOMAIN.TLD
        - traefik.http.routers.traefik-public.web-secure.tls.domains[0].sans=*.DOMAIN.TLD
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Mount the volume to store the certificates
      - "/srv/traefik.DOMAIN.TLD/certs:/certificates"
      - "/srv/traefik.DOMAIN.TLD/letsencrypt:/letsencrypt"
    command:
      #- --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --log.level=DEBUG
      - --api.insecure=true
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker=true
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.docker.swarmmode
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.web.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.web-secure.address=:443
      #websecure address expose
      #- --entrypoints.websecure.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=${EMAIL}
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true
      #SSL certificate
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
    extra_hosts:
      - EXTRA_HOSTS
    environment:
      - NODE_ID=45NODEdsadasdsadasd
      - EMAIL=admin@EXAMPLE.COM
      #- EMAIL=The1Geralt@pm.me
      - DOMAIN=traefik.DOMAIN.TLD
      - USERNAME=admin
      - PASSWORD="changethis"
      - HASHED_PASSWORD='$$apr1$$6XaPhlNf$$N.NgCREOAXsVNmV8IKk//w.'
      #- HASHPASS_ENV: $(HASHPASS_HOST:~(openssl passwd -apr1 $PASSWORD)) 
      #- $SRV_VPATH="/srv/DOMAIN.TLD/"
      - EXTRA_HOSTS="traefik.DOMAIN.TLD:123.456.456.789"
    env_file:
     - ./.env
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.DOMAIN.TLD`)"
      - "traefik.http.routers.whoami.middlewares=auth"
      - "traefik.http.routers.whoami.entrypoints=web-secure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
    networks:
      - traefik-public
volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    external: true
    driver: overlay

Error logs

traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:31:06Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:31:21Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:31:36Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:31:51Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:32:06Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:32:21Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:32:36Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:32:51Z" level=error msg="field not found, node: web-secure" providerName=docker container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72
traefik_traefik.1.9mc8k4sj0lt3qco4b75wzhz72@ninjaserver    | time="2020-11-10T00:33:06Z" level=error msg="field not found, node: web-secure" container=traefik-traefik-9mc8k4sj0lt3qco4b75wzhz72 providerName=docker

What am I doing wrong here to have the same error as previously even though I changed the name? Is it because web-secure is still a non-existing option? If so what would be an existing option I could change it to? Thank you for your time and help I appreciate it.

There are some errors in your files:

 - traefik.constraint-label=traefik-public

I recommend not using the traefik. prefix for your custom labels.

- traefik.http.routers.traefik-public.web-secure.tls.domains[0].main=DOMAIN.TLD
- traefik.http.routers.traefik-public.web-secure.tls.domains[0].sans=*.DOMAIN.TLD

The field not found errors come from those previous 2 lines.

traefik.http.routers.traefik-public.web-secure.tls.domains must be traefik.http.routers.traefik-public.tls.domains

In summary:

version: '3.7'

services:

  traefik:
    image: traefik:2.3.2
    ports:
      - 80:80
      - 443:443
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
          - node.role == manager
      labels:
        - constraint-label=traefik-public

        - traefik.enable=true
        - traefik.docker.network=traefik-public
        
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME}:${HASHED_PASSWORD}
        
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN}`)
        - traefik.http.routers.traefik-public-https.entrypoints=web,web-secure
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public-https.service=api@internal
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        - traefik.http.routers.traefik-public-https.tls.domains[0].main=DOMAIN.TLD
        - traefik.http.routers.traefik-public-https.tls.domains[0].sans=*.DOMAIN.TLD
      
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080

    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Mount the volume to store the certificates
      - "/srv/traefik.DOMAIN.TLD/certs:/certificates"
      - "/srv/traefik.DOMAIN.TLD/letsencrypt:/letsencrypt"
    command:
      - --accesslog
      
      - --log
      - --log.level=DEBUG

      - --api

      - --providers.docker
      - --providers.docker.constraints=Label(`constraint-label`, `traefik-public`)
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      
      - --entrypoints.web.address=:80
      # global redirect to https
      - --entrypoints.web.http.redirections.entryPoint.to=web-secure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web-secure.address=:443
    
      - --certificatesresolvers.le.acme.email=${EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      #- --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
    extra_hosts:
      - EXTRA_HOSTS
    environment:
      - NODE_ID=45NODEdsadasdsadasd
      - EMAIL=admin@EXAMPLE.COM
      #- EMAIL=The1Geralt@pm.me
      - DOMAIN=traefik.DOMAIN.TLD
      - USERNAME=admin
      - PASSWORD="changethis"
      - HASHED_PASSWORD='$$apr1$$6XaPhlNf$$N.NgCREOAXsVNmV8IKk//w.'
      #- HASHPASS_ENV: $(HASHPASS_HOST:~(openssl passwd -apr1 $PASSWORD)) 
      #- $SRV_VPATH="/srv/DOMAIN.TLD/"
      - EXTRA_HOSTS="traefik.DOMAIN.TLD:123.456.456.789"
    env_file:
     - ./.env

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.DOMAIN.TLD`)"
      - "traefik.http.routers.whoami.middlewares=auth"
      - "traefik.http.routers.whoami.entrypoints=web,web-secure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
    networks:
      - traefik-public

volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    external: true
    driver: overlay
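The reply's two points, checked mechanically in an added example that is not part of the original thread and is not Traefik's own parser: a dot after the router name turns the next segment into a field lookup, which is why `traefik-public.https.tls...` is reported as `field not found, node: https`, and `traefik.constraint-label` sits under a prefix Traefik treats as its own. The field sets are a simplified subset of Traefik v2 HTTP router options, and the function names are hypothetical.

```python
import re

# Simplified subset of Traefik v2 HTTP router options (label keys are case-insensitive).
ROUTER_FIELDS = {"rule", "entrypoints", "middlewares", "service", "priority", "tls"}
TLS_FIELDS = {"certresolver", "options", "domains"}
DOMAIN_FIELDS = {"main", "sans"}
# Namespaces Traefik reads below the "traefik." prefix on Docker labels.
TRAEFIK_ROOTS = {"enable", "docker", "http", "tcp", "udp"}
INDEXED = re.compile(r"^([a-z]+)\[\d+\]$")  # e.g. domains[0]


def parse_label(label):
    """Split 'key=value' into (lower-cased key segments, value)."""
    key, _, value = label.partition("=")
    return key.strip().lower().split("."), value


def unknown_router_node(path):
    """Return the first segment after the router name that is not a known field."""
    if not path:
        return None
    head, rest = path[0], path[1:]
    if head not in ROUTER_FIELDS:
        return head
    if head != "tls":
        return rest[0] if rest else None  # scalar options take no children
    if not rest:
        return None  # plain "tls=true"
    match = INDEXED.match(rest[0])
    name = match.group(1) if match else rest[0]
    if name not in TLS_FIELDS:
        return rest[0]
    if name == "domains":
        if len(rest) >= 2 and rest[1] not in DOMAIN_FIELDS:
            return rest[1]
        if len(rest) > 2:
            return rest[2]
    elif len(rest) > 1:
        return rest[1]
    return None


def lint_labels(labels):
    """Return (label, message) pairs for labels Traefik would fail to decode."""
    findings = []
    for label in labels:
        path, _ = parse_label(label)
        if path[0] != "traefik":
            continue  # not a Traefik label, e.g. constraint-label=...
        if len(path) < 2 or path[1] not in TRAEFIK_ROOTS:
            findings.append((label, "custom label under the 'traefik.' prefix"))
            continue
        if path[1:3] == ["http", "routers"] and len(path) > 3:
            node = unknown_router_node(path[4:])
            if node is not None:
                msg = f"field not found, node: {node} (parsed as a field of router '{path[3]}')"
                findings.append((label, msg))
    return findings


# Labels taken from the first compose file in this thread.
BROKEN_LABELS = [
    "traefik.enable=true",
    "traefik.constraint-label=traefik-public",
    "traefik.http.routers.traefik-public-https.rule=Host(`DOMAIN`)",
    "traefik.http.routers.traefik-public-https.tls=true",
    "traefik.http.routers.traefik-public.https.tls.domains[0].main=DOMAIN.TLD",
    "traefik.http.routers.traefik-public.https.tls.domains[0].sans=*.DOMAIN.TLD",
    "traefik.http.routers.traefik-public-https.tls.certresolver=le",
]

# The same labels as written in the corrected compose file above.
FIXED_LABELS = [
    "constraint-label=traefik-public",
    "traefik.enable=true",
    "traefik.http.routers.traefik-public-https.rule=Host(`DOMAIN`)",
    "traefik.http.routers.traefik-public-https.entrypoints=web,web-secure",
    "traefik.http.routers.traefik-public-https.tls=true",
    "traefik.http.routers.traefik-public-https.tls.domains[0].main=DOMAIN.TLD",
    "traefik.http.routers.traefik-public-https.tls.domains[0].sans=*.DOMAIN.TLD",
    "traefik.http.routers.traefik-public-https.tls.certresolver=le",
]

if __name__ == "__main__":
    for label, message in lint_labels(BROKEN_LABELS):
        print(f"{label}\n    -> {message}")
```

Renaming the entry point does not change the result: `traefik-public.web-secure.tls...` is reported with `node: web-secure` for the same reason.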

Thank you for those pointers. I made the adjustments but I still seem to be having an ACME error now.

My docker-compose.yml

version: '3.7'

services:

  traefik:
    image: traefik:2.3.2
    ports:
      - 80:80
      - 443:443
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.reverse-proxy.reverse-proxy-certificates == true
          - node.role == manager
      labels:
        - constraint-label=reverse-proxy

        - traefik.enable=true
        - traefik.docker.network=reverse-proxy
        
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME}:${HASHED_PASSWORD}
        
        - traefik.http.routers.reverse-proxy-https.rule=Host(`${DOMAIN}`)
        - traefik.http.routers.reverse-proxy-https.entrypoints=web,web-secure
        - traefik.http.routers.reverse-proxy-https.tls=true
        - traefik.http.routers.reverse-proxy-https.service=api@internal
        - traefik.http.routers.reverse-proxy-https.tls.certresolver=le
        - traefik.http.routers.reverse-proxy-https.middlewares=admin-auth
        - traefik.http.routers.reverse-proxy.tls.domains[0].main=DOMAIN.TLD
        - traefik.http.routers.reverse-proxy.tls.domains[0].sans=*.DOMAIN.TLD
      
        - traefik.http.services.reverse-proxy.loadbalancer.server.port=8080

    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Mount the volume to store the certificates
      - "/srv/traefik.DOMAIN.TLD/certs:/certificates"
      - "/srv/traefik.DOMAIN.TLD/letsencrypt:/letsencrypt"
      #- "reverse-proxy-certificates:/certificates"
      #- "reverse-proxy-certificates:/letsencrypt"
    command:
      - --accesslog
      
      - --log
      - --log.level=DEBUG

      - --api

      - --providers.docker
      - --providers.docker.constraints=Label(`constraint-label`, `reverse-proxy`)
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode
      
      - --entrypoints.web.address=:80
      # global redirect to https
      - --entrypoints.web.http.redirections.entryPoint.to=web-secure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web-secure.address=:443
    
      - --certificatesresolvers.le.acme.email=${EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      #- --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - reverse-proxy
    extra_hosts:
      - EXTRA_HOSTS
    environment:
      - NODE_ID=5431vdsvsdcsdcsdcdsc
      - EMAIL=admin@DOMAIN.TLD
      
      - DOMAIN=traefik.DOMAIN.TLD
      - USERNAME=admin
      - PASSWORD="changethis"
      - HASHED_PASSWORD='$$apr1$$6XaPhlNf$$N.NgCREOAXsVNmV8IKk//w.'
      #- HASHPASS_ENV: $(HASHPASS_HOST:~(openssl passwd -apr1 $PASSWORD)) 
      #- $SRV_VPATH="/srv/DOMAIN.TLD/"
      - EXTRA_HOSTS="traefik.DOMAIN.TLD:123.456.789.123"
    env_file:
     - ./.env

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.DOMAIN.TLD`)"
      - "traefik.http.routers.whoami.middlewares=auth"
      - "traefik.http.routers.whoami.entrypoints=web,web-secure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
    networks:
      - reverse-proxy

volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  reverse-proxy-certificates:
networks:
  # Use the previously created public network "reverse-proxy", shared with other
  # services that need to be publicly available via this Traefik
  reverse-proxy:
    external: true
    driver: overlay

My error log

traefik_traefik.1.jw56pnnuxasqgsbhxhedpjp5d@ninjaserver    | time="2020-11-10T04:38:03Z" level=error msg="Unable to obtain ACME certificate for domains \"traefik.whiskeyonthe.rocks\": unable to generate a certificate for the domains [traefik.whiskeyonthe.rocks]: error: one or more domains had a problem:\n[traefik.whiskeyonthe.rocks] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=le.acme routerName=reverse-proxy-https@docker rule="Host(`traefik.whiskeyonthe.rocks`)"

Thanks for your insight, it's greatly appreciated.

The reason I was still getting a connection refused error for ACME and all other port scans was because there was another manager node in my swarm running on port 80 and 443, so once I removed the other swarm node listening on the swarm ports I was able to get the configuration for traefik running and working. Thank you.
