Can't use a subdomain to access traefik dashboard

Hey !

I'm trying to set up traefik on my vps with the help of docker-compose but I can't fix my issue.

Here is my docker-compose.yml

version: "3.8"

services:
  proxy:
    image: traefik:v2.1
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`dashboard.domain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=user:password"

networks:
  web:
    external: true

The problem is that the authentication does not work when I'm going to dashboard.example.com. I tried the exact same configuration with just example.com as the domain and it does work: it asks for authentication when I'm just trying to go to example.com.

If someone could help me with that I would be grateful :slight_smile:

What's in traefik.toml?

Hey ! Here is my traefik.toml file !


[global]
  sendAnonymousUsage = false

[log]
  level = "INFO"
  format = "common"

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    watch = true
    exposedByDefault = true
    swarmMode = false
  [providers.file]
    filename = "/opt/traefik/traefik_dynamic.toml"
    watch = true

[api]
  dashboard = true
  debug = false
  insecure = false

[entryPoints]
  [entryPoints.insecure]
    address = ":80"
  [entryPoints.secure]
    address = ":443"

[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "email@example.com"
      caServer = "https://acme-v02.api.letsencrypt.org/directory"
      storage = "acme.json"
      keyType = "EC384"
        [certificatesResolvers.letsencrypt.acme.httpChallenge]
          entryPoint = "web"

I managed to make it work but the thing is that letsencrypt does not work :confused:

I changed my docker-compose to this one https://github.com/containous/blog-posts/blob/master/2019_09_10-101_docker/docker-compose-08.yml from Idez

I got no errors but still can't use https.

From the docs:

There are three different, mutually exclusive (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:

  1. In a configuration file
  2. In the command-line arguments
  3. As environment variables

Yes, I've done it in the command-line arguments; it's all good concerning the subdomain. The thing is that letsencrypt ain't working the way it should :confused:

Post your updated configuration then if you fixed it since your initial posts.

I've posted the link to the doc; anyway, I'll just copy-paste it here:

version: "3.3"

services:
  traefik:
    image: "traefik:v2.0.1"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api
      - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    labels:
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.docker.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password

      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

What's not working? Enable debug logging and examine logs.

The navigator always says that this site is dangerous and not secured.

I just added:

- --log.filePath=/opt/traefik/traefik.log
- --log.level=DEBUG

In the command line but nothing appears. Did I set it up the wrong way?

I just tried to use a whoami.example.com and here are the results in the dashboard:

The TLS does appear but is not working.

In case you ask for the docker-compose.yml for the whoami:

  my-app:
    image: containous/whoami:v1.3.0
    labels:
      - "traefik.http.routers.my-app.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.my-app.middlewares=auth"
      - "traefik.http.routers.my-app.entrypoints=websecure"
      - "traefik.http.routers.my-app.tls=true"
      - "traefik.http.routers.my-app.tls.certresolver=leresolver"
      - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password

The log would be inside the container if you chose to write it to file.

Examine the cert. If it's a staging Let's Encrypt cert as per your configuration, then the security warning is normal.

Nothing inside the container.

Here is the content of acme.json:

{
  "leresolver": {
    "Account": {
      "Email": "your@email.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:your@email.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/96253089"
      },
      "PrivateKey": "PrivateKey",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "traefik.example.com"
        },
        "certificate": "*certificate*",
        "key": "*key*",
        "Store": "default"
      },
      {
        "domain": {
          "main": "whoami.example.com"
        },
        "certificate": "*certificate*",
        "key": "*key*",
        "Store": "default"
      }
    ]
  }
}

The URI returns an error though, but I can't fix it.

Could you please post the commands you used to verify it and the output of these commands? Also it would be interesting to find out if /opt/traefik exists and if the user traefik is running under has permissions to write to /opt/traefik/traefik.log. In general I'd recommend starting by omitting log.filePath altogether and simply inspecting the container log.

Also I would advise examining the certificate. If it's a staging Let's Encrypt cert as per your configuration, then the security warning is normal. You can tell if it's a staging cert by looking at the issuer field.
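As an added example (not part of any post in this thread), the Python script below compares the CA that the compose flags point at with the CA host recorded in the account URI of acme.json; it complements the issuer check suggested above rather than replacing it. The function names are hypothetical, and the sample input is constructed from the flag and acme.json structure posted in the thread, with key material left out.

```python
import json
from urllib.parse import urlsplit

# The two Let's Encrypt directory hosts that appear in this thread.
LE_HOSTS = {"acme-v02.api.letsencrypt.org": "production",
            "acme-staging-v02.api.letsencrypt.org": "staging"}

def configured_cas(flags):
    """Resolver name -> CA host, read from Traefik static CLI flags."""
    found = {}
    for flag in flags:
        key, _, value = flag.lstrip("-").partition("=")
        parts = key.lower().split(".")
        if (len(parts) == 4 and parts[0] == "certificatesresolvers"
                and parts[2:] == ["acme", "caserver"]):
            found[parts[1]] = urlsplit(value).hostname
    return found

def stored_state(acme_json_text):
    """Resolver name -> (host the ACME account lives on, certificate domains)."""
    state = {}
    for resolver, data in json.loads(acme_json_text).items():
        reg = (data.get("Account") or {}).get("Registration") or {}
        domains = [c["domain"]["main"] for c in data.get("Certificates") or []]
        state[resolver.lower()] = (urlsplit(reg.get("uri", "")).hostname, domains)
    return state

def audit(flags, acme_json_text):
    """List resolvers whose stored account is on a different CA than configured."""
    wanted = configured_cas(flags)
    findings = []
    for resolver, (host, domains) in stored_state(acme_json_text).items():
        cfg = wanted.get(resolver)
        if cfg and host and cfg != host:
            findings.append((resolver, LE_HOSTS.get(cfg, cfg),
                             LE_HOSTS.get(host, host), domains))
    return findings

# Constructed sample: flag and structure copied from the thread, key material omitted.
FLAGS = ["--certificatesresolvers.leresolver.acme.caserver="
         "https://acme-staging-v02.api.letsencrypt.org/directory"]
ACME_JSON = json.dumps({"leresolver": {
    "Account": {"Registration": {
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/96253089"}},
    "Certificates": [{"domain": {"main": "traefik.example.com"}},
                     {"domain": {"main": "whoami.example.com"}}]}})

if __name__ == "__main__":
    for name, cfg, stored, domains in audit(FLAGS, ACME_JSON):
        print(f"{name}: configured CA is {cfg}, acme.json account is {stored}; "
              f"stored certificates: {', '.join(domains)}")
```

On the values posted in the thread, the compose flag names the staging directory while the account URI in acme.json is on the production host, so the file and the posted configuration do not describe the same CA.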

I just used docker-compose logs. I'm new to docker-compose / traefik; maybe I don't know how to check logs properly.
Well, after checking, traefik.log does not even exist. I don't think it has the permission to write.

How am I supposed to find the issuer field? I don't see any.
And I have a warning, right, but the https does not work. The thing is that users won't get on my websites if they have the "Your Connection is Not Private" message..

If anyone has a clue..

I don't think so.. The traefik binary is the only thing that's IN the container, and without an OS, nothing can mkdir /opt/traefik.

You are probably better off making log.filePath=/traefik.log, at least we know the root directory exists.

But, normally, logs written by Traefik are sent to STDOUT, so if you do not have any weird logging overrides in docker, a simple docker-compose logs should work just fine.

@jnovack are you talking about traefik v1? This is a traefik v2 topic. All traefik v2 containers come with an OS.

Surely traefik can do it itself if programmed though, and has permissions but I do not think it is.

Yep, I already explained that above.

Yep, I stand corrected. Haven't checked since, so I just assumed it didn't have it. #mybad.

@Kaaedan Could you try using the DNS challenge to see if that works, as this works slightly better with subdomains? I made some examples here - https://github.com/56kcloud/traefik-training/tree/master/04-HTTPS-TLS