So, I'm trying to set up my Docker stack with separate certificates, since I also want a second stack to run mailcow on (which will need its own certificate).
In the stack I have the certdumper from humenius, and that works fine: it finds the certificate and puts it in a separate folder, and decoding the certificate shows it's the right one. Except Traefik is not using it? I keep getting some errors, but I do not understand why it's using the default certificate. Below is my docker-compose for the first stack. So, like I said, the cert dumper dumps the certificates fine, but Traefik is showing:
time="2020-12-01T08:02:15Z" level=debug msg="http: TLS handshake error from 10.210.132.1:34171: local error: tls: bad record MAC"
time="2020-12-01T08:02:16Z" level=debug msg="http: TLS handshake error from 10.210.132.1:39903: read tcp 172.24.0.2:443->10.210.132.1:39903: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:41604: read tcp 172.24.0.2:443->10.210.132.1:41604: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:25413: read tcp 172.24.0.2:443->10.210.132.1:25413: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:17494: EOF"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:51566: read tcp 172.24.0.2:443->10.210.132.1:51566: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:51813: read tcp 172.24.0.2:443->10.210.132.1:51813: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:40752: read tcp 172.24.0.2:443->10.210.132.1:40752: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:17886: read tcp 172.24.0.2:443->10.210.132.1:17886: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:62524: read tcp 172.24.0.2:443->10.210.132.1:62524: read: connection reset by peer"
time="2020-12-01T08:02:19Z" level=debug msg="http: TLS handshake error from 10.210.132.1:45920: read tcp 172.24.0.2:443->10.210.132.1:45920: read: connection reset by peer"
But the folder where the certs are supposed to be dumped is filled:
ls -ahlp shared/certs/
total 12K
drwxr-xr-x 3 root root 4.0K Nov 30 19:43 ./
drwxr-xr-x 4 dockers dockers 4.0K Nov 30 18:24 ../
drwxr-xr-x 2 root root 4.0K Nov 30 19:43 auth.domain.tld/
My docker-compose (not including the cert dumper, just traefik and authelia)
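version: "3.7"

# NOTE(review): this excerpt omits the cert-dumper service, mariadb and the top-level
# `secrets:` block that every `secrets:` entry below refers to. Compose will refuse to
# start the stack until those are present in the full file.
services:
  traefik:
    container_name: traefik
    # NOTE(review): an untagged image means `:latest`. Pin the tag (authelia below is
    # pinned) so an upgrade cannot silently change ACME/TLS behaviour.
    image: traefik
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      # Phones home with anonymised config data; set to false if that is not wanted.
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Only these source IPs may set X-Forwarded-* headers on the https entrypoint.
      # Cloudflare edge ranges: https://www.cloudflare.com/ips/ -- this is a point-in-time,
      # IPv4-only snapshot, so re-check it periodically. It does not stop clients that
      # reach :443 directly (ports are published in host mode); it only strips their
      # forwarded headers.
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      # Not published below and nothing routes to it. Keep it that way: do NOT add
      # --api.insecure=true, which would serve the API unauthenticated on this port.
      - --entryPoints.traefik.address=:8080
      - --api=true
      # $TRAEFIK_PILOT_TOKEN is substituted by docker-compose from the HOST environment /
      # .env file when the file is parsed, not from the container env or the mounted
      # secret. If it is unset on the host this expands to an empty token.
      - --pilot.token=$TRAEFIK_PILOT_TOKEN
      - --log=true
      # DEBUG logs request/handshake details; drop back to INFO once this is solved.
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      # Plain-text Docker API via the socket proxy; keep the socket_proxy network
      # internal so nothing else can reach :2375.
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      # Load dynamic configuration from one or more .toml or .yml files in a directory.
      # Traefik never picks up certificate files from a directory on its own: certificates
      # you want it to serve from files must be declared under `tls.certificates` in a
      # file-provider config placed here. Certificates it obtains itself live in acme.json.
      - --providers.file.directory=/rules
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      t2_proxy:
        ipv4_address: 172.23.0.2
      socket_proxy:
        ipv4_address: 172.24.0.2
    # The original listed `depends_on` twice in this service; YAML parsers that tolerate
    # duplicate keys silently keep only the last one (authelia), dropping socket-proxy.
    # Merged into a single list.
    depends_on:
      - socket-proxy
      - authelia
    security_opt:
      - "no-new-privileges:true"
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules # file provider directory
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
      # Contains the dumped certificates AND private keys. The cert directory shown in
      # the question is 0755; make sure the key files themselves are not world-readable
      # and that nothing else mounting /shared needs those keys.
      - $DOCKERDIR/shared:/shared
    environment:
      # NOTE(review): these are the Cloudflare Global API Key, which has full account
      # access. If your Traefik version's lego supports it, prefer a DNS-scoped API
      # token (CF_DNS_API_TOKEN_FILE) instead.
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      # Removed: TRAEFIK_PILOT_TOKEN=/run/secrets/traefik_pilot_token
      # TRAEFIK_PILOT_TOKEN is the environment-variable form of --pilot.token, so this set
      # the token to the literal path string (Traefik has no *_FILE convention for it);
      # the CLI flag above overrides it anyway. Supply the token via the host-side .env
      # that the CLI flag reads.
    secrets:
      - cloudflare_email
      - cloudflare_api_key
      - traefik_pilot_token
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      # Without tls=true a router on the https entrypoint only matches plaintext
      # requests; made consistent with authelia-rtr below.
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare"
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # api@internal exposes the dashboard and the full dynamic-configuration API
      # (routers, services, certificate names, middleware settings). The original had no
      # middleware on this router, so it was reachable by anyone who could resolve the
      # hostname. Gate it with Authelia's forward-auth endpoint. Endpoint and response
      # headers follow the Authelia Traefik docs -- TODO confirm against the 4.21 docs.
      - "traefik.http.routers.traefik-rtr.middlewares=authelia-fwd@docker"
      - "traefik.http.middlewares.authelia-fwd.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.$DOMAINNAME/"
      - "traefik.http.middlewares.authelia-fwd.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-fwd.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

  authelia:
    container_name: authelia
    # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
    # image: authelia/authelia:latest
    image: authelia/authelia:4.21.0
    restart: always
    networks:
      t2_proxy:
        ipv4_address: 172.23.0.15
    volumes:
      - $DOCKERDIR/authelia:/config
    environment:
      - TZ=$TZ
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/run/secrets/redis_password
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_storage_mysql_password
      - authelia_notifier_smtp_password
      - redis_password
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia-rtr.entrypoints=https"
      - "traefik.http.routers.authelia-rtr.rule=Host(`auth.$DOMAINNAME`)"
      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
      - "traefik.http.routers.authelia-rtr.tls=true"
      - "traefik.http.routers.authelia-rtr.tls.certresolver=dns-cloudflare"
      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
    # mariadb is not part of this excerpt; it must exist in the full file.
    depends_on:
      - mariadb

networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
  socket_proxy:
    external:
      name: socket_proxy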