Certificate not showing, but present

So, I'm trying to set up my docker stack with separate certificates, since I also want a stack to run mailcow on (which will need its own certificate).

In the stack I have the certdumper from humenius, and that works fine. It finds the certificate and puts it in a separate folder. Decoding the certificate also shows it's the right one. Except, traefik is not using it? I keep getting some errors, but I do not understand why it's using the default certificate. Below is my docker-compose for the first stack. So like I said, the cert dumper dumps the certificates fine, but traefik is showing:

time="2020-12-01T08:02:15Z" level=debug msg="http: TLS handshake error from 10.210.132.1:34171: local error: tls: bad record MAC"
time="2020-12-01T08:02:16Z" level=debug msg="http: TLS handshake error from 10.210.132.1:39903: read tcp 172.24.0.2:443->10.210.132.1:39903: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:41604: read tcp 172.24.0.2:443->10.210.132.1:41604: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:25413: read tcp 172.24.0.2:443->10.210.132.1:25413: read: connection reset by peer"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:17494: EOF"
time="2020-12-01T08:02:17Z" level=debug msg="http: TLS handshake error from 10.210.132.1:51566: read tcp 172.24.0.2:443->10.210.132.1:51566: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:51813: read tcp 172.24.0.2:443->10.210.132.1:51813: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:40752: read tcp 172.24.0.2:443->10.210.132.1:40752: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:17886: read tcp 172.24.0.2:443->10.210.132.1:17886: read: connection reset by peer"
time="2020-12-01T08:02:18Z" level=debug msg="http: TLS handshake error from 10.210.132.1:62524: read tcp 172.24.0.2:443->10.210.132.1:62524: read: connection reset by peer"
time="2020-12-01T08:02:19Z" level=debug msg="http: TLS handshake error from 10.210.132.1:45920: read tcp 172.24.0.2:443->10.210.132.1:45920: read: connection reset by peer"

But the folder where the certs are supposed to be dumped is filled:

ls -ahlp shared/certs/
total 12K
drwxr-xr-x 3 root    root    4.0K Nov 30 19:43 ./
drwxr-xr-x 4 dockers dockers 4.0K Nov 30 18:24 ../
drwxr-xr-x 2 root    root    4.0K Nov 30 19:43 auth.domain.tld/

My docker-compose (not including the cert dumper, just traefik and authelia):

version: "3.7"
services:
  traefik:
    container_name: traefik
    image: traefik
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      # $TRAEFIK_PILOT_TOKEN here is expanded by docker-compose from the host shell / .env file,
      # not from the container environment declared further down.
      - --pilot.token=$TRAEFIK_PILOT_TOKEN
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # No acme.caServer is set here, so this resolver talks to Let's Encrypt production;
      # pointing caServer at the staging directory yields certificates no browser trusts.
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    networks:
      t2_proxy:
        ipv4_address: 172.23.0.2
      socket_proxy:
        ipv4_address: 172.24.0.2
    depends_on: # a single depends_on key; the service previously listed it twice, which is an invalid duplicate mapping key
      - socket-proxy
      - authelia
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules # file provider directory
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      # This sets the variable to a path, not to the token; Traefik reads the token value itself
      - TRAEFIK_PILOT_TOKEN=/run/secrets/traefik_pilot_token
    secrets: # each name needs a matching entry in a top-level secrets: block (omitted from this excerpt)
      - cloudflare_email
      - cloudflare_api_key
      - traefik_pilot_token
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      # No tls / tls.certresolver labels and no auth middleware on this router: the dashboard
      # (api@internal) is published without a resolver certificate and to anyone who can reach this hostname
      - "traefik.http.routers.traefik-rtr.service=api@internal"

  authelia:
    container_name: authelia
    # Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
    # image: authelia/authelia:latest
    image: authelia/authelia:4.21.0
    restart: always
    networks:
      t2_proxy:
        ipv4_address: 172.23.0.15
    volumes:
      - $DOCKERDIR/authelia:/config
    environment:
      - TZ=$TZ
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/run/secrets/redis_password
    secrets: # same remark: these must be declared in the top-level secrets: block
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_storage_mysql_password
      - authelia_notifier_smtp_password
      - redis_password
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia-rtr.entrypoints=https"
      - "traefik.http.routers.authelia-rtr.rule=Host(`auth.$DOMAINNAME`)"
      - traefik.http.routers.authelia-rtr.service=authelia-svc
      - traefik.http.routers.authelia-rtr.tls=true
      - traefik.http.routers.authelia-rtr.tls.certresolver=dns-cloudflare
      - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
    depends_on:
      - mariadb

networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
  socket_proxy:
    external:
      name: socket_proxy

Feeling so stupid right now...
It works now that I switched to the regular staging caServer....
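
The check this thread is circling, written out as an added Go example (it is not code from the thread, from Traefik or from the cert dumper): parse the certificate the dumper wrote to disk, perform a TLS handshake against Traefik with the site's hostname as SNI, and report what Traefik actually presented, so "the file is right" and "Traefik serves it" are tested separately. Assumptions: the dumped file name `cert.pem` under `shared/certs/auth.domain.tld/` is a guess (use whatever your dumper writes); `TRAEFIK DEFAULT CERT` is the subject CN Traefik v2 puts on its self-generated fallback certificate; Let's Encrypt staging intermediates carry `(STAGING)` or `Fake LE` in their issuer name. The `selfSigned` helper mints constructed certificates only so the checks can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// leafFromPEM parses the first CERTIFICATE block of a PEM file (e.g. the one the cert dumper writes).
func leafFromPEM(data []byte) (*x509.Certificate, error) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
	return nil, fmt.Errorf("no CERTIFICATE block in PEM data")
}

// classify names the usual reasons a browser rejects what Traefik presents.
func classify(c *x509.Certificate) string {
	switch {
	case c.Subject.CommonName == "TRAEFIK DEFAULT CERT":
		return "traefik-default" // Traefik's self-generated fallback: no resolver cert matched the SNI
	case strings.Contains(c.Issuer.CommonName, "STAGING"), strings.Contains(c.Issuer.CommonName, "Fake LE"):
		return "letsencrypt-staging" // issued by the staging CA, which clients do not trust by design
	case time.Now().After(c.NotAfter):
		return "expired"
	}
	return "ok"
}

func matchesHost(c *x509.Certificate, host string) bool { return c.VerifyHostname(host) == nil } // covers the SNI a client sends?
func sameCert(a, b *x509.Certificate) bool           { return bytes.Equal(a.Raw, b.Raw) }        // identical DER, stricter than comparing names

// servedCert handshakes with addr using sni and returns the leaf the server actually presented.
// Verification is skipped on purpose: the goal is to look at a bad certificate, not to refuse it.
func servedCert(addr, sni string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// selfSigned mints a throwaway certificate (constructed data) so the checks can run offline;
// the tls.Certificate it returns can be loaded into a local tls.Listen to stand in for Traefik.
func selfSigned(cn string, dns ...string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// usage: go run . shared/certs/auth.domain.tld/cert.pem auth.domain.tld:443 auth.domain.tld
// (the dumped file name is an assumption; point it at whatever your dumper writes)
func main() {
	if len(os.Args) != 4 { // no arguments: offline demo on a constructed staging-like certificate
		_, demo, err := selfSigned("(STAGING) Artificial Apricot R3", "auth.domain.tld")
		if err != nil {
			panic(err)
		}
		fmt.Printf("demo: %s (issuer %q)\n", classify(demo), demo.Issuer.CommonName)
		return
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	expected, err := leafFromPEM(data)
	if err != nil {
		panic(err)
	}
	served, err := servedCert(os.Args[2], os.Args[3])
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %s, issuer %q, covers %s: %v\n", classify(expected), expected.Issuer.CommonName, os.Args[3], matchesHost(expected, os.Args[3]))
	fmt.Printf("served:  %s, issuer %q, identical to disk: %v\n", classify(served), served.Issuer.CommonName, sameCert(served, expected))
}
```

Run from the host against the stack above and the two lines answer different questions: `traefik-default` on the served side means no resolver certificate matched the SNI (router without `tls`, or a Host rule that does not match what the browser sends), `letsencrypt-staging` means the resolver's `caServer` points at the staging directory, and `ok` on both sides with `identical to disk: false` means the dumper and Traefik are not looking at the same acme.json contents. Decoding the dumped file alone, as in the original post, only ever answers the first half.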

@tuumke

And this is how knowledge is acquired :smiley: Thanks for posting your solution.

