Certificate not working and not found

Hello, I'm new to Traefik.
I tried to get a certificate and open the site over HTTPS, but it is not working and Traefik is not creating the certificate itself.
I tried with labels because when I create the auth users in the static config the containers do not see them. My first attempt was like this:

```yaml
version: "3"
services:
  portainer:
    image: portainer/portainer-ce:latest
    volumes:
      - data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    ports:
      - 9000:9000
    networks:
      - supabase_network_supabase
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.***.com`)"
      - "traefik.http.routers.portainer.service=portainer"
      # - "traefik.http.routers.portainer.tls.certresolver=leresolver"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=production"  # Use the resolver you defined in Traefik
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$HfP4B44ou9.w0w/3/Jk6O.***"  # Replace with your generated htpasswd
      # - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$RVhbOtar$$kp1/Smn/hu.IxxSq/o/Xb/"  # Replace with your generated htpasswd
volumes:
  data:
networks:
  supabase_network_supabase:
    external: true
```

This Portainer container is not working. I tried the 9443 server port as well.

My second attempt, with the static config:
"traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$RVhbOtar$$kp1/Smn/hu.IxxSq/o/Xb/"

```yaml
version: '3'
services:
  front:
    image: strm/helloworld-http
    container_name: load-balancer
    networks:
      - supabase_network_supabase
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.***.com`)"
      - "traefik.http.routers.grafana.service=grafana"
      - "traefik.http.routers.grafana.entrypoints=web"
      - "traefik.http.services.grafana.loadbalancer.server.port=80"
      - "traefik.http.routers.grafana.middlewares=auth"
      # - "traefik.http.routers.grafana.tls=true"
      # - "traefik.http.routers.grafana.tls.certresolver=staging"
      # - "traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$HfP4B44ou9.***"  # Replace with your generated htpasswd
      # - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$RVhbOtar$$kp1/Smn/hu.IxxSq/o/Xb/"  # Replace with your generated htpasswd

networks:
  supabase_network_supabase:
    external: true
```

But this did not work for me either.

My static config is like this:

```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

# -- (Optional) Change Log Level and Format here...
log:
  level: DEBUG
  format: common
  filePath: /var/log/traefik/traefik.log

# -- (Optional) Enable Accesslog and change Format here...
accesslog:
  format: common
  filePath: /var/log/traefik/access.log

# -- (Optional) Enable API and Dashboard here, don't do in production
api:
  dashboard: true
  insecure: true

# -- Change EntryPoints here...
entryPoints:
  web:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: websecure
    #       scheme: https
  websecure:
    address: :443
  # -- (Optional) Add custom Entrypoint
  # custom:
  #   address: :8080

# -- Configure your CertificateResolver here...
certificatesResolvers:
  # Staging Certificate Resolver for testing purposes
  staging:
    acme:
      email: projectseriesbackendfrontend@duck.com
      storage: etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

      # -- (Optional) Remove this section when using DNS Challenge
      httpChallenge:
        entryPoint: web

      # -- (Optional) Configure DNS Challenge
      dnsChallenge:
        provider: your-resolver (e.g. cloudflare)
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

  # Production Certificate Resolver
  production:
    acme:
      email: projectseriesbackendfrontend@duck.com
      storage: etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

      # -- (Optional) Remove this section when using DNS Challenge
      httpChallenge:
        entryPoint: web

      # -- (Optional) Configure DNS Challenge
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# -- (Optional) Disable TLS Cert verification check
serversTransport:
  insecureSkipVerify: false

# -- (Optional) Overwrite Default Certificates
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /etc/traefik/certs/cert.pem
#         keyFile: /etc/traefik/certs/cert-key.pem
# -- (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false

  file:
    directory: /etc/traefik
    watch: true

metrics:
  prometheus:
    entryPoint: web
```

My logs are like this:

```
time="2024-01-31T04:59:18Z" level=error msg="the router portainer@docker uses a non-existent resolver: production"
time="2024-01-31T04:59:17Z" level=error msg="The ACME resolver \"production\" is skipped from the resolvers list because: unable to get ACME account: open etc/traefik/certs/acme.json: no such file or directory"
time="2024-01-31T04:55:53Z" level=error msg="The ACME resolver \"staging\" is skipped from the resolvers list because: unable to get ACME account: open /etc/traefik/certs/acme.json: no such file or directory"
time="2024-01-31T04:55:53Z" level=error msg="The ACME resolver \"production\" is skipped from the resolvers list because: unable to get ACME account: open /etc/acme/acme.json: no such file or directory"
time="2024-01-31T04:55:54Z" level=error msg="HTTP challenge is not enabled" entryPointName=web routerName=acme-http@internal
time="2024-01-31T04:55:54Z" level=error msg="HTTP challenge is not enabled" entryPointName=web routerName=acme-http@internal
time="2024-01-31T04:55:54Z" level=debug msg="Creating server 0 http://172.24.0.4:80" routerName=grafana@docker serviceName=grafana serverName=0 entryPointName=websecure
time="2024-01-31T04:55:54Z" level=debug msg="child http://172.24.0.4:80 now UP"
```

It says the resolver "production" is non-existent, which is interesting, because as you can see it is there.
Note: I'm not using swarm mode for Traefik. I use swarm mode for some other containers.

And when I try to reach port 443 on my IP with telnet, it does not connect.
I checked ufw and it is okay, but do you see any problem with this?

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

You should only define one challenge type for the certresolver. Best practice is to assign the certresolver to the TLS entrypoint directly.

On the router you set entrypoint web and enable TLS; that's very unusual. Why even use web and not websecure?

Maybe check the simple Traefik example.

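As an added example (not part of the original thread and not Traefik's own documentation), here is how the two posted files look once the reply's three points are applied together: one challenge type per resolver, the resolver attached to the `websecure` entrypoint, and routers on `websecure` instead of `web`. It also addresses what the posted logs complain about: the resolver was skipped because Traefik could not open the ACME storage file (three different paths fail in the logs, which points at the storage directory not existing inside the container), and a skipped resolver is exactly what makes every router that references it log "non-existent resolver". The hostnames, the email address, the Traefik image tag and the host paths are placeholders; the basic auth hash is the apr1 one from the post. Both files are shown as two YAML documents in one block.

```yaml
# --- traefik.yml (static configuration) ---
log:
  level: INFO

api:
  dashboard: true
  insecure: false                 # no unauthenticated dashboard on :8080; it is routed below instead

entryPoints:
  web:
    address: ":80"
    http:
      redirections:               # plain HTTP becomes a redirect to HTTPS ...
        entryPoint:
          to: websecure
          scheme: https           # ... while the ACME HTTP-01 handler still answers on :80
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: production  # every router on :443 gets its certificate from this resolver

certificatesResolvers:
  production:
    acme:
      email: admin@example.com                  # placeholder
      storage: /etc/traefik/certs/acme.json     # absolute path; the directory is mounted in the compose file
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:                            # exactly one challenge type per resolver
        entryPoint: web

providers:
  docker:
    exposedByDefault: false
---
# --- docker-compose.yml ---
services:
  traefik:
    image: traefik:v2.11                        # placeholder tag; the post's logs are in the v2 format
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"                               # 443 must be published by exactly this container
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./certs:/etc/traefik/certs              # create ./certs first; Traefik creates acme.json (mode 0600) inside it
    networks:
      - supabase_network_supabase
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"

  portainer:
    image: portainer/portainer-ce:latest
    restart: unless-stopped
    # no "ports: 9000:9000": a published host port would bypass Traefik and the auth middleware
    volumes:
      - data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - supabase_network_supabase
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"   # TLS entrypoint; no tls=true label needed
      - "traefik.http.routers.portainer.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.middlewares=auth"
      # apr1 hash taken from the post; each $ is doubled so compose does not interpolate it
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$RVhbOtar$$kp1/Smn/hu.IxxSq/o/Xb/"

volumes:
  data:

networks:
  supabase_network_supabase:
    external: true
```

Two things in the posted setup are worth checking against this. A router with `tls=true` on the `web` entrypoint only matches TLS connections, so plain http://portainer... on :80 never matches it and https on :443 has no router at all; moving the router to `websecure` and leaving the redirect on `web` fixes both directions. The `telnet` failure on 443 is consistent with no container publishing that port on the host: the compose files in the post show Portainer and the hello-world service, but not the Traefik service itself, and ufw cannot help if nothing is listening. Separately, the posted `api.insecure: true` exposes the dashboard on :8080 with no authentication, and `ports: 9000:9000` on Portainer exposes the UI without the basicauth middleware; both are removed above.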