Hi,
So I got a wildcard SSL cert from DigiCert, and I want to implement it on my running Traefik (v2.4.8) container. Currently, I use Let's Encrypt as my resolver. Everything is fine: my Traefik dashboard and Portainer can be accessed over HTTPS. Then I commented out everything related to Let's Encrypt and started implementing the wildcard SSL cert that I own. It gave me "404 page not found" on both the Traefik dashboard and the Portainer service, but I can see the cert is implemented.
This is my docker-compose.yml configuration:
version: "3"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - TZ=Asia/Jakarta
    command:
      - --accesslog.fields.names.StartUTC=drop
      - --providers.docker
      - --providers.file.directory=/traefik-data/tls.yml
      - --providers.file.watch=true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/configurations:/configurations
      - ./traefik-data/cert:/cert
      - ./traefik-data/tls.yml:/tls.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

networks:
  proxy:
    external: true
This is my traefik.yml (static configuration):
api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      # tls:
      #   certificates:
      #     - certFile: "/cert/bundle.crt"
      #       keyFile: "/cert/mydomain.key"
      #   certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
    filename: tls.yml

#certificatesResolvers:
#  letsencrypt:
#    acme:
#      email: me@example.com
#      storage: acme.json
#      keyType: EC384
#      httpChallenge:
#        entryPoint: web
This is my tls.yml (dynamic configuration):
tls:
  certificates:
    - certFile: "/cert/bundle.crt"
      keyFile: "/cert/mydomain.key"
  options:
    default:
      sniStrict: true
  stores:
    default:
      defaultCertificate:
        certFile: "/cert/bundle.crt"
        keyFile: "/cert/mydomain.key"
This is my dynamic.yml (dynamic configuration):
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$UdkaACnx$IB2OG7vIoTbHGRAWlFq4q."

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Or should I put my cert under the docker provider like this?
Can you tell me what I did wrong after implementing the DigiCert SSL cert? I really appreciate any help.
Thanks!
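Added here as an example, not part of the original post and not Traefik's own tooling: a small POSIX shell script that checks a purchased wildcard bundle and its private key offline before they are referenced from a Traefik `tls.yml`, and then probes one Traefik router by name. It assumes the `openssl` command line (1.1.1 or newer, for `-checkhost` and `-addext`) and, for the live probe only, `curl`. Every path, host name and function name below is my own; the post's `/cert/bundle.crt` and `/cert/mydomain.key` are just one possible input.

```shell
#!/bin/sh
# Added example (not from the original post, not Traefik code).
# Offline checks for a custom wildcard certificate bundle and key, plus one
# live probe of a Traefik router. Assumes openssl >= 1.1.1 and, for the
# probe only, curl. Paths and names are arguments, not the post's files.

# SHA-256 of the DER SubjectPublicKeyInfo taken from the first certificate
# in a PEM file (openssl x509 reads only the first one, i.e. the leaf).
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint derived from a private key. Only the public half is
# ever written out, so the fingerprints can be logged or compared safely.
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate and the private key belong together.
# A mismatched pair can never produce a working TLS listener, so this is the
# first thing to rule out when a freshly installed certificate misbehaves.
cert_matches_key() {
    [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Exit status 0 when the leaf certificate covers the host name. openssl uses
# the RFC 6125 rules: *.mydomain.com covers traefik.mydomain.com but not
# a.b.mydomain.com, and only covers the bare apex if it is listed as a SAN.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Number of PEM certificates in the bundle. A bundle for a reverse proxy
# should hold the leaf first, then the intermediates; the root is optional.
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject of the first certificate: expected to be the wildcard leaf, not an
# intermediate CA (a bundle pasted in the wrong order starts with the CA).
bundle_leaf_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Live probe (needs network): pin the virtual host to the proxy address so
# that SNI and the Host header both carry the name the router rule expects,
# and print the HTTP status. A TLS failure points at the certificate side;
# a Traefik "404 page not found" means the handshake succeeded and no
# router matched on that entrypoint.
probe_router() {
    curl -sk --resolve "$1:443:$2" -o /dev/null -w '%{http_code}\n' "https://$1/"
}

# Usage: sh check-bundle.sh bundle.crt mydomain.key traefik.mydomain.com [proxy-ip]
if [ "$#" -ge 3 ]; then
    cert_matches_key "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
    cert_covers_host "$1" "$3" && echo "$3 is covered" || echo "$3 is NOT covered"
    echo "certificates in bundle: $(bundle_cert_count "$1")"
    echo "leaf: $(bundle_leaf_subject "$1")"
    if [ -n "$4" ]; then
        echo "router status for $3 via $4: $(probe_router "$3" "$4")"
    fi
fi
```

Running the offline checks first separates the two failure modes a custom certificate can produce: a bundle and key that do not belong together, or a leaf whose SANs do not cover the router's host name, both fail at the TLS layer; once those pass, a 404 from the probe is a routing question (entrypoint, `Host()` rule, provider loading) rather than a certificate one.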