Create a self-signed certificate for wordpress and cloudflare tunnel

Good evening to all,

I'm coming to you because I have spent three days desperately trying to deploy a self-signed certificate for a WordPress site.

If I trust the logs I've seen over the last few hours, I'm almost there! But for the moment I can't get the desired result. The code looks good, but something escapes me, and after staring at it for so long I no longer see it clearly.

The last logs I had access to said this:

"\x16\x03\x01\x02" 400 484 "-" "-"

After checking, this seems to be the first handshake of a connection attempt over TLS.

At the moment I can't access anything. The problem shouldn't be very serious, but as I said, after too long on it you stop seeing clearly, so before breaking my whole config I'd rather ask for help.

Here are my different configuration files:

docker.yml
version: "3.3" # Docker version in use

services: # List of services

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: unless-stopped
    #command:
    #  - "--log.level=DEBUG"
    #  - "--api.insecure=true"
    #  - "--providers.docker=true"
    #  - "--providers.docker.exposedbydefault=false"
    #  - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/traefik.yml:ro
      - ./traefik/config.yml:/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/config.yml:ro
      - ./certs:/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/certs:ro
    networks:
      - proxy
    labels:
      # Allow this container to be reachable through Traefik
      # For more information, see: Traefik Docker Documentation - Traefik
      - "traefik.enable=true"
      # Use the "traefik" router configuration defined in the dynamic configuration file: ./traefik/config.yml
      - "traefik.http.routers.traefik=true"

  wordpress:
    image: "wordpress:latest"
    container_name: "service-wordpress"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`test.fr`)"
      - "traefik.http.routers.wordpress.entrypoints=proxy"
      - "traefik.http.routers.wordpress.tls=true"
      - "traefik.http.services.wordpress.loadbalancer.server.port=4400"
    networks:
      - proxy
    ports:
      - "4400:443"

  mysql:
    image: mysql:latest
    container_name: mysql-wordpress
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mysql.rule=Host(test.fr)"
      - "traefik.http.routers.mysql.entrypoints=web"
      - traefik.tcp.routers.mysql.rule=HOSTSNI('*')
      - traefik.tcp.routers.mysql.entrypoints=web
      # - "traefik.http.routers.dashboard.entrypoints=web"
    ports:
      - 3306:3306
    networks:
      - proxy
    environment:
      - MYSQL_ROOT_PASSWORD=a
      - MYSQL_DATABASE=wordpress
      - MYSQL_PASSWORD=a
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

networks:
  proxy:
    external: true

Traefik.yml

#STATIC FILE CONFIGURATION
#THE STATIC FILES ARE THE SERVICES
#THAT ARE ACTIVATED AT STARTUP

# _1 : Define the entry point (and therefore the port) that will be listening.

entryPoints:
  web:
    address: 8081 #Listens on port 8081 and on the interface named "web"
#providers:    #Discovers the services that live on the infrastructure (docker in this case)
#  docker: {}
#  tls:
#    ca: "/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/traefik-v2-https-ssl-localhost/certs"
#    cert: /Users/arawaks/Documents/Programmation/docker and traefik/Trainings/traefik-v2-https-ssl-localhost/certs/local-cert.pem"
#    key:  /Users/arawaks/Documents/Programmation/docker and traefik/Trainings/traefik-v2-https-ssl-localhost/certs/local-key.pem"
#    insecureSkipVerify: true
#network: web
global:
  sendAnonymousUsage: false
api:
  dashboard: true
  insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

  file:
    filename: config.yml
    watch: true

log:
  level: INFO
  format: common

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

config.yaml


http:
  routers:
    traefik:
      rule: "Host(`test.fr`)"
      service: "api@internal"
      tls:
        domains:
          - main: "test.fr"
            sans:
              - "*.test.fr"
          - main: "domain.local"
            sans:
              - "*.domain.local"

tls:
  certificates:
    - certFile: "/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/certs/local-cert.pem"
      keyFile: "/Users/arawaks/Documents/Programmation/docker and traefik/Trainings/certs/local-key.pem"

I forgot to mention it above, but as you probably saw in the config files, I'm using Docker. The final goal is for my WordPress site to go through a Cloudflare tunnel, except that WordPress creates redirection problems (other services don't, so I'm pretty sure it comes from WordPress), so I want to self-sign the site to see if that fixes the problem.

Currently I get a 404 page everywhere. I must have done something while tired that made the situation worse; it shouldn't be very serious, my main problem remains using my WordPress container with a certificate.

A big thank you in advance to all

To start off, WordPress by default will only run on a single domain. You can't have it running on test.fr and domain.local. During setup WordPress saves the URL to its configuration; from then on it will always send a redirect when it's a different domain. You can change the domain somewhere in the settings.
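As an added example that is not the poster's or the replier's configuration, the script below writes a layout for the setup described in the first post (Traefik terminating TLS with a self-signed certificate in front of WordPress) and then checks one thing that is easy to get wrong: every entrypoint a router label refers to must exist in the static configuration. It also applies the point made in the reply above: WordPress is given one site URL, and is told to trust the proxy's `X-Forwarded-Proto` header so that TLS termination at Traefik (or a Cloudflare tunnel) does not cause a redirect loop. The hostnames `test.fr` and `dash.test.fr`, the `./certs` directory, the external `proxy` network and the pinned image tags are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's files: Traefik in front of WordPress with a
# self-signed certificate from a file provider, plus a check that every
# entrypoint used in a router label is defined in the static config (the first
# post sends "wordpress" to an entrypoint "proxy" that no static file defines).
# Assumed: hostnames test.fr / dash.test.fr, ./certs, external network "proxy".
set -e

write_configs() {
  mkdir -p "$1/traefik" "$1/certs"
  # Static config: web redirects to websecure; docker + file providers.
  cat > "$1/traefik/traefik.yml" <<'EOF'
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint: {to: websecure, scheme: https}
  websecure:
    address: ":443"
providers:
  docker: {endpoint: "unix:///var/run/docker.sock", exposedByDefault: false}
  file: {filename: /etc/traefik/config.yml, watch: true}
api:
  dashboard: true
EOF
  # Dynamic config: the self-signed cert and the dashboard router on websecure.
  cat > "$1/traefik/config.yml" <<'EOF'
http:
  routers:
    dashboard:
      rule: "Host(`dash.test.fr`)"
      entryPoints: [websecure]
      service: api@internal
      tls: {}
tls:
  certificates:
    - certFile: /certs/local-cert.pem
      keyFile: /certs/local-key.pem
EOF
  # Compose: mount files at container paths, not host paths. "$" in the PHP
  # below is doubled because Compose interpolates "$VAR" in values.
  cat > "$1/docker-compose.yml" <<'EOF'
services:
  traefik:
    image: traefik:v2.10
    ports: ["80:80", "443:443"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config.yml:/etc/traefik/config.yml:ro
      - ./certs:/certs:ro
    networks: [proxy]
  wordpress:
    image: wordpress:latest
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: change-me
      # One site URL, and trust the proxy's scheme so WordPress stops redirecting.
      WORDPRESS_CONFIG_EXTRA: |
        define('WP_HOME', 'https://test.fr');
        define('WP_SITEURL', 'https://test.fr');
        if (isset($$_SERVER['HTTP_X_FORWARDED_PROTO']) && $$_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { $$_SERVER['HTTPS'] = 'on'; }
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`test.fr`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls=true"
      - "traefik.http.services.wordpress.loadbalancer.server.port=80"
    networks: [proxy]
  mysql:
    image: mysql:8
    environment: {MYSQL_ROOT_PASSWORD: change-me-too, MYSQL_DATABASE: wordpress, MYSQL_USER: wordpress, MYSQL_PASSWORD: change-me}
    networks: [proxy]
networks:
  proxy: {external: true}
EOF
}

# Entrypoint names defined in the static config (keys indented under entryPoints:).
defined_entrypoints() {
  awk '/^entryPoints:/ {ep=1; next} /^[^ ]/ {ep=0} ep && /^  [A-Za-z0-9_-]+:/ {sub(/^ +/, ""); sub(/:.*/, ""); print}' "$1"
}

# Report router entrypoints used in compose labels that the static config lacks.
check_entrypoints() {
  defined=$(defined_entrypoints "$1"); missing=0
  for ep in $(sed -n 's/.*traefik\.http\.routers\.[^.]*\.entrypoints=\([^"]*\).*/\1/p' "$2" | tr ',' ' '); do
    printf '%s\n' "$defined" | grep -qx "$ep" || { echo "undefined entrypoint: $ep"; missing=1; }
  done
  return $missing
}

WORKDIR=$(mktemp -d)
write_configs "$WORKDIR"
check_entrypoints "$WORKDIR/traefik/traefik.yml" "$WORKDIR/docker-compose.yml" && echo "all router entrypoints are defined"
```

The WordPress service has no `ports:` mapping and its `loadbalancer.server.port` is 80, because the container itself only speaks HTTP; TLS exists only between the browser and Traefik. The `WORDPRESS_CONFIG_EXTRA` variable is the official image's hook for appending PHP to `wp-config.php`; the `HTTP_X_FORWARDED_PROTO` snippet is the standard reverse-proxy fix from the WordPress documentation. Run the check against your own files after every edit; a router whose entrypoint does not exist is silently dropped and shows up only as a 404.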

Thank you for your answer @bluepuma77

So, following your message, I decided to start all over again. The reason is simple: I have read a lot of documentation and watched a lot of tutorials, but now I have to start practicing. And I have to admit that even if I had the impression of understanding every line when taken individually, writing the code myself is another story.

I really want to understand what I'm doing, so for the moment I'm lowering my ambitions in order to reach the final result little by little (securing my localhost on a WordPress container).

For the moment I just want to secure access to the Traefik dashboard, but for an unknown reason it doesn't work. Could you help me, so that I can eventually transfer this understanding to the WordPress container?

Here are my files, back to 0.

First question: below is my docker-compose.yml. I noticed that in the "command" section the entry points were already set; aren't these commands normally supposed to be separated out:

command:
  #LOG
  - "--api.insecure=false"
  - "--api.DASHBOARD=true" # the API is TRUE, it is exposed on entry point 8080
  - "providers.docker=true"
  - "providers.docker.exposedbydefault=false" # Expose containers by default through Traefik. If set to false, containers that don't have a traefik.enable=true label are ignored in the resulting routing configuration.
  - "--entrypoints.web.address= 80:80"
  - "--entrypoints.traefik.address= :8080"
  - "--entrypoints.traefik.websecure.address=:443"
  - "traefik.enable=true"

And put them in the static file? (Although I suppose you can do both)

###########################BEGIN BASIC CONFIGURATION DASHBOARD TRAEFIK##########
#DOCKER-COMPOSE.yaml
version: "3.3"

services:
  traefik:
    image: traefik:latest
    container_name: traefik_dashboard
    command:
      #LOG
      - "--api.insecure=false"
      - "--api.DASHBOARD=true" # the API is TRUE, it is exposed on entry point 8080
      - "providers.docker=true"
      - "providers.docker.exposedbydefault=false" # Expose containers by default through Traefik. If set to false, containers that don't have a traefik.enable=true label are ignored in the resulting routing configuration.
      - "--entrypoints.web.address= 80:80"
      - "--entrypoints.traefik.address= :8080"
      - "--entrypoints.traefik.websecure.address=:443"
      - "traefik.enable=true"

    labels:
      #HTTPS LABELS CONFIGURATION
      - "traefik.enable: true"
      - "traefik.http.routers.traefik_https.rule: Host(`test.fr`)"
      - "traefik.http.routers.traefik_https.entrypoints: websecure"
      - "traefik.http.routers.traefik_https.tls: true"
      - "traefik.http.routers.traefik_https.service=api@internal"
      #- "traefik.http.routers.traefik_https.middlewares=traefik-auth"

      #- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$iNdRs1II$$Qdw59WFY6y0Oaf0JaZTip0"

      - "traefik.http.routers.http_traefik.rule=Host(`test.fr`)"
      - "traefik.http.routers.http_traefik.entrypoints=web"
      - "traefik.http.routers.http_traefik.middlewares=https_redirect"

      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

    ports:
      - "80:443"
      - "8080:8080"

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

#############################END BASIC CONFIGURATION DASHBOARD TRAEFIK##############################


CONFIG.yaml
# http routing section
http:
  routers:
    # Define a connection between requests and services
    traefik:
      rule: "Host(`test.fr`) && PathPrefix(`/whoami/`)"
      # If the rule matches, applies the middleware
      middlewares:
        - traefik
      # If the rule matches, forward to the whoami service (declared below)
      service: api@internal

  middlewares:
    # Define an authentication mechanism
    traefik:
      basicAuth:
        users:
          - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/

  services:
    # Define how to reach an existing service on our infrastructure
    traefik:
      loadBalancer:
        servers:
          - url: http://test.fr/whoami-service

I tried to activate password authentication but it didn't work. I think I'm missing something essential; I've read and reread the documentation, I've even made a diagram, so I think I've understood the theory, but for the practice I think I need some advice to identify what I missed.

Thanks in advance
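The `basicAuth` middleware in the post above takes htpasswd-style `user:hash` entries. Two things trip people up: the hash has to be generated in a format Traefik accepts (MD5-APR1, SHA1 or bcrypt), and when the same entry goes into a docker-compose label every `$` has to be doubled to `$$`, or Compose swallows it as variable interpolation and Traefik ends up with a truncated hash. The following is an added example, not from the thread, that generates an entry with the OpenSSL command-line tool, verifies a password against it, and escapes it for a Compose label. The user name `admin`, the password `s3cret` and the middleware name `dash-auth` are made up for the example.

```shell
#!/bin/sh
# Added example (not the poster's configuration): build a Traefik basicAuth
# entry with openssl, check it, and write it in both forms Traefik reads.
# Made-up credentials: admin / s3cret.

# user:hash in htpasswd format (MD5-APR1, one of the formats Traefik accepts).
htpasswd_line() {
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Verify a password against a user:hash line by re-hashing with the stored
# salt; APR1 hashes are $apr1$<salt>$<digest>, so the salt is field 3.
htpasswd_verify() {
  hash=${1#*:}
  salt=$(printf '%s' "$hash" | cut -d'$' -f3)
  [ "$(openssl passwd -apr1 -salt "$salt" "$2")" = "$hash" ]
}

# Double every "$" so the hash survives docker-compose interpolation.
escape_for_compose() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

LINE=$(htpasswd_line admin s3cret)
echo "file provider (config.yml):  users: [\"$LINE\"]"
echo "compose label:  - \"traefik.http.middlewares.dash-auth.basicauth.users=$(escape_for_compose "$LINE")\""
```

In a file-provider `config.yml` the hash is written as-is, as in the post's `users:` list; only Compose labels need the `$$` form. Whichever form you use, the middleware only takes effect on routers that list it under `middlewares`, and a router defined in a file provider is only loaded if `providers.file` is enabled in the static configuration.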

You need to add a provider.file to read the dynamic config file 🙂

This seems almost like a circular reference:

loadBalancer:
    servers:
        - url: http://test.fr/whoami-service

Maybe compare with this simple Traefik example.

Thanks again for your reply. I've been at it all this time, forcing myself to take breaks every hour so I don't do too many foolish things, but so far I'm not getting what I want.

Is this the line you are talking about?

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

  file:
    filename: "/Users/arawaks/Documents/Programming/docker and traefik/Training/config.yml"
    watch: true

Since the static file reads its parameters at startup, I suppose that's the one it must be added to?

If that's it, unfortunately it doesn't work either: I have access to the dashboard over http but nothing over https 😕

Here are my static files in case it helps.

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

  file:
    filename: "/Users/arawaks/Documents/Programming/docker and traefik/Training/config.yml"
    watch: true

And here is what has been added to the dynamic file

# traefik/config.yml
#DYNAMIC FILE
http:
  routers:
    traefik:
      rule: "Host(`dash.test.fr`)"
      service: "api@internal"
      tls:
        domains:
          - main: "dash.test.fr"
            

tls:
  certificates:
    - certFile: "/Users/arawaks/Documents/Programmation/docker and traefik/Training/certs/local-cert.pem"
      keyFile: "/Users/arawaks/Documents/Programmation/docker and traefik/Training/certs/local-key.pem"

I can access the dashboard via the address dash.test.fr, but still nothing over https.
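When a `tls.certificates` entry like the one above is in place but HTTPS still does not work, the two things to verify on the files themselves are that the key really belongs to the certificate (Traefik drops a mismatched pair and falls back to its built-in default certificate) and that the certificate's subjectAltName list covers the host being requested, since Traefik selects a file-provided certificate by SNI against its SANs; the `tls.domains` list on a router only drives ACME certificate requests and does not make a file certificate match. The following is an added example, not from the thread, that generates a self-signed certificate with SANs and runs both checks. It assumes the names `test.fr`, `*.test.fr` and `dash.test.fr`, the `./certs` directory, and OpenSSL 1.1.1 or newer for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not from the thread: create the self-signed certificate that
# tls.certificates points at, with every hostname in subjectAltName (clients
# and Traefik's SNI matching ignore the CN), then check that the key matches
# the certificate and that the certificate covers a requested name.
# Assumed: names test.fr / *.test.fr / dash.test.fr, ./certs, OpenSSL >= 1.1.1.
set -e

# make_cert OUTDIR NAME [NAME...]: self-signed cert and key valid for every NAME.
make_cert() {
  out="$1"; shift
  mkdir -p "$out"
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$out/local-key.pem" -out "$out/local-cert.pem" \
    -subj "/CN=$1" -addext "subjectAltName=$sans" 2>/dev/null
}

# key_matches_cert CERT KEY: 0 if both carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_covers CERT NAME: 0 if a SAN entry equals NAME or is a wildcard for its
# parent domain. A wildcard matches exactly one label, so *.test.fr covers
# dash.test.fr but not a.b.test.fr.
cert_covers() {
  sanlist=$(openssl x509 -in "$1" -noout -ext subjectAltName | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
  name="$2"; found=1
  set -f   # no globbing: "*.test.fr" must stay a literal string
  for san in $sanlist; do
    case "$san" in
      "$name") found=0 ;;
      '*.'*) [ "${name#*.}" = "${san#\*.}" ] && [ "${name%%.*}" != "$name" ] && found=0 ;;
    esac
  done
  set +f
  return $found
}

make_cert ./certs test.fr '*.test.fr' dash.test.fr
key_matches_cert ./certs/local-cert.pem ./certs/local-key.pem && echo "key matches certificate"
cert_covers ./certs/local-cert.pem dash.test.fr && echo "certificate covers dash.test.fr"
```

The browser will still warn, because nothing has signed this certificate; what the checks rule out is Traefik quietly serving its own `TRAEFIK DEFAULT CERT` instead of yours. If both checks pass and the dashboard router is attached to the `:443` entrypoint with `tls` enabled, the remaining suspects are the mount (the container must see the same paths `certFile` and `keyFile` name) and the entrypoint the request actually reaches.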