I've tried to obtain a valid certificate with the following configuration.
When using the standard HTTPS port 443, the issued certificate contains the correct DNS name, matching the domains setting.
But when using non-standard ports, the certificate is not valid: the DNS name is set to the Docker container hostname instead of the domain name.
This affects routers.apisecure and routers.bot.
Can anybody explain what I have misconfigured?
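version: '3'

networks:
  web:
    external: true

volumes:
  traefik-public-certificates: {}

services:
  traefik:
    image: "traefik:v2.3"
    container_name: "traefik"
    command:
      # ENTRYPOINTS
      - "--entrypoints.apisecure.address=:8080"
      - "--entrypoints.bot.address=:3978"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # DOMAINS for Entrypoints
      # NOTE(review): dashboard.example.local is not a publicly resolvable name
      # (.local is reserved for mDNS), so Let's Encrypt cannot complete an HTTP
      # challenge for it. When issuance fails, Traefik falls back to its generated
      # default certificate (DNS-Name *.traefik.default), which is probably what is
      # being observed on the apisecure entrypoint. Use a public hostname here or do
      # not request an ACME certificate for this entrypoint.
      - "--entrypoints.apisecure.http.tls.domains[0].main=dashboard.example.local"
      # NOTE(review): the entrypoint-level domain (netbot.example.com) differs from
      # the router rule on the whoami container (whoami.example.com); confirm which
      # name the certificate is expected to cover.
      - "--entrypoints.bot.http.tls.domains[0].main=netbot.example.com"
      - "--entrypoints.websecure.http.tls.domains[0].main=netbot.example.com"
      # HTTP -> HTTPS redirect. The original line referenced an entrypoint "foo"
      # that is not defined anywhere in this file; "web" (port 80) is the only
      # plain-HTTP entrypoint defined above. ACME HTTP-01 challenges are still
      # answered before the redirect applies.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      # DASHBOARD (api.insecure is NOT set, so the dashboard is only reachable
      # through the "api" router below and its basicauth middleware)
      - "--api=true"
      - "--api.dashboard=true"
      # api.debug exposes additional diagnostic endpoints through api@internal;
      # keep it disabled outside of troubleshooting.
      - "--api.debug=true"
      # DEBUG logs include request details; lower to INFO once the issue is resolved.
      - "--log.level=DEBUG"
      # Lets Encrypt Resolver. This is the only resolver defined in this file, so
      # every "certresolver" label must reference "myresolver".
      - "--certificatesresolvers.myresolver.acme.email=myname@example.com"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Suitable for testing (acme-staging-v02), since Let's Encrypt applies
      # rate limiting on the production CA. Staging certificates are not trusted
      # by browsers; remove this line for production issuance.
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # PROVIDERS
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=web"
    ports:
      - "80:80"
      - "443:443"
      - "3978:3978"
      # NOTE(review): no entrypoint listens on 3979; this mapping exposes nothing
      # and can be dropped.
      - "3979:3979"
      # The dashboard entrypoint is published on every host interface; basicauth
      # below is the only access control on it.
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      # The :ro flag only affects the socket file itself; the Docker API reached
      # through it still grants full control of the host's containers.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.entrypoints=apisecure"
      - "traefik.http.routers.api.rule=Host(`dashboard.example.local`)"
      # Fixed: the original pointed at "leresolver", which is not defined anywhere
      # in this file; the only resolver is "myresolver".
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      # Password protect the dashboard
      # Generate password-hash with "openssl passwd -apr1 password" -> username:passwordhash (replace $ with $$)
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=xxxxx:yyyyyyyyyyyyyyyyyyyyyyyyy"
    networks:
      web: {}

  # Working with:
  # - "traefik.http.routers.bot.entrypoints=websecure"
  #
  # but failing with:
  # - "traefik.http.routers.bot.entrypoints=bot"
  #
  # Certificate uses: DNS-Name=d0880cfc504a4da4421e932f01549656.0e1c16e873b8c791d2632dd5d4db10fa.traefik.default
  # instead of: DNS-Name=whoami.example.com
  whoami:
    image: "traefik/whoami"
    container_name: "netbot"
    labels:
      - "traefik.enable=true"
      # "traefik.port" is a Traefik v1 label and is ignored by v2.3; this is the
      # v2 equivalent (whoami listens on 80 by default, so it is optional).
      - "traefik.http.services.bot.loadbalancer.server.port=80"
      # Removed "traefik.tcp.routers.bot.tls=true": a TCP router needs a rule, so
      # Traefik v2 reports that router as an error; TLS for this service is
      # handled by the HTTP router below.
      - "traefik.http.routers.bot.tls=true"
      - "traefik.http.routers.bot.tls.certresolver=myresolver"
      - "traefik.http.routers.bot.entrypoints=websecure"
      - "traefik.http.routers.bot.rule=Host(`whoami.example.com`)"
      # "traefik.network" is a v1 label; v2 uses traefik.docker.network. It is
      # redundant here because providers.docker.network=web is set globally.
      - "traefik.docker.network=web"
    networks:
      web: {}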