[docker] domain & container frontend host labels

I had another thread where I asked a question on acme_domains. I was told by @Idez that

.. domains are optional; by default Traefik (v2 and v1) uses the Host rule defined in the router/frontend to create certificates. domains are mainly for managing wildcard certificates.

I read at https://docs.traefik.io/configuration/backends/docker/ that I could use Docker explicitly as the provider (I use Docker and docker-compose myself) and add domain.localhost to have a default domain for frontend rules. So I created this .toml file:

```toml
debug = false

logLevel = "ERROR"

defaultEntryPoints = ["http", "https"]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "docker.localhost"
  watch = true
  swarmMode = false
  exposedByDefault = false

[api]
dashboard = true
# "webentry" must be defined under [entryPoints] below (it is commented out
# there at the moment), otherwise the dashboard has no entry point to listen on
entryPoint = "webentry"

[entryPoints]
  #...
  # https://docs.traefik.io/configuration/api/#authentication
  # sudo apt-get install apache2-utils
  # htpasswd -nb admin secure_password
  # [entryPoints.webentry]
  #   address = ":8080"
  #   [entryPoints.webentry.auth]
  #     [entryPoints.webentry.auth.basic]
  #       users = ["admin:key"]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]


[acme]
email = "you@gmail.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
onDemand = false
[acme.httpChallenge]
entryPoint = "http"
# Static domain list, not used here: certificates come from Host rules (onHostRule).
# Traefik v1 expects "main" plus a "sans" array for additional names.
# [[acme.domains]]
#   main = "domain.com"
#   sans = ["monitor.domain.com"]
```

Also added LE staging. Playing with it I hit the limit for one domain, so I decided to be smarter about it.

The questions I still have, though, are these:

Do I still need to add frontend rules to the .toml to deal with all incoming domains? What if I always load site data from one Nginx container where the API serves data based on the domain? Do I still have to add a frontend rule or container label to lead people there? How would I do this? Could I perhaps do this with a regex or another way?

Two, if each app were on a different Nginx container, would I still need a specific frontend rule per site? I guess I would have to...

Three, I was using container labels like https://github.com/Larastudio/lsdock/blob/master/traefik-docker-compose.yml#L197, but perhaps it is better to avoid these, as the ones labelled with frontend rules seem to get new LE certificates on each (re)start?

If you want to have different "frontends" being handled (and you're using the Docker provider, as you said), you should go for the labels approach.

In your toml you set onDemand = false, which should not result in LE certificates being requested for every domain you add.

But I did run out of certificate requests using lsdock/traefik/traefik.toml (larastudio/lsdock on GitHub) with acme_domains monitor.lara.studio and lara.studio added:

```
traefik_1     | time="2019-07-22T04:13:09Z" level=error msg="Unable to obtain ACME certificate for domains \"lara.studio\" : unable to generate a certificate for the domains [lara.studio]: 
acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many certificates already issued for exact set of domains: lara.studio: see https://letsencrypt.org/docs/rate-limits/"
```

Perhaps a certificate request would happen on rebuilding the containers, but not on `docker-compose -f traefik-docker-compose.yml up` or `docker-compose -f traefik-docker-compose.yml up -d`, now would it?

That is possible but depends on your compose file.

Of course, if the container gets recreated and you didn't map out the acme.json file to a volume, it's lost with the new container and could therefore end in the rate limiting issue.


Geez, yeah, did not add volumes for traefik.toml nor acme.json. Totally forgot about that. New lines added now:

```yaml
- ./traefik.toml:/traefik.toml
- ./traefik/acme.json:/acme.json
```

Will test again as soon as I can. Thanks for the heads up @SantoDE !
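As an added illustration (not from the thread or the lsdock repository) of the two points raised above, the labels approach for the Docker provider and keeping acme.json on a volume so a recreated container does not request fresh certificates, here is a minimal Traefik v1 compose file matching the .toml above. The hostnames, service names and the `web` network are assumptions for the example; the traefik.toml and acme.json mounts follow the paths used in the thread.

```yaml
version: "3"

services:
  traefik:
    image: traefik:v1.7
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The Docker provider needs the socket. This grants Traefik full control of
      # the Docker daemon (root-equivalent on the host), so only do this for a
      # container you trust and keep the mount read-only.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.toml:/traefik.toml:ro
      # Persist the ACME store across "docker-compose up" and container rebuilds.
      # Create it first with: touch traefik/acme.json && chmod 600 traefik/acme.json
      # (Traefik refuses a store with permissions more open than 600).
      - ./traefik/acme.json:/acme.json
    networks:
      - web

  # One site per container: one Host rule each (question two).
  site-a:
    image: nginx:alpine
    labels:
      # Required because the toml sets exposedByDefault = false.
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:a.example.test"
      - "traefik.port=80"
    networks:
      - web

  # One container serving several domains (question one): list every host in
  # a single Host rule; onHostRule = true then issues one certificate per host.
  site-b:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:b.example.test,c.example.test"
      - "traefik.port=80"
    networks:
      - web

networks:
  web: {}
```

With `exposedByDefault = false` only containers carrying `traefik.enable=true` are published, which keeps unrelated containers off the edge router. On the regex question: Traefik v1 also offers a `HostRegexp:` matcher, but `onHostRule` can only derive certificate names from plain `Host:` rules, so a regex frontend will route traffic yet will not get a Let's Encrypt certificate by itself. Keeping the staging caServer while testing, as the thread does, avoids burning the production rate limit.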