Docker swarm secrets unable to work in traefik

Hi,

I am trying to set up secrets for Cloudflare API tokens, but I was getting an authentication error with Docker swarm secrets. I was able to get it working without the secrets. Below is the docker compose file that I am using. Can someone please help me?

version: "3.4"

services:
  traefik:
    image: "traefik:latest"
    networks:
      - traefik_default
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik-dashboard.tls=true"
        - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.example.com`)"
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        - "traefik.http.routers.traefik-dashboard.tls.domains[0].main=example.com"
        - "traefik.http.routers.traefik-dashboard.tls.domains[0].sans=*.example.com"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
        - "traefik.http.services.noop.loadbalancer.server.port=8080"
    command:
      - "--global.checknewversion=true"
      - "--global.sendanonymoususage=false"
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      # - "--api.dashboard=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=example.com"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com"

      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      # - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=admin@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/ssl-certs/acme.json"

      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_default"

    ports:
      - "80:80"
      - "443:443"
    secrets:
      - cf_email
      - cf_token
    environment:
      - "CF_API_EMAIL=/run/secrets/cf_email"
      - "CF_DNS_API_TOKEN=/run/secrets/cf_token"
      # - "CF_API_EMAIL=<EMAIL ID>"
      # - "CF_DNS_API_TOKEN=<Token Key>"
    volumes:
      # - traefik:/etc/traefik
      - traefik-certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
secrets:
  cf_email:
    external: true
  cf_token:
    external: true

volumes:
  traefik-certs:
    driver: glusterfs
    name: "gfs-docker/traefik-certs"
#   traefik:
#     driver: glusterfs
#     name: "gfs-docker/traefik"

networks:
  traefik_default:
    external: true

According to the doc:

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret as its value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

What does Traefik debug log tell you?

Check inside the Traefik container (docker exec -it <container-id> sh) whether the secret files are readable and their content is correct.
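As an added example (not code from the thread), a small POSIX shell check for the two things the reply above asks about: whether the mounted secret files are readable and whether their content is exactly the expected value, plus a check for the original mistake of setting CF_API_EMAIL to the secret's path instead of using CF_API_EMAIL_FILE. The file paths and sample values below are constructed stand-ins for /run/secrets.

```shell
#!/bin/sh
# Added example, not from the thread: validate Docker-secret files that a
# *_FILE variable (e.g. CF_API_EMAIL_FILE=/run/secrets/cf_email) points to.
# Run inside the Traefik container after `docker exec -it <container-id> sh`.
# `docker secret create NAME -` stores stdin byte-for-byte, so a secret made
# with `echo value | ...` carries a trailing newline; `printf '%s' value | ...`
# does not.

# check_secret_file PATH
# Returns 0 when PATH is readable, non-empty and free of newlines, CRs and other
# whitespace; otherwise prints the reason and returns 1.
check_secret_file() {
  f=$1
  [ -r "$f" ] || { echo "$f: missing or not readable"; return 1; }
  [ -s "$f" ] || { echo "$f: empty"; return 1; }
  # wc -l counts newline bytes; a clean single-value secret has none
  if [ "$(wc -l < "$f" | tr -d ' ')" -ne 0 ]; then
    echo "$f: contains a newline (created with echo instead of printf?)"
    return 1
  fi
  # remaining whitespace (space, tab, CR) would be sent as part of the value
  if grep -q '[[:space:]]' "$f"; then
    echo "$f: contains whitespace or a carriage return"
    return 1
  fi
  echo "$f: ok ($(wc -c < "$f" | tr -d ' ') bytes)"
  return 0
}

# check_not_path VAR
# Fails when the plain variable (CF_API_EMAIL, CF_DNS_API_TOKEN, ...) holds a
# secret path, as in the compose file above: the literal path, not the file
# content, would then be used as the credential. Use VAR_FILE for paths.
check_not_path() {
  eval "val=\${$1:-}"
  case "$val" in
    /run/secrets/*) echo "$1 holds a secret path; set $1_FILE instead"; return 1 ;;
  esac
  return 0
}

# Demo on constructed files: a clean secret and one with a trailing newline.
demo_dir=$(mktemp -d)
printf '%s' 'admin@example.com' > "$demo_dir/cf_email"
printf '%s\n' 'constructed-token-value' > "$demo_dir/cf_token"
check_secret_file "$demo_dir/cf_email"
check_secret_file "$demo_dir/cf_token" || echo "cf_token would fail at Cloudflare"
rm -rf "$demo_dir"
```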

Thank you very much for the input. I have updated the file with the details below.

environment:
  - "CF_API_EMAIL_FILE=/run/secrets/cf_email"
  - "CF_DNS_API_TOKEN_FILE=/run/secrets/cf_token"

But I was still not able to connect. After updating the email secret to "admin@example.com" in quotes, I was able to connect to Cloudflare and get the certificate.
