entryPoint websecure: error opening listener: listen tcp :443: bind: address already in use

Hello everyone, I am trying to install Traefik on Docker Swarm using docker stack deploy, following the instructions here. Any help to resolve the issue at hand would be greatly appreciated.

When I check the traefik_traefik service logs in Docker, I am getting this error. I have searched the interwebs for a solution but nobody seems to have the exact same problem. I tried different ports; still the same issue with the websecure entrypoint unable to open a listener and bind.

Error logs:

traefik_traefik.1.zlsxmql451gu@ninjaserver    | 2020/11/08 20:17:27 traefik.go:72: command traefik error: error while building entryPoint websecure: error preparing server: error opening listener: listen tcp :443: bind: address already in use

Here is a list of open ports, and 443 is not one of them.

ronin@ninjaserver:~$ sudo lsof -i -P -n | grep LISTEN
systemd-r 143 systemd-resolve 13u IPv4 235543564 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 195 root 3u IPv4 235542737 0t0 TCP *:22 (LISTEN)
sshd 195 root 4u IPv6 235542739 0t0 TCP *:22 (LISTEN)
dockerd 209 root 18u IPv6 235544715 0t0 TCP *:2377 (LISTEN)
dockerd 209 root 29u IPv6 235543937 0t0 TCP *:7946 (LISTEN)
docker-pr 608 root 4u IPv6 235544099 0t0 TCP *:9001 (LISTEN)
ronin@ninjaserver:~$ sudo netstat -tulpn | grep LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 143/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 195/sshd: /usr/sbin
tcp6 0 0 :::22 :::* LISTEN 195/sshd: /usr/sbin
tcp6 0 0 :::9001 :::* LISTEN 608/docker-proxy
tcp6 0 0 :::2377 :::* LISTEN 209/dockerd
tcp6 0 0 :::7946 :::* LISTEN 209/dockerd

Here is my docker-compose.yml

version: '3.3'
services:
  traefik:
    # Use the latest v2.2.x Traefik image available
    image: traefik:v2.2
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
      placement:
        constraints:
          # Make the traefik service run only on the node with this label
          # as the node with it has the volume for the certificates
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below)
        - traefik.docker.network=traefik-public
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        - traefik.http.middlewares.admin-auth.basicauth.users=USERNAME:HASHED_PASSWORD
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`DOMAIN`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-https.rule=Host(`DOMAIN`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=80
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Mount the volume to store the certificates
      - "/srv/traefik.DOMAIN.TLD/certs:/certificates"
      - "/srv/traefik.DOMAIN.TLD/letsencrypt:/letsencrypt"
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker=true
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.docker.swarmmode
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      #websecure address expose
      - --entrypoints.websecure.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.myresolver.acme.email=EMAIL
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      #SSL certificate
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - traefik-public
    extra_hosts: 
      - EXTRA_HOSTS
    environment:
      - NODE_ID=INSERT_NODE_ID
      - EMAIL=admin@DOMAIN.TLD
      - DOMAIN=traefik.DOMAIN.TLD
      - USERNAME=admin
      - PASSWORD="INSERT_PASSWORD"
      - HASHED_PASSWORD='INSERT_HASHED_PASS'
      #- HASHPASS_ENV: $(HASHPASS_HOST:~(openssl passwd -apr1 $PASSWORD)) 
      #- $SRV_VPATH="/srv/INSERT.DOMAIN.TLD/"
      - EXTRA_HOSTS="INSERT.DOMAIN:123.456.789.123"
    env_file:
      - ./.env
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.DOMAIN.TLD`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"    
    networks:
      - traefik-public
volumes:
  # Create a volume to store the certificates, there is a constraint to make sure
  # Traefik is always deployed to the same Docker node with the same volume containing
  # the HTTPS certificates
  traefik-public-certificates:
networks:
  # Use the previously created public network "traefik-public", shared with other
  # services that need to be publicly available via this Traefik
  traefik-public:
    external: true
    driver: overlay

You're effectively trying to bind it twice with your command line arguments.

Hmm, I see, thanks for pointing that out. What would the solution be here to resolve it? Remove websecure completely? Don't I need websecure to be associated with incoming traffic from entrypoints.https.address?

Remove one of them, they are both doing the same thing.

After I removed that line I am getting this error.

traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:37:23Z" level=error msg="the router traefik-public-https@docker uses a non-existent resolver: le"

When I remove this line I am getting these in my logs.

traefik_traefik.1.w49ygq7dk6g1@ninjaserver    | time="2020-11-08T21:41:53Z" level=error msg="entryPoint \"https\" doesn't exist" routerName=traefik-public-https@docker entryPointName=https
traefik_traefik.1.w49ygq7dk6g1@ninjaserver    | time="2020-11-08T21:41:53Z" level=error msg="no valid entryPoint for this router" routerName=traefik-public-https@docker
traefik_traefik.1.w49ygq7dk6g1@ninjaserver    | time="2020-11-08T21:41:53Z" level=error msg="entryPoint \"https\" doesn't exist" entryPointName=https routerName=traefik-public-https@docker
traefik_traefik.1.w49ygq7dk6g1@ninjaserver    | time="2020-11-08T21:41:53Z" level=error msg="no valid entryPoint for this router" routerName=traefik-public-https@docker
traefik_traefik.1.w49ygq7dk6g1@ninjaserver    | time="2020-11-08T21:41:55Z" level=error msg="the router traefik-public-https@docker uses a non-existent resolver: le"
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=http
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=https
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=https
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
traefik_traefik.1.wkmkq67e11z7@ninjaserver    | time="2020-11-08T21:41:19Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=http

Seems to me that removing websecure gives us fewer errors, since https needs to be defined, right? But how do I resolve the non-existent resolver le? I am trying to use Let's Encrypt and have it automate certificate renewal.

https or websecure is just a name for the entrypoint. It could be called cottoncanfy.

You have not defined a certificate resolver called le. You have defined one called myresolver.

So where you have referenced le replace it with myresolver.

Thanks for that, that seems to have resolved the previous error, but now I am getting an LE error.

traefik_traefik.1.zkjkpbewyuwv@ninjaserver    | time="2020-11-08T22:12:42Z" level=error msg="Unable to obtain ACME certificate for domains \"domain\": cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: \"EMAIL\" is not a valid e-mail address, url: " providerName=le.acme routerName=traefik-public-https@docker rule="Host(`DOMAIN`)"

I have used the same email previously for multiple certificates on the same host TLD. Can I not use the same email to create a wildcard certificate manually using Let's Encrypt for my subdomains on the main TLD?

Unless you've obfuscated it, this is, as it says in the error, an incorrect email address.

I have tried a different email that has never been used for Let's Encrypt before and it's still invalid. I didn't obfuscate it, I just used environment variables, so I guess that is why it prints that. Any idea what other things I could attempt to solve this?

traefik_traefik.1.zbasa87zvgb2@ninjaserver    | time="2020-11-09T03:32:06Z" level=error msg="Unable to obtain ACME certificate for domains \"domain\": cannot get ACME client acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: \"EMAIL\" is not a valid e-mail address, url: " rule="Host(`DOMAIN`)" providerName=le.acme routerName=traefik-public-https@docker

It does not look like your environment variable is correct. Should it not be EMAIL or {EMAIL} in the compose file? The error is showing you: \"EMAIL\" is not a valid e-mail address.

Or just put the email address in instead of the envvar.
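The three mistakes worked through in this thread (two entrypoints bound to the same :443 address, a router referencing an entrypoint or certificate resolver that was never defined, and an ACME email that is an unexpanded placeholder rather than a real address) can all be caught before running docker stack deploy. The following is an added example, not code from this thread or from the Traefik project: a small static lint that pattern-matches the `--entrypoints.*.address`, `--certificatesresolvers.*.acme.*` flags and the `traefik.http.routers.*` labels. It assumes the flags and labels are written in the list form used in the compose file above (so no YAML library is needed) and runs against a constructed excerpt that reproduces the thread's configuration.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the thread's compose file (not the poster's full file).
SAMPLE_COMPOSE = """
services:
  traefik:
    deploy:
      labels:
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
    command:
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.myresolver.acme.email=EMAIL
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
  whoami:
    labels:
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
"""

ENTRYPOINT_RE = re.compile(r"--entrypoints\.([\w-]+)\.address=([^\s\"']+)")
RESOLVER_RE = re.compile(r"--certificatesresolvers\.([\w-]+)\.acme\.")
ACME_EMAIL_RE = re.compile(r"--certificatesresolvers\.([\w-]+)\.acme\.email=([^\s\"']+)")
ROUTER_EP_RE = re.compile(r"traefik\.http\.routers\.([\w-]+)\.entrypoints=([^\s\"']+)")
ROUTER_RESOLVER_RE = re.compile(r"traefik\.http\.routers\.([\w-]+)\.tls\.certresolver=([^\s\"']+)")
# A usable address has a local part, an @ and a dotted domain; anything else is a placeholder.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lint_traefik_compose(text):
    """Return a list of (problem, detail) tuples for the static-config/label mismatches
    seen in the thread. Only the flag and label lines are pattern-matched, which is
    enough for compose files written in the list form of the sample above."""
    findings = []
    entrypoints = {}                 # entrypoint name -> listen address
    by_address = defaultdict(list)   # listen address -> entrypoint names
    for name, addr in ENTRYPOINT_RE.findall(text):
        entrypoints[name] = addr
        by_address[addr].append(name)

    # 1. Two entrypoints on one address: the second listener fails with
    #    "bind: address already in use", exactly as in the opening post.
    for addr, names in by_address.items():
        if len(names) > 1:
            findings.append(("duplicate_listen_address",
                             f"{addr} used by entrypoints {', '.join(names)}"))

    # 2. Routers may only reference entrypoints and resolvers that are defined.
    resolvers = set(RESOLVER_RE.findall(text))
    for router, eps in ROUTER_EP_RE.findall(text):
        for ep in eps.split(","):
            if ep not in entrypoints:
                findings.append(("undefined_entrypoint", f"router {router} -> {ep}"))
    for router, res in ROUTER_RESOLVER_RE.findall(text):
        if res not in resolvers:
            findings.append(("undefined_resolver", f"router {router} -> {res}"))

    # 3. The ACME email must be a literal address; an unexpanded placeholder such as
    #    EMAIL is rejected by the CA with urn:ietf:params:acme:error:invalidEmail.
    for res, email in ACME_EMAIL_RE.findall(text):
        if not EMAIL_RE.match(email):
            findings.append(("invalid_acme_email", f"resolver {res} -> {email!r}"))
    return findings


if __name__ == "__main__":
    for problem, detail in lint_traefik_compose(SAMPLE_COMPOSE):
        print(f"{problem}: {detail}")
```

Run it on the real compose file by reading it into `lint_traefik_compose` before deploying; an empty result means the three classes of error above will not appear in the service logs, while a non-empty result names the entrypoint, router or resolver to fix.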

