Errors after adding new entrypoint and letsencrypt

Hello. I'm quite new to traefik. In my playground, I had a fully working example with traefik working as a reverse proxy for my on-host apps (not systemd or docker).

This is my docker-compose file for traefik, working on host:

name: "traefik"

services:
    traefik:
        image: traefik:3.0.2
        restart: "on-failure"
        volumes:
            - "/home/groosha/traefik/config.yml:/etc/traefik/traefik.yml:ro"
            - "/home/groosha/traefik/configurations:/opt/traefik/configurations"
            - "/home/groosha/traefik/sslcerts:/etc/traefik/acme"
        network_mode: "host"

My static config:

# file config.yml
providers:
  file:
    directory: /opt/traefik/configurations
    watch: true

http:
  entryPoints:
    web:
      address: ":80"
    websecure:
      address: ":443"
      adDefault: true

certificatesResolvers:
  myresolver:
    acme:
      email: myemail@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

log:
  level: "DEBUG"

My dynamic config for a simple Python FastAPI app running on that host (again, no docker yet):

http:
  services:
    fastapi:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"

  routers:
    to-fastapi:
      rule: "Host(`fastapidemo.example.com`)"
      service: "fastapi"
      entryPoints:
        - "websecure"

However, upon starting traefik, I see these errors:

> Configuration received config={"http":{"routers":{"to-fastapi":{"entryPoints":["websecure"],"rule":"Host(`fastapidemo.example.com`)","service":"fastapi"}},"services":{"fastapi":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://127.0.0.1:8000"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file
> Configuration received config={"http":{"routers":{"acme-http":{"entryPoints":["web"],"priority":9223372036854775807,"rule":"PathPrefix(`/.well-known/acme-challenge/`)","ruleSyntax":"v3","service":"acme-http@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"acme-http":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
> Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=myresolver.acme
> No default certificate, fallback to the internal generated certificate tlsStoreName=default
> EntryPoint doesn't exist entryPointName=web routerName=acme-http@internal
> No valid entryPoint for this router routerName=acme-http@internal
> EntryPoint doesn't exist entryPointName=websecure routerName=to-fastapi@file
> No valid entryPoint for this router routerName=to-fastapi@file
> No default certificate, fallback to the internal generated certificate tlsStoreName=default
> EntryPoint doesn't exist entryPointName=websecure routerName=to-fastapi@file
> No valid entryPoint for this router routerName=to-fastapi@file
> EntryPoint doesn't exist entryPointName=web routerName=acme-http@internal
> No valid entryPoint for this router routerName=acme-http@internal

Before adding Let's Encrypt and the websecure endpoint everything was working, but only with HTTP. Adding HTTPS leads to these errors.

I usually prefer tlsChallenge, encryption can’t be wrong, right? :wink:

Entrypoints seem fine at first look; you don't need to assign them on the router, as you have set websecure asDefault.

You did not assign the certresolver. I prefer to assign it globally to entrypoint websecure instead of individual routers. Compare to simple Traefik example.

Hi, thank you for the answer!
Unfortunately, I still have errors: traefik.log · GitHub

New config version:

providers:
  file:
    directory: /opt/traefik/configurations
    watch: true

http:
  entryPoints:
    web:
      address: ":80"
    websecure:
      address: ":443"
      adDefault: true
      http:
        tls:
          certresolver: myresolver

certificatesResolvers:
  myresolver:
    acme:
      email: me@example.com
      storage: acme.json
      tlsChallenge: {}

log:
  level: "DEBUG"

new dynamic service config:

http:
  services:
    fastapi:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"

  routers:
    to-fastapi:
      rule: "Host(`fastapidemo.example.com`)"
      service: "fastapi"

There is no ERR, only INF and DBG :slight_smile:

Yeah, but it doesn't work anyway. No certs are generated, and the fastapi service is not available.

Also I fixed typo "adDefault" -> "asDefault", but it didn't change anything

I just noticed that my FastAPI service answers on port 80 ("web" endpoint), but doesn't answer on "websecure", even though I changed my configuration.
I kinda fixed this issue by editing my dynamic conf:

http:
  services:
    fastapi:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"

  routers:
    to-fastapi:
      rule: "Host(`fastapidemo.example.com`)"
      service: "fastapi"
      tls:
        certResolver: "myresolver"

Now certificates try to generate, but eventually I get a Connection Refused error:

> Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [fastapidemo.example.com]: error: one or more domains had a problem:\n[fastapidemo.example.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 37.187.xxx.xxx: Connection refused"

Maybe something's wrong with my Docker deploy? It's quite simple

name: "traefik"

services:
    traefik:
        image: traefik:3.0.2
        restart: "on-failure"
        volumes:
            - "/home/groosha/traefik/config.yml:/etc/traefik/traefik.yml:ro"
            - "/home/groosha/traefik/configurations:/opt/traefik/configurations"
            - "/home/groosha/traefik/sslcerts:/etc/traefik/acme"
        network_mode: "host"

With network_mode host, port 80 is reachable, but 443 may not be?

With network_mode: host, all opened ports of the application are also opened on the host. This is usually not recommended, as you might not know which ports will be opened.

Compare to simple Traefik example.

What’s your setup, running at home or in a data center? Port 443 needs to be reachable from outside.

I'm running on a VPS with "white" IP address and DNS names pointing to that VPS
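An added example, not from the thread or the Traefik project: the three files from the thread rewritten the way the replies suggest. Traefik reads entryPoints and certificatesResolvers as top-level keys of the static file (the http: wrapper in the posted configs leaves web and websecure undefined, which is what the "EntryPoint doesn't exist" lines report), the resolver is attached to the websecure entrypoint, ports are published explicitly instead of network_mode: host, and the ACME storage sits inside the mounted volume. File names, the extra_hosts entry and the storage path are assumptions; the three files are shown in one block separated by `---`.

```yaml
# docker-compose.yml (assumed file name; image, paths and domain come from the thread)
name: "traefik"
services:
  traefik:
    image: traefik:3.0.2
    restart: "on-failure"
    ports:                 # publish just the two entrypoints instead of network_mode: host
      - "80:80"
      - "443:443"
    extra_hosts:
      - "host.docker.internal:host-gateway"   # lets the container reach apps bound on the host
    volumes:
      - "/home/groosha/traefik/config.yml:/etc/traefik/traefik.yml:ro"
      - "/home/groosha/traefik/configurations:/opt/traefik/configurations:ro"
      - "/home/groosha/traefik/sslcerts:/etc/traefik/acme"
---
# config.yml (static): entryPoints and certificatesResolvers are top-level keys, not under http:
providers:
  file:
    directory: /opt/traefik/configurations
    watch: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    asDefault: true
    http:
      tls:
        certResolver: myresolver     # applies to every router on websecure
certificatesResolvers:
  myresolver:
    acme:
      email: me@example.com
      storage: /etc/traefik/acme/acme.json   # inside the mounted volume, so the cert survives restarts
      tlsChallenge: {}                       # needs port 443 reachable from the internet
log:
  level: "INFO"
---
# configurations/fastapi.yml (dynamic, assumed file name)
http:
  services:
    fastapi:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:8000"   # not 127.0.0.1: that is the container itself once host mode is gone
  routers:
    to-fastapi:
      rule: "Host(`fastapidemo.example.com`)"
      service: "fastapi"
```

After starting, `ss -ltnp` on the VPS should show both :80 and :443 listening, and the provider's firewall must also allow 443, or the tlsChallenge ends in the same connection refused error.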