File Provider not generating certs but is routing correctly

I'm new to Traefik. I am trying to proxy about 20 containers and 2 external services (Home Assistant and Blue Iris).

However, when I attempt to generate a TLS cert for the 2 external services these domains appear to just be completely ignored and no cert is ever generated. To make things simple, I've pared things down to a minimum viable config (and manually redacted a couple of things like emails) - here we go:

```yaml
# docker-compose.yaml
---
version: "2"
services:
  traefik:
    image: traefik
    container_name: traefik
    volumes:
      - /mnt/tank/appdata/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CLOUDFLARE_EMAIL=123@gmail.com
      - CLOUDFLARE_API_KEY=123
    restart: unless-stopped
  nginx:
    image: linuxserver/nginx
    container_name: nginx
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=(Host(`al.ktz.me`) && Path(`/nginx`))
      - traefik.http.routers.nginx.entrypoints=websecure
      - traefik.http.routers.nginx.tls.certresolver=cloudflare
      - traefik.http.services.nginx.loadbalancer.server.port=80
    restart: unless-stopped
```

/etc/traefik is mounted correctly inside the container (checked with docker exec -it traefik sh). My traefik.yaml file looks like this:

```yaml
entryPoints:
    web:
        address: :80
    websecure:
        address: :443
    traefik:
        address: ":8080"

ping: {}

providers:
    docker:
        endpoint: unix:///var/run/docker.sock
        watch: true
        exposedByDefault: false
    file:
        filename: /etc/traefik/rules.yaml
        watch: true

api:
    dashboard: true
    insecure: true

log:
    level: debug

certificatesResolvers:
    cloudflare:
        acme:
            email: 123@gmail.com
            storage: /etc/traefik/acme.json
            dnsChallenge:
                provider: cloudflare
                delayBeforeCheck: 0
                resolvers:
                - 1.1.1.1:53
                - 1.0.0.1:53

serversTransport:
    insecureSkipVerify: true
```

And finally the most important part:

```yaml
# rules.yaml
http:
  routers:
    harouter:
      entryPoints:
        - websecure
      rule: Host(`ha.ktz.me`)
      service: homeassistant
      tls:
        certresolver: cloudflare
  services:
    homeassistant:
      loadBalancer:
        servers:
        - url: http://192.168.1.99:8123/
```

Routing is working perfectly once I accept the insecure default cert in a browser. The Traefik web interface tells me that everything is OK too, but it isn't.

The only cert that appears in acme.json is al.ktz.me. It doesn't seem to detect the Host specified in rules.yaml, which is ha.ktz.me. The nginx server I have running at al.ktz.me/nginx works perfectly.

I put the raw container logs next for your enjoyment :slight_smile:

alex@cartman:/mnt/tank/appdata/traefik$ docker logs traefik 
time="2020-09-12T17:03:39Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"
time="2020-09-12T17:03:39Z" level=info msg="Traefik version 2.2.11 built on 2020-09-07T14:12:48Z"
time="2020-09-12T17:03:39Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"watch\":true,\"filename\":\"/etc/traefik/rules.yaml\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"ping\":{\"entryPoint\":\"traefik\"},\"log\":{\"level\":\"debug\",\"format\":\"common\"},\"certificatesResolvers\":{\"cloudflare\":{\"acme\":{\"email\":\"123@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}}}"
time="2020-09-12T17:03:39Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
time="2020-09-12T17:03:39Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2020-09-12T17:03:39Z" level=debug msg="Start TCP Server" entryPointName=websecure
time="2020-09-12T17:03:39Z" level=debug msg="Start TCP Server" entryPointName=web
time="2020-09-12T17:03:39Z" level=info msg="Starting provider *file.Provider {\"watch\":true,\"filename\":\"/etc/traefik/rules.yaml\"}"
time="2020-09-12T17:03:39Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2020-09-12T17:03:39Z" level=info msg="Starting provider *acme.Provider {\"email\":\"123@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"cloudflare\",\"store\":{},\"ChallengeStore\":{}}"
time="2020-09-12T17:03:39Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2020-09-12T17:03:39Z" level=info msg="Starting provider *traefik.Provider {}"
time="2020-09-12T17:03:39Z" level=info msg="Testing certificate renew..." providerName=cloudflare.acme
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider file: {\"http\":{\"routers\":{\"harouter\":{\"entryPoints\":[\"websecure\"],\"service\":\"homeassistant\",\"rule\":\"Host(`ha.ktz.me`)\",\"tls\":{}}},\"services\":{\"homeassistant\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.1.99:8123/\"}],\"passHostHeader\":null}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=file
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider cloudflare.acme: {\"http\":{},\"tls\":{}}" providerName=cloudflare.acme
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"ping\":{\"entryPoints\":[\"traefik\"],\"service\":\"ping@internal\",\"rule\":\"PathPrefix(`/ping`)\",\"priority\":2147483647}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{},\"ping\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2020-09-12T17:03:39Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=harouter@file serviceName=homeassistant middlewareName=pipelining middlewareType=Pipelining
time="2020-09-12T17:03:39Z" level=debug msg="Creating load-balancer" serviceName=homeassistant entryPointName=websecure routerName=harouter@file
time="2020-09-12T17:03:39Z" level=debug msg="Creating server 0 http://192.168.1.99:8123/" routerName=harouter@file serviceName=homeassistant serverName=0 entryPointName=websecure
time="2020-09-12T17:03:39Z" level=debug msg="Added outgoing tracing middleware homeassistant" routerName=harouter@file middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
time="2020-09-12T17:03:39Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
time="2020-09-12T17:03:39Z" level=debug msg="No default certificate, generating one"
time="2020-09-12T17:03:39Z" level=debug msg="Provider connection established with docker 19.03.12 (API 1.40)" providerName=docker
time="2020-09-12T17:03:39Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-alex-5efecf7c0c76765d1a51f9243fdae36416c2be47aa5e5343926a44d8a76c03d3
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"nginx\":{\"entryPoints\":[\"websecure\"],\"service\":\"nginx\",\"rule\":\"(Host(`al.ktz.me`) \\u0026\\u0026 Path(`/nginx`))\",\"tls\":{\"certResolver\":\"cloudflare\"}}},\"services\":{\"nginx\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-09-12T17:03:39Z" level=debug msg="Adding certificate for domain(s) al.ktz.me"
time="2020-09-12T17:03:39Z" level=debug msg="No default certificate, generating one"
time="2020-09-12T17:03:39Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=harouter@file serviceName=homeassistant middlewareName=pipelining middlewareType=Pipelining
time="2020-09-12T17:03:39Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=harouter@file serviceName=homeassistant
time="2020-09-12T17:03:39Z" level=debug msg="Creating server 0 http://192.168.1.99:8123/" entryPointName=websecure serverName=0 routerName=harouter@file serviceName=homeassistant
time="2020-09-12T17:03:39Z" level=debug msg="Added outgoing tracing middleware homeassistant" entryPointName=websecure routerName=harouter@file middlewareName=tracing middlewareType=TracingForwarder
time="2020-09-12T17:03:39Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-09-12T17:03:39Z" level=debug msg="Adding certificate for domain(s) al.ktz.me"
time="2020-09-12T17:03:39Z" level=debug msg="No default certificate, generating one"
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2020-09-12T17:03:40Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal
time="2020-09-12T17:03:40Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareType=RedirectRegex middlewareName=dashboard_redirect@internal
time="2020-09-12T17:03:40Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware ping@internal" entryPointName=traefik routerName=ping@internal middlewareName=tracing middlewareType=TracingForwarder
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik middlewareType=TracingForwarder middlewareName=tracing routerName=api@internal
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" middlewareType=Pipelining routerName=harouter@file serviceName=homeassistant entryPointName=websecure middlewareName=pipelining
time="2020-09-12T17:03:40Z" level=debug msg="Creating load-balancer" routerName=harouter@file serviceName=homeassistant entryPointName=websecure
time="2020-09-12T17:03:40Z" level=debug msg="Creating server 0 http://192.168.1.99:8123/" routerName=harouter@file serviceName=homeassistant serverName=0 entryPointName=websecure
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware homeassistant" entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=harouter@file
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-09-12T17:03:40Z" level=debug msg="Adding certificate for domain(s) al.ktz.me"
time="2020-09-12T17:03:40Z" level=debug msg="No default certificate, generating one"
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareType=TracingForwarder middlewareName=tracing
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2020-09-12T17:03:40Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_stripprefix@internal
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2020-09-12T17:03:40Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2020-09-12T17:03:40Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" middlewareType=Pipelining serviceName=nginx entryPointName=websecure routerName=nginx@docker middlewareName=pipelining
time="2020-09-12T17:03:40Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=nginx@docker serviceName=nginx
time="2020-09-12T17:03:40Z" level=debug msg="Creating server 0 http://172.18.0.2:80" entryPointName=websecure routerName=nginx@docker serviceName=nginx serverName=0
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware nginx" routerName=nginx@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=websecure routerName=harouter@file serviceName=homeassistant middlewareType=Pipelining middlewareName=pipelining
time="2020-09-12T17:03:40Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=harouter@file serviceName=homeassistant
time="2020-09-12T17:03:40Z" level=debug msg="Creating server 0 http://192.168.1.99:8123/" serverName=0 entryPointName=websecure routerName=harouter@file serviceName=homeassistant
time="2020-09-12T17:03:40Z" level=debug msg="Added outgoing tracing middleware homeassistant" middlewareType=TracingForwarder entryPointName=websecure routerName=harouter@file middlewareName=tracing
time="2020-09-12T17:03:40Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2020-09-12T17:03:40Z" level=debug msg="Try to challenge certificate for domain [al.ktz.me] found in HostSNI rule" providerName=cloudflare.acme routerName=nginx@docker rule="(Host(`al.ktz.me`) && Path(`/nginx`))"
time="2020-09-12T17:03:40Z" level=debug msg="Looking for provided certificate(s) to validate [\"al.ktz.me\"]..." routerName=nginx@docker rule="(Host(`al.ktz.me`) && Path(`/nginx`))" providerName=cloudflare.acme
time="2020-09-12T17:03:40Z" level=debug msg="No ACME certificate generation required for domains [\"al.ktz.me\"]." rule="(Host(`al.ktz.me`) && Path(`/nginx`))" providerName=cloudflare.acme routerName=nginx@docker

Just tried this myself and it seems to be working.

It looks like there's a configuration issue, one which Traefik should really have caught.

tls.certresolver should be tls.certResolver.

Confirmed that was my issue. Thanks @RealOrangeOne. I also agree 100%, why was this parsing failure not logged somewhere in debug mode?

Feature request!
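In the debug log above, the file provider's router arrives as `"tls":{}` while the Docker router carries `"tls":{"certResolver":"cloudflare"}`, which is the only visible trace of the dropped key. The following is an added example, not part of the original posts or of Traefik: it scans debug log text for routers in that state. The function name and the trimmed sample lines are constructed for illustration, and it assumes a router with TLS but no resolver is unintended (it is legitimate when certificates are supplied manually).

```python
import json
import re

# Constructed sample: two debug lines shaped like those in the thread, trimmed to the routers.
SAMPLE_LOG = r'''
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider file: {\"http\":{\"routers\":{\"harouter\":{\"entryPoints\":[\"websecure\"],\"service\":\"homeassistant\",\"rule\":\"Host(`ha.ktz.me`)\",\"tls\":{}}}}}" providerName=file
time="2020-09-12T17:03:39Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"nginx\":{\"entryPoints\":[\"websecure\"],\"service\":\"nginx\",\"rule\":\"(Host(`al.ktz.me`) \\u0026\\u0026 Path(`/nginx`))\",\"tls\":{\"certResolver\":\"cloudflare\"}}}}}" providerName=docker
'''

# msg="..." field of a logfmt line, allowing backslash-escaped characters inside.
MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
# The dynamic configuration dump each provider emits at debug level.
CONF_RE = re.compile(r'Configuration received from provider ([^:]+): (\{.*\})\s*$', re.S)


def routers_without_resolver(log_text):
    """Return sorted 'router@provider' names that enable TLS but have no certResolver."""
    flagged = set()
    for line in log_text.splitlines():
        field = MSG_RE.search(line)
        if not field:
            continue
        try:
            # Undo the logfmt quoting, then parse the embedded JSON document.
            msg = json.loads('"' + field.group(1) + '"')
            conf = CONF_RE.match(msg)
            if not conf:
                continue
            provider, dynamic = conf.group(1), json.loads(conf.group(2))
        except ValueError:
            continue  # not a line this check understands
        for section in ("http", "tcp"):
            routers = (dynamic.get(section) or {}).get("routers") or {}
            for name, router in routers.items():
                tls = router.get("tls")
                # "tls": {} means TLS is on but the resolver key never made it through.
                if tls is not None and not tls.get("certResolver"):
                    flagged.add(f"{name}@{provider}")
    return sorted(flagged)


if __name__ == "__main__":
    for router in routers_without_resolver(SAMPLE_LOG):
        print("TLS router with no certResolver (default cert will be served):", router)
```

Feeding it the output of `docker logs traefik` with `log.level: debug` set gives the same check against a live instance.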
