I have the following file provider:
```yaml
http:
  routers:
    hass-rtr:
      rule: "Host(`hass.REDACTED.duckdns.org`)"
      entryPoints:
        - https
      middlewares:
        - chain-no-auth
      service: hass-svc
      tls: {}
  services:
    hass-svc:
      loadBalancer:
        servers:
          - url: "http://REDACTED:8123"
```
All my docker containers are set up as follows in my compose file (example for authelia):
```yaml
labels:
  - "traefik.enable=true"
  ## HTTP Routers
  - "traefik.http.routers.authelia-rtr.entrypoints=https"
  - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)"
  - "traefik.http.routers.authelia-rtr.tls=true"
  ## Middlewares
  - "traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file"
  ## HTTP Services
  - "traefik.http.routers.authelia-rtr.service=authelia-svc"
  - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
```
For some reason, the file provider is using a different SSL cert from all the docker ones. How can this be? The file one is also due to expire soon, so is not auto renewing.
If it is expiring in the next 30 days then traefik should be trying to renew it. Check the traefik logs and make sure it is not encountering errors.
I would not be concerned with different certificates or dates as they will all depend on when they were initially added. I have 4 different certificates one I manage probably more on others.
I wonder why it's not using the same wildcard certificate as the ones in my docker-compose file though, is that normal?
Regarding the expiry, yes it's 9th June, so in about 2wks.
I checked logs and couldn't see any errors or issues with ACME. I cleared down my acme.json and forced the certificate to regenerate, which happened fine and all my docker-compose services are using the new certificate. But the file based app is still using this cert expiring 9th June, and I can't see where this certificate is even coming from.
You can inspect the acme.json and see what hosts/certificates are in there.
Where are you observing the certificate expiry / difference, in the browser?
Certificates can also be loaded directly. I assume you would recall if you did that or not.
The only other thing I could think of is if you set this site as a tcp router with TLS passthrough or it's not served by traefik at all.
Yes, it's in the browser where I see the date difference.
Your comment around TLS passthrough is an interesting one. The service I'm actually having an issue with is homeassistant supervised. Not sure if you are familiar with this, but it's also running in Docker but it's all managed outside of the other services in my docker-compose. I wonder if this is somehow managing the SSL.
I'll do some further digging.
I've made some progress with this, if I change Host(`hass.REDACTED.duckdns.org`) to Host(`hass2.REDACTED.duckdns.org`) then the correct wildcard certificate from acme.json is used, as soon as I switch back, the (now expired) one is used again.
How can I get rid of this expired one?
Issue is with Brave browser. Private mode shows the correct Cert, as do other browsers. So Brave is doing something weird.
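
The earlier suggestion to inspect acme.json, as an added example that is not part of the original thread: it lists the names on each stored certificate and returns the entries that cover a given host, treating `*` as exactly one DNS label. The Traefik v2 acme.json layout, the resolver name `dns-resolver` and the hostnames in the sample are assumptions.

```python
import json

# Constructed sample in the Traefik v2 acme.json layout (resolver name,
# hostnames and the PLACEHOLDER values are assumptions, not real data).
SAMPLE_ACME_JSON = """
{
  "dns-resolver": {
    "Certificates": [
      {"domain": {"main": "example.duckdns.org",
                  "sans": ["*.example.duckdns.org"]},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
      {"domain": {"main": "legacy.example.net"},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"}
    ]
  }
}
"""


def name_covers(pattern, host):
    """True if a certificate name covers host; '*' matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def stored_certificates(acme):
    """Yield (resolver, [names]) for every certificate entry in acme.json."""
    for resolver, data in acme.items():
        for entry in (data or {}).get("Certificates") or []:
            domain = entry.get("domain", {})
            names = [domain.get("main")] + list(domain.get("sans") or [])
            yield resolver, [n for n in names if n]


def covering(acme, host):
    """Return the stored certificates whose names cover host."""
    return [(r, names) for r, names in stored_certificates(acme)
            if any(name_covers(n, host) for n in names)]


if __name__ == "__main__":
    acme = json.loads(SAMPLE_ACME_JSON)
    print(covering(acme, "hass.example.duckdns.org"))
```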