alxsch
April 29, 2020, 8:49am
1
I think I'm really close to getting it working. I'm just getting an invalid syntax error now when I boot it up as a Docker stack. It seems to be related to using a Docker secret as the API key.
version: '3.7'
services:
  traefik:
    command:
      - '--api=true'
      - '--api.debug=true'
      - '--providers.docker=true'
      - '--providers.docker.network=reverse_proxy'
      - '--providers.docker.exposedbydefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
    container_name: traefik
    image: 'traefik:chevrotin'
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      - traefik.http.middlewares.custom.headers.stsSeconds=157,788,000 #5 years?
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.middlewares=admin
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
    networks:
      - reverse_proxy
    ports:
      - '80:80'
      - '443:443'
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - CF_API_KEY=cf_key
      - CF_API_EMAIL=MY EMAIL
      - DOMAIN_NAME=example.com
    secrets:
      - cf_key
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay
ldez
April 29, 2020, 12:33pm
2
Hello,
There are some invalid and invisible chars in the value of traefik.http.middlewares.custom.headers.stsSeconds.
Also you need to define a certificate resolver.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    command:
      - --api=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=cloudflare
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      # must match the resolver name defined under command (leresolver)
      - traefik.http.routers.traefik.tls.certresolver=leresolver
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      - traefik.http.middlewares.custom.headers.stsSeconds=157788000 #5 years?
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - CF_API_KEY=xxxx
      - CF_API_EMAIL=xxx
      - DOMAIN_NAME=example.com
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay
1 Like
alxsch
April 29, 2020, 10:15pm
3
I have removed the invalid characters in traefik.http.middlewares.custom.headers.stsSeconds.
How might I go on to define a certificate resolver?
Like this? I want it to generate a certificate for services that I put on the public internet using subdomains.
- "--certificatesresolvers.leresolver.acme.dnschallenge=true"
- "--certificatesresolvers.leresolver.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.leresolver.acme.email=${CF_API_EMAIL}"
- "--certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json"
I am still getting this error:
traefik_traefik.1.5so5xju7db80@SERVER01 | time="2020-04-29T18:08:57-04:00" level=error msg="strconv.ParseInt: parsing \"\\u202d\\u202a157788000\\u202c\\u202c\":invalid syntax" providerName=docker container=traefik-traefik-1-5so5xju7db80smhgbll2fzya4-9d33b70c007d71fbc021137a1b0e0d2bbd8a84d94c4ab9c3ed826fedcf58a5b8
ldez
April 29, 2020, 10:17pm
4
alxsch
April 29, 2020, 10:33pm
5
Looks like just one more issue.
traefik_traefik.1.wjcnq2ip4ow6@SERVER01 | time="2020-04-29T18:34:58-04:00" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]:
ldez
April 29, 2020, 11:01pm
6
You have to replace example.com with your domain.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    command:
      - --api=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=cloudflare
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      # must match the resolver name defined under command (leresolver)
      - traefik.http.routers.traefik.tls.certresolver=leresolver
      - traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN_NAME}
      - traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN_NAME}
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      - traefik.http.middlewares.custom.headers.stsSeconds=157788000 #5 years?
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - CF_API_KEY=xxxx
      - CF_API_EMAIL=xxx
      - DOMAIN_NAME=example.com
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay
alxsch
April 29, 2020, 11:22pm
7
I did that but I think I haven't completely removed DNS responsibilities from a web host I'm using for another page. I'm guessing they are butting heads?
My acme file shows this after the private key and account:
    "KeyType": "4096"
  },
  "Certificates": null
}
After adding to the stack I now get the error:
traefik_traefik.1.efns5gp4gz55@SERVER01 | time="2020-04-29T19:56:48-04:00" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]:
error: one or more domains had a problem:\n[*.example.com] [*.example.com] acme: error presenting token: cloudflare: failed to find zone example.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\": false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\"\n[example.com]
[example.com] acme: error presenting token: cloudflare: failed to find zone example.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":
Looks like Docker secrets are not being output as plain text for the yml.
Sorry for the spam but here is an updated yml.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    command:
      - --api=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=me@example.com
      - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      - traefik.http.middlewares.custom.headers.stsSeconds=315360000
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - CF_API_KEY= the plain text key
      - CF_API_EMAIL=me@example.com
      - DOMAIN_NAME=example.com
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay
Looks like wrong cloudflare credentials.
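A small pre-deploy checker for the two faults this thread ran into (the invisible bidi control characters inside stsSeconds, and a Docker secret's name being passed as CF_API_KEY instead of its contents), added here as an example and not part of the thread or of Traefik. The compose fragment is constructed, and the suggested `_FILE` form assumes lego, Traefik's ACME library, reads file-backed variables such as CF_API_KEY_FILE.

```python
import re
import unicodedata

# Constructed sample, not the thread's file verbatim: the stsSeconds value carries
# the invisible bidi controls (U+202D, U+202A, U+202C) Traefik's log reported,
# and CF_API_KEY is set to the *name* of a Docker secret, not its contents.
SAMPLE_COMPOSE = (
    "services:\n"
    "  traefik:\n"
    "    labels:\n"
    "      - traefik.http.middlewares.custom.headers.stsSeconds="
    "\u202d\u202a157788000\u202c\u202c\n"
    "    environment:\n"
    "      - CF_API_KEY=cf_key\n"
    "    secrets:\n"
    "      - cf_key\n"
    "secrets:\n"
    "  cf_key:\n"
    "    external: true\n"
)

# One "- key=value" list item (label, flag or env entry); quotes and a trailing comment tolerated.
ITEM_RE = re.compile(r"""^\s*-\s*['"]?([^=]+?)=(.*?)['"]?\s*(?:#.*)?$""")

def _items(text):
    for n, line in enumerate(text.splitlines(), 1):
        m = ITEM_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2)

def hidden_chars(text):
    """(line, key, [U+XXXX, ...]) for values holding Unicode format/control
    characters: invisible in most editors, fatal to strconv.ParseInt."""
    return [(n, key, bad) for n, key, val in _items(text)
            if (bad := [f"U+{ord(c):04X}" for c in val
                        if unicodedata.category(c) in ("Cf", "Cc")])]

def declared_secrets(text):
    """Names under the top-level 'secrets:' block (column 0, unlike the service-level list)."""
    block = re.search(r"^secrets:\n((?:[ \t].*\n)+)", text, re.M)
    return set(re.findall(r"^  (\S+):\s*$", block.group(1), re.M)) if block else set()

def secret_name_as_value(text):
    """Flag VAR=<secret name>: Compose mounts the secret at /run/secrets/<name>
    and never substitutes the name, so the literal string reaches Cloudflare.
    Suggest the VAR_FILE form (assumed: lego reads file-backed variables)."""
    names = declared_secrets(text)
    return [(n, key, f"{key}_FILE=/run/secrets/{val}")
            for n, key, val in _items(text) if val in names]
```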