First Traefik config - invalid syntax error

I think I'm really close to getting it working. I'm just getting an invalid syntax error now when I boot it up as a Docker stack. It seems to be related to using a Docker secret as the API key.

# Compose file from the question, kept exactly as posted: a single Traefik v2
# service with dashboard router, security-header middleware, basic-auth
# middleware and a Cloudflare API key that is meant to come from a Docker secret.
version: '3.7'
services:
    traefik:
        command:
            - '--api=true'
            # api.debug turns on Traefik's extra debugging/profiling endpoints
            # on the API; it is a troubleshooting switch, not a production default.
            - '--api.debug=true'
            - '--providers.docker=true'
            - '--providers.docker.network=reverse_proxy'
            - '--providers.docker.exposedbydefault=false'
            - '--entrypoints.web.address=:80'
            - '--entrypoints.websecure.address=:443'
            # No --certificatesresolvers.* flag is set in this list, yet the router
            # label below asks for `tls.certresolver=letsencrypt`.
        # NOTE(review): `docker stack deploy` ignores container_name and restart;
        # they only take effect with plain docker-compose.
        container_name: traefik
        image: 'traefik:chevrotin'
        labels:
            - traefik.enable=true
            # The `custom` headers middleware is only defined here. The router
            # below lists `middlewares=admin`, so as written these headers are
            # not attached to the dashboard router.
            - traefik.http.middlewares.custom.headers.browserXSSFilter=true
            - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
            - traefik.http.middlewares.custom.headers.forceSTSHeader=true
            - traefik.http.middlewares.custom.headers.frameDeny=true
            - traefik.http.middlewares.custom.headers.sslredirect=true
            - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
            - traefik.http.middlewares.custom.headers.stsPreload=true
            # This value carries invisible Unicode bidi control characters
            # (U+202D, U+202A before the digits, U+202C twice after them) plus
            # thousands separators. Traefik parses stsSeconds as an integer, so
            # the label is rejected with the strconv.ParseInt error in the thread.
            - traefik.http.middlewares.custom.headers.stsSeconds=‭‪157,788,000‬‬ #5 years?
            # Dashboard access control: basic auth backed by a users file that
            # arrives through the read-only ./config bind mount.
            - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
            - traefik.http.routers.traefik.entrypoints=websecure
            - traefik.http.routers.traefik.middlewares=admin
            # ${DOMAIN_NAME} is substituted by Compose at deploy time from the
            # deploying shell (or .env), not from this service's `environment:`.
            - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
            - traefik.http.routers.traefik.service=api@internal
            - traefik.http.routers.traefik.tls.certresolver=letsencrypt
            - traefik.http.routers.traefik.tls.domains[0].main=example.com
            - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
        networks:
            - reverse_proxy
        ports:
            - '80:80'
            - '443:443'
        restart: unless-stopped
        volumes:
            - ./config:/etc/traefik/config:ro
            # Holds acme.json (ACME account key and issued certificate keys);
            # keep the host directory readable by the Traefik user only.
            - ./letsencrypt:/etc/traefik/acme:rw
            - ./log:/etc/traefik/log:rw
            # `:ro` makes the socket file's mount read-only; it does not limit
            # which Docker API calls can be sent over the socket. A process that
            # can reach this socket can control the Docker daemon.
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - /etc/localtime:/etc/localtime:ro
        environment:
            # This sets the literal string "cf_key", not the secret's content.
            # Docker mounts the secret as a file at /run/secrets/cf_key; the ACME
            # library Traefik uses (lego) can read it via CF_API_KEY_FILE.
            - CF_API_KEY=cf_key
            - CF_API_EMAIL=MY EMAIL
            - DOMAIN_NAME=example.com
        # Grants this service access to the externally created secret `cf_key`.
        secrets:
          - cf_key
secrets:
    cf_key:
        # Must already exist in the swarm (created outside this file).
        external: true
networks:
    default:
        driver: bridge
    reverse_proxy:
        driver: overlay

Hello,

there are some invalid and invisible chars in the value of traefik.http.middlewares.custom.headers.stsSeconds

Also you need to define a certificate resolver.

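# Traefik v2 ("chevrotin") reverse proxy with a Let's Encrypt DNS-01 resolver
# backed by Cloudflare. Corrected from the question: the stsSeconds value is a
# plain integer and a certificate resolver is defined.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - '80:80'
      - '443:443'
    command:
      - --api=true
      # Debug/profiling endpoints on the API; switch off once troubleshooting
      # is finished.
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # The resolver is named `leresolver`; router labels must reference
      # exactly this name.
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=cloudflare
    labels:
      - traefik.enable=true
      # ${DOMAIN_NAME} is substituted by Compose at deploy time from the
      # deploying shell (or .env), not from this service's `environment:`.
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      # Was `letsencrypt`, which no --certificatesresolvers flag defines.
      - traefik.http.routers.traefik.tls.certresolver=leresolver
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
      # Security-header middleware. It is only defined here: the router above
      # lists `middlewares=admin`, so add `custom` to a router's middlewares
      # list for these headers to be sent.
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      # 157788000 s is about 5 years; the value must be bare ASCII digits.
      - traefik.http.middlewares.custom.headers.stsSeconds=157788000
      # Basic auth in front of the dashboard (api@internal).
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      # Holds acme.json (ACME account key and certificate private keys).
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      # `:ro` does not restrict Docker API calls made over the socket; access
      # to it is equivalent to control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Placeholders. Prefer keeping the real key out of this file: attach the
      # `cf_key` secret to the service and point CF_API_KEY_FILE at
      # /run/secrets/cf_key.
      - CF_API_KEY=xxxx
      - CF_API_EMAIL=xxx
      - DOMAIN_NAME=example.com

# Declared but not attached to the service above; it has no effect until the
# service lists it under its own `secrets:` key.
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay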

I have removed the invalid characters in traefik.http.middlewares.custom.headers.stsSeconds.
How might I go on to define a certificate resolver?
Like this? I want it to generate a certificate for services that I put on the public internet using subdomains.

            # Static-configuration flags for the service's `command:` list. They
            # define an ACME resolver named `leresolver` using the DNS-01
            # challenge; a router only uses it when its label reads
            # `...tls.certresolver=leresolver` (the names must match exactly).
            - "--certificatesresolvers.leresolver.acme.dnschallenge=true"
            - "--certificatesresolvers.leresolver.acme.dnschallenge.provider=cloudflare"
            # ${CF_API_EMAIL} is substituted by Compose at deploy time from the
            # deploying shell (or .env), not from the container's `environment:`.
            - "--certificatesresolvers.leresolver.acme.email=${CF_API_EMAIL}"
            # acme.json stores the ACME account key and certificate private keys.
            - "--certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json"

I am still getting this error:

traefik_traefik.1.5so5xju7db80@SERVER01    | time="2020-04-29T18:08:57-04:00" level=error msg="strconv.ParseInt: parsing \"\\u202d\\u202a157788000\\u202c\\u202c\":invalid syntax" providerName=docker container=traefik-traefik-1-5so5xju7db80smhgbll2fzya4-9d33b70c007d71fbc021137a1b0e0d2bbd8a84d94c4ab9c3ed826fedcf58a5b8

I recommend to copy-paste my version of your file.

\\u202a -> https://www.fileformat.info/info/unicode/char/202a/index.htm
\\u202b -> https://www.fileformat.info/info/unicode/char/202b/index.htm
\\u202d -> https://www.fileformat.info/info/unicode/char/202d/index.htm
\\u202c-> https://www.fileformat.info/info/unicode/char/202c/index.htm

Looks like just one more issue.

traefik_traefik.1.wjcnq2ip4ow6@SERVER01    | time="2020-04-29T18:34:58-04:00" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]:

You have to replace example.com by your domain.

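# Same Traefik stack as before, with the certificate domains taken from
# ${DOMAIN_NAME} instead of a hard-coded example.com.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - '80:80'
      - '443:443'
    command:
      - --api=true
      # Debug/profiling endpoints on the API; switch off once troubleshooting
      # is finished.
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # The resolver is named `leresolver`; router labels must reference
      # exactly this name.
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=cloudflare
    labels:
      - traefik.enable=true
      # Every ${DOMAIN_NAME} below is substituted by Compose at deploy time
      # from the deploying shell (or .env). The DOMAIN_NAME entry under
      # `environment:` only reaches the container and does not feed these
      # labels, so export the variable before deploying.
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      # Was `letsencrypt`, which no --certificatesresolvers flag defines.
      - traefik.http.routers.traefik.tls.certresolver=leresolver
      - traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN_NAME}
      - traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN_NAME}
      # Security-header middleware. It is only defined here: the router above
      # lists `middlewares=admin`, so add `custom` to a router's middlewares
      # list for these headers to be sent.
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      # 157788000 s is about 5 years; the value must be bare ASCII digits.
      - traefik.http.middlewares.custom.headers.stsSeconds=157788000
      # Basic auth in front of the dashboard (api@internal).
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      # Holds acme.json (ACME account key and certificate private keys).
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      # `:ro` does not restrict Docker API calls made over the socket; access
      # to it is equivalent to control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Placeholders. Prefer keeping the real key out of this file: attach the
      # `cf_key` secret to the service and point CF_API_KEY_FILE at
      # /run/secrets/cf_key.
      - CF_API_KEY=xxxx
      - CF_API_EMAIL=xxx
      - DOMAIN_NAME=example.com

# Declared but not attached to the service above; it has no effect until the
# service lists it under its own `secrets:` key.
secrets:
  cf_key:
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay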

I did that, but I think I haven't completely removed DNS responsibilities from a web host I'm using for another page. I'm guessing they are butting heads?

After the private key and account, my acme file shows:

"KeyType": "4096"
    },
    "Certificates": null
  }

After adding to the stack I now get the error:

traefik_traefik.1.efns5gp4gz55@SERVER01    | time="2020-04-29T19:56:48-04:00" level=error msg="Unable to obtain ACME certificate for domains \"example.com,*.example.com\" : unable to generate a certificate for the domains [example.com *.example.com]:
error: one or more domains had a problem:\n[*.example.com] [*.example.com] acme: error presenting token: cloudflare: failed to find zone example.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\": false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":6103,\\\"message\\\":\\\"Invalid format for X-Auth-Key header\\\"}]}],\\\"messages\\\":[],\\\"result\\\":null}\"\n[example.com]
[example.com] acme: error presenting token: cloudflare: failed to find zone example.com.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content \"{\\\"success\\\":false,\\\"errors\\\":[{\\\"code\\\":6003,\\\"message\\\":\\\"Invalid request headers\\\",\\\"error_chain\\\":[{\\\"code\\\":

It looks like Docker secrets are not being output as plain text in the yml.

Sorry for the spam but here is an updated yml.

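# Updated stack from the thread: the resolver is now named `letsencrypt`,
# matching the router label, and certificates are requested from the Let's
# Encrypt staging CA. The Cloudflare key is read from the `cf_key` Docker
# secret instead of being written into this file in plain text.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    container_name: traefik
    ports:
      - '80:80'
      - '443:443'
    command:
      - --api=true
      # Debug/profiling endpoints on the API; switch off once troubleshooting
      # is finished.
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.network=reverse_proxy
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=me@example.com
      - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare
      # Staging CA: useful while debugging issuance, but its certificates are
      # not trusted by browsers. Remove this flag for production.
      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    labels:
      - traefik.enable=true
      # ${DOMAIN_NAME} is substituted by Compose at deploy time from the
      # deploying shell (or .env), not from this service's `environment:`.
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=admin
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
      # Security-header middleware. It is only defined here: the router above
      # lists `middlewares=admin`, so add `custom` to a router's middlewares
      # list for these headers to be sent.
      - traefik.http.middlewares.custom.headers.browserXSSFilter=true
      - traefik.http.middlewares.custom.headers.contentTypeNosniff=true
      - traefik.http.middlewares.custom.headers.forceSTSHeader=true
      - traefik.http.middlewares.custom.headers.frameDeny=true
      - traefik.http.middlewares.custom.headers.sslredirect=true
      - traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.custom.headers.stsPreload=true
      # 315360000 s = 10 x 365 days.
      - traefik.http.middlewares.custom.headers.stsSeconds=315360000
      # Basic auth in front of the dashboard (api@internal).
      - traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
    networks:
      - reverse_proxy
    restart: unless-stopped
    volumes:
      - ./config:/etc/traefik/config:ro
      # Holds acme.json (ACME account key and certificate private keys).
      - ./letsencrypt:/etc/traefik/acme:rw
      - ./log:/etc/traefik/log:rw
      # `:ro` does not restrict Docker API calls made over the socket; access
      # to it is equivalent to control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Read the key from the secret file Docker mounts for this service; the
      # ACME library Traefik uses (lego) accepts the *_FILE form of its
      # variables. This keeps the credential out of the compose file and out
      # of `docker inspect` output.
      # NOTE(review): the `Invalid format for X-Auth-Key header` error in the
      # thread suggests the value sent was not a well-formed Global API Key
      # (stray whitespace, or a scoped API token, which belongs in
      # CF_DNS_API_TOKEN instead) - confirm against the Cloudflare account.
      - CF_API_KEY_FILE=/run/secrets/cf_key
      - CF_API_EMAIL=me@example.com
      - DOMAIN_NAME=example.com
    secrets:
      - cf_key

secrets:
  cf_key:
    # Must already exist in the swarm (created outside this file).
    external: true
networks:
  default:
    driver: bridge
  reverse_proxy:
    driver: overlay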

Looks like wrong cloudflare credentials.