Hi, I'm facing a couple of problems when using Let's Encrypt.
traefik version: v2.1
- If I set the file permission of the acme.json file to 600, then I get the error below:
level=error msg="The ACME resolver \"le\" is skipped from the resolvers list because: unable to get ACME account: open /etc/traefik/acme/acme.json: permission denied"
- If I set the permission to anything other than 600, then I get:
file permission is too open. please change the file permission to 600.
- I have created a certificatesResolvers with the name myresolver and am using it like below.
proxy-config.yaml
```toml
[http.routers]
  [http.routers.myrouter]
    rule = "Host(`bchain.example.in`)"
    middlewares = ["redirect-to-https"]
    service = "goserver"
    entryPoints = ["websecure"]
    [http.routers.myrouter.tls]
      certResolver = "myresolver"
      [[http.routers.myrouter.tls.domains]]
        main = "bchain.example.com"

[http.middlewares]
  [http.middlewares.redirect-to-https.redirectScheme]
    scheme = "https"
    #port = "443"
    permanent = true

[http.services]
  [http.services.goserver.loadBalancer]
    [[http.services.goserver.loadBalancer.servers]]
      url = "http://10.160.0.10:8001" # using this to send the req to go app server for REST APIs

# NOTE: in Traefik v2, certificatesResolvers is static configuration;
# the file provider only loads dynamic configuration (routers, middlewares, services).
[certificatesResolvers.myresolver.acme]
  email = "test@gmail.com"
  storage = "./letsencrypt/acme.json"
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.myresolver.acme.tlsChallenge]
```
But in the logs I'm getting the error below:
level=error msg="the router myrouter@file uses a non-existent resolver: myresolver"
docker-traefik.yaml file
```yaml
traefik:
  deploy:
    replicas: 1
    restart_policy:
      condition: on-failure
      delay: 5s
      max_attempts: 5
    placement:
      constraints:
        - node.hostname == gcloud1
        - node.role == manager
    labels:
      - "traefik.enable=true"
      # here router is api and in proxy-config.toml file router is myrouter
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.api.service=api@internal" # Let the dashboard access the traefik api
      - "traefik.http.routers.api.middlewares=auth" # Creating an auth middleware
      - "traefik.http.middlewares.auth.basicauth.users=prayag:XXX" # using double $ to escape a single $, else not accepted
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.entrypoints=websecure"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https if any request is a http request
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)" # redirect anything
      - "traefik.http.routers.redirs.entrypoints=web" # telling it to redirect just http requests, not everything
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
  hostname: traefik
  image: "traefik:v2.1"
  command: # static configuration via CLI flags; the "le" resolver is defined here
    - --providers.file.filename=/etc/traefik/proxy-config.toml # Using file for reading the config
    - --entrypoints.websecure.address=:443
    #- --api.insecure # enabling dashboard on insecure connection
    - --api=true
    - --api.dashboard=true
    - --api.debug=true
    - --log.level=DEBUG
    # lets encrypt
    - --certificatesresolvers.le.acme.email=mygmail@gmail.com
    - --certificatesresolvers.le.acme.storage=/etc/traefik/acme/acme.json
    - --certificatesresolvers.le.acme.tlschallenge=true
    - --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
  volumes:
    - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
    - ./letsencrypt/acme.json:/etc/traefik/acme/acme.json
  ports:
    - target: 5050
      published: 5050
      mode: host
    - target: 443
      published: 443
      mode: host
    - target: 8080
      published: 8080
      mode: ingress # traefik dashboard
  networks:
    - proxy-network
    - test-network
```
My scenario is that I'm trying to use two different subdomains: one for the dashboard (traefik.example.com) and the other for my REST APIs (bchain.example.com), and I'm trying to get TLS certificates for both.
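For reference, here is how the two halves fit together in Traefik v2, as an added example that is not part of the post above or of Traefik's own files. Certificate resolvers are static configuration: they are read once at startup from traefik.toml or from `--certificatesresolvers.<name>.acme.*` flags, which is why the `le` resolver passed on the command line exists while the `myresolver` table placed in the file-provider config does not. The file provider only loads dynamic configuration (routers, middlewares, services, TLS options), so a router's `certResolver` must name a resolver from the static side. The entry point, resolver name, e-mail, hostnames, backend URL and paths are assumptions taken from the post; the ACME store is assumed to be a regular file created beforehand (`touch ./letsencrypt/acme.json && chmod 600 ./letsencrypt/acme.json`) with mode 600 and owned by the uid Traefik runs as, which is root in the official image.

```toml
# traefik.toml (static configuration, read once at startup)
# Equivalent to the --entrypoints.* / --providers.* / --certificatesresolvers.* flags.
[entryPoints]
  [entryPoints.websecure]
    address = ":443"

[providers]
  [providers.file]
    filename = "/etc/traefik/proxy-config.toml"   # assumed path, as in the post

# Resolvers live here, not in the file-provider config.
# Whatever name is used here is the only name a router's certResolver may reference.
[certificatesResolvers.myresolver.acme]
  email = "test@gmail.com"                        # assumed, taken from the post
  storage = "/etc/traefik/acme/acme.json"         # regular file, mode 0600, owned by Traefik's uid
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"   # staging CA while testing
  [certificatesResolvers.myresolver.acme.tlsChallenge]   # TLS-ALPN-01 needs port 443 reachable

# ---------------------------------------------------------------------------
# proxy-config.toml (dynamic configuration, loaded by the file provider)
# Only http/tcp/tls dynamic tables belong here; a [certificatesResolvers]
# table in this file is not read, and routers referencing it are skipped.
[http.routers]
  [http.routers.myrouter]
    rule = "Host(`bchain.example.com`)"             # same host as the certificate requested below
    service = "goserver"
    entryPoints = ["websecure"]
    [http.routers.myrouter.tls]
      certResolver = "myresolver"                   # must match the static-config resolver name
      [[http.routers.myrouter.tls.domains]]
        main = "bchain.example.com"

[http.middlewares]
  [http.middlewares.redirect-to-https.redirectScheme]
    scheme = "https"
    permanent = true

[http.services]
  [http.services.goserver.loadBalancer]
    [[http.services.goserver.loadBalancer.servers]]
      url = "http://10.160.0.10:8001"               # assumed backend, taken from the post
```

With the resolver on the static side, both routers can share it: the dashboard router defined through labels would reference the same resolver name, and both hostnames are issued from one ACME account stored in the same acme.json. The redirect middleware is kept in the dynamic file but is not attached to the websecure router, since that router already receives HTTPS traffic.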