Help with configuring Traefik with Self Signed certificates

typedef · October 3, 2020, 1:05pm

Hey community!

I'm using docker as a provider and at the moment trying to configure self signed certificates for Treafik. I'm following step by step all the settings but it seems I'm missing something as Traefik keeps serving its own certs.

This is my docker-compose.yml:

version: '3.7'
services:
  # traefik service
  traefik:
    image: "traefik:v2.2"
    command:
      - --providers.file.filename=/dynconf/dyn.toml
      - --providers.file.watch=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.to-dashboard.rule=Host(`dashboard.local`)"
      - "traefik.http.routers.to-dashboard.entrypoints=dashboard"
      - "traefik.http.routers.to-dashboard.middlewares=auth"
      - "traefik.http.routers.to-dashboard.service=api@internal"
      - "traefik.http.middlewares.auth.basicauth.users=test:<redacted>"

    container_name: "traefik"
    ports:
      - "11000:80"
      - "11001:443"
      - "127.0.0.1:11002:8181"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/traefik/traefik.toml:/traefik.toml:ro"
      - "/home/traefik/dynconf/dyn.toml:/dynconf/dyn.toml"
      - "/home/traefik/certs/:/certs/"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.to-whoami.rule=Host(`container.internal`)"
      - "traefik.http.routers.to-whoami.entrypoints=web"
      - "traefik.http.routers.to-whoami.middlewares=https_redirect"

      - "traefik.http.routers.to-whoami-secure.rule=Host(`container.internal`)"
      - "traefik.http.routers.to-whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.to-whoami-secure.tls=true"

      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  httpecho2:
    image: "hashicorp/http-echo"
    container_name: "httpecho1"
    command: "-text='whoami hello world'"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.to-httpecho2.rule=Host(`container.internal`) && Path(`/httpecho`)"
      - "traefik.http.routers.to-httpecho2.entrypoints=web"
      - "traefik.http.routers.to-httpecho2.middlewares=https_redirect"

      - "traefik.http.routers.to-httpecho2-secure.rule=Host(`container.internal`) && Path(`/httpecho`)"
      - "traefik.http.routers.to-httpecho2-secure.entrypoints=websecure"
      - "traefik.http.routers.to-httpecho2-secure.entrypoints=websecure"
      - "traefik.http.routers.to-httpecho2-secure.tls=true"

      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

networks:
  default:
    external:
      name: "traefik_network"

And this is my dynamic configuration:

[[tls.certificates]]
  certFile = "/certs/container.crt"
  keyFile = "/certs/container.key"

Would appreciate any recommendations.

Thanks

ldez · October 3, 2020, 2:09pm

Hello,

In Traefik v2, the sources of static configuration are mutually exclusive:

Configuration Introduction | Traefik | v2.3

This means that you can't use CLI flags and file (traefik.toml) at the same time, you have to choose between CLI flags and file (traefik.toml).

So you have to move the section:

to the traefik.toml file.

Also, I recommend using directory instead of filename.

File | Traefik | v2.3

[providers.file]
  directory = "/dynconf"
  watch = true

typedef · October 3, 2020, 2:38pm

Hi @ldez,

Thank you so much! This one worked!

I thought TLS was dynamic configuration, that's why I added it as a command line argument. Any reference in the documentation says it's dynamic configuration: https://doc.traefik.io/traefik/v2.3/https/tls/

I have one more issue. On the server I'm testing Traefik on, I'm already running Apache on ports 80 and 443. When I do a curl to http://container.internal:11000 I'm redirected to https://container.internal and presented with the page that Apache serves on 443 instead of https://container.internal:11001. Which configuration I'll have to change for this? I'm not able to explain why this happens

ldez · October 3, 2020, 2:54pm

The TLS section is a part of the dynamic configuration and must be define through the file provider.

The CLI Flags are related to the static configuration.

system · October 6, 2020, 2:54pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik v2.10 Configuration Issue with Custom SSL Certificate and Docker Traefik v2 (latest) docker	1	316	December 24, 2023
Use self-signed certificates with docker/docker-compose Traefik v2 (latest) docker	1	1902	March 2, 2020
Self Signed Certificate Traefik v2 (latest) docker , letsencrypt-acme , middleware	2	1591	June 7, 2020
Issues with TLS configuration in v2 Traefik v2 (latest) docker	12	5056	December 24, 2019
Cannot get traefik to work with self-signed certificate - an exception cannot be added for the website Traefik v2 (latest) docker	9	2089	October 22, 2021

Help with configuring Traefik with Self Signed certificates

Related Topics