Help with SSL on cpanel DynamicDNS

jmwtac · September 29, 2023, 9:10am

Morning

So I have traefik setup and routing my services from my DynamicDNS I have setup in cpanel with my domain hosts. They automatically create an SSL cert when you setup the dynamicDNS.
Issue I have is when viewing the sites they are showing as not secure as browser cannot read the cert.
How do I get the cert into traefik, I can view the cert , private key etc in cpanel ?

Hope this all makes sense. I used to use Nginx as it has cpanel plugin but its not as flexible as traefik ?

bluepuma77 · September 29, 2023, 10:57am

Traefik can manage LetsEncrypt by itself (create & update certs), check simple Traefik example.

If you want to use a TLS cert created by a different program, than you need to load it in Traefik dynamic config file TLS section, which needs to be loaded in static config with provider.file. (doc)

jmwtac · September 30, 2023, 1:50pm

So I have it working locally . with my allowed Ip's. I now need to add basic auth if come in externally.
This is my fileConfig.yml


http:
  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
  routers:
    # Homeassistant routing example - Remove if not used
     adminer:

       entryPoints:

         - https

       rule: 'Host(`adminer.crownparkcomputing.com`)'

       service: adminer

       middlewares:

         - "test-auth"  

  ## SERVICES EXAMPLE ##

  services:

    # Homeassistant service example - Remove if not used

    # homeassistant:

    #   loadBalancer:

    #     servers:

    #       - url: http://192.168.1.211:8123/



  ## MIDDLEWARES ##

  middlewares:

    # Only Allow Local networks

    local-ipwhitelist:

      ipWhiteList:

        sourceRange: 

          - 127.0.0.1/32 # localhost

          - 192.168.1.1/24 # LAN Subnet

    test-auth:

      basicAuth:

        users:

          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"

          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

    # Security headers

    securityHeaders:

      headers:

        customResponseHeaders:

          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"

          server: ""

          X-Forwarded-Proto: "https"

        sslProxyHeaders:

          X-Forwarded-Proto: https

        referrerPolicy: "strict-origin-when-cross-origin"

        hostsProxyHeaders:

          - "X-Forwarded-Host"

        customRequestHeaders:

          X-Forwarded-Proto: "https"

        contentTypeNosniff: true

        browserXssFilter: true

        forceSTSHeader: true

        stsIncludeSubdomains: true

        stsSeconds: 63072000

        stsPreload: true



# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6

tls:

  options:

    default:

      minVersion: VersionTLS12

      cipherSuites:

        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305