I have spent 3 days trying to get Cloudflare Full (strict) SSL/TLS to work but have not been successful,
so here I am coming for help, and I am confident you guys will bail me out.
Essentially this is for a Docker Swarm setup. I have SSL working using a self-signed certificate and also got Cloudflare to work in Flexible SSL/TLS mode, but now I want to add Cloudflare origin certificates so I can set up Full (strict) SSL/TLS mode.
Here is my current Docker Swarm YAML config:
services:
  traefik:
    image: "traefik:v3.2"
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      replicas: 2
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        delay: 1s
        order: stop-first
      # service labels, read by the swarm provider
      labels:
        traefik.enable: "true"
        traefik.http.routers.traefik-https.service: api@internal
        traefik.http.services.traefik.loadbalancer.server.port: "8080"
        traefik.http.routers.traefik-http.entrypoints: http
        traefik.http.routers.traefik-http.rule: Host(`router.example.com`)
        traefik.http.routers.traefik-https.entrypoints: https
        traefik.http.routers.traefik-https.rule: Host(`router.example.com`)
        traefik.http.routers.traefik-https.tls: "true"
        traefik.http.routers.traefik-https.tls.certresolver: "default"
        traefik.http.routers.traefik-http.middlewares: traefik-http-redirect
        traefik.http.middlewares.traefik-http-redirect.redirectscheme.scheme: https
        traefik.http.middlewares.traefik-http-redirect.redirectscheme.permanent: "true"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/store/traefik/conf/dynamic.yaml:/etc/traefik/dynamic.yaml:ro"
      - "/store/traefik/certs:/etc/certs:ro"
    env_file:
      - .env.traefik
    command:
      - "--log.level=DEBUG"
      # api.insecure serves the dashboard/API on port 8080 without authentication
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.swarm=true"
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      - "--providers.swarm.exposedbydefault=false"
      - "--providers.file.filename=/etc/traefik/dynamic.yaml"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.http.transport.respondingTimeouts.readTimeout=10m"
      - "--entrypoints.https.transport.respondingTimeouts.readTimeout=10m"
    networks:
      - secret
networks:
  secret:
    external: true
And here is the content of dynamic.yaml:
tls:
  certificates:
    - certFile: "/etc/certs/self-cert.pem"
      keyFile: "/etc/certs/self-key.pem"
      stores:
        - default
    - certFile: "/etc/certs/cloudflare-cert.pem"
      keyFile: "/etc/certs/cloudflare-key.pem"
      stores:
        - cloudflare
  stores:
    default:
      # served when no certificate in the store matches the requested SNI
      defaultCertificate:
        certFile: "/etc/certs/self-cert.pem"
        keyFile: "/etc/certs/self-key.pem"
The Cloudflare origin certs were downloaded in PEM format and added, named as above, at the right paths as mounted into Traefik, and I confirmed they are present in Traefik at the specified paths.
And here is how I set Cloudflare as the certresolver for the app I want to set up Cloudflare Full (strict) SSL/TLS mode on:
services:
  app-1:
    image: "app/app-1:latest"
    networks:
      - secret
    env_file:
      - .env.app-1
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-1.loadbalancer.server.port: "8080"
        traefik.http.routers.app-1-http.entrypoints: http
        traefik.http.routers.app-1-http.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.entrypoints: https
        traefik.http.routers.app-1-https.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.tls: "true"
        traefik.http.routers.app-1-https.tls.certresolver: "cloudflare"
networks:
  secret:
    external: true
But I notice that as soon as I change the SSL mode from Flexible to Full (strict) on Cloudflare, I am not able to access the app anymore, and as soon as I switch back to Flexible I am able to access it again.
Also, I do not seem to see any traffic getting to the app at all when I enable Full (strict), so there is no way to even check logs or troubleshoot this.
And since I have never set up Cloudflare Full (strict) before, I have no idea how to troubleshoot this properly,
so I am here to get help.
I did watch this YouTube video,
which sets things up on nginx, but this is Traefik, so I am just kind of in shock about why this is not working.
Another app that is using the default certresolver works fine, so I know the setup is fine:
services:
  app-2:
    image: "app/app-2:latest"
    networks:
      - secret
    env_file:
      - .env.app-2
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.labels.node != server-a
      update_config:
        parallelism: 1
        order: start-first
        monitor: 5s
      labels:
        traefik.enable: "true"
        traefik.docker.network: secret
        traefik.http.services.app-2.loadbalancer.server.port: "8080"
        traefik.http.routers.app-2-http.entrypoints: http
        traefik.http.routers.app-2-http.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.entrypoints: https
        traefik.http.routers.app-2-https.rule: Host(`app-2.example.com`)
        traefik.http.routers.app-2-https.tls: "true"
        traefik.http.routers.app-2-https.tls.certresolver: "default"
networks:
  secret:
    external: true
So what am I doing wrong, and what do I need to do to fix this?
Thanks in advance.
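Editor's added example (not part of the post above, and not the poster's files): a corrected dynamic.yaml and the matching app-1 router labels. Two things in the posted configuration explain the symptom. First, Traefik only consults the TLS store named `default`; a store with any other name (`cloudflare` here) is ignored, so the origin certificate is never served and every SNI gets the self-signed default certificate. Second, `tls.certresolver` names an ACME resolver declared in the static configuration (`--certificatesresolvers.<name>...`), not a TLS store; no resolver called `cloudflare` or `default` exists in the posted command line, so those labels do nothing. In Flexible mode Cloudflare fetches from the origin over plain HTTP on port 80, which is why app-2 works there; in Full (strict) mode Cloudflare connects to port 443, validates the origin certificate, gets the self-signed one, and answers the visitor with its own 526 error page, so nothing ever reaches the app or its logs. The paths below are the poster's; the assumption that the origin certificate was issued for `app-1.example.com` (or `*.example.com`) and the `cloudflare-only` TLS option with its CA file path are mine.

```yaml
# dynamic.yaml (added example)
tls:
  certificates:
    # The Cloudflare origin certificate. With no "stores:" key it goes into the
    # "default" store, the only store Traefik uses. Traefik selects it for any
    # SNI matching one of its SANs (assumed here: *.example.com).
    - certFile: /etc/certs/cloudflare-cert.pem
      keyFile: /etc/certs/cloudflare-key.pem
    # The self-signed certificate can stay for names that do not go through
    # Cloudflare; it is only picked when the SNI matches its SANs.
    - certFile: /etc/certs/self-cert.pem
      keyFile: /etc/certs/self-key.pem
  stores:
    default:
      # Served when no listed certificate matches the SNI. Using the origin
      # certificate here means Cloudflare never sees the self-signed one.
      defaultCertificate:
        certFile: /etc/certs/cloudflare-cert.pem
        keyFile: /etc/certs/cloudflare-key.pem
  options:
    # Optional hardening (Cloudflare "Authenticated Origin Pulls"): Traefik then
    # demands a client certificate signed by Cloudflare's origin-pull CA, so a
    # request that bypasses Cloudflare and hits the origin IP directly fails at
    # the TLS handshake. The CA file path is an assumption; the file is the one
    # Cloudflare publishes for Authenticated Origin Pulls.
    cloudflare-only:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /etc/certs/cloudflare-origin-pull-ca.pem
        clientAuthType: RequireAndVerifyClientCert
---
# app-1 service labels in the stack file (added example). No ACME resolver is
# declared in the static configuration, so "tls.certresolver" is dropped; with
# "tls: true" the router serves from the default TLS store above.
services:
  app-1:
    deploy:
      labels:
        traefik.enable: "true"
        traefik.http.services.app-1.loadbalancer.server.port: "8080"
        traefik.http.routers.app-1-https.entrypoints: https
        traefik.http.routers.app-1-https.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-https.tls: "true"
        # Only needed together with the cloudflare-only option above.
        traefik.http.routers.app-1-https.tls.options: cloudflare-only@file
        # In Full (strict) mode Cloudflare reaches the origin on 443, so the
        # plain-HTTP router can redirect instead of serving the app in clear.
        traefik.http.routers.app-1-http.entrypoints: http
        traefik.http.routers.app-1-http.rule: Host(`app-1.example.com`)
        traefik.http.routers.app-1-http.middlewares: app-1-redirect
        traefik.http.middlewares.app-1-redirect.redirectscheme.scheme: https
        traefik.http.middlewares.app-1-redirect.redirectscheme.permanent: "true"
```

To confirm what the origin actually presents before flipping the Cloudflare mode, run `openssl s_client -connect <origin-ip>:443 -servername app-1.example.com -showcerts </dev/null` from outside the swarm and check that the leaf is issued by the Cloudflare Origin CA and that its SANs cover the hostname; if the self-signed certificate comes back, the store configuration is still wrong. Traefik's DEBUG log also reports a router that references a non-existent certificate resolver, which is a quick way to catch the `certresolver` misuse. Two caveats: a Cloudflare origin certificate is trusted only by Cloudflare, so hitting the origin directly in a browser will show a warning, and the `cloudflare-only` option will also reject your own direct test connections unless you present a client certificate, so enable it only after the Full (strict) path works.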