How to correctly write the TLS data configuration at docker-compose file for TRFK-V2?

Good night Guys.

I need to know how to correctly declare in my docker-compose file, through labels, 2 information that on my file-based configuration (Static.yml and Dynamic.yml) works well.

Are they:

1. Certificate files => local-cert.pem and local-key.PEM

2. Domain Main and Domain Sans

At this point, I have the following file that is not working, ie does not run the traefik dashboard with the request: https://traefik.docker.lochost

<docker-compose.yml>

version: '3.5'

# rede criada para comportar os serviços
networks:
  ntwkr_docker:
    external: true

# volume carregado com os arquivos .PEM
volumes:
  vlm_traefik_certs:
    external: true

services:
  wsltraefik:
    image: traefik:v2.6
    container_name: wsl-traefik
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - 80:80
      # Listen on port 443, default for HTTPS
      - 443:443
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store/inject the certificates
      - vlm_traefik_certs:/etc/certs:ro
    labels:
      # Enable Traefik for this service, to make it available in the public network
      - traefik.enable=true

      # Use the traefik-public network (declared below)
      - traefik.docker.network=ntwkr_docker

      # https-redirect middleware to redirect HTTP to HTTPS
      # It can be re-used by other stacks in other Docker Compose files
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=false

      # traefik-http set up only to use the middleware to redirect to https
      - traefik.http.routers.wsltraefik-http.rule=Host(`traefik-docker.localhost`)
      - traefik.http.routers.wsltraefik-http.entrypoints=http
      - traefik.http.routers.wsltraefik-http.middlewares=https-redirect

      # traefik-https the actual router using HTTPS
      - traefik.http.routers.wsltraefik-https.rule=Host(`traefik-docker.localhost`)
      - traefik.http.routers.wsltraefik-https.entrypoints=https
      - traefik.http.routers.wsltraefik-https.tls=true

      # Use the special Traefik service api@internal with the web UI/Dashboard
      - traefik.http.routers.wsltraefik-https.service=api@internal

      # TLS CERTIFICATES & DOMAIN
      # [0]
      - "traefik.tls.stores.Store0.defaultcertificate.certfile=/home/marconobre/.pki/nssdb/local-cert.pem"
      - "traefik.tls.stores.Store0.defaultcertificate.keyfile=/home/marconobre/.pki/nssdb/local-key.pem"
      - "traefik.tls.stores.Store0.defaultgeneratedcert.domain.main=docker.localhost"
      - "traefik.tls.stores.Store0.defaultgeneratedcert.domain.sans=*.docker.localhost"
      - "traefik.tls.stores.Store0.defaultgeneratedcert.resolver=main"

      # Define the port inside of the Docker service to use
      - traefik.http.services.wsltraefik.loadbalancer.server.port=8080

    command:
      # PROVIDERs
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false

      # Enable Docker Swarm mode
#      - --providers.docker.swarmMode=false


      # ENTRYPOINTs
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors
      - --log
      # Enable the Dashboard and API
      - --api
      - --api.dashboard=true
    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS
      - ntwkr_docker

What am I doing wrong?

(TIA: Marcos Nobre)

As far as I know you can not set a TLS cert in dynamic Docker label configuration.

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates. (Source)

You can use providers.file in static config to load a dynamic configuration file:

#traefik-dynamic.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /path/example.com.crt
      keyFile: /path/example.com.key
    - certFile: /path/other.eu.crt
      keyFile: /path/other.eu.key

Bluepuma77, let me know if I correct understood.

According to your information, I could point or reference the traefik-dynamic.yml file, containing the TLS metadata, from my docker-compose.yml file.

That's right ?

Or under no circumstances can I mix information from docker-compose.yml with what is inside the referenced files: static.yml and dynamic.yml ?

Traefik has the concept of static and dynamic config, see docs. Static is in traefik.yml or command, dynamic via provider like file or docker (labels).

Sadly TLS can not be configured with provider.docker, so you do need an extra file.

You can use provider.file in command, but need an extra file for the cert file names.

Hi Marcos,
I'm trying to configure something similar to what you asked about a few months back and appear to run into the exact same problems as you did.
I tried following the advice you were given, but can't make it work for me.
If you managed to make it work, would you mind sharing your steps and configuration?

Thanks in advance.
Flemming

As stated above, TLS certs needs to be defined in a (separate) dynamic config file, that is loaded in the main static config (traefik.yml file or compose command) with provider.file.

Thank you for your answer, @bluepuma77.

After many trials and errors, I finally made it work - but it needed some slight changes compared to the example published earlier in this thread. Specifically, I had to have the certificate files referenced twice as below to make it work.

#traefik-dynamic.yml stored in /etc/certs/
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/company.com_cert.pem
        keyFile: /etc/certs/company.com_key.pem
  certificates:
    - certFile: /etc/certs/company.com_cert.pem
      keyFile: /etc/certs/company.com_key.pem

I then load and use the certificate like this in the docker-compose.yml file:

command: 
# Activate tls on all containers.
- "--entrypoints.websecure.http.tls=true"

# Load certificates to use for tls.
- "--providers.file.filename=/etc/certs/traefik-dynamic.yml"