How to use my own (certbot-issued) certificate in Traefik 2.x

I am new to Traefik and am trying to use it for my server.
I requested a Let's Encrypt certificate with certbot; it is a wildcard certificate for my domain.
certbot placed the resulting files in `/etc/letsencrypt/live/mydomain.site/`.
This is my `inverseproxy.yaml`:

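version: "2.4"
services:
  proxy:
    # Traefik 2.4.x dates from 2021 and is out of support; move to a current
    # 2.x or 3.x tag so TLS/ACME fixes are picked up.
    image: traefik:2.4
    networks:
      shared:
        aliases: []
      private:
      public:
    volumes:
      - acme:/etc/traefik/acme:rw,Z
      # certbot writes live/<domain>/*.pem as relative symlinks into
      # ../../archive/<domain>/, so mounting live/ alone leaves them dangling
      # inside the container; a dangling link is the usual cause of the
      # "failed to find any PEM data" error in the Traefik log. Mount the
      # matching archive directory where the links expect it, read-only and
      # scoped to this one domain so no other private keys are exposed.
      # (Alternative: mount all of /etc/letsencrypt read-only and reference the
      # full /etc/letsencrypt/live/mydomain.site/*.pem paths in the TLS store.)
      # Traefik presumably does not re-read the PEM files on its own after a
      # certbot renewal — confirm, and reload it from a certbot deploy hook.
      - /etc/letsencrypt/live/mydomain.site/:/certs:ro
      - /etc/letsencrypt/archive/mydomain.site/:/archive/mydomain.site:ro
      # Dynamic configuration (TLS store); picked up by providers.file below.
      - ./traefik.yml:/etc/traefik/dynamic_conf/conf.yml:ro
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - dockersocket
    restart: unless-stopped
    tty: true
    command:
      - "--entrypoints.web-insecure.address=:80"
      - "--entrypoints.web-main.address=:443"
      - "--entrypoints.web-main.http.middlewares=global-error-502@docker"
      - "--log.level=info"
      # The Docker API is only reachable through the socket proxy on the
      # internal "private" network; the raw socket is never mounted here.
      - "--providers.docker.endpoint=http://dockersocket:2375"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=inverseproxy_shared"
      - "--providers.docker=true"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      # Everything arriving on :80 is redirected to HTTPS.
      - "--entrypoints.web-insecure.http.redirections.entryPoint.to=web-main"
      - "--entrypoints.web-insecure.http.redirections.entryPoint.scheme=https"
      # TLS on :443; the certificate comes from the file provider's default store.
      - "--entrypoints.web-main.http.tls=true"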

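  dockersocket:
    image: tecnativa/docker-socket-proxy
    # NOTE(review): privileged gives this container full host capabilities.
    # For a bind-mounted socket it is usually not needed; try removing it
    # (use a :z/:Z mount label on SELinux hosts instead) and keep it only if
    # the proxy cannot open the socket without it.
    privileged: true
    networks:
      private:
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      # Allow-list of Docker API sections Traefik's docker provider may query.
      # SERVICES/SWARM/TASKS are only needed when providers.docker.swarmMode
      # is enabled (it is not in this file); drop them for a plain Compose host.
      # Values are strings for the proxy; quoted so YAML keeps them as such.
      CONTAINERS: "1"
      NETWORKS: "1"
      SERVICES: "1"
      SWARM: "1"
      TASKS: "1"
    restart: unless-stopped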

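  error-handling:
    image: nginx:alpine
    restart: unless-stopped
    networks:
      - shared
    volumes:
      - error-handling-config:/etc/nginx/conf.d/
      - error-handling-data:/usr/share/nginx/html/
    # Catch-all router on the TLS entrypoint (priority 1, so any router with a
    # real Host() rule wins); the errors middleware serves /502.html from nginx
    # when an upstream returns 502. Label values are strings: quoted so YAML
    # does not retype 1 and 80 as integers.
    labels:
      traefik.docker.network: inverseproxy_shared
      traefik.enable: "true"
      traefik.http.routers.error-handling.rule: HostRegexp(`{any:.+}`)
      traefik.http.routers.error-handling.entrypoints: web-main
      traefik.http.routers.error-handling.priority: "1"
      traefik.http.routers.error-handling.service: global-error-handler
      traefik.http.routers.error-handling.middlewares: global-error-502
      traefik.http.middlewares.global-error-502.errors.status: "502"
      traefik.http.middlewares.global-error-502.errors.service: global-error-handler
      traefik.http.middlewares.global-error-502.errors.query: "/{status}.html"
      traefik.http.services.global-error-handler.loadbalancer.server.port: "80"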

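networks:
  # "shared" and "private" are internal (no egress); only the proxy also sits
  # on "public". NOTE(review): "encrypted" is an overlay-driver (swarm) option
  # and presumably has no effect on a single-host bridge network — confirm.
  shared:
    internal: true
    driver_opts:
      encrypted: "1"
  private:
    internal: true
    driver_opts:
      encrypted: "1"
  public:
    driver_opts:
      encrypted: "1"

volumes:
  acme:
  error-handling-config:
  error-handling-data: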

And this is my `traefik.yml` (mounted as the dynamic configuration file above):
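# Dynamic configuration, loaded through providers.file. TLS certificates cannot
# be declared in the static configuration. Paths are as seen inside the
# Traefik container, and they must resolve there: certbot's live/<domain>/*.pem
# files are symlinks into ../../archive/<domain>/, so the archive directory
# must be reachable in the container too, or Traefik reports
# "failed to find any PEM data in certificate input".
# privkey.pem is the private key: keep the mount read-only and do not share it
# with other containers.
tls:
  stores:
    default:
      # Served for every SNI when no other certificate matches; fine for a
      # wildcard certificate covering all hosts behind this proxy.
      defaultCertificate:
        certFile: "/certs/fullchain.pem"
        keyFile: "/certs/privkey.pem"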

But I see the following errors in the Traefik log:

INFO[0000] Configuration loaded from flags.             
INFO[2024-10-29T13:08:38Z] Traefik version 2.4.14 built on 2021-08-16T15:29:25Z 
INFO[2024-10-29T13:08:38Z] 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/ 
INFO[2024-10-29T13:08:38Z] Starting provider aggregator.ProviderAggregator {} 
INFO[2024-10-29T13:08:38Z] Starting provider *file.Provider {"directory":"/etc/traefik/dynamic_conf","watch":true} 
INFO[2024-10-29T13:08:38Z] Starting provider *traefik.Provider {}       
INFO[2024-10-29T13:08:38Z] Starting provider *acme.ChallengeTLSALPN {"Timeout":4000000000} 
INFO[2024-10-29T13:08:38Z] Starting provider *docker.Provider {"watch":true,"endpoint":"http://dockersocket:2375","defaultRule":"Host(`{{ normalize .Name }}`)","network":"inverseproxy_shared","swarmModeRefreshSeconds":"15s"} 
ERRO[2024-10-29T13:08:38Z] Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input  tlsStoreName=default
ERRO[2024-10-29T13:08:39Z] Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input  tlsStoreName=default
WARN[2024-10-29T13:08:39Z] No domain found in rule HostRegexp(`{any:.+}`), the TLS options applied for this router will depend on the hostSNI of each request  entryPointName=web-main routerName=error-hand

As a second option, I tried the following `inverseproxy.yaml`, letting Traefik obtain the certificate itself:

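version: "2.4"
services:
  proxy:
    # Traefik 2.4.x dates from 2021 and is out of support; move to a current
    # 2.x or 3.x tag so TLS/ACME fixes are picked up.
    image: traefik:2.4
    networks:
      shared:
        aliases: []
      private:
      public:
    volumes:
      # acme-v2.json holds the ACME account key and every issued private key;
      # Traefik requires it to be mode 0600 and it must not be shared.
      - acme:/etc/traefik/acme:rw,Z
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - dockersocket
    restart: unless-stopped
    tty: true
    command:
      - "--entrypoints.web-insecure.address=:80"
      - "--entrypoints.web-main.transport.respondingTimeouts.idleTimeout=60s"
      - "--entrypoints.web-main.http.middlewares=global-error-502@docker"
      - "--log.level=info"
      # The Docker API is only reachable through the socket proxy on the
      # internal "private" network; the raw socket is never mounted here.
      - "--providers.docker.endpoint=http://dockersocket:2375"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=inverseproxy_shared"
      - "--providers.docker=true"
      - "--entrypoints.web-main.address=:443"
      - "--entrypoints.web-main.http.tls.certResolver=letsencrypt"
      # While debugging, point caserver at the staging CA
      # (https://acme-staging-v02.api.letsencrypt.org/directory) to avoid
      # hitting production rate limits with failed attempts.
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=mail@example.co"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme-v2.json"
      - "--entrypoints.web-insecure.http.redirections.entryPoint.to=web-main"
      - "--entrypoints.web-insecure.http.redirections.entryPoint.scheme=https"
      # NOTE(review): HTTP-01 (httpchallenge) cannot issue wildcard
      # certificates; Let's Encrypt only issues wildcards via DNS-01, i.e.
      # acme.dnschallenge with a DNS provider that has API credentials for the
      # zone. Also, a certificate is only requested for hosts named in a
      # router's Host() rule (or in tls.domains); HostRegexp(`{any:.+}`)
      # names none, so nothing is requested and Traefik presumably falls back
      # to its built-in self-signed default certificate — confirm in the log.
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web-insecure"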
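  dockersocket:
    image: tecnativa/docker-socket-proxy
    # NOTE(review): privileged gives this container full host capabilities.
    # For a bind-mounted socket it is usually not needed; try removing it
    # (use a :z/:Z mount label on SELinux hosts instead) and keep it only if
    # the proxy cannot open the socket without it.
    privileged: true
    networks:
      private:
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      # Allow-list of Docker API sections Traefik's docker provider may query.
      # SERVICES/SWARM/TASKS are only needed when providers.docker.swarmMode
      # is enabled (it is not in this file); drop them for a plain Compose host.
      # Values are strings for the proxy; quoted so YAML keeps them as such.
      CONTAINERS: "1"
      NETWORKS: "1"
      SERVICES: "1"
      SWARM: "1"
      TASKS: "1"
    restart: unless-stopped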
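  error-handling:
    image: nginx:alpine
    restart: unless-stopped
    networks:
      - shared
    volumes:
      - error-handling-config:/etc/nginx/conf.d/
      - error-handling-data:/usr/share/nginx/html/
    # Catch-all router on the TLS entrypoint (priority 1, so any router with a
    # real Host() rule wins); the errors middleware serves /502.html from nginx
    # when an upstream returns 502. Label values are strings: quoted so YAML
    # does not retype 1 and 80 as integers.
    labels:
      traefik.docker.network: inverseproxy_shared
      traefik.enable: "true"
      traefik.http.routers.error-handling.rule: HostRegexp(`{any:.+}`)
      traefik.http.routers.error-handling.entrypoints: web-main
      traefik.http.routers.error-handling.priority: "1"
      traefik.http.routers.error-handling.service: global-error-handler
      traefik.http.routers.error-handling.middlewares: global-error-502
      traefik.http.middlewares.global-error-502.errors.status: "502"
      traefik.http.middlewares.global-error-502.errors.service: global-error-handler
      traefik.http.middlewares.global-error-502.errors.query: "/{status}.html"
      traefik.http.services.global-error-handler.loadbalancer.server.port: "80"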
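networks:
  # "shared" and "private" are internal (no egress); only the proxy also sits
  # on "public". NOTE(review): "encrypted" is an overlay-driver (swarm) option
  # and presumably has no effect on a single-host bridge network — confirm.
  shared:
    internal: true
    driver_opts:
      encrypted: "1"
  private:
    internal: true
    driver_opts:
      encrypted: "1"
  public:
    driver_opts:
      encrypted: "1"
volumes:
  acme:
  error-handling-config:
  error-handling-data: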

But this does not work well either: the site is still served over HTTP rather than HTTPS (no valid Let's Encrypt certificate is presented).

`traefik.yml` is conventionally the static configuration (entrypoints, providers); TLS certificates are dynamic configuration and belong in a separate file. Load that file with `providers.file` from the static configuration and set `tls=true` on your TLS entrypoint; the loaded certificates are then served automatically for matching hosts. Also make sure the PEM paths resolve inside the container: certbot's `live/<domain>/*.pem` files are symlinks into `../../archive/<domain>/`, so mounting only the `live/` directory leaves them dangling, which is what produces the "failed to find any PEM data in certificate input" error in your log — mount the archive directory (or the whole `/etc/letsencrypt` tree) read-only as well.

(This assumes you really do create the TLS certificate files manually with certbot. If you want Traefik to obtain them itself, see the simple Traefik Let's Encrypt example; wildcard certificates require the `dnsChallenge` (DNS-01), the `httpChallenge` cannot issue them.)

Please note that Traefik v2.4 dates from January 19, 2021 and is long out of support, so it receives no security fixes. Please use a current v2 release or go directly to the current v3.


I applied this approach to my existing configuration and it is working well now.
