HTTPS for Plex : Port TCP 32400 - HTTP Challenge Wrong certificate

Hello,

I would like to manage HTTPS with Traefik; I don't want to configure Plex or some other apps.
For HTTP (port 80) redirects to HTTPS (port 443) -> All works fine.
For HTTP (port 32400) redirects to HTTPS (port 32400) -> It works, but I have the default certificate.

I have tried to add the "plex" entrypoint for ACME, but it doesn't change anything.
What can I do?

Thank you :wink:

version: "3"
services:

  traefik:
    container_name: "traefik"
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - "--log.level=DEBUG"
      #- "--api.insecure=true"
      - '--api=true'
      - '--api.dashboard=true'
      
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      
      - "--entryPoints.plex.address=:32400"
      - "--entrypoints.plex.http.redirections.entrypoint.to=plex"
      - "--entrypoints.plex.http.redirections.entrypoint.scheme=https"
      
      ### HTTPS ###
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web,plex"
      - "--certificatesresolvers.myresolver.acme.email=admin@domain.ext"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # For live
      
    environment:
      - "TZ=Europe/Paris"
    ports:
      - "80:80"
      - "443:443"
      - "32400:32400"
    networks:
      - traefik_proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/traefik/config:/etc/traefik:ro"
      - "/docker/traefik/letsencrypt:/letsencrypt"
      
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.passHostHeader=true"
      # HTTP Catchall for redirecting HTTP -> HTTPS
      - "traefik.http.routers.traefik.rule=PathPrefix(`/`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`routing.domain.ext`)"
      - "traefik.http.routers.traefik.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=websecure"
      # Dashboard
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`routing.domain.ext`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.api@internal.loadbalancer.server.port=8080" # Required in swarms, https://doc.traefik.io/traefik/v2.0/routing/providers/docker/#services

networks: 
  traefik_proxy:
    external: true

Plex:

version: '2'
services:
  plex:
    container_name: plex
    image: plexinc/pms-docker:plexpass
    restart: unless-stopped
    network_mode: bridge
    volumes:
      - /docker/plex/config:/config
      - /docker/plex/transcode:/transcode
      - /media/storage/plex:/media:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - umask=022
      - plex_claim="...."
      - hostname="plex"
      - advertise_ip=
    networks:
      - traefik_proxy
      - plex
    labels:      
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      
      - "traefik.http.routers.plex.rule=Host(`plex.domain.ext`)"
      - "traefik.http.routers.plex.entrypoints=websecure"
      - "traefik.http.routers.plex.tls.certresolver=myresolver"
      - "traefik.http.services.plex.loadbalancer.server.port=32400"
      
      - "traefik.tcp.routers.plex.rule=HostSNI(`plex.domain.ext`)"
      - "traefik.tcp.routers.plex.entrypoints=plex"
      - "traefik.tcp.routers.plex.tls.certresolver=myresolver"
      - "traefik.tcp.routers.plex.tls.passthrough=true"
      - "traefik.tcp.services.plex.loadbalancer.server.port=32400"
      
networks: 
  traefik_proxy:
    external: true
  plex:
    external: true

Similar topic, but I don't have an answer :confused:
https://community.traefik.io/t/cant-figure-why-traefik-serve-default-ssl-cert-for-tcp-tls-passthrough/17363/3

I think certresolver only uses one entrypoint, so assigning a second one probably does not work.

Your target service uses multiple networks, so you need to set docker.network for Traefik to know which network to use.

I am not sure that an HTTP and a TCP router with the same domain will work. Also, you need to have different names (not "plex") for the two.

What kind of traffic is port 32400 used for? Plain TCP, HTTP or HTTPS?

I have already defined the default network for Traefik in Plex:

  - "traefik.docker.network=traefik_proxy"

Now, I have also defined 2 different names for the two:


    labels:      
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      
      - "traefik.http.routers.plex.rule=Host(`plex.domain.ext`)"
      - "traefik.http.routers.plex.entrypoints=websecure"
      - "traefik.http.routers.plex.tls.certresolver=myresolver"
      - "traefik.http.services.plex.loadbalancer.server.port=32400"
      
      - "traefik.tcp.routers.plex2.rule=HostSNI(`plex.domain.ext`)"
      - "traefik.tcp.routers.plex2.entrypoints=plex"
      - "traefik.tcp.routers.plex2.tls.certresolver=myresolver"
      - "traefik.tcp.services.plex2.loadbalancer.server.port=32400"
      - "traefik.tcp.routers.plex2.tls.passthrough=true"

But it doesn't change anything :confused:
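
An added example, not part of the thread and not the posters' own configuration: one way to have Traefik itself present the ACME certificate on port 32400, following the reply's points about the resolver's single entrypoint and the HTTP/TCP router pair. It is a fragment showing only the keys that differ from the files above, and it assumes Plex accepts plain HTTP from the proxy on 32400 (that is, secure connections are not set to required inside Plex).

```yaml
# Constructed fragment: merge into the two compose files shown in the thread.
services:
  traefik:
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.plex.address=:32400"
      # Before: httpchallenge.entrypoint=web,plex
      # The option takes one entrypoint name, and HTTP-01 validation is
      # always made to port 80, so it names the entrypoint bound to :80.
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=admin@domain.ext"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"

  plex:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      # Before: a TCP router with tls.passthrough=true on entrypoint "plex".
      # Passthrough forwards the TLS stream untouched, so the certificate the
      # client sees comes from the backend and the resolver's certificate is
      # never used on that router.
      # After: a single HTTP router attached to both TLS entrypoints. Traefik
      # terminates TLS with the ACME certificate and proxies plain HTTP to
      # the container (assumption: Plex allows this, see the note above).
      - "traefik.http.routers.plex.rule=Host(`plex.domain.ext`)"
      - "traefik.http.routers.plex.entrypoints=websecure,plex"
      - "traefik.http.routers.plex.tls.certresolver=myresolver"
      - "traefik.http.services.plex.loadbalancer.server.port=32400"
```

To see which certificate an entrypoint actually serves, `openssl s_client -connect plex.domain.ext:32400 -servername plex.domain.ext` prints the presented chain; Traefik's built-in fallback certificate has the subject `TRAEFIK DEFAULT CERT`.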