[HTTPS] How to force Traefik to use local certificates (and not a self-generated one instead)

Hello everyone!
I'm currently trying to deploy a docker-compose configuration but I'm stuck with the HTTPS setup. I already have an SSL certificate (not self-signed) and I want to use it for all my instances. The problem is that Traefik doesn't use the certificates I provided and generates a self-signed one instead. As I read in the documentation, I used a dynamic configuration file and set the file provider in my docker-compose label instance, but I have still had the same error for a few days:

time="2021-08-13T11:31:36Z"; level=debug msg="No default certificate, generating one"

Here is all the information that could help you (without "personal information"):
My logs:

time="2021-08-13T11:31:35Z" level=info msg="Configuration loaded from file: /traefik.yml"
time="2021-08-13T11:31:35Z" level=info msg="Traefik version 2.4.13 built on 2021-07-30T15:06:29Z"
time="2021-08-13T11:31:35Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}.mydomain.org`)\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/var/log/traefik-accessLog.txt\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"pilot\":{\"dashboard\":true}}"
time="2021-08-13T11:31:35Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2021-08-13T11:31:35Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2021-08-13T11:31:35Z" level=debug msg="Start TCP Server" entryPointName=web
time="2021-08-13T11:31:35Z" level=debug msg="Start TCP Server" entryPointName=websecure
time="2021-08-13T11:31:35Z" level=info msg="Starting provider *traefik.Provider {}"
time="2021-08-13T11:31:35Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2021-08-13T11:31:35Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}.mydomain.org`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2021-08-13T11:31:35Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
time="2021-08-13T11:31:35Z" level=debug msg="No default certificate, generating one"
time="2021-08-13T11:31:35Z" level=debug msg="Provider connection established with docker 20.10.7 (API 1.41)" providerName=docker
time="2021-08-13T11:31:35Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"dashboard\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.mydomain.org`)\",\"tls\":{}},\"web\":{\"service\":\"web-srv\",\"rule\":\"Host(`test.mydomain.org`)\"}},\"services\":{\"traefik-srv\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.48.3:80\"}],\"passHostHeader\":true}},\"web-srv\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.48.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"auth\":{\"basicAuth\":{\"users\":[\"user:myHash\"]}},\"dashboard\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"traefik\":{\"basicAuth\":{\"removeHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2021-08-13T11:31:35Z" level=debug msg="No default certificate, generating one"
time="2021-08-13T11:31:36Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [web websecure]" routerName=web
time="2021-08-13T11:31:36Z" level=debug msg="Creating middleware" routerName=web@docker middlewareName=pipelining middlewareType=Pipelining serviceName=web-srv entryPointName=web
time="2021-08-13T11:31:36Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=web@docker serviceName=web-srv
time="2021-08-13T11:31:36Z" level=debug msg="Creating server 0 http://192.168.48.2:80" routerName=web@docker serviceName=web-srv serverName=0 entryPointName=web
time="2021-08-13T11:31:36Z" level=debug msg="Added outgoing tracing middleware web-srv" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web@docker
time="2021-08-13T11:31:36Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2021-08-13T11:31:36Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-08-13T11:31:36Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=dashboard@docker
time="2021-08-13T11:31:36Z" level=debug msg="Creating middleware" middlewareName=auth@docker middlewareType=BasicAuth entryPointName=websecure routerName=dashboard@docker
time="2021-08-13T11:31:36Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@docker middlewareName=auth@docker entryPointName=websecure
time="2021-08-13T11:31:36Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery entryPointName=websecure middlewareType=Recovery
time="2021-08-13T11:31:36Z" level=debug msg="No default certificate, generating one"
time="2021-08-13T11:31:36Z" level=debug msg="No default certificate, generating one"
time="2021-08-13T11:31:36Z" level=debug msg="Adding route for mydomain.org with TLS options default" entryPointName=websecure

My traefik.yml config file:

################################################################
#
# Configuration sample for Traefik v2.
#
# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
#
################################################################

################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: false

################################################################
# EntryPoints configuration
################################################################

# EntryPoints definition
#
# Optional
#
entryPoints:
  web:
    address: :80

  websecure:
    address: :443

################################################################
# Traefik logs configuration
################################################################

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: "DEBUG"

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  #  filePath: log/traefik.log

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
#  format: json

################################################################
# Access logs configuration
################################################################

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
  # Sets the file path for the access log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath: /var/log/traefik-accessLog.txt

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  format: common

################################################################
# API and dashboard configuration
################################################################

# Enable API and dashboard
# Optional
api:
  # Enable the API in insecure mode
  # Optional
  # Default: false
  insecure: false

  # Enabled Dashboard
  # Optional
  # Default: true
  dashboard: true

################################################################
# Ping configuration
################################################################

# Enable ping
#ping:
# Name of the related entry point
  # Optional
  # Default: "traefik"
#  entryPoint: traefik

################################################################
# Docker configuration backend
################################################################

providers:
  # Enable Docker configuration backend
  docker:
    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
    # Required
    # Default: "unix:///var/run/docker.sock"
    endpoint: "unix:///var/run/docker.sock"

    # Default host rule.
    # Optional
    # Default: "Host(`{{ normalize .Name }}`)"
    defaultRule: Host(`{{ normalize .Name }}.mydomain.org`)

    # Expose containers by default in traefik
    #
    # Optional
    # Default: true
    exposedByDefault: false
    # network: traefik_network

My dynamic config file:

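tls:
  # Certificates offered by SNI match, added to the default store
  certificates:
    - certFile: /etc/certs/ssl_certificate.cer
      keyFile: /etc/certs/private_key.key
      stores:
        - default
  # Certificate served when no other certificate matches the requested host
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/ssl_certificate.cer
        keyFile: /etc/certs/private_key.key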

My docker-compose file:

version: "3.9"

services:
        web:
                image: traefik/whoami:latest
                labels:
                        - "traefik.enable=true"
                        - "traefik.http.routers.web.rule=Host(`test.mydomain.org`)"
                        - "traefik.frontend.redirect.permanent: 'true'"
                restart: always

        traefik:
                image: traefik:v2.4
                ports:
                        - 80:80
                        - 443:443
                volumes:
                        - /var/run/docker.sock:/var/run/docker.sock:ro
                        - ./traefik.yml:/traefik.yml
                        - ./dynamic/certs-traefik.yml:/etc/traefik/dynamic_conf/certs-traefik.yml:ro
                        - /etc/certs:/etc/certs
                labels:
                        - providers.docker=true
                        - providers.file.directory= /etc/traefik/dynamic_conf
                        - providers.file.watch=true
                        - traefik.enable=true
                        - traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.org`)
                        - traefik.http.routers.dashboard.entryPoints=websecure
                        - traefik.http.routers.dashboard.tls=true
                        - traefik.http.routers.dashboard.service=api@internal
                        - traefik.http.middlewares.dashboard.redirectscheme.scheme=https
                        - traefik.http.routers.dashboard.middlewares=auth
                        - traefik.http.middlewares.auth.basicauth.users=user:myHash
                        - traefik.http.middlewares.traefik.basicauth.removeheader=true
                restart: always

Do you know where the problem is?
Thanks in advance! 🙂

These are not valid container labels. They are static configuration. Set them in your traefik.yml, command line options or environment variables.

Hi cakiwi,
Thanks, problem solved!
Have a great day 🙂
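
The fix from the reply above, written out as an added example (not part of the original posts): the file provider is declared in the static configuration in traefik.yml, and the three `providers.*` entries are dropped from the container labels. The `:ro` flag on the certificate mount is an assumption added here and is not in the posted compose file.

```yaml
# --- traefik.yml (static configuration), providers section ---
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    defaultRule: Host(`{{ normalize .Name }}.mydomain.org`)
    exposedByDefault: false
  # File provider moved here from the container labels, where it was ignored.
  # It loads the dynamic file that holds tls.certificates and tls.stores.
  file:
    directory: /etc/traefik/dynamic_conf
    watch: true
---
# --- docker-compose.yml, traefik service ---
services:
  traefik:
    image: traefik:v2.4
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml
      - ./dynamic/certs-traefik.yml:/etc/traefik/dynamic_conf/certs-traefik.yml:ro
      # Assumption: read-only is enough, Traefik only reads the certificate and key.
      - /etc/certs:/etc/certs:ro
    labels:
      # Only traefik.* labels are left: routers, services and middlewares.
      - traefik.enable=true
      - traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.org`)
      - traefik.http.routers.dashboard.entryPoints=websecure
      - traefik.http.routers.dashboard.tls=true
      - traefik.http.routers.dashboard.service=api@internal
      - traefik.http.middlewares.dashboard.redirectscheme.scheme=https
      - traefik.http.routers.dashboard.middlewares=auth
      - traefik.http.middlewares.auth.basicauth.users=user:myHash
      - traefik.http.middlewares.traefik.basicauth.removeheader=true
    restart: always
```

After a restart, the "Static configuration loaded" debug line should list a `file` entry under `providers` next to `docker`; in the logs posted above it lists only `docker`.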
