I can't get the file provider with system LE-issued certs to work

Hi

I am trying to set up Traefik on Debian 9.11

What I want is to be able to use the file provider and serve an existing server app that is running on 4000. I also use the LE cert client to generate the certificates for this domain, and that is how I would like to handle it for now.

I get a 404 page error with HTTP access and a certificate error with HTTPS, so I seem to have multiple issues here. I would at least like to get HTTP access going first, then worry about HTTPS afterwards.

Any recommendations?

traefik.yml

entryPoints:
  http:
    address: :80
  https:
    address: :443


providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

/etc/traefik/dynamic/custom.yml

http:
 routers:
  custom:
    rule: "Host(`sub.example.com`)"
    service: custom
    tls:
      stores:
      default:
      defaultCertificate:
      - certFile: /etc/letsencrypt/live/sub.example.com/cert.pem
      - keyFile: /etc/letsencrypt/live/sub.example.com/privkey.pem

 services:
  custom:
    loadBalancer:
      servers:
      - url: "http://127.0.0.1:4000/"
      passHostHeader: false

here is the error log

DEBU[2020-01-29T00:50:53Z] No entryPoint defined for this router, using the default one(s) instead: [http https]  routerName=custom@file
DEBU[2020-01-29T00:50:53Z] Creating middleware                           middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=custom@file serviceName=custom
DEBU[2020-01-29T00:50:53Z] Creating load-balancer                        serviceName=custom entryPointName=https routerName=custom@file
DEBU[2020-01-29T00:50:53Z] Creating server 0 http://127.0.0.1:4000/      routerName=custom@file serviceName=custom entryPointName=https serverName=0
DEBU[2020-01-29T00:50:53Z] Added outgoing tracing middleware custom      entryPointName=https routerName=custom@file middlewareName=tracing middlewareType=TracingForwarder
DEBU[2020-01-29T00:50:53Z] Creating middleware                           entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
DEBU[2020-01-29T00:50:53Z] Creating middleware                           entryPointName=http middlewareType=Recovery middlewareName=traefik-internal-recovery
DEBU[2020-01-29T00:50:53Z] No entryPoint defined for this router, using the default one(s) instead: [http https]  routerName=custom@file
DEBU[2020-01-29T00:50:53Z] No default certificate, generating one
DEBU[2020-01-29T00:50:57Z] Serving default certificate for request: "sub.example.com"
DEBU[2020-01-29T00:50:57Z] http: TLS handshake error from 127.0.0.1:50122: remote error: tls: bad certificate


thanks
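As an added example (not from any post in this thread): in Traefik v2 the `tls.certificates` and `tls.stores` blocks belong at the top level of the dynamic file, not under a router; the router only needs `tls: {}`. This is the dynamic file above with those blocks moved, keeping the `http`/`https` entrypoint names from the static file and the certbot paths from the post, but switching to `fullchain.pem` so the intermediate certificate is served as well.

```yaml
# /etc/traefik/dynamic/custom.yml  (added example; paths assume the certbot layout from the post)
tls:
  # Certificates Traefik may serve; the one whose SAN matches the SNI name is picked.
  certificates:
    - certFile: /etc/letsencrypt/live/sub.example.com/fullchain.pem
      keyFile: /etc/letsencrypt/live/sub.example.com/privkey.pem
  stores:
    default:
      # Served when nothing matches the SNI name. Without this, Traefik generates the
      # self-signed "default certificate" that shows up in the log above, and browsers
      # reject it with "bad certificate".
      defaultCertificate:
        certFile: /etc/letsencrypt/live/sub.example.com/fullchain.pem
        keyFile: /etc/letsencrypt/live/sub.example.com/privkey.pem
  # The user Traefik runs as must be able to read these files; certbot leaves
  # /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only.

http:
  routers:
    custom:
      entryPoints:
        - http
        - https
      rule: "Host(`sub.example.com`)"
      service: custom
      tls: {}   # enable TLS on this router; the certificate comes from the tls block above
  services:
    custom:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:4000/"
        passHostHeader: false
```

To confirm the right chain is being served, check with `openssl s_client -connect sub.example.com:443 -servername sub.example.com` that the issuer is Let's Encrypt rather than the generated default certificate.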

Hello,

Your entrypoint ports are unquoted in your static file... And have you thought of letting Traefik manage your certificate with Let's Encrypt like this:

entryPoints:
 web:
   address: ":80"
 web-secure:
   address: ":443"

api:
 insecure: false # You can check the dashboard at http://example.com:8080
 dashboard: true
 debug: true

certificatesResolvers:
 le:
   acme:
      email: leria-tech@listes.univ-angers.fr
      storage: acme.json
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      #
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}
      httpChallenge:
        entryPoint: web

And dynamic file like this:

http:
 routers:
  custom:
    entryPoints:
      - web
      - web-secure
    rule: "Host(`sub.example.com`)"
    service: custom
    tls:
      certResolver: le 

 services:
  custom:
    loadBalancer:
      servers:
        - url: "http://127.0.0.1:4000/"
      passHostHeader: false

Regards,

Jean-Mathieu

Hi

Thanks for your help, but I am trying to do it with system-issued/self certificates. I might do it the way you recommended later, once I learn this stage first.

Hi

So I guess I am trying to resort to your method, but I can't get any cert issued.

DEBU[2020-01-30T06:10:37Z] No domain parsed in provider ACME routerName=site@file rule="Path(/SITE)" providerName=le.acme

DEBU[2020-01-30T06:20:08Z] legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35979867
DEBU[2020-01-30T06:20:09Z] legolog: [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/35979867
ERRO[2020-01-30T06:20:09Z] Unable to obtain ACME certificate for domains "DOMAIN": unable to generate a certificate for the domains [DOMAIN]: acme: Error -> One or more domains had a problem:
[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:   providerName=le.acme routerName=SITEA@file rule="Host(`DOMAIN`) && Path(`/SITEA`)"


Try removing tlsChallenge: {} from the config.
httpChallenge should be enough.