Hi,
I need help integrating and using a certificate in traefik.
Despite spending hours reading the documentation and the forum, I am left with questions. I can't seem to apply it perfectly to my use case. I may also lack knowledge about certificates. I would love to hear your thoughts and experiences.
What I have managed so far:
- Install Traefik in a Docker container on my Synology NAS
- Redirect traffic from port 443 of my router to Traefik
- Access the Traefik interface
- Enable logs that I can see in Dozzle

What I want now:
- Access my DSM applications, my Docker containers and my VM on my NAS through Traefik, over an HTTPS connection. Today, I access these components via DDNS and the default reverse proxy of the Synology NAS. For example, for my NAS: https://abc.synology.me. For my Vaultwarden container: https://vw.abc.synology.me.

My docker-compose.yml:
```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.10"
    command:
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--api.debug=true"
    container_name: "traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - published: 4580 # web
        target: 80
        protocol: tcp
        mode: host
      - published: 4543 # websecure
        target: 443
        protocol: tcp
        mode: host
      - published: 8085 # UI
        target: 8080
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yaml:/etc/traefik/traefik.yaml
      - /volume1/docker/traefik/config.yaml:/etc/traefik/config.yaml
      - /volume1/docker/traefik/certificats:/etc/traefik/certs:ro
```
My static configuration, the traefik.yml file:

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    directory: "/etc/traefik/"
    watch: true
api:
  dashboard: true
  insecure: true
  debug: true
log:
  level: DEBUG
accessLog: {}
```
My dynamic configuration, i.e. the config.yml file:

```yaml
http:
  routers:
    nas-router:
      rule: "Host(`abc.synology.me`)"
      service: nas-service
      entryPoints:
        - websecure
  services:
    nas-service:
      loadBalancer:
        servers:
          - url: "https://[IP_NAS]:[PORT_NAS]"
```
How do I integrate my certificate?
Knowing that I have a Let's Encrypt wildcard certificate from Synology for my DDNS (*.synology.me), I want to reuse it for Traefik. To do this, I am thinking of dropping the cert.pem and privkey.pem files in the directory /volume1/docker/traefik/certificates.
These 2 files come from the export of my NAS certificate:
Then, in the docker-compose.yml, I am thinking of adapting it and adding 4 commands:
```yaml
command:
  - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  #- --certificatesresolvers.certresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
  - --certificatesresolvers.leresolver.acme.email=email@gmail.com
  - --certificatesresolvers.leresolver.acme.storage=/acme/acme.json
  - --certificatesresolvers.leresolver.acme.tlschallenge=true
```
I know I need to use the staging environment to avoid hitting the limits. But how is it possible to reach the limits if the certificate is created the first time and renewed after x days? I don't understand.
What are the limitations of the staging environment?
In my static file (traefik.yml), I am thinking of adding this:
```yaml
certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
```
But I realize that I've already set some of this information in my docker-compose file.
I don't like the httpChallenge, because I have to open port 80. But I think the other challenges are not possible for my certificate.
In my dynamic file (config.yml), I don't see what modifications I need to make. Suggestions?
This?
```yaml
http:
  routers:
    nas-router:
      rule: "Host(`abc.synology.me`)"
      service: nas-service
      entryPoints:
        - websecure
      tls: {}
```
Thank you for your explanations, your patience and your indulgence.
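As an added example (not part of the post above, and not Traefik's own documentation), here is a dynamic configuration for the file provider that serves an already-issued certificate from the mounted directory instead of requesting one through ACME. The container paths follow the `certificats` volume mount in the compose file; the file names `cert.pem`/`privkey.pem`, the second router for `vw.abc.synology.me`, the `[IP_...]`/`[PORT_...]` placeholders and the `dsm-transport` name are assumptions made for the example.

```yaml
# Added example: /etc/traefik/config.yaml (dynamic configuration, file provider).
# Assumes the compose mount /volume1/docker/traefik/certificats -> /etc/traefik/certs:ro
# and exported files named cert.pem / privkey.pem (assumption; use your exported names).
tls:
  certificates:
    # Traefik selects the certificate whose SAN matches the SNI of each request,
    # so cert.pem must cover every Host() the routers below match. A wildcard
    # entry covers exactly one label: *.abc.synology.me matches vw.abc.synology.me
    # but not abc.synology.me, so the SAN list must contain both names (check it
    # with the certificate viewer in DSM or `openssl x509 -noout -text`).
    - certFile: /etc/traefik/certs/cert.pem
      keyFile: /etc/traefik/certs/privkey.pem
  stores:
    default:
      # Served when the SNI matches nothing above (e.g. a request by bare IP);
      # without this Traefik answers with its self-signed "TRAEFIK DEFAULT CERT".
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.pem
        keyFile: /etc/traefik/certs/privkey.pem

http:
  routers:
    nas-router:
      rule: "Host(`abc.synology.me`)"
      entryPoints:
        - websecure
      service: nas-service
      # tls: {} enables TLS on the router. No certResolver is set, so no ACME
      # order is ever triggered and the file-provided certificate is used.
      tls: {}

    vaultwarden-router:                    # assumed name for the second use case in the post
      rule: "Host(`vw.abc.synology.me`)"
      entryPoints:
        - websecure
      service: vaultwarden-service
      tls: {}

  services:
    nas-service:
      loadBalancer:
        serversTransport: dsm-transport
        servers:
          - url: "https://[IP_NAS]:[PORT_NAS]"            # placeholders from the post
    vaultwarden-service:
      loadBalancer:
        servers:
          - url: "http://[IP_VAULTWARDEN]:[PORT_VAULTWARDEN]"  # constructed placeholder

  serversTransports:
    dsm-transport:
      # DSM presents its certificate for abc.synology.me, but the service URL
      # addresses it by IP, so hostname verification of the backend certificate
      # would fail. serverName makes Traefik send that name as SNI and verify the
      # backend certificate against it, which keeps backend authentication intact.
      serverName: abc.synology.me
```

Two points of use. First, the ACME resolver entries in the compose `command:` list and the `certificatesResolvers` block in traefik.yml are two ways of writing the same static configuration; with a file-provided certificate neither is needed, and if one is kept it should be in one place only. Second, if DSM answers on `[IP_NAS]:[PORT_NAS]` with a certificate that is not publicly trusted (for example the factory self-signed one), the `serverName` verification above fails and the remaining option is `insecureSkipVerify: true` on the transport, which gives up verifying the NAS on the internal hop; switching DSM to present the Let's Encrypt certificate on that port avoids that trade-off. Since the file provider is configured with `directory: "/etc/traefik/"`, it will also pick up traefik.yaml from that directory; pointing it at this single file with `filename` instead of `directory` keeps the static file out of the dynamic provider.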