I use a Singularity container and a systemd service. In this case the container port should be identical to the server port.
I use a VM with a floating (external) IP, referred to as <ip-ext>, and an internal IP, referred to as <ip-int>. The Apache server listens on port 8888 and I added a custom web address to /etc/hosts, let's call it mywebsite.com.
So on an external client device I can type <ip-ext>:8888 and I can access the webpage. On the server I can curl <ip-int>:8888 or mywebsite.com:8888 and it connects. All good. Now I added Traefik with the web port set to 10080 and the websecure port set to 10443. What I do is:
- on the client device: https://<ip-ext>:10443
- on the server I curl the following: `curl --insecure -H Host:mywebsite.com https://127.0.0.1:10443`

In both cases the output is 404 not found and the cert info shows Common Name (CN) TRAEFIK DEFAULT CERT. But this is not OK because I'm using my own self-signed certificate, so why is it not reading the one I have?
NOTE: web is called http and websecure is called https in my case. Below is the relevant file:
```toml
[[tls.certificates]]
  certFile = "/opt/traefik/SSL/mycert.crt"
  keyFile = "/opt/traefik/SSL/mycert.key"

[tls.options]
  [tls.options.myTLSOptions]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

[serversTransport]
  insecureSkipVerify = true

[http.routers]
  [http.routers.http_catchall]
    entryPoints = ["http"]
    middlewares = ["https_redirect"]
    rule = "HostRegexp(`{any:.+}`)"
    service = "name"
  [http.routers.name]
    entryPoints = ["https"]
    rule = "Host(`mywebsite.com`)"
    middlewares = ["sts"]
    service = "name"
    [http.routers.name.tls]
      options = "myTLSOptions"

[http.middlewares]
  [http.middlewares.sts.headers]
    stsSeconds = 63072000
    stsIncludeSubdomains = true
    stsPreload = true
  [http.middlewares.https_redirect.redirectScheme]
    scheme = "https"
    permanent = true
```
What could be wrong? Any ideas? I created the certificate with:

```sh
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -subj /C=US/ST=AAA/L=BB/O=CC/OU=DD/CN=mywebsite.com/emailAddress=proxy@mywebsite.com
```

I used the website name as the CN, but the browser shows that the CN is TRAEFIK DEFAULT CERT.
Thanks
You need to load your custom TLS certs as default certs when not using a matching domain name. (Doc)
Unfortunately it didn't work; I'm still getting the same 404 with the default CN TRAEFIK DEFAULT CERT.
Share your full Traefik static and dynamic config.
Your help is truly appreciated. Here is my static.toml
```toml
[[tls.certificates]]
  certFile = "/opt/traefik/SSL/mycert.crt"
  keyFile = "/opt/traefik/SSL/mycert.key"
  stores = ["default"]

[tls.options]
  [tls.options.myTLSOptions]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/opt/traefik/SSL/mycert.crt"
      keyFile = "/opt/traefik/SSL/mycert.key"

[serversTransport]
  insecureSkipVerify = true

[http.routers]
  [http.routers.http_catchall]
    entryPoints = ["http"]
    middlewares = ["https_redirect"]
    rule = "HostRegexp(`{any:.+}`)"
    service = "name"
  [http.routers.name]
    entryPoints = ["https"]
    rule = "Host(`mywebsite.localhost.com`)"
    middlewares = ["sts"]
    service = "name"
    [http.routers.name.tls]
      options = "myTLSOptions"

[http.middlewares]
  [http.middlewares.stripprefix-theia.stripPrefixRegex]
    regex = ["/ta_[a-z0-9]+/"]
  [http.middlewares.sts.headers]
    stsSeconds = 63072000
    stsIncludeSubdomains = true
    stsPreload = true
  [http.middlewares.https_redirect.redirectScheme]
    scheme = "https"
    permanent = true
  [http.middlewares.proxy-auth-Name.forwardAuth]
    address = "http://192.168.128.141:8888/proxy_auth/"

[http.services]
  [[http.services.name.loadBalancer.servers]]
    url = "http://192.168.128.141:8888"
```
and here is the traefik.toml
```toml
[entryPoints]
  [entryPoints.traefik]
    address = ":8081"
  [entryPoints.http]
    address = ":10080"
  [entryPoints.https]
    address = ":10443"

[providers]
  providersThrottleDuration = "2s"
  [providers.file]
    directory = "/opt/traefik/routes/"
    watch = true

[api]
  dashboard = true

[ping]

[log]
  level = "INFO"
  filePath = "/var/log/traefik/traefik.log"

[accessLog]
  bufferingSize = 0
```
OK, I removed the https redirect to focus on the http port and I also get 404 not found.
Considering the 10080 port, i.e. `curl -vL mywebsite.com:10080`, it shows connection refused. If I change it to anything else, e.g. 7777, it shows 404 not found.
That is, the problem is not strictly a TLS problem, as it appears via http also.
With the loaded default certs, you still need to enable TLS on the entrypoint or router.
YAML: …tls={}
Labels: …tls=true
Check the doc for TOML.
On the router I already added tls:

```toml
[http.routers.name.tls]   # ----> similar to tls={}
  options = "myTLSOptions"
```

and in the entry point I couldn't find the equivalent of tls=true, but I added:

```toml
[entryPoints.https]
  address = ":10443"
  [entryPoints.https.http.tls]
    options = "myTLSOptions"
```

and it didn't work (I also tried removing options). What I see with curl is that it checks for the cert in:

```
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
```

but I'm not sure why it cannot find my default certs.
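The following Python is an added illustration, not code from this thread or from Traefik itself. It models the order in which Traefik v2 picks the certificate it presents in a handshake: match the TLS SNI server name against the domains (SANs/CN) of the loaded certificates, otherwise use the store's `defaultCertificate`, otherwise the self-signed certificate Traefik generates at start-up, whose CN is "TRAEFIK DEFAULT CERT". Certificates are plain string labels and every store, domain and probe below is constructed sample data; the wildcard matching is modelled on Traefik's one-label rule and is an assumption about its exact behaviour. The point it makes for the tests above: `https://<ip-ext>:10443` and `curl -H Host:mywebsite.com https://127.0.0.1:10443` both connect to an IP literal, so no SNI is sent; `-H Host:` only sets the HTTP Host header, which the router rule sees after the handshake, so certificate selection falls through to the default.

```python
"""Model of the order in which Traefik v2 chooses the certificate it serves.

Added illustration, not Traefik's own code: certificates are string labels and
the store contents are constructed sample data. The order mirrors the
documented behaviour: SNI match against loaded certificates, then the TLS
store's defaultCertificate, then Traefik's generated "TRAEFIK DEFAULT CERT".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

GENERATED_DEFAULT_CN = "TRAEFIK DEFAULT CERT"  # CN of Traefik's built-in fallback


@dataclass
class CertStore:
    """One TLS store: domain -> certificate label, plus an optional default."""
    certs: Dict[str, str] = field(default_factory=dict)
    default_cert: Optional[str] = None  # [tls.stores.default.defaultCertificate]

    def add(self, label: str, *domains: str) -> None:
        for domain in domains:
            self.certs[domain.lower()] = label


def match_domain(server_name: str, cert_domain: str) -> bool:
    """True for an exact match, or when cert_domain equals the server name with
    exactly one label replaced by '*' (assumed one-label wildcard rule: so
    *.example.com covers a.example.com but not a.b.example.com)."""
    if server_name == cert_domain:
        return True
    labels = server_name.split(".")
    for i in range(len(labels)):
        candidate = labels[:i] + ["*"] + labels[i + 1:]
        if ".".join(candidate) == cert_domain:
            return True
    return False


def select_certificate(store: CertStore, sni: Optional[str]) -> str:
    """Label of the certificate presented for a ClientHello carrying `sni`.

    An absent SNI is what a client sends when it connects to an IP literal
    (https://127.0.0.1:10443 or https://<ip-ext>:10443); curl's -H Host:...
    changes the HTTP Host header only, not the TLS server name.
    """
    server_name = (sni or "").strip().lower()
    if server_name:
        matched = {d: c for d, c in store.certs.items() if match_domain(server_name, d)}
        if matched:
            # Sort the matching domains and take the last: '*' sorts before
            # letters, so an exact-name certificate beats a wildcard one.
            return matched[sorted(matched)[-1]]
    if store.default_cert is not None:
        return store.default_cert
    return GENERATED_DEFAULT_CN


def scenario() -> Dict[str, str]:
    """The thread's setup (constructed): mycert for mywebsite.com, with and
    without a store default, probed with and without SNI."""
    no_default = CertStore()
    no_default.add("mycert", "mywebsite.com")
    with_default = CertStore(default_cert="mycert")
    with_default.add("mycert", "mywebsite.com")
    return {
        "sni_match": select_certificate(no_default, "mywebsite.com"),
        "no_sni_no_default": select_certificate(no_default, None),
        "no_sni_with_default": select_certificate(with_default, None),
        "other_sni_with_default": select_certificate(with_default, "other.example"),
    }


if __name__ == "__main__":
    for probe, cert in scenario().items():
        print(f"{probe:24s} -> {cert}")
```

Two consequences follow from the model. First, to exercise the SNI path from the server itself, send a real server name rather than an IP: `curl -k --resolve mywebsite.com:10443:127.0.0.1 https://mywebsite.com:10443` or `openssl s_client -connect 127.0.0.1:10443 -servername mywebsite.com`. Second, once `[tls.stores.default.defaultCertificate]` is in effect, even a no-SNI probe returns mycert; if the generated "TRAEFIK DEFAULT CERT" is still served after that change, the dynamic configuration file is not being applied at all, which matches the 404 from the router and is worth confirming in the Traefik log before changing any TLS setting.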