Greetings All,
I have been experimenting with Version 2 (rc-1) and I have been getting some weird issues when trying to make the Let's Encrypt part do its thing. It is running on a Docker Swarm (single host at present; note: the names have been changed to protect the innocent).
I'd appreciate any insights people may have.
The error in question is:
Unable to obtain ACME certificate for domains "api.some.domain.space": unable to generate a certificate for the domains [api.some.domain.space]: acme: Error -> One or more domains had a problem:\n[api.some.domain.space] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.some.domain.space/.well-known/acme-challenge/D36Bp10PohIHEgD6SkpMeL1K_JiniuNHmVNHVNGakYw: Timeout after connect (your server may be slow or overloaded), url: \n" providerName=ebiac.acme routerName=backend rule="Host(`api.some.domain.space`)
The domain(s) in question are pointed at the machine with Traefik on it. The docker-compose file used to spin everything up is:
version: '3'
services:
  reverse-proxy:
    image: traefik:v2.0
    command:
      - "--api.dashboard=true"
      - "--log.level=debug"
      - "--global.sendAnonymousUsage=false"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.ebiac.acme.email=someone@somewhere.io"
      - "--certificatesResolvers.ebiac.acme.storage=/opt/acme.json"
      - "--certificatesResolvers.ebiac.acme.httpChallenge.entryPoint=web"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/acme.json:/opt/acme.json
    deploy:
      replicas: 1
  docs:
    image: "location/of/image/docs:${TAG}"
    deploy:
      replicas: 1
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.docs_auth.basicauth.users=a_user:$$apr1$$Qh87YAzE$$UwoZ9yziQae5AewR5H6CO0"
        - "traefik.http.routers.docs.tls=true"
        - "traefik.http.routers.docs.tls.certResolver=ebiac"
        - "traefik.http.routers.docs.rule=Host(`docs.${DOMAIN}`)"
        - "traefik.http.routers.docs.entrypoints=websecure"
        - "traefik.http.services.docs.loadbalancer.server.port=80"
        - "traefik.http.routers.docs.middlewares=docs_auth@docker"
  backend:
    image: "location/of/image/backend:${TAG}"
    environment:
      - DATABASE_URL
      - EMAIL_URL
      - SECRET_KEY
      - ALLOWED_HOSTS
    deploy:
      replicas: 2
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.backend.tls=true"
        - "traefik.http.routers.backend.tls.certResolver=ebiac"
        - "traefik.http.routers.backend.rule=Host(`api.${DOMAIN}`)"
        - "traefik.http.routers.backend.entrypoints=websecure"
        - "traefik.http.services.backend.loadbalancer.server.port=8000"
        - "traefik.http.routers.backend.service=backend"
        # - "traefik.http.routers.https-redirect.rule=HostRegexp(`{and:.*}`)"
        # - "traefik.http.routers.https-redirect.middlewares=https-redirect"
        # - "traefik.http.middlewares.https-redirect.redirectScheme.scheme=https"
        # - "traefik.http.services.dummy.loadBalancer.server.port=80"
        # - "traefik.http.routers.https-redirect.service=dummy"
  frontend:
    image: "location/of/image/frontend:${TAG}"
    deploy:
      replicas: 2
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.frontend_auth.basicauth.users=a_user:$$apr1$$Qh87YAzE$$UwoZ9yziQae5AewR5H6CO0"
        - "traefik.http.routers.frontend.tls=true"
        - "traefik.http.routers.frontend.tls.certResolver=ebiac"
        - "traefik.http.routers.frontend.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.frontend.entrypoints=websecure"
        - "traefik.http.services.frontend.loadbalancer.server.port=80"
        - "traefik.http.routers.frontend.middlewares=frontend_auth@docker"
The server in question is barely registering any load, so it is not slow in itself.
Also - I'd really like to get HTTP -> HTTPS redirecting working for all configured domains (without interfering with Let's Encrypt's HTTP challenge). There is a commented-out bit in that stack that seemed to work previously but may have horribly broken the HTTP challenge.
Thanks,
Jon
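One way to express the HTTP -> HTTPS redirect asked about above, as an added example that is not part of the original post: a separate catch-all router bound only to the `web` entrypoint, with a `redirectscheme` middleware, attached to the `frontend` service so the router has a service to reference (the redirect fires before anything is proxied, so the target is never reached). Traefik's ACME documentation states that redirection is compatible with the HTTP-01 challenge, because the challenge handler answers `/.well-known/acme-challenge/` requests on the entrypoint before routers are consulted; the router and middleware names (`http-catchall`, `redirect-to-https`) are assumptions, and the existing `frontend` labels are copied from the post.

```yaml
  frontend:
    image: "location/of/image/frontend:${TAG}"
    deploy:
      replicas: 2
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.frontend_auth.basicauth.users=a_user:$$apr1$$Qh87YAzE$$UwoZ9yziQae5AewR5H6CO0"
        # HTTPS router exactly as in the original stack, with the service named
        # explicitly now that this container carries more than one router
        - "traefik.http.routers.frontend.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.frontend.entrypoints=websecure"
        - "traefik.http.routers.frontend.tls=true"
        - "traefik.http.routers.frontend.tls.certResolver=ebiac"
        - "traefik.http.routers.frontend.middlewares=frontend_auth@docker"
        - "traefik.http.routers.frontend.service=frontend"
        - "traefik.http.services.frontend.loadbalancer.server.port=80"
        # catch-all router on the plain-HTTP entrypoint only (assumed names);
        # restricting it to `web` keeps it away from the websecure routers
        - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.routers.http-catchall.service=frontend"
        # permanent (301) redirect to https; the ACME challenge path is still
        # answered by Traefik's own challenge handler on port 80
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
```

To check it, a plain HTTP request to any configured host should return a 301 with an `https://` Location header, while a request to the `/.well-known/acme-challenge/` path during a renewal is served by Traefik itself rather than redirected.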