LetsEncrypt\ACME\LEGO Environment Variables on Windows

Hi all,

Hoping for a little bit of guidance on configuring Traefik with LetsEncrypt on Windows.

I've been playing around with setting up Traefik using Docker on Ubuntu on a ThinClient, but found the lack of resources on that device restrictive, so I'm now trying to configure Traefik on Windows without Docker, if I can help it. I have a few services running on the Windows server that I want to put behind a reverse proxy with Crowdsec, which I'll get to eventually.

I've got Traefik running and proxying traffic, but I'm having trouble getting the LetsEncrypt part working on Windows. Had it working fine in Docker on Ubuntu so I understand the method and requirements.

I have an API token with the required permissions on CloudFlare, and I understand that token needs to be configured as an Environment Variable, but nothing I have tried has worked.

I'm fairly certain I've tried all supported combinations of the following variables...

But whenever I start Traefik I get an error stating "invalid token".

Is there any way I can add these variables to my Traefik config that doesn't involve adding them as ENV VARs in Windows? Does anyone have this working with ENV VARs configured in Windows who can share their experience?

There's a lack of info around for running Traefik as a binary on Windows, and I understand most people run it in Docker, but I'd rather not complicate things by adding another layer, if at all possible. I'm sure if I can get past this issue of providing the required token for LetsEncrypt via whatever means, I'll be fine with the rest.

Any and all suggestions welcome.

Thanks

Traefik Debug Logs

2025-03-25T00:15:08Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:241 > Loading plugins... plugins=["bouncer"]
2025-03-25T00:15:08Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: bouncer: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin@v1.4.1
2025-03-25T00:15:08Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.1
2025-03-25T00:15:08Z DBG github.com/hashicorp/go-retryablehttp@v0.7.7/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.1
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:251 > Plugins loaded. plugins=["bouncer"]
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator *aggregator.ProviderAggregator
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=https
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231 > Starting TCP Server entryPointName=http
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"directory":"C:/traefik/configs","watch":true}
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: C:/traefik/configs
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: C:/traefik/configs/dynamic.yml
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.Provider
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"letsencrypt-test","TLSChallengeProvider":{},"caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"delayBeforeCheck":"10s","propagation":{"delayBeforeChecks":"10s"},"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]},"email":"redacted@REDACTED.com","keyType":"RSA4096","storage":"acme.json","store":{}}
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:232 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:884 > Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"crowdsec":{"plugin":{"bouncer":{"clientTrustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"],"crowdsecAppsecEnabled":"false","crowdsecAppsecFailureBlock":"true","crowdsecAppsecHost":"crowdsec:7422","crowdsecAppsecUnreachableBlock":"true","crowdsecLapiHost":"crowdsec:8080","crowdsecLapiKey":"REDACTED","crowdsecLapiScheme":"http","crowdsecLapiTLSInsecureVerify":"false","crowdsecMode":"live","defaultDecisionSeconds":"60","enabled":"true","forwardedHeadersTrustedIPs":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}}},"traefik-auth":{"basicAuth":{"users":["redacted:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"]}}},"routers":{"dashboard":{"middlewares":["traefik-auth"],"rule":"Host(`traefik.REDACTED.com`)","service":"api@internal","tls":{"certResolver":"letsencrypt-test","domains":[{"main":"REDACTED.com","sans":["*.REDACTED.com"]}]}}}},"tcp":{},"tls":{"options":{"default":{"alpnProtocols":["h2","http/1.1","acme-tls/1"],"cipherSuites":["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"],"clientAuth":{},"minVersion":"VersionTLS12"}}},"udp":{}} providerName=file
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"serversTransports":{"default":{"insecureSkipVerify":true,"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:52 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["http","https"] routerName=dashboard
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:37 > Creating middleware entryPointName=https middlewareName=traefik-auth@file middlewareType=BasicAuth routerName=dashboard@file
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=https middlewareName=traefik-auth@file routerName=dashboard@file
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.REDACTED.com with TLS options default entryPointName=http
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.REDACTED.com with TLS options default entryPointName=https
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:52 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["http","https"] routerName=dashboard
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate ["REDACTED.com" "*.REDACTED.com"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:986 > Domains need ACME certificates generation for domains "REDACTED.com,*.REDACTED.com". ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["REDACTED.com","*.REDACTED.com"] providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:706 > Loading ACME certificates [REDACTED.com *.REDACTED.com]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:270 > Building ACME client... providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:276 > https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:37 > Creating middleware entryPointName=http middlewareName=traefik-auth@file middlewareType=BasicAuth routerName=dashboard@file
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=http middlewareName=traefik-auth@file routerName=dashboard@file
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.REDACTED.com with TLS options default entryPointName=http
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for traefik.REDACTED.com with TLS options default entryPointName=https
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:940 > Looking for provided certificate(s) to validate ["REDACTED.com" "*.REDACTED.com"]... ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:984 > No ACME certificate generation required for domains ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["REDACTED.com","*.REDACTED.com"] providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:317 > Using DNS Challenge provider: cloudflare providerName=letsencrypt-test.acme
2025-03-25T00:15:09Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com, *.REDACTED.com] acme: Obtaining bundled SAN certificate lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.REDACTED.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/191321344/16532183694 lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/191321344/16532183704 lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.REDACTED.com] acme: use dns-01 solver lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] acme: Could not find solver for: tls-alpn-01 lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] acme: Could not find solver for: http-01 lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] acme: use dns-01 solver lib=lego
2025-03-25T00:15:10Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.REDACTED.com] acme: Preparing to solve DNS-01 lib=lego
2025-03-25T00:15:11Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] acme: Preparing to solve DNS-01 lib=lego
2025-03-25T00:15:12Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [*.REDACTED.com] acme: Cleaning DNS-01 challenge lib=lego
2025-03-25T00:15:12Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [WARN] [*.REDACTED.com] acme: cleaning up failed: cloudflare: failed to find zone REDACTED.com.: ListZonesContext command failed: Invalid access token (9109)  lib=lego
2025-03-25T00:15:12Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] [REDACTED.com] acme: Cleaning DNS-01 challenge lib=lego
2025-03-25T00:15:13Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [WARN] [REDACTED.com] acme: cleaning up failed: cloudflare: failed to find zone REDACTED.com.: ListZonesContext command failed: Invalid access token (9109)  lib=lego
2025-03-25T00:15:13Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/191321344/16532183694 lib=lego
2025-03-25T00:15:14Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz/191321344/16532183704 lib=lego
2025-03-25T00:15:14Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:553 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [REDACTED.com *.REDACTED.com]: error: one or more domains had a problem:\n[*.REDACTED.com] [*.REDACTED.com] acme: error presenting token: cloudflare: failed to find zone REDACTED.com.: ListZonesContext command failed: Invalid access token (9109)\n[REDACTED.com] [REDACTED.com] acme: error presenting token: cloudflare: failed to find zone REDACTED.com.: ListZonesContext command failed: Invalid access token (9109)\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["REDACTED.com","*.REDACTED.com"] providerName=letsencrypt-test.acme routerName=dashboard@file rule=Host(`traefik.REDACTED.com`)
2025-03-25T00:15:28Z INF github.com/traefik/traefik/v3/pkg/server/server.go:51 > I have to go...
2025-03-25T00:15:28Z INF github.com/traefik/traefik/v3/pkg/server/server.go:52 > Stopping server gracefully
2025-03-25T00:15:28Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:298 > Waiting 10s seconds before killing connections entryPointName=http
2025-03-25T00:15:28Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:298 > Waiting 10s seconds before killing connections entryPointName=https
2025-03-25T00:15:28Z ERR github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:240 > error="accept tcp [::]:80: use of closed network connection" entryPointName=http
2025-03-25T00:15:28Z ERR github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:240 > error="accept tcp [::]:443: use of closed network connection" entryPointName=https
2025-03-25T00:15:28Z ERR github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:316 > error="close tcp [::]:80: use of closed network connection" entryPointName=http
2025-03-25T00:15:28Z ERR github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:316 > error="close tcp [::]:443: use of closed network connection" entryPointName=https
2025-03-25T00:15:28Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:153 > Entrypoint closed entryPointName=http
2025-03-25T00:15:28Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:153 > Entrypoint closed entryPointName=https
2025-03-25T00:15:28Z INF github.com/traefik/traefik/v3/pkg/server/server.go:76 > Server stopped
2025-03-25T00:15:28Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:169 > Shutting down

  1. Traefik is a "Cloud Native Application Proxy", so don't use Windows :wink:
  2. Share your full Traefik static and dynamic config
  3. Enable and check Traefik DEBUG log (doc). Look for err and acme
  4. Enable and check Traefik access log in JSON format (doc) during requests
  5. Check the LE doc:

You may use CF_API_EMAIL and CF_API_KEY to authenticate, or CF_DNS_API_TOKEN, or CF_DNS_API_TOKEN and CF_ZONE_API_TOKEN.

Your domain's DNS needs to be hosted by Cloudflare. If you use sub-domains, I think Cloudflare needs to be aware of those.

Thanks for taking time to reply bluepuma77.

I appreciate that it's a "Cloud Native Application Proxy", but that doesn't exclude Windows by definition. Plenty of Windows workloads running in the "Cloud". And I do understand that everyone likes to containerise these days, but if I can run it on Windows without adding additional complexity I'd rather do that. I'm only setting it up at home. That said, if I can't find a way to make it work how I'd prefer I'll eventually give in and spin up Docker on Windows.

I have added the DEBUG logs already, but for ease of reading, the part I'm focused on is below:

2025-03-25T00:15:13Z DBG github.com/go-acme/lego/v4@v4.22.2/log/logger.go:48 > [WARN] [REDACTED.com] acme: cleaning up failed: cloudflare: failed to find zone REDACTED.com.: ListZonesContext command failed: Invalid access token (9109)  lib=lego

I get one of these errors for both DOMAIN.com and *.DOMAIN.com.

I have tried all combinations, I'm certain, of the ENV VARs provided in the LEGO documentation.

My domain is hosted by CF and I have had this working on Docker on Ubuntu so I know it all works. I just can't get the API TOKEN to be picked up by LE in Windows.

I've checked the ACCESS.log and found nothing of note in there. Ports 80 and 443 are open and forwarded to Traefik, and I have disabled http to https redirection to make sure that's not interfering.

Is there a way to define the API TOKEN in the static or dynamic config? Or in a separate file that can be called by the configs? I'm sure there is a way to make this work. It just seems to be the road less travelled so not many have experience with it.

Static.yml

api: {}

entryPoints:
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Cloudflare's public IP list
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 108.162.192.0/18
        - 131.0.72.0/22
        - 141.101.64.0/18
        - 162.158.0.0/15
        - 172.64.0.0/13
        - 173.245.48.0/20
        - 188.114.96.0/20
        - 190.93.240.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 10.0.0.0/24
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
#    http:
#      redirections:
#        entryPoint:
#          to: https
#          scheme: https

  https:
    address: :443
    forwardedHeaders:
      trustedIPs: *trustedIps

serversTransport:
  insecureSkipVerify: true

experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.1

providers:
  file:
    directory: "C:/traefik/configs"
    watch: true

certificatesResolvers:
  letsencrypt-test:
    acme:
      email: xxxxxxxxxxxxxxxxxxxxxxxxxx
      storage: acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
#  letsencrypt-prod:
#    acme:
#      email: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#      storage: acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
#      dnsChallenge:
#        provider: cloudflare
#        delayBeforeCheck: 10
#        resolvers:
#          - "1.1.1.1:53"
#          - "1.0.0.1:53"

accessLog:
  filePath: "C:/traefik/logs/access.log"
  format: json
  filters:
    statusCodes:
      - "200-299" # log successful http requests
      - "400-599" # log failed http requests
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop # drop all headers per default
      names:
          User-Agent: keep # log user agent strings

log:
  filePath: "C:/traefik/logs/traefik.log"
  level: DEBUG

Dynamic.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
http:
  routers:
    dashboard:
      rule: Host(`traefik.REDACTED.com`)
      service: api@internal
      middlewares:
        - traefik-auth
      tls:
        certResolver: letsencrypt-test
        domains:
          - main: "REDACTED.com"
            sans: 
              - "*.REDACTED.com"

  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "REDACTED:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'"
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          defaultDecisionSeconds: 60
          crowdsecMode: live
          crowdsecAppsecEnabled: false
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          forwardedHeadersTrustedIPs:
            # private class ranges
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
          clientTrustedIPs:
            # private class ranges
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16

You want to use Windows. So you should know how to supply an env var. Sorry, 99.9% Linux users here.

I can tell you how to do it with Docker compose. But please don’t start with Docker Desktop, it’s a development tool and not meant to continuously run production workloads.

The error message you supplied is about cleanup. Did you check in Cloudflare if the TXT records were created?

Yes, I would like to use Windows, that is why I'm here asking for assistance. Traefik provides a binary for Windows so I would expect there to be a way to use it.

I am also a Linux user. As stated in my original post, I had this working on Ubuntu. But due to the lack of resources on that device I decided to try to get it working on Windows. Also stated in my original post, I have configured the variables in Windows, the problem is I can't tell if they're being referenced or not. There's no indication in the logs, aside from the error stating that "lego failed to ListZonesContext due to an invalid token". I wanted to know if there was a way to add the required variables to the Traefik config to rule out any issue reading the Windows Environment Variables. Or to hear from someone using the binary that has come across a similar issue.

I know I said I'd welcome any and all suggestions, but if you have nothing productive to contribute, because you don't know, just say so. Or, better yet, wait to see if one of the 0.1% of Windows users has anything to add. Don't patronise me with your, "we're all Linux users.... you want to use Windows so you should know.... pleeeaaassee don't use Docker Desktop..." crap.

I'm an infrastructure engineer. We run Traefik on TKG where I work. I work with numerous different technologies and products. I like to challenge myself and learn. It's also been a loooonnggg day, so apologies if my response comes across with a hint of frustration....

The services I want to connect to securely with a reverse proxy are currently running on a Windows Server and migrating to Linux would be a huge, if not impossible, task. I could host the Traefik proxy on the other device but I would be sacrificing performance if I did that.

So, I thought I would join the community forum to ask if anyone could assist.

Docker Desktop is likely going to be my next option if I can't make this work. I've used it before and not had any issues, and this is a home server setup.

And yes, I have checked and no TXT records have been created.

I would still welcome any suggestions you have that might assist me in making this work on Windows.

For anyone else having this issue... all 0.1% of you... :wink: here is the command you need to run:

SET CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx && traefik

Replace the X's with your API TOKEN and run this from the traefik folder.

Bosh!
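For the same situation, here is an added PowerShell launcher (not code from the thread, Traefik or lego) that does what the one-liner above does, plus the two checks that would have shortened this thread: it reports which of the Cloudflare variable names from the lego doc quoted earlier (CF_API_EMAIL/CF_API_KEY, CF_DNS_API_TOKEN, CF_ZONE_API_TOKEN, and the CLOUDFLARE_DNS_API_TOKEN spelling used in the working command) are actually visible to the process, and it asks Cloudflare's token verify endpoint whether the token is active before Traefik ever reaches the "Invalid access token (9109)" path. The file paths (token file, traefik.exe, static.yml) are assumptions; adjust them to your layout.

```powershell
<#
  Added example, not code from the thread or from Traefik/lego.
  Starts the Traefik Windows binary with the Cloudflare API token scoped to this
  process only, after confirming (a) which lego-recognised variables are set and
  (b) that Cloudflare itself accepts the token.
#>
param(
    [string]$TokenFile    = 'C:\traefik\secrets\cloudflare-token.txt',  # assumed path
    [string]$TraefikExe   = 'C:\traefik\traefik.exe',                   # assumed path
    [string]$StaticConfig = 'C:\traefik\static.yml'                     # assumed path
)
$ErrorActionPreference = 'Stop'

# Names from the lego doc quoted in the thread, plus the CLOUDFLARE_ spelling
# from the working command. lego prefers a DNS API token; CF_API_EMAIL/CF_API_KEY
# are the legacy global-key pair, so stale values from earlier attempts matter.
$tokenNames = @('CLOUDFLARE_DNS_API_TOKEN', 'CF_DNS_API_TOKEN')
$otherNames = @('CF_ZONE_API_TOKEN', 'CF_API_EMAIL', 'CF_API_KEY')

function Get-CloudflareAuthVars {
    # Names that are currently visible to THIS process. A value set in the System
    # Properties GUI only reaches shells opened after it was saved, which is the
    # usual reason a freshly configured variable "does nothing".
    ($tokenNames + $otherNames) | Where-Object {
        -not [string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($_))
    }
}

function Test-CloudflareToken {
    param([string]$Token)
    # Cloudflare's token self-check endpoint: a valid token answers success=true and
    # result.status=active; an invalid one answers HTTP 400, which Invoke-RestMethod
    # surfaces as an exception.
    try {
        $r = Invoke-RestMethod -Method Get `
            -Uri 'https://api.cloudflare.com/client/v4/user/tokens/verify' `
            -Headers @{ Authorization = "Bearer $Token" }
        return ($r.success -eq $true -and $r.result.status -eq 'active')
    } catch {
        Write-Warning "Cloudflare rejected the token: $($_.Exception.Message)"
        return $false
    }
}

# 1. Load the secret from a file whose ACL is limited to the account running
#    Traefik, and strip the trailing newline an editor usually leaves behind.
$raw   = Get-Content -Path $TokenFile -Raw
$token = if ($raw) { $raw.Trim() } else { '' }
if ([string]::IsNullOrEmpty($token)) { throw "No token found in $TokenFile" }

# 2. Show what lego is going to see before starting.
$visible = Get-CloudflareAuthVars
Write-Host "Cloudflare variables already in this process: $(if ($visible) { $visible -join ', ' } else { '(none)' })"

# 3. Process-scoped assignment: the child process inherits it, nothing is written
#    to the registry, and no other user or session can read it afterwards.
$env:CLOUDFLARE_DNS_API_TOKEN = $token

# 4. Fail fast with a clear message instead of waiting for lego's 9109 error.
if (-not (Test-CloudflareToken -Token $token)) {
    throw 'Token is not active; fix it in the Cloudflare dashboard before starting Traefik'
}

# 5. Run Traefik from its own folder, as the thread does, pointing at the static config.
Start-Process -FilePath $TraefikExe `
    -ArgumentList "--configFile=$StaticConfig" `
    -WorkingDirectory (Split-Path -Parent $TraefikExe) `
    -NoNewWindow -Wait
```

Two things the cmd.exe one-liner does not give you: `SET X=value && traefik` stores everything up to the `&&`, so the variable carries a trailing space, and the token ends up in the console history, whereas the `$env:` assignment above takes exactly the trimmed file contents and leaves no copy outside the running process. If Traefik is later installed as a Windows service, the token still has to reach that service's environment rather than an interactive session, so the same "what is visible to this process" check is worth keeping in whatever wrapper starts it.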

Thanks for sharing how to set an env var in Windows. Your solution might help other Windows users in the future.
