Pavel
January 14, 2023, 10:57am
1
Hello!
Can someone please help me solve a problem.
We are using Let's Encrypt certificates, but for some sites we need to use a wildcard certificate.
The Let's Encrypt section is defined in the static config:
certificatesResolvers:
  crl:
    acme:
      email: х@х
      storage: acme.json
      httpChallenge:
        entryPoint: web
The .cert and .key are placed into the Docker container with chmod 600:
    - ./data/certs/:/etc/certs/
The dynamic configuration folder is mapped:
    - ./data/configuration/:/configuration/
I've created a file for the certs, /configuration/certificates.yml:
tls:
  certificates:
    # x
    - certFile: /etc/certs/x.cert
      keyFile: /etc/certs/x.key
In the dynamic config for Let's Encrypt we are using:
http:
  #region routers
  routers:
    sx.x:
      rule: Host(`sx.x`)
      middlewares:
        - internet
      tls:
        certResolver: crl
      service: sx.x
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 # TLS 1.2
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
        - TLS_AES_256_GCM_SHA384 # TLS 1.3
        - TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
        # TLS_FALLBACK_SCSV is a downgrade-signalling value, not a cipher suite,
        # and Traefik does not accept it in this list
      curvePreferences:
        - secp521r1
        - secp384r1
    modern:
      minVersion: VersionTLS13
And I totally don't understand how I can tell Traefik to use our certificate for some of our services. What needs to be defined?
Thank you
You can use Traefik with a custom cert and LetsEncrypt at the same time.
Define a LetsEncrypt certresolver and use a provider.file in the static config to load a dynamic config with the custom TLS certs. Then in the routers assign the certresolver for LE certs and just use TLS=true for the custom certs.
# traefik.yml - Traefik static config
entryPoints:
  ...
providers:
  file:
    filename: /traefik-dynamic.yml
    watch: true
certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: /acme.json
      tlsChallenge:
        entryPoint: websecure

# traefik-dynamic.yml - Traefik dynamic config
tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /run/secrets/example.com.crt
      keyFile: /run/secrets/example.com.key
  stores: # add this if you want to set default cert for unknown hosts
    default:
      defaultCertificate:
        certFile: /run/secrets/example.com.crt
        keyFile: /run/secrets/example.com.key

# docker-compose.yml with labels for provider.docker
services:
  whoami-with-custom-cert:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.rule=Host(`example.com`)
      - traefik.http.routers.mywhoami.tls=true
      - traefik.http.services.mywhoami.loadbalancer.server.port=80
  whoami-with-letsencrypt-cert:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # router and service names must be unique per container, otherwise
      # Traefik reports a conflicting definition and disables the router
      - traefik.http.routers.mywhoami2.entrypoints=websecure
      - traefik.http.routers.mywhoami2.rule=Host(`example2.com`)
      - traefik.http.routers.mywhoami2.tls.certresolver=myresolver
      - traefik.http.services.mywhoami2.loadbalancer.server.port=80
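What the file-provider set-up above comes down to at the TLS handshake: Traefik selects the certificate by matching the client's SNI against the SANs of the certificates it has loaded, and serves the store's default certificate when nothing matches. The Go program below is an added example written for this thread, not Traefik's own code or the poster's; it creates throw-away self-signed certificates in memory (`*.example.com` standing in for the custom wildcard, `other.example.net` for a single-host cert, `fallback.invalid` for the default) and uses Go's `x509.Certificate.VerifyHostname` as a simplified stand-in for Traefik's SNI lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throw-away self-signed certificate in memory whose
// Subject Alternative Names are dnsNames. Constructed test data only; a real
// deployment loads the files Traefik references under tls.certificates.
func selfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		// hostname matching uses the SANs, not the CN
		DNSNames:    dnsNames,
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pickCertificate is a simplified model of SNI-based selection (an
// approximation of Traefik's lookup, not its implementation): the first
// loaded certificate whose SANs cover the requested server name is served;
// if none does, the store's default certificate is served instead.
func pickCertificate(sni string, loaded []*x509.Certificate, def *x509.Certificate) *x509.Certificate {
	for _, c := range loaded {
		if c.VerifyHostname(sni) == nil {
			return c
		}
	}
	return def
}

func main() {
	wildcard, err := selfSignedCert([]string{"*.example.com"})
	if err != nil {
		panic(err)
	}
	leaf, err := selfSignedCert([]string{"other.example.net"})
	if err != nil {
		panic(err)
	}
	def, err := selfSignedCert([]string{"fallback.invalid"})
	if err != nil {
		panic(err)
	}
	loaded := []*x509.Certificate{wildcard, leaf}
	for _, sni := range []string{"sx.example.com", "example.com", "a.b.example.com", "other.example.net"} {
		c := pickCertificate(sni, loaded, def)
		fmt.Printf("%-20s -> %s\n", sni, c.Subject.CommonName)
	}
}
```

The point the output makes for the wildcard question: `*.example.com` covers exactly one label, so `sx.example.com` gets the wildcard cert while the apex `example.com` and the deeper `a.b.example.com` fall through to the default certificate. With `sniStrict: true` in the TLS options, as in the original post, a name that no loaded certificate covers is rejected at the handshake rather than served the default, so the hosts you expect to use the custom cert must actually be listed in its SANs.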
Pavel
January 14, 2023, 1:02pm
3
Thank you! But how can I define tls=true if I'm using an external service, like:
http:
  routers:
    x.x.com:
      rule: Host(`x.x.com`)
      service: x.x.com
  services:
    x.x.com:
      loadBalancer:
        servers:
          - url: "http://10.15.103.75:9000"
        passHostHeader: true
In a config file you use this for true:
      tls: {}
system
Closed
January 17, 2023, 3:12pm
6
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.