Let's Encrypt + own certificates: can't get it to work

Hello!

Can someone please help me solve a problem?
We are using Let's Encrypt certificates, but for some sites we need to use a wildcard certificate.

The Let's Encrypt section is defined in the static config:

certificatesResolvers:
  crl:
    acme:
      email: х@х
      storage: acme.json
      httpChallenge:
        entrypoint: web

The .cert and .key files are placed into the Docker container with chmod 600:

      - ./data/certs/:/etc/certs/

The dynamic configuration folder is mapped:

      - ./data/configuration/:/configuration/

I've created a file for the certs, /configuration/certificates.yml:

tls:
  certificates:
    # x
    - certFile: /etc/certs/x.cert
      keyFile: /etc/certs/x.key

In the dynamic config for Let's Encrypt we're using:

http:
  #region routers
  routers:
    sx.x:
      rule: Host(`sx.x`)
      middlewares:
        - internet
      tls:
        certResolver: crl
      service: sx.x

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  # TLS 1.2
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
        - TLS_FALLBACK_SCSV                       # TLS FALLBACK
      curvePreferences:
        - secp521r1
        - secp384r1
    modern:
      minVersion: VersionTLS13

And I totally don't understand how I can tell Traefik to use our certificate for some of our services. What needs to be defined?

Thank you

You can use Traefik with custom certs and Let's Encrypt at the same time.

Define a Let's Encrypt certresolver and use `providers.file` in the static config to load a dynamic config with the custom TLS certs. Then in the routers assign the certresolver for LE certs and just use `tls=true` for the custom certs.

# traefik.yml - Traefik static config
entryPoints:
  ...

providers:
  file:
    filename: /traefik-dynamic.yml
    watch: true

certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: /acme.json
      tlsChallenge:
        entryPoint: websecure

# traefik-dynamic.yml - Traefik dynamic config
tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /run/secrets/example.com.crt
      keyFile: /run/secrets/example.com.key
  stores: # add this if you want to set default cert for unknown hosts
    default:
      defaultCertificate:
        certFile: /run/secrets/example.com.crt
        keyFile: /run/secrets/example.com.key

# docker-compose.yml with labels for provider.docker
# Router and service names must be unique per container; two containers
# declaring the same router name would collide in the Docker provider.
services:
  whoami-with-custom-cert:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.rule=Host(`example.com`)
      # tls=true with no resolver: the certificate is picked from the TLS store
      # by SNI, i.e. the custom cert loaded in traefik-dynamic.yml
      - traefik.http.routers.mywhoami.tls=true
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

  whoami-with-letsencrypt-cert:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami-le.entrypoints=websecure
      - traefik.http.routers.mywhoami-le.rule=Host(`example2.com`)
      # certresolver set: Traefik obtains the certificate from Let's Encrypt
      - traefik.http.routers.mywhoami-le.tls.certresolver=myresolver
      - traefik.http.services.mywhoami-le.loadbalancer.server.port=80

Thank you! But how can I define tls=true if I'm using an external service, like

    x.x.com:
      rule: Host(`x.x.com`)
      service: x.x.com

    x.x.com:
      loadBalancer:
        servers:
          - url: "http://10.15.103.75:9000"
        passHostHeader: true

In the config file you use this for true:

tls: {}
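Putting the two answers together for the file-provider case in the question, here is a complete dynamic config in which one router (external backend, own wildcard cert) uses `tls: {}` and the other uses the `crl` resolver. This is an added example, not code from the thread: the entry point name `websecure`, the hostnames, the backend IP and the certificate paths are assumptions that follow the placeholders used in the posts above.

```yaml
# /configuration/certificates.yml, loaded by providers.file (added example)
# Assumed: an entry point named "websecure" exists in the static config;
# hostnames, paths and the backend IP are the placeholders from the thread.
tls:
  certificates:
    # The wildcard cert is never referenced from a router. Traefik matches it
    # to a connection by comparing the client's SNI against the cert's SANs,
    # so the cert must contain DNS:*.x.com (or DNS:x.x.com) for the router below.
    - certFile: /etc/certs/x.cert
      keyFile: /etc/certs/x.key
  stores:
    default:
      # Served only when sniStrict is false and no cert matches the SNI.
      # With sniStrict: true (as in the options above) unmatched SNI and
      # missing SNI are both rejected, so this fallback is effectively unused.
      defaultCertificate:
        certFile: /etc/certs/x.cert
        keyFile: /etc/certs/x.key

http:
  routers:
    # External service behind the own/wildcard certificate:
    # "tls: {}" enables TLS on the router without a resolver, which is the
    # file-provider spelling of the Docker label tls=true.
    x.x.com:
      entryPoints:
        - websecure
      rule: Host(`x.x.com`)
      tls: {}
      service: x.x.com

    # Let's Encrypt: the resolver "crl" from the static config issues the cert.
    sx.x:
      entryPoints:
        - websecure
      rule: Host(`sx.x`)
      middlewares:
        - internet
      tls:
        certResolver: crl
      service: sx.x

  services:
    x.x.com:
      loadBalancer:
        servers:
          - url: "http://10.15.103.75:9000"
        passHostHeader: true
```

If the router still answers with the Traefik default self-signed certificate, the usual cause is that the SAN list of x.cert does not cover the host in the rule; `openssl x509 -in ./data/certs/x.cert -noout -ext subjectAltName` shows what the cert actually covers, and a mismatch between `tls.certificates` and the file mounted at `/etc/certs/` (or a key that is unreadable by the Traefik process after chmod 600) shows up in the Traefik log at startup.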

Thank you!

Have a nice day
