Manage several user-defined certificates

jose · October 6, 2020, 10:47am

Hi,
I am trying to implement a NextCloud + OnlyOffice service behind traefik with docker-compose. I have create a user-defined certificate for Nextcloud but I need to do for onlyoffice too.
To do working the https for Nextcloud I have modified the default certificate store but I dont know how to add a new certificate-store entry for onlyoffice.

Any idea?

This my code:

version: "2.2"

networks:
  proxy:
    external: true
  internal:
    external: false

services:

  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.filename=/etc/traefik/tls/nextcloud-nxtsvc-pre.toml"
      - "--providers.file.watch=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`monitor-nxtsvc-pre.mydomain.org`)"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/tls/:/etc/traefik/tls/"
      - "/etc/localtime:/etc/localtime:ro"
    mem_reservation: 512 mb
    mem_limit: 1000000000
    networks:
      - proxy

  nextcloud:
    image: nextcloud
    environment:
      - MYSQL_DATABASE=nextcloudpre
      - MYSQL_USER=root
    links:
      - mysql
    restart: always
    volumes:
      - ./nextcloud/nextcloud:/var/www/html
      - ./nextcloud/apps:/var/www/html/custom_apps
      - ./nextcloud/data:/var/www/html/data
      - ./nextcloud/config:/var/www/html/config
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      - "traefik.http.routers.nextcloudpre-http.rule=Host(`nextcloud-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.nextcloudpre-http.entrypoints=web"
      - "traefik.http.routers.nextcloudpre-http.service=pool-nextcloudpre"

      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.tls=true"
      - "traefik.http.routers.nextcloud-https.service=pool-nextcloudpre"

      - "traefik.http.services.pool-nextcloudpre.loadbalancer.server.port=80"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.server.scheme=http"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.sticky.cookie.name=nxtc-pre-cookie"
      #- "traefik.http.services.nextcloud.loadbalancer.sticky.cookie.secure=true"
      #- "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
    mem_reservation: 2 gb
    mem_limit: 4000000000
    scale: 2
    networks:
      - internal
      - proxy
    depends_on:
      - mysql

  onlyoffice-ds:
    #container_name: onlyoffice
    image: onlyoffice/documentserver:latest
    stdin_open: true
    tty: true
    restart: always
    expose:
      - '80'
    volumes:
      - ./onlyoffice/Data:/var/www/onlyoffice/data
      - ./onlyoffice/log:/var/www/onlyoffice/log
      - ./onlyoffice/config/default.json:/etc/onlyoffice/documentserver/default.json
      - ./onlyoffice/config/local.json:/etc/onlyoffice/documentserver/local.json
      - ./onlyoffice/config/http-common.conf:/etc/onlyoffice/documentserver/nginx/includes/http-common.conf
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice-ds.rule=Host(`onlyoffice-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.onlyoffice-ds.entrypoints=web"
      - "traefik.docker.network=proxy"
      - "traefik.http.services.onlyoffice-ds.loadbalancer.server.port=80"
      - "traefik.http.services.onlyoffice-ds.loadbalancer.server.scheme=http"
      - "traefik.http.services.onlyoffice-ds.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.onlyoffice-ds.loadbalancer.sticky.cookie.name=ooffice-pre-cookie"
    mem_reservation: 2 gb
    mem_limit: 4000000000
    networks:
      - proxy
    depends_on:
      - nextcloud

  mysql:
    image: mariadb:latest
    environment:
      - MYSQL_ROOT_PASSWORD=XXXXXXXXXX
    restart: always
    volumes:
      - ./mysql/mysqldir:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    mem_reservation: 512 mb
    mem_limit: 756000000
    networks:
      - internal
    labels:
      - traefik.enable=false

/etc/traefik/tls/nextcloud-nxtsvc-pre.toml

# Dynamic configuration

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
         certFile = "/etc/traefik/tls/nextcloud-nxtsvc-pre_tls.crt"
         keyFile = "/etc/traefik/tls/nextcloud-nxtsvc-pre_tls.key"
  [tls.stores.onlyofficepre]
    [tls.stores.onlyofficepre.defaultCertificate]
         certFile = "/etc/traefik/tls/onlyoffice-nxtsvc-pre_tls.crt"
         keyFile = "/etc/traefik/tls/onlyoffice-nxtsvc-pre_tls.key"

ldez · October 6, 2020, 12:24pm

Hello,

Take a look to https://doc.traefik.io/traefik/v2.3/https/tls/#user-defined

jose · October 6, 2020, 1:12pm

Thanks Idez...

Yes that´s the solution!!

I didn´t read well the documentation and several minutes after post the question in somewhere I found reading that traefik use the certificate that match with the host´s FQDN of the request.

The code thats works is this:

version: "2.2"

networks:
  proxy:
    external: true
  internal:
    external: false

services:

  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.filename=/etc/traefik/tls/nextcloud-nxtsvc-pre.toml"
      - "--providers.file.watch=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`monitor-nxtsvc-pre.mydomain.org`)"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/tls/:/etc/traefik/tls/"
      - "/etc/localtime:/etc/localtime:ro"
    mem_reservation: 512 mb
    mem_limit: 1000000000
    networks:
      - proxy

  nextcloud:
    image: nextcloud
    environment:
      - MYSQL_DATABASE=nextcloudpre
      - MYSQL_USER=root
    links:
      - mysql
    restart: always
    volumes:
      - ./nextcloud/nextcloud:/var/www/html
      - ./nextcloud/apps:/var/www/html/custom_apps
      - ./nextcloud/data:/var/www/html/data
      - ./nextcloud/config:/var/www/html/config
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      - "traefik.http.routers.nextcloudpre-http.rule=Host(`nextcloud-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.nextcloudpre-http.entrypoints=web"
      - "traefik.http.routers.nextcloudpre-http.service=pool-nextcloudpre"
      - "traefik.http.routers.nextcloudpre-http.middlewares=redirect2https-nextcloudpre"

      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.tls=true"
      - "traefik.http.routers.nextcloud-https.service=pool-nextcloudpre"

      - "traefik.http.services.pool-nextcloudpre.loadbalancer.server.port=80"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.server.scheme=http"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.pool-nextcloudpre.loadbalancer.sticky.cookie.name=nxtc-pre-cookie"
      #- "traefik.http.services.nextcloud.loadbalancer.sticky.cookie.secure=true"
      #- "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"

      - "traefik.http.middlewares.redirect2https-nextcloudpre.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect2https-nextcloudpre.redirectscheme.permanent=true"

    mem_reservation: 2 gb
    mem_limit: 4000000000
    scale: 2
    networks:
      - internal
      - proxy
    depends_on:
      - mysql

  onlyoffice-ds:
    #container_name: onlyoffice
    image: onlyoffice/documentserver:latest
    stdin_open: true
    tty: true
    restart: always
    expose:
      - '80'
    volumes:
      - ./onlyoffice/Data:/var/www/onlyoffice/data
      - ./onlyoffice/log:/var/www/onlyoffice/log
      - ./onlyoffice/config/default.json:/etc/onlyoffice/documentserver/default.json
      - ./onlyoffice/config/local.json:/etc/onlyoffice/documentserver/local.json
      - ./onlyoffice/config/http-common.conf:/etc/onlyoffice/documentserver/nginx/includes/http-common.conf
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      - "traefik.http.routers.onlyofficepre-http.rule=Host(`onlyoffice-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.onlyofficepre-http.entrypoints=web"
      - "traefik.http.routers.onlyofficepre-http.service=pool-onlyofficepre"

      - "traefik.http.routers.onlyofficepre-https.rule=Host(`onlyoffice-nxtsvc-pre.mydomain.org`)"
      - "traefik.http.routers.onlyofficepre-https.entrypoints=websecure"
      - "traefik.http.routers.onlyofficepre-https.tls=true"
      - "traefik.http.routers.onlyofficepre-https.service=pool-onlyofficepre"

      - "traefik.http.services.pool-onlyofficepre.loadbalancer.server.port=80"
      - "traefik.http.services.pool-onlyofficepre.loadbalancer.server.scheme=http"
      - "traefik.http.services.pool-onlyofficepre.loadbalancer.sticky.cookie=true"
      - "traefik.http.services.pool-onlyofficepre.loadbalancer.sticky.cookie.name=ooffice-pre-cookie"
    mem_reservation: 2 gb
    mem_limit: 4000000000
    networks:
      - proxy
    depends_on:
      - nextcloud

  mysql:
    image: mariadb:latest
    environment:
      - MYSQL_ROOT_PASSWORD=XXXXXXXX
    restart: always
    volumes:
      - ./mysql/mysqldir:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    mem_reservation: 512 mb
    mem_limit: 756000000
    networks:
      - internal
    labels:
      - traefik.enable=false

/etc/traefik/tls/nextcloud-nxtsvc-pre.toml

# Dynamic configuration

[[tls.certificates]] #first certificate
   certFile = "/etc/traefik/tls/nextcloud-nxtsvc-pre_tls.crt"
   keyFile = "/etc/traefik/tls/nextcloud-nxtsvc-pre_tls.key"

[[tls.certificates]] #second certificate
   certFile = "/etc/traefik/tls/onlyoffice-nxtsvc-pre_tls.crt"
   keyFile = "/etc/traefik/tls/onlyoffice-nxtsvc-pre_tls.key"

# and so on

system · October 9, 2020, 1:13pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docker: Nextcloud yes \|\| onlyoffice yes, but both together doesn't work Traefik v2 docker	4	685	May 29, 2023
Traefik >=2.0 and onlyoffice not work, work correctly in V<2 Traefik v2 docker	7	13864	January 10, 2021
Docker SSL Certificates Traefik v2 docker	6	5387	September 24, 2019
[HTTPS] How to force Traefik to use local certificates (and not self-generated one instead) Traefik v2 docker , file	3	2381	August 17, 2021
Different certificate for a non proxied subdomain (cloudflare with full strict SSL option) Traefik v3 (latest) docker	2	19	June 15, 2025

Manage several user-defined certificates

Related topics