Need help with setting up traefik

Hello Team,

I am setting up traefik for the first time. I run traefik in an LXC. I have some services (immich, paperless) running in a container in a VM. I don't own a public domain as I need to use my services locally. Is there any way to do it?

my traefik.yaml

providers:
  file:
    directory: /etc/traefik/conf.d/

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls: {}
  traefik:
    address: ':8080'

tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/ssl/traefik.crt"
        keyFile: "/etc/traefik/ssl/traefik.key"

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: DEBUG

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

dynamic file

http:
  routers:
    immich:
      rule: "Host(`immich.homelab.local`)"
      service: immich
      entryPoints:
        - websecure

    bookstack:
      rule: "Host(`bookstack.homelab.local`)"
      service: bookstack
      entryPoints:
        - websecure

    paperless:
      rule: "Host(`paperless.homelab.local`)"
      service: paperless
      entryPoints:
        - websecure

  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://192.168.1.211:2283"

    bookstack:
      loadBalancer:
        servers:
          - url: "http://192.168.1.215:6875"

    paperless:
      loadBalancer:
        servers:
          - url: "http://192.168.1.215:8010"
tls:
  certificates:
    - certFile: /etc/traefik/ssl/traefik.crt
      keyFile: /etc/traefik/ssl/traefik.key
      stores:
        - default

The certificates are placed under /etc/traefik/ssl

I am lost and have spent almost one week searching for docs but in vain. Please let us know if anyone can assist.

The dns resolution looks good too

nslookup immich.homelab.local
Server:		192.168.1.217
Address:	192.168.1.217#53

Name:	immich.homelab.local
Address: 192.168.1.211

In the traefik.log I see the certificate that I generated is never used


{"level":"debug","time":"2025-01-20T22:05:11+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/certificate.go:132","message":"Adding certificate for domain(s) homelab.local"}
{"level":"debug","tlsStoreName":"default","time":"2025-01-20T22:05:11+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-01-20T22:05:11+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}

tls as a root element is Traefik dynamic config; it needs to be loaded by a provider, like providers.file in static config, from a separate dynamic config file (doc).

Hello @bluepuma77 ,
Thank you for your response.

As you can see in my static config, I've already passed the dynamic config file details

providers:
  file:
    directory: /etc/traefik/conf.d/

Also moved the tls into the dynamic config

http:
  routers:
    immich:
      rule: "Host(`immich.homelab.local`)"
      service: immich
      entryPoints:
        - websecure

    bookstack:
      rule: "Host(`bookstack.homelab.local`)"
      service: bookstack
      entryPoints:
        - websecure

    paperless:
      rule: "Host(`paperless.homelab.local`)"
      service: paperless
      entryPoints:
        - websecure

  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://192.168.1.213:2283"

    bookstack:
      loadBalancer:
        servers:
          - url: "http://192.168.1.215:6875"

    paperless:
      loadBalancer:
        servers:
          - url: "http://192.168.1.215:8010"

tls:
  certificates:
    - certFile: /etc/traefik/ssl/traefik.crt
      keyFile: /etc/traefik/ssl/traefik.key
      stores:
        - default

I get the same messages as above in traefik.log

And excuse me for the delay in response as I get to work on my side project only on weekends :)

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Debug log: Is the dynamic config file read, are the routers and services created? Do requests arrive at Traefik?

Access log: Do requests arrive at Traefik, are errors returned by Traefik (only DownstreamStatus) or by target service (OriginStatus)?

Enable and check Traefik /dashboard/, if the routers and services are registered.


Update: Checking your config again, you changed the TLS loading. Without default, the TLS cert needs to contain the domain(s) it should be used for.

Recommendation: Load your cert(s) the standard way, a single one as default (doc):

# Dynamic configuration

tls:
  certificates:
    - certFile: /path/to/cert.cert
      keyFile: /path/to/cert.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key
  stores:
    default:
      defaultCertificate:
        certFile: /path/to/cert.crt
        keyFile: /path/to/cert.key

Hello @bluepuma77 ,

Thank you again for your time.

I have tried the whole thing but I believe I am missing something.

I've destroyed the whole setup and reinstalled again. This time I generated a certificate for one service: Vaultwarden.

Here is the dynamic file

http:
  routers:
    vaultwarden:
      rule: "Host(`vaultwarden.homelab.local`)"
      service: vaultwarden
      entryPoints:
        - websecure

  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://192.168.1.212:8000"

tls:
  certificates:
    - certFile: /etc/traefik/ssl/vaultwarden.crt
      keyFile: /etc/traefik/ssl/vaultwarden.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/ssl/vaultwarden.crt
        keyFile: /etc/traefik/ssl/vaultwarden.key

traefik.yaml

providers:
  file:
    directory: /etc/traefik/conf.d/

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls: {}
  traefik:
    address: ':8080'

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: DEBUG

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

I get the following message in the traefik.log

ggregator *aggregator.ProviderAggregator"}
{"level":"debug","entryPointName":"traefik","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"web","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"debug","entryPointName":"websecure","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:231","message":"Starting TCP Server"}
{"level":"info","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *file.Provider"}
{"level":"debug","config":{"directory":"/etc/traefik/conf.d/","watch":true},"time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*file.Provider provider configuration"}
{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/"}
{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/file/file.go:122","message":"add watcher on: /etc/traefik/conf.d/dynamic_conf.yml"}
{"level":"info","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *traefik.Provider"}
{"level":"debug","config":{},"time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*traefik.Provider provider configuration"}
{"level":"debug","providerName":"internal","config":{"http":{"routers":{"api":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","ruleSyntax":"v3","priority":9223372036854775806},"dashboard":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","ruleSyntax":"v3","priority":9223372036854775805},"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"service":"noop@internal","rule":"HostRegexp(`^.+$`)","ruleSyntax":"v3","priority":9223372036854775806}},"services":{"api":{},"dashboard":{},"noop":{}},"middlewares":{"dashboard_redirect":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true}},"dashboard_stripprefix":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]}},"redirect-web-to-websecure":{"redirectScheme":{"scheme":"https","port":"443","permanent":true}}},"models":{"websecure":{"tls":{}}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"udp":{},"tls":{}},"time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"debug","providerName":"file","config":{"http":{"routers":{"vaultwarden":{"entryPoints":["websecure"],"service":"vaultwarden","rule":"Host(`vaultwarden.homelab.local`)"}},"services":{"vaultwarden":{"loadBalancer":{"servers":[{"url":"http://192.168.1.212:8000"}],"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}}}},"tcp":{},"udp":{},"tls":{"stores":{"default":{}}}},"time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227","message":"Configuration received"}
{"level":"info","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202","message":"Starting provider *acme.ChallengeTLSALPN"}
{"level":"debug","config":{},"time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203","message":"*acme.ChallengeTLSALPN provider configuration"}
{"level":"debug","tlsStoreName":"default","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:97","message":"No store is defined to add the certificate MIIDrzCCApegAwIBAgIUHVK0RuvBi4fouUirmOSCyYU8TlcwDQ, it will be added to the default store"}
{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/certificate.go:132","message":"Adding certificate for domain(s) vaultwarden.homelab.local"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29","message":"Creating middleware"}
{"level":"debug","entryPointName":"web","routerName":"web-to-websecure@internal","middlewareName":"redirect-web-to-websecure@internal","middlewareType":"RedirectScheme","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30","message":"Setting up redirection to https 443"}
{"level":"debug","entryPointName":"web","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","middlewareType":"StripPrefix","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/stripprefix/strip_prefix.go:32","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_stripprefix@internal","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:17","message":"Creating middleware"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","middlewareType":"RedirectRegex","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_regex.go:18","message":"Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/"}
{"level":"debug","entryPointName":"traefik","routerName":"dashboard@internal","middlewareName":"dashboard_redirect@internal","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33","message":"Adding tracing to middleware"}
{"level":"debug","entryPointName":"traefik","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","routerName":"vaultwarden@file","serviceName":"vaultwarden@file","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:318","message":"Creating load-balancer"}
{"level":"debug","entryPointName":"websecure","routerName":"vaultwarden@file","serviceName":"vaultwarden@file","serverName":"2af45ea5d86fb13e","target":"http://192.168.1.212:8000","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:355","message":"Creating server"}
{"level":"debug","entryPointName":"websecure","middlewareName":"traefik-internal-recovery","middlewareType":"Recovery","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25","message":"Creating middleware"}
{"level":"debug","entryPointName":"websecure","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237","message":"Adding route for vaultwarden.homelab.local with TLS options default"}

I get the same messages as above in traefik.log

As I said in my initial description, I don't own any domain. Is that a pre-requisite? Can't I generate a self-signed certificate to host the service internally as I am not going to expose it to internet?

LetsEncrypt can only create TLS certs for public TLDs.

If you use a private custom cert, you need to create it with your domain(s) or wildcard, and need to import it into your client (OS or browser) to trust it, otherwise you will see warnings.

I created a custom cert with my domain. But as I said, I don't think it is still using my certs

{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:97","message":"No store is defined to add the certificate MIIDrzCCApegAwIBAgIUHVK0RuvBi4fouUirmOSCyYU8TlcwDQ, it will be added to the default store"}
{"level":"debug","time":"2025-02-01T22:16:12+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/certificate.go:132","message":"Adding certificate for domain(s) vaultwarden.homelab.local"}

dynamic conf

http:
  routers:
    vaultwarden:
      rule: "Host(`vaultwarden.homelab.local`)"
      service: vaultwarden
      entryPoints:
        - websecure

  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://192.168.1.212:8000"

tls:
  certificates:
    - certFile: /etc/traefik/ssl/vaultwarden.crt
      keyFile: /etc/traefik/ssl/vaultwarden.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/ssl/vaultwarden.crt
        keyFile: /etc/traefik/ssl/vaultwarden.key

cert validity and domain

  Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = State, L = City, O = Organization, CN = vaultwarden.homelab.local
        Validity
            Not Before: Feb  1 15:57:50 2025 GMT
            Not After : Feb  1 15:57:50 2026 GMT
        Subject: C = US, ST = State, L = City, O = Organization, CN = vaultwarden.homelab.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

You need to enable TLS on entrypoint or router:

tls: {}

Then TLS certs from files will be used.

I tried adding the tls: {} in traefik.yaml

providers:
  file:
    directory: /etc/traefik/conf.d/

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls: {}
  traefik:
    address: ':8080'

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: DEBUG

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

and tried in dynamic file

http:
  routers:
    vaultwarden:
      rule: "Host(`vaultwarden.homelab.local`)"
      service: vaultwarden
      entryPoints:
        - websecure
      tls: {}
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://192.168.1.212:8000"

tls:
  certificates:
    - certFile: /etc/traefik/ssl/vaultwarden.crt
      keyFile: /etc/traefik/ssl/vaultwarden.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/ssl/vaultwarden.crt
        keyFile: /etc/traefik/ssl/vaultwarden.key

Tried specifying in one of the above files, and tried with both as well. But I get the same message in the traefik.logs


{"level":"debug","time":"2025-02-02T10:10:39+05:30","caller":"github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:97","message":"No store is defined to add the certificate MIIDpTCCAo2gAwIBAgIUYEmqBYgZyjZRrPUJe3B6dGNcITowDQ, it will be added to the default store"}

It’s a debug-level message; it can be ignored. Traefik only has one default store (doc).
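
Added example, not code from any poster in this thread or from the Traefik project: a small Python summary of a JSON-format traefik.log that relates the debug messages discussed above ("Adding certificate for domain(s) ...", "No default certificate, fallback ...", "Adding route for ... with TLS options ...") to the advice that a certificate must contain the domain it is used for. The sample lines are constructed, and splitting the certificate message's domain list on commas is an assumption.

```python
import json

# Message formats copied from the debug lines quoted in this thread.
CERT_PREFIX = "Adding certificate for domain(s) "
ROUTE_PREFIX = "Adding route for "
ROUTE_SUFFIX = " with TLS options "
FALLBACK = "No default certificate, fallback to the internal generated certificate"

# Constructed sample input modelled on the thread's log. The last line is cut
# off on purpose, like the hard-wrapped fragments that appear in pasted logs.
SAMPLE_LOG = """
{"level":"debug","message":"Adding certificate for domain(s) homelab.local"}
{"level":"debug","tlsStoreName":"default","message":"No default certificate, fallback to the internal generated certificate"}
{"level":"debug","entryPointName":"websecure","message":"Adding route for immich.homelab.local with TLS options default"}
{"level":"debug","entryPointName":"websecure","message":"Adding route for vaultwarden.homelab.local with TLS options default"}
{"level":"debug","message":"Adding certificate for domain(s) vaultwarden.homelab.local,*.lab.example"}
{"level":"debug","entryPointName":"traefik","mes
"""


def host_matches(pattern, host):
    """Certificate-style name match: '*.' covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def summarize(log_text):
    """Collect loaded certificate names, TLS route hosts and fallback events."""
    cert_domains, route_hosts = set(), []
    fallbacks = unparsed = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1          # wrapped or truncated line, not valid JSON
            continue
        msg = entry.get("message", "") if isinstance(entry, dict) else ""
        if msg.startswith(CERT_PREFIX):
            # Assumption: several names are joined with commas.
            names = msg[len(CERT_PREFIX):].split(",")
            cert_domains.update(n.strip() for n in names if n.strip())
        elif msg.startswith(ROUTE_PREFIX) and ROUTE_SUFFIX in msg:
            host = msg[len(ROUTE_PREFIX):].split(ROUTE_SUFFIX)[0]
            if host not in route_hosts:
                route_hosts.append(host)
        elif msg == FALLBACK:
            fallbacks += 1
    # Hosts that no loaded certificate names: clients asking for these get the
    # store's default certificate instead of a matching one.
    uncovered = [h for h in route_hosts
                 if not any(host_matches(d, h) for d in cert_domains)]
    return {
        "cert_domains": sorted(cert_domains),
        "route_hosts": route_hosts,
        "uncovered_hosts": uncovered,
        "default_cert_fallbacks": fallbacks,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed sample, the certificate for homelab.local does not cover immich.homelab.local, which is the situation in the first log excerpt of this thread.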
