Non-existent resolver, step-ca+traefik

Hi,

I'm having some trouble getting Traefik and Step-CA to work. The routing works correctly, but it falls back to using the default self-signed Traefik certificate. The goal is to set up: Build a Tiny Certificate Authority For Your Homelab.

At this point I don't really know what else to try. Anyway, in my Traefik logs I see:

the router whoami@docker uses a non-existent resolver: stepca

I made sure to export the root CA and import it on my Docker host:

step ca root ca.crt
sudo trust anchor --store root.crt

I checked a few other posts on here and don't seem to be making the same mistakes. I'm wondering if it's because I don't have the correct data in acme.json; I actually don't even know what really goes in there, because nowhere I've seen says what to put in it. Even this blog post Traefik+Nextcloud+Step-ca+Docker doesn't say what goes in acme.json. I looked at these documents:

I don't think the problem is with how I am specifying the certresolver. Anyway this is what I have:

whoami:

services:
  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    hostname: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=stepca"

networks:
  default:
    external: true
    name: ${DEFAULT_NETWORK} ## Note this is traefik-proxy, set in the .env var

traefik:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.yml:/traefik.yml:ro"
      - "./traefik_stepca.yml:/etc/traefik/traefik_stepca.yml:ro"
      - "./acme.json:/etc/acme/acme.json" # This is an empty file
      - "/mnt/container_data/traefik/certs:/etc/traefik/certs:ro"

networks:
  traefik-proxy:
    external: true

traefik.yml:

log:
  level: INFO

api:
  insecure: true
  dashboard: true

entryPoints:
  web:
    address: ":80"
# Temporarily disabled redirections
#   http:
#     redirections:
#       entrypoint:
#         to: "websecure"
#         scheme: "https"
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /etc/traefik/traefik_stepca.yml

traefik_stepca.yml:

certificatesResolvers:
  stepca:
    acme:
      caServer: "https://tinyca.rpi1.home.arpa/acme/acme/directory"
      email: "admin@home.arpa"
      storage: "/etc/acme/acme.json"
      httpChallenge:
        entryPoint: web

I checked that the directory URL can be accessed, and it can.
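Added example, not from the thread or from the Traefik project: a small shell check for the "uses a non-existent resolver" error. Traefik reads certificatesResolvers only from its static configuration (traefik.yml, CLI flags or environment), so a certificatesResolvers block placed in a file-provider dynamic file such as traefik_stepca.yml is ignored and every router label that references it fails. The script cross-references the resolver names used by router labels in a compose file against the keys declared under certificatesResolvers in the static file. The file contents it writes are constructed copies of the snippets posted above, and the function names (resolvers_referenced, resolvers_declared, check_resolvers) are my own.

```shell
#!/bin/sh
# Constructed check (not Traefik's own tooling): do the certresolver names
# referenced by router labels exist under certificatesResolvers in the
# STATIC configuration?  Traefik ignores certificatesResolvers in dynamic
# (file-provider) configuration, which yields
# "the router X uses a non-existent resolver: Y".
set -u

# resolvers_referenced <compose-file>: resolver names used by router labels
resolvers_referenced() {
  sed -n 's/.*tls\.certresolver=\([A-Za-z0-9_-]*\).*/\1/p' "$1" | sort -u
}

# resolvers_declared <static-config>: keys directly under certificatesResolvers:
resolvers_declared() {
  awk '
    /^certificatesResolvers:/       { inblock = 1; next }
    inblock && /^[^ #]/             { inblock = 0 }      # next top-level key ends the block
    inblock && /^  [A-Za-z0-9_-]+:/ { sub(/^ +/, ""); sub(/:.*/, ""); print }
  ' "$1"
}

# check_resolvers <compose-file> <static-config>: exit 0 if every referenced
# resolver is declared in the static config, 1 otherwise (one line per resolver)
check_resolvers() {
  rc=0
  for r in $(resolvers_referenced "$1"); do
    if resolvers_declared "$2" | grep -qx "$r"; then
      echo "ok: resolver '$r' is declared in $2"
    else
      echo "MISSING: '$r' is referenced by $1 but not declared under certificatesResolvers in $2"
      rc=1
    fi
  done
  return $rc
}

# --- demonstration on constructed copies of the files posted in the thread ---
WORK=$(mktemp -d)

cat > "$WORK/whoami.yml" <<'EOF'
services:
  whoami:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.$MY_DOMAIN`)"
      - "traefik.http.routers.whoami.tls.certresolver=stepca"
EOF

# As posted: the resolver lives only in the dynamic file; the static file has none.
cat > "$WORK/traefik.yml" <<'EOF'
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/traefik_stepca.yml
EOF
check_resolvers "$WORK/whoami.yml" "$WORK/traefik.yml" \
  || echo "-> move the certificatesResolvers block into traefik.yml (static config)"

# Fixed: the same block appended to the static configuration.
cat >> "$WORK/traefik.yml" <<'EOF'
certificatesResolvers:
  stepca:
    acme:
      caServer: "https://tinyca.rpi1.home.arpa/acme/acme/directory"
      email: "admin@home.arpa"
      storage: "/etc/acme/acme.json"
      httpChallenge:
        entryPoint: web
EOF
check_resolvers "$WORK/whoami.yml" "$WORK/traefik.yml"
rm -rf "$WORK"
```

The first check_resolvers call reports stepca as MISSING and the second reports it as ok; the only difference between the two runs is where the certificatesResolvers block lives.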

are static configuration and go directly into traefik.yml.


That does seem to be the case. I guess I had it like that because it's kind of how I did it previously when I had a static configuration, i.e. with traefik_tls.yml under providers:

# Configuration used with static keys generated with openssl
tls:
  certificates:
    - certFile: "/etc/traefik/certs/srv1.home.arpa.crt"
      keyFile: "/etc/traefik/certs/srv1.home.arpa.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/srv1.home.arpa.crt"
        keyFile: "/etc/traefik/certs/srv1.home.arpa.key"

In any case that does seem to be working better though now I am getting:

level=info msg="Testing certificate renew..." ACME CA="https://tinyca.rpi1.home.arpa/acme/acme/directory" providerName=stepca.acme

level=error msg="Unable to obtain ACME certificate for domains "whoami.srv1.home.arpa": cannot get ACME client get directory at 'https://tinyca.rpi1.home.arpa/acme/acme/directory': Get "https://tinyca.rpi1.home.arpa/acme/acme/directory\": x509: certificate signed by unknown authority" rule="Host(whoami.srv1.home.arpa)" ACME CA="https://tinyca.rpi1.home.arpa/acme/acme/directory" providerName=stepca.acme routerName=whoami@docker

Do I have to do anything with my root CA other than add it to the trust store? This particular page says:

Most importantly, Traefik will need to trust your root CA certificate. Either use the LEGO_CA_CERTIFICATES environment variable to provide the full path to your root_ca.crt when running traefik, or install your root certificate in your system's trust store by running step certificate install root_ca.crt.

I know the certificate works (it shows up when I type trust list on the host). It also seems to work with curl with no errors. That should mean I don't need to specify LEGO_CA_CERTIFICATES or the path.

So it seems I did need to add:

    environment:
      LEGO_CA_CERTIFICATES: "/etc/traefik/certs/root.crt"

To my docker compose file, because otherwise the Traefik container doesn't know the root cert is there. I wonder if this is possible to do with traefik.yml.

At some point I'd planned to move from Docker over to Podman, so I've been trying to keep my configuration in the compose file to an absolute minimum.
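Added example, not from the thread: a constructed private root CA and a server certificate it signs, verified with openssl once without and once with the root supplied. This is the same situation as the "x509: certificate signed by unknown authority" error above. trust anchor --store and a successful curl only prove that the host's trust store knows the root; the Traefik container has its own filesystem and its own (empty of your root) trust store, so the ACME client inside it must be handed the root explicitly, which is what LEGO_CA_CERTIFICATES pointing at the mounted /etc/traefik/certs/root.crt does. The CA name, hostname and function names below are my own.

```shell
#!/bin/sh
# Constructed demonstration (not step-ca or Traefik code): why a root that the
# host trusts is still "unknown" to a process that is not told where it is.
set -u

# make_ca <dir>: self-signed root key + certificate (constructed subject name)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Homelab Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# make_leaf <dir> <hostname>: server key + CSR, signed by the root above
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 90 -out "$1/leaf.crt" 2>/dev/null
}

# verify_without_root <dir>: verifier has no trust anchors at all, which is
# the container's view of a root that was only installed on the host.
# Returns non-zero ("unable to get local issuer certificate").
verify_without_root() {
  openssl verify -no-CApath -no-CAfile "$1/leaf.crt" >/dev/null 2>&1
}

# verify_with_root <dir>: the root is provided explicitly, the equivalent of
# LEGO_CA_CERTIFICATES=/etc/traefik/certs/root.crt for Traefik's ACME client.
verify_with_root() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# --- run it ---
WORK=$(mktemp -d)
make_ca "$WORK"
make_leaf "$WORK" "whoami.example.test"

if verify_without_root "$WORK"; then
  echo "unexpected: leaf verified with no trust anchors"
else
  echo "without the root: verification fails (issuer unknown), as Traefik reported"
fi

if verify_with_root "$WORK"; then
  echo "with the root supplied: verification OK"
else
  echo "unexpected: leaf did not verify against its own root"
fi
rm -rf "$WORK"
```

The practical check for the container is the same idea: run `openssl verify -CAfile /etc/traefik/certs/root.crt` (or curl with `--cacert`) inside the container rather than on the host, because only the container's view of the root matters to the ACME client.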
