OK. I Give Up... Converting V1.7 to V2.1

I have been trying to convert my Docker swarm Traefik yml file to version 2.1 from version 1.7 for several hours now.

I can get it running just fine with the exception that it just WILL NOT generate my Let's Encrypt wildcard certs for me.

I can access the dashboard but it has insecure TRAEFIK DEFAULT CERT.
What am I doing wrong ????

This can't possibly be this difficult...........

Here is my traefik.yml file:
Obviously, *.my-domain.com and my-domain.com are not what I have in my real yml file, and the AWS_ values are not XXXX..... etc.

version: '3.7'
services:
  proxy:
    image: traefik:v2.1
    command:
      - --log.level=DEBUG
      - --api
      - --providers.docker
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.dnschallenge=true
      - --certificatesresolvers.letsencryptresolver.acme.dnschallenge.provider=route53
      - --certificatesresolvers.letsencryptresolver.acme.email=admin@my-domain.com
      - --certificatesresolvers.letsencryptresolver.acme.storage=/etc/traefik/acme.json

      # Use staging server until we get this working
      - --certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - 80:80
      - 443:443
    environment:
      AWS_ACCESS_KEY_ID: "XXXXXXXXXXXX"
      AWS_SECRET_ACCESS_KEY: "XXXXXXXXXXXXX"
      AWS_REGION: "XXXXXXXXXX"
      AWS_HOSTED_ZONE_ID: "XXXXXXXXXXXXXX"
    volumes:
      - data-traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - public
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"

        # Redirect HTTP to HTTPS
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect"

        # Dashboard
        - "traefik.http.routers.dashboard.rule=host(`dashboard.my-domain.com`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.tls.domains[0].main=my-domain.com"
        - "traefik.http.routers.dashboard.tls.domains[0].sans=*.my-domain.com"

        # Services
        # This is a dummy as we need a port in swarm mode for a service
        - "traefik.http.services.dashboard.loadbalancer.server.port=888"

        # Middlewares
        - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"

volumes:
  data-traefik:
    driver: local
    driver_opts:
      type: nfs
      o: addr=172.31.2.29,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2
      device: 172.31.2.29:/traefik

networks:
  public:
    driver: overlay
    external: true

Resolved:

Revisiting this issue after scanning the community board, I finally managed to get this resolved, and I now have my wildcard certs generated just fine....

I don't like the fact that almost EVERY SINGLE example shows the wildcard cert being created on a service like "whoami".
As EVERY service I deploy has the same domain.tls with various sub-domains, I wanted the definition of the traefik proxy service to generate the certs and not one of my services; I did not want to treat one as "special".

Here is my final traefik.yml:

version: '3.7'

services:
  proxy:
    image: traefik:v2.1
    command:
      - --log.level=DEBUG
      - --api
      - --providers.docker
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=public
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencryptresolver.acme.dnschallenge=true
      - --certificatesresolvers.letsencryptresolver.acme.dnschallenge.provider=route53
      - --certificatesresolvers.letsencryptresolver.acme.email=user@my-domain.tld
      - --certificatesresolvers.letsencryptresolver.acme.storage=/etc/traefik/acme.json

      # Use staging server until we get this working
      # - --certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    ports:
      - 80:80
      - 443:443
    environment:
      AWS_ACCESS_KEY_ID: "XXXXXXXXX"
      AWS_SECRET_ACCESS_KEY: "XXXXXXXXXX"
      AWS_REGION: "XXXXXXXXXX"
      AWS_HOSTED_ZONE_ID: "XXXXXXXXXXX"
    volumes:
      - data-traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - public
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"

        # Redirect HTTP to HTTPS
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect"

        # Dashboard
        - "traefik.http.routers.dashboard.rule=host(`dashboard.my-domain.tld`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.dashboard.tls.domains[0].main=my-domain.tld"
        - "traefik.http.routers.dashboard.tls.domains[0].sans=*.my-domain.tld"

        # Services
        # This is a dummy as we need a port in swarm mode for a service
        - "traefik.http.services.dashboard.loadbalancer.server.port=8080"

        # Middlewares
        - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.auth.basicauth.users=user:password"

volumes:
  data-traefik:
    driver: local
    driver_opts:
      type: nfs
      o: addr=172.31.2.29,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2
      device: 172.31.2.29:/traefik

networks:
  public:
    driver: overlay
    external: true
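To make the difference between the two compose files checkable rather than eyeballed, here is an added example (my own code, not from this thread or from Traefik) that lints the Docker labels for the exact problem above: a router with `tls=true` but no `tls.certresolver`, which is why Traefik fell back to its default self-signed certificate. It also checks what a wildcard SAN actually covers, since the whole point of the resolved config is that `*.my-domain.tld` should serve every sub-domain. The two label lists are constructed from the compose files in the thread (domain names kept from the first file), the `dns_challenge` flag stands in for the `--certificatesresolvers.<name>.acme.dnschallenge=true` command-line switch, and the accepted password-hash prefixes are the htpasswd formats Traefik's basicauth middleware documents (MD5, SHA1, bcrypt); everything else is assumption on my part.

```python
import re

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")

# Constructed from the first (non-working) compose file in the thread.
BEFORE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)",
    "traefik.http.routers.http-catchall.entrypoints=web",
    "traefik.http.routers.http-catchall.middlewares=redirect",
    "traefik.http.routers.dashboard.rule=host(`dashboard.my-domain.com`)",
    "traefik.http.routers.dashboard.entrypoints=websecure",
    "traefik.http.routers.dashboard.tls=true",
    "traefik.http.routers.dashboard.service=api@internal",
    "traefik.http.routers.dashboard.tls.domains[0].main=my-domain.com",
    "traefik.http.routers.dashboard.tls.domains[0].sans=*.my-domain.com",
    "traefik.http.services.dashboard.loadbalancer.server.port=888",
    "traefik.http.middlewares.redirect.redirectscheme.scheme=https",
]

# Constructed from the resolved compose file: the certresolver label is the fix.
AFTER_LABELS = BEFORE_LABELS + [
    "traefik.http.routers.dashboard.tls.certresolver=letsencryptresolver",
    "traefik.http.middlewares.auth.basicauth.users=user:password",
]

# htpasswd hash prefixes accepted by Traefik's basicauth (MD5, bcrypt, SHA1).
HTPASSWD_PREFIXES = ("$apr1$", "$2a$", "$2b$", "$2y$", "{SHA}")


def parse_labels(labels):
    """Split 'key=value' label strings into a dict (first '=' separates key and value)."""
    parsed = {}
    for label in labels:
        key, _, value = label.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def routers(labels):
    """Group router options by router name: {'dashboard': {'tls': 'true', ...}}."""
    grouped = {}
    for key, value in parse_labels(labels).items():
        match = ROUTER_RE.match(key)
        if match:
            grouped.setdefault(match.group(1), {})[match.group(2)] = value
    return grouped


def lint(labels, dns_challenge):
    """Return a list of findings; an empty list means the labels look sane."""
    findings = []
    for name, opts in routers(labels).items():
        if opts.get("tls") == "true" and "tls.certresolver" not in opts:
            findings.append(
                f"router {name}: tls=true without tls.certresolver, so Traefik "
                "serves its default self-signed certificate (TRAEFIK DEFAULT CERT)"
            )
        sans = [v for k, v in opts.items() if k.startswith("tls.domains") and k.endswith(".sans")]
        if any("*" in s for s in sans) and not dns_challenge:
            findings.append(f"router {name}: wildcard SAN needs the DNS-01 challenge")
        if opts.get("service") == "api@internal" and "middlewares" not in opts:
            findings.append(f"router {name}: api@internal exposed with no middleware (no auth)")
    for key, value in parse_labels(labels).items():
        if key.endswith(".basicauth.users"):
            for entry in value.split(","):
                user, _, secret = entry.partition(":")
                if not secret.startswith(HTPASSWD_PREFIXES):
                    findings.append(f"basicauth user {user!r}: value is not an htpasswd hash")
    return findings


def covered_by(hostname, names):
    """True if hostname matches one of the certificate names; '*.x' matches one label only."""
    hostname = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '*.example.com' -> '.example.com'
            prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


if __name__ == "__main__":
    for title, labels in (("before", BEFORE_LABELS), ("after", AFTER_LABELS)):
        print(f"== {title} ==")
        for finding in lint(labels, dns_challenge=True):
            print(" -", finding)
    for host in ("sub-domain-a.example.com", "deep.sub.example.com", "example.com"):
        print(host, "covered:", covered_by(host, ["example.com", "*.example.com"]))
```

Run as-is, the "before" set reports the missing certresolver and the "after" set does not, which is the one-line change that made the thread's config work. Two findings survive in the resolved file and are worth knowing about: the `auth` basicauth middleware is defined but never attached to the dashboard router, so `api@internal` is reachable without credentials, and `user:password` is a plaintext pair where Traefik expects an htpasswd-style hash. The `covered_by` check shows that `*.example.com` covers `sub-domain-a.example.com` but neither the apex nor a deeper label, which is why the config lists both `main=my-domain.tld` and `sans=*.my-domain.tld`.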

Thank you so much for posting this. Hugely, hugely helpful. Like you, I don't want wildcard certs for subdomains; I want a different cert for each one.

Thank you, thank you, thank you.

Traefik is a great product, but the documentation for simple use cases like this is way, way too obtuse. I've learned more from two blog posts, Traefik 2.0 and Docker 101, and Traefik 2.0 and TLS 101, than I have from all the official documentation. The startling thing is that those are official blog posts, so clearly, Containous is capable of writing better learner docs.

The official docs may work well as reference material, but they assume FAR too much prior knowledge to be useful to me.

@chuckmckinnon
Reading your reply it seems to me that you want the complete OPPOSITE of what I configured.

I just want one wildcard cert for ALL sub-domains covering a single domain. i.e. one wildcard cert *.example.com that covers ALL of the following.

sub-domain-a.example.com
sub-domain-b.example.com
sub-domain-c.example.com
etc. etc.

The configuration here just ensures that the acme client generates the certificates on the "traefik" service and NOT on one of my other services, as is often shown in the examples.

Setting up the wildcard on any other service would make that service special in the eyes of ALL of my stack yml files, of which I have many...

Steve

I probably shouldn't be reading this as it's getting later at night, then. :wink: Thanks.