Only one of the docker containers is getting an HTTPS certification

Hello, I'm getting an issue where only one of the containers is getting a certificate for HTTPS. Do you know what I can do to solve it? I'm probably trying to use the same certificate for both containers, I'm not sure. How can I generate 2 different certificates for the 2 containers?

```yaml
services:
  api:
    image: api:latest
    container_name: api
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: http://*:5000
      #ASPNETCORE_Kestrel__Certificates__Default__Password: "longPassword1234"
      #ASPNETCORE_Kestrel__Certificates__Default__Path: "/App/https/aspnetapp.pfx"
      ASPNETCORE_ENVIRONMENT: DebianLocal
      DB_HOST: db
      DB_PORT: 5432
      DB_NAME: db
      DB_USER: admin
      DB_PASSWORD: admin
    ports:
      - 127.0.0.1:5000:5000
      #- 127.0.0.1:5001:5001
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host(`example-api.xyz`)
      #traefik.http.services.api.loadbalancer.server.port: 5001
      traefik.http.routers.api.tls: true
      traefik.http.routers.api.tls.certresolver: production
      traefik.docker.network: traefik-network
    volumes:
      - ./config/api/ssl-certs:/https_certificate
    networks:
      keycloak_network:
      db_network:
      traefik-network:

  angular:
    image: angular:latest
    container_name: angular
    restart: unless-stopped
    #ports:
      #- 8080:80
    volumes:
      - ./config/angular/nginx/nginx.conf:/etc/nginx/nginx.conf
    labels:
      traefik.enable: true
      traefik.http.routers.angular.entrypoints: websecure
      traefik.http.routers.angular.rule: Host(`example.xyz`)
      traefik.http.routers.angular.tls: true
      #traefik.http.routers.angular.tls.certresolver: production
    networks:
      traefik-network:

  traefik:
    image: traefik:v2.11.0
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      # -- (Optional) Enable Dashboard, don't do in production
      #- 8081:8080
    volumes:
      - ./config/traefik:/etc/traefik
      - ./config/traefik/ssl-certs:/ssl-certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      traefik-network:
      vpn_network:
        ipv4_address: 192.168.123.4
    restart: unless-stopped
```
```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

# -- (Optional) Change Log Level and Format here...
#     - loglevels [DEBUG, INFO, WARNING, ERROR, CRITICAL]
#     - format [common, json, logfmt]
log:
  level: DEBUG
  format: common
  filePath: /var/log/traefik/traefik.log

# -- (Optional) Enable Accesslog and change Format here...
#     - format [common, json, logfmt]
accesslog:
  format: common
  filePath: /var/log/traefik/access.log

# -- (Optional) Enable API and Dashboard here, don't do in production
api:
  dashboard: true
  insecure: true

# -- Change EntryPoints here...
entryPoints:
  web:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
  # -- (Optional) Add custom Entrypoint
  # custom:
  #   address: :8080

# -- Configure your CertificateResolver here...
certificatesResolvers:
  staging:
    acme:
      email: miguel12071999@hotmail.com
      storage: /ssl-certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
      #-- (Optional) Configure DNS Challenge
      # dnsChallenge:
      #   provider: your-resolver (e.g. cloudflare)
      #   resolvers:
      #     - "1.1.1.1:53"
      #     - "8.8.8.8:53"
  production:
    acme:
      email: miguel12071999@hotmail.com
      storage: /ssl-certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
      #-- (Optional) Configure DNS Challenge
      # dnsChallenge:
      #   provider: your-resolver (e.g. cloudflare)
      #   resolvers:
      #     - "1.1.1.1:53"
      #     - "8.8.8.8:53"

# -- (Optional) Disable TLS Cert verification check
# serversTransport:
#   insecureSkipVerify: true

# -- (Optional) Overwrite Default Certificates
# tls:
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /etc/traefik/certs/cert.pem
#         keyFile: /etc/traefik/certs/cert-key.pem
# -- (Optional) Disable TLS version 1.0 and 1.1
#   options:
#     default:
#       minVersion: VersionTLS12

providers:
  docker:
    # -- (Optional) Enable this, if you want to expose all containers automatically
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true
```

You need to assign the certresolver to all routers; tls=true is not enough.

You can also assign the certresolver globally to entrypoint, see simple Traefik example.


Yeah, I tried with both as certresolver: Production and it did not work. I set them both in a docker compose label to Production.

> You can also assign the certresolver globally to entrypoint, see simple Traefik example.

Traefik LetsEncrypt will automatically create a cert for each Host().


I created multiple certificate entries in the traefik.yaml and it worked. In the docker compose I added one of the certificates to each of the containers.

```yaml
certificatesResolvers:
  api:
    acme:
      email: example@example.com
      storage: /ssl-certs/acme2.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web

  angular:
    acme:
      email: example@example.com
      storage: /ssl-certs/angular.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      #-- (Optional) Remove this section, when using DNS Challenge
      httpChallenge:
        entryPoint: web
```
```yaml
services:
  api:
    image: api:latest
    container_name: api
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: http://*:5000
      #ASPNETCORE_Kestrel__Certificates__Default__Password: "longPassword1234"
      #ASPNETCORE_Kestrel__Certificates__Default__Path: "/App/https/aspnetapp.pfx"
      ASPNETCORE_ENVIRONMENT: DebianLocal
      DB_HOST: db
      DB_PORT: 5432
      DB_NAME: db
      DB_USER: admin
      DB_PASSWORD: admin
    ports:
      - 127.0.0.1:5000:5000
      #- 127.0.0.1:5001:5001
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host(`example-api.xyz`)
      traefik.docker.network: traefik-network
      traefik.http.routers.api.tls: true
      traefik.http.routers.api.tls.certresolver: api
    volumes:
      - ./config/api/ssl-certs:/https_certificate
    networks:
      keycloak_network:
      db_network:
      traefik-network:

  angular:
    image: angular:latest
    container_name: angular
    restart: unless-stopped
    #ports:
      #- 8080:80
    volumes:
      - ./config/angular/nginx/nginx.conf:/etc/nginx/nginx.conf
    labels:
      traefik.enable: true
      traefik.http.routers.angular.entrypoints: websecure
      traefik.http.routers.angular.rule: Host(`example.xyz`)
      traefik.http.routers.angular.tls: true
      traefik.http.routers.angular.tls.certresolver: angular
    networks:
      traefik-network:
```

Thanks a lot for your help.
Is what I did right, or should I do it some other way?

You usually need to define a single certresolver and assign it to the global entrypoint or to every router.

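As an added example (not a file from any poster in this thread): the single-resolver layout the replies describe, with the resolver attached to the `websecure` entrypoint so that every router listening there gets TLS and its own Let's Encrypt certificate for the Host() in its rule, without `tls`/`certresolver` labels on each router. The resolver name `production`, the hostnames `example.xyz` and `example-api.xyz`, and the `traefik-network` name are taken from the thread; the contact e-mail is a placeholder and the compose file is abbreviated to the Traefik-relevant parts.

```yaml
# traefik.yml (static configuration) -- added example, not the poster's file
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        # One resolver for the whole entrypoint: every router that listens
        # here is served over TLS with a certificate for its Host() rule.
        certResolver: production

certificatesResolvers:
  production:
    acme:
      email: admin@example.xyz          # placeholder contact address
      # One storage file for this resolver. Traefik refuses to use it unless
      # its mode is 0600, and a stale file left in an old volume keeps the
      # old certificates (the problem the original poster ran into).
      storage: /ssl-certs/acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    exposedByDefault: false

---
# docker-compose.yml (abbreviated) -- routers now only need a rule and
# an entrypoint; TLS and the resolver come from the entrypoint above.
services:
  api:
    image: api:latest
    labels:
      traefik.enable: "true"
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host(`example-api.xyz`)
      # Explicit backend port, since the api container listens on 5000
      traefik.http.services.api.loadbalancer.server.port: "5000"
      traefik.docker.network: traefik-network
    networks:
      - traefik-network

  angular:
    image: angular:latest
    labels:
      traefik.enable: "true"
      traefik.http.routers.angular.entrypoints: websecure
      traefik.http.routers.angular.rule: Host(`example.xyz`)
    networks:
      - traefik-network

networks:
  traefik-network:
```

With this layout Traefik requests one certificate per distinct Host() it sees (one for `example.xyz`, one for `example-api.xyz`) and stores both in the same `acme.json`, so there is no need for a second resolver per container. Keep the `web` entrypoint reachable on port 80 from the internet, because the HTTP-01 challenge is answered there.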

Yeah, I ended up figuring that out. My issue was that I had a docker volume with just the old certificate, and when I deployed the new container with the label to get the certification, the old docker volume was still being used and it did not generate the new certificate.

Do you know if it's possible to define a rule with an IP instead of a domain, and even add the port?
Something like:
traefik.http.routers.api.rule: Host(123.132.123.11, 123.132.123.11:3211)

I would like to do this so I could have a Traefik HTTPS certificate but not have to buy a domain. Thanks for all your help btw!

The port is defined by the entrypoint; you can tell a router to only listen to a single entrypoint (default: all).

You can only create TLS certs for domain names, not for IPs. But you can buy a single domain at a DNS provider; usually sub-domains are free.

The only alternative is to create your own custom TLS certs; those need to be imported in the client to be trusted, otherwise your browser shows an error.

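As an added example (not configuration from anyone in this thread) of the two points in the reply: the port belongs to an entrypoint, so a router is tied to port 3211 by listening only on a `custom` entrypoint bound to that port; and without a domain the only option is a self-made certificate served from Traefik's default TLS store, which clients must trust explicitly. The entrypoint name `custom`, the dynamic-config path `/etc/traefik/dynamic/tls.yml`, the certificate file paths and the `PathPrefix` rule are assumptions; the cert/key pair is assumed to be generated out of band and mounted into the container.

```yaml
# traefik.yml (static configuration) -- added example
entryPoints:
  websecure:
    address: ":443"
  # The listening port is a property of the entrypoint, never of Host().
  custom:
    address: ":3211"

providers:
  docker:
    exposedByDefault: false
  file:
    # Dynamic configuration lives in its own directory, kept apart from
    # the static file so the file provider does not try to parse traefik.yml.
    directory: /etc/traefik/dynamic
    watch: true

---
# /etc/traefik/dynamic/tls.yml (dynamic configuration) -- added example
# Self-signed cert/key generated out of band and mounted at these paths.
# Browsers show a warning until the certificate is imported as trusted,
# exactly as the reply says; nothing here makes it publicly trusted.
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/selfsigned.pem
        keyFile: /etc/traefik/certs/selfsigned-key.pem
  options:
    default:
      minVersion: VersionTLS12

---
# docker-compose.yml (abbreviated) -- added example
services:
  traefik:
    image: traefik:v2.11.0
    ports:
      - 443:443
      - 3211:3211          # publish the custom entrypoint's port as well
    volumes:
      - ./config/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro

  api:
    image: api:latest
    labels:
      traefik.enable: "true"
      # Listen on the custom entrypoint only: reachable on 3211, nowhere else.
      traefik.http.routers.api.entrypoints: custom
      # A client that connects by IP address sends no SNI, so Traefik serves
      # the default certificate from the store above. No certresolver is set,
      # because ACME cannot issue a certificate for a bare IP.
      traefik.http.routers.api.rule: PathPrefix(`/`)
      traefik.http.routers.api.tls: "true"
      traefik.http.services.api.loadbalancer.server.port: "5000"
```

The trade-off is the one the reply names: this gives encryption on `https://<ip>:3211/` but no third-party trust, so every client needs the self-signed certificate installed, and a certificate pinned to one IP has to be replaced whenever that address changes. A sub-domain pointed at the host, as the original poster finally did, removes both problems.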

This helped, I ended up creating a sub-domain. Thanks a lot for all the help!
