Permission issue on acme.json

Today I'm having my fair share of frustrations around acme.json and the 600 permission. It's been 3+ hours and no dice.

I'm trying to persist my acme.json, but if I put it in the container myself I'm unable to set the permissions. No matter what I do, I can't get around it.

In a few places I read that I can't change permissions of files in volumes. The Traefik docs suggest reusing the file and setting its permission to 600, but give no example of how to do it in a proper/repeatable way, i.e. without going into the container and manually setting it.

One way I managed to do it is by creating a new Traefik image that copies the file and chmods it. Now I am failing to build the docker compose in GitHub Actions because it can't find the file/context :confused: Consistently, one issue leads to another.

What is the proper way to set the correct permission without manual intervention, possibly in docker compose and GitHub Actions? I'm on Ubuntu.
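One repeatable way to get a 600 acme.json into a bind-mounted volume is to create (or repair) the file on the host before `docker compose up`, so the mount already carries the right mode when Traefik starts. The snippet below is an added example, not code from the original post or from the Traefik project; the path is a placeholder. It relies on two facts: Traefik refuses an ACME storage file whose mode is more permissive than 600, and Docker creates a directory in place of a bind-mounted host path that does not exist, which then breaks Traefik in a different way.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): make sure the host-side
# acme.json exists with mode 0600 before it is bind-mounted into Traefik.
# Safe to run on every deploy, so it fits a GitHub Actions step as well
# as a local shell.
set -eu

# ensure_acme_file PATH
# Creates PATH as an empty file with mode 0600 if it is missing, tightens
# an existing file to 0600, and prints the resulting octal mode so the
# caller can verify it.
ensure_acme_file() {
    acme_path="$1"
    if [ ! -e "$acme_path" ]; then
        # install(1) creates the file with the final mode in one step, so
        # there is no window where a wider umask leaves it world-readable.
        # Creating it here also stops Docker from turning a missing bind
        # mount source into an empty directory.
        install -m 0600 /dev/null "$acme_path"
    elif [ -d "$acme_path" ]; then
        echo "error: $acme_path is a directory (probably created by a bind mount); remove it" >&2
        return 1
    else
        chmod 0600 "$acme_path"
    fi
    # GNU stat first (Ubuntu), BSD stat as a fallback.
    stat -c '%a' "$acme_path" 2>/dev/null || stat -f '%Lp' "$acme_path"
}

# Usage when run directly: ensure_acme_file ./config/certs/acme.json
if [ "${1:-}" != "" ]; then
    ensure_acme_file "$1"
fi
```

With the file prepared this way, the compose service only needs a bind mount such as `./config/certs/acme.json:/acme.json` (placeholder path) and a matching `storage:` entry in traefik.yml; no custom image or in-container chmod is needed, and the same step can run as a `run:` command in a GitHub Actions job before `docker compose up -d`.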

Are you using Docker rootless or assigning a special user to Traefik?

Share your docker-compose.yml.

Hello!

Apologies for the late response. I did make things work, but in a very cumbersome way: I ended up with two docker compose files + a custom Traefik Docker image, far from ideal.

Below is my current docker-compose file. I'm using the root user and not assigning a special user to Traefik. I did read somewhere that I could/should try that, but given there's no mention of it in the Traefik docs, I thought I shouldn't need to go to that extent.

Full disclosure, this is my first time using Traefik, so I'm sure there are some things I'm doing wrong here in combination with my traefik.yml (let me know if I should post it too).

services:
  traefik:
    image: traefikcustom:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.tls=true"

  test:
    image: test:latest
    restart: unless-stopped
    ports:
      - "3002:3002"
    depends_on:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.test.entrypoints=websecure"
      - "traefik.http.routers.test.rule=Host(`test.dev.example.com`)"
      - "traefik.http.routers.test.tls=true"
      - "traefik.http.routers.test.tls.certresolver=production"
      - "traefik.http.routers.test.middlewares=redirect-to-https@file"

My custom Traefik Dockerfile looks like this:

FROM traefik:v3.0

# Build argument selecting which environment's acme.json is baked in
ARG SERVICE_ENV

ENV SERVICE_ENV=${SERVICE_ENV}

# Static configuration baked into the image
COPY ./config/traefik.yml /etc/traefik/traefik.yml

# ACME storage file for the selected environment
COPY ./config/certs/acme-${SERVICE_ENV}.json /usr/src/app/acme.json

# Traefik requires the ACME storage file to be mode 600; applied in the image layer
RUN chmod 600 /usr/src/app/acme.json

ENTRYPOINT ["traefik"]

Overall, these are the things I want to achieve:

Currently (unfortunately) I had to separate the hosts by using a different docker-compose file for each environment; I kept getting a 400. I don't have the error message around, but I can reproduce it if needed.

This is what I did, but I kept getting the same error on each service.

- "traefik.http.routers.test.rule=Host(`${SERVICE_HOST_PROD}`) || Host(`${SERVICE_HOST_DEV}`)"

Thank you for taking the time, appreciate it!

––
Edit: I thought maybe the reason for the 400 was the http -> https redirect causing the HTTP challenge to fail, but I think removing it didn't solve it.

Not sure what your issue is; it works for me on Debian with Docker CE. Maybe check the simple Traefik example.