Hi, I've been searching this forum and the web for about a week now and finally decided to make a question of my own.
I am running a server with Traefik and various Docker containers for years now, and have several of them available through a domain handled and certified by Traefik.
Now I want to add WordPress to them but can't seem to get it running. I consistently get a Bad Gateway error when trying to access the interface through Traefik. When I access it via its local IP and port everything works fine. I've tried about every version of a Docker WordPress stack I could find.
My WordPress docker-compose:
version: '3'
services:
  wordpress:
    container_name: wordpress
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - ./wp_data:/var/www/html
      - ./uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
    restart: on-failure
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: ${MYSQL_USER}
      WORDPRESS_DB_PASSWORD: ${MYSQL_USER_PASSWORD}
    ports:
      - 8889:80
    networks:
      - traefik
      - backend
    labels:
      - traefik.enable=true
      - traefik.http.routers.${PROJECT_NAME}.tls=true
      - traefik.http.routers.${PROJECT_NAME}.tls.certresolver=lets-encrypt
      - traefik.http.routers.${PROJECT_NAME}.entrypoints=websecure
      - traefik.http.routers.${PROJECT_NAME}.rule=Host(`${HOST_NAME}`)
      - traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=8889
  db:
    container_name: db-blog
    image: mariadb
    volumes:
      - ./db_data:/var/lib/mysql
    restart: on-failure
    networks:
      - backend
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_USER_PASSWORD}
networks:
  backend:
    external: false
  traefik:
    external: true
My traefik docker-compose:
version: '3.5'
services:
  traefik:
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '/home/daniel/docker/traefik/config/traefik.toml:/traefik.toml'
      - '/home/daniel/docker/traefik/traefik_dynamic.toml:/traefik_dynamic.toml'
      - '/home/daniel/docker/traefik/acme.json:/acme.json'
    ports:
      - '80:80'
      - '443:443'
      - '8081:8080'
    networks:
      - traefik
    container_name: traefik
    image: 'traefik:v2.10.7'
    restart: always
networks:
  traefik:
    name: traefik
traefik-dynamic:
[http.middlewares.simpleAuth.basicAuth]
  users = [
    "admin:password"
  ]

[http.routers.api]
  rule = "Host(`192.168.178.84`,`mediaserver`)"
  entrypoints = ["websecure"]
  middlewares = ["simpleAuth"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"
traefik.toml:
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  # insecure = true

[certificatesResolvers.lets-encrypt.acme]
  email = "admin@example.de"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
  exposedByDefault = false
  watch = true
  network = "traefik"

[providers.file]
  filename = "traefik_dynamic.toml"
Hi MaggiWuerze,
please try to remove
ports:
  - 8889:80
and set the loadbalancer definition to
  - traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=80
Traefik uses the "internal" ports of the container, not the ports linked to the host system.
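The mismatch the answer points out (a `loadbalancer.server.port` label copied from the host side of a `ports:` mapping instead of the container side) is easy to catch mechanically. The checker below is an added example, not code from the thread or from Traefik; the compose structures are constructed dicts mirroring the post's `wordpress` service, and it assumes the labels are left unexpanded (`${PROJECT_NAME}`) as in the post.

```python
import re

# Matches the label from the post: traefik.http.services.<name>.loadbalancer.server.port=<port>
PORT_LABEL = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port=(\d+)$")

def parse_port_mapping(spec):
    """Return (host_port, container_port) for one compose 'ports' entry.
    Handles '8889:80', '127.0.0.1:8889:80', '8889:80/tcp' and a bare '80'
    (host port ephemeral -> None). Bracketed IPv6 bind addresses are not handled."""
    parts = str(spec).split("/")[0].split(":")
    if len(parts) == 1:
        return None, int(parts[0])
    return int(parts[-2]), int(parts[-1])

def check_service(service):
    """[(label_port, container_port)] for every Traefik server.port label that
    names a host-published port rather than the port the container listens on."""
    mappings = [parse_port_mapping(p) for p in service.get("ports", [])]
    container_ports = {c for _, c in mappings}
    findings = []
    for label in service.get("labels", []):
        m = PORT_LABEL.match(str(label))
        if not m:
            continue
        port = int(m.group(1))
        if port in container_ports:
            continue                          # label already points at the container port
        for host, container in mappings:
            if host == port:                  # label copied the host side of the mapping
                findings.append((port, container))
    return findings

def check_compose(compose):
    """Map service name -> findings for every service that has a problem."""
    return {name: f for name, svc in compose.get("services", {}).items()
            if (f := check_service(svc))}

# Constructed from the compose file in the thread (only the relevant keys).
BROKEN = {"services": {"wordpress": {
    "ports": ["8889:80"],
    "labels": ["traefik.enable=true",
               "traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=8889"]}}}
FIXED = {"services": {"wordpress": {
    "labels": ["traefik.enable=true",
               "traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=80"]}}}

if __name__ == "__main__":
    print(check_compose(BROKEN))   # {'wordpress': [(8889, 80)]}
    print(check_compose(FIXED))    # {}
```

Feed it the output of `yaml.safe_load` on a real compose file to scan every service at once; a service with no `ports:` at all (the state the answer recommends) produces no finding because Traefik then only ever sees the container port.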
That actually did it. Now I'm confused, since I know for a fact that I also had your version during my previous tests.
Thanks for the effort.
Do you maybe also have an idea why Traefik can't get a certificate for the domain?
Timeout during connect (likely firewall problem)\n"
After taking a short look, the TLS challenge looks good, I think.
Try to set the log level to debug and maybe set the caServer to staging ( https://acme-staging-v02.api.letsencrypt.org/directory ) to not run into some rate limiting while testing.
I switched to LE staging, here's the log. It now says "Error getting validation data".
Sorry for the late answer, apparently the spam filter found me suspicious.
traefik | time="2024-01-16T19:07:04Z" level=debug msg="Trying to challenge certificate for domain [DOMAIN.de www.DOMAIN.de] found in HostSNI rule" rule="Host(`DOMAIN.de`, `www.DOMAIN.de`)" providerName=lets-encrypt-staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=wordpress@docker
traefik | time="2024-01-16T19:07:04Z" level=debug msg="Looking for provided certificate(s) to validate [\"DOMAIN.de\" \"www.DOMAIN.de\"]..." providerName=lets-encrypt-staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=wordpress@docker rule="Host(`DOMAIN.de`, `www.DOMAIN.de`)"
traefik | time="2024-01-16T19:07:04Z" level=debug msg="No ACME certificate generation required for domains [\"DOMAIN.de\" \"www.DOMAIN.de\"]." providerName=lets-encrypt-staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=wordpress@docker rule="Host(`DOMAIN.de`, `www.DOMAIN.de`)"
traefik | time="2024-01-16T19:07:04Z" level=debug msg="Loading ACME certificates
traefik | time="2024-01-16T19:07:05Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10649409914"
traefik | time="2024-01-16T19:07:05Z" level=error msg="Unable to obtain ACME certificate for domains \"DOMAIN.de,www.DOMAIN.de\": unable to generate a certificate for the domains [DOMAIN.de www.DOMAIN.de]: error: one or more domains had a problem:\n[DOMAIN.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2003:d0:bf05:7d00:1dfb:e1ef:23f1:471a: Error getting validation data\n[www.DOMAIN.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2003:d0:bf05:7d00:1dfb:e1ef:23f1:471a: Error getting validation data\n" providerName=lets-encrypt-staging.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=wordpress@docker rule="Host(`DOMAIN.de`, `www.DOMAIN.de`)"
Looking at the messages and output by https://letsdebug.net and https://check-your-website.server-daten.de/ it might be an issue with my IPv6 address. I deactivated the privacy extensions on my server and now wait for it to get a new IPv6 address that might work better with public access.
Any input is still welcome though.
Did you set an AAAA record in DNS for your IPv6?
Is your server and Docker setup IPv6 ready?
The AAAA is there and has my server's IPv6 address. What exactly do you mean by "is Docker IPv6 ready"? My server has an IPv6 address and my router allows IPv6 connections on 80 and 443 to my server.
My DNS Setup currently looks like this:
AAAA DOMAIN_A | <-- CNAME *.DOMAIN_A
| <-- CNAME DOMAIN B <-- CAA
| <-- CNAME *.DOMAIN_B
| <-- CAA
Edit:
Ok, I enabled IPv6 for my Docker setup now, following this guide: IPv6, Docker(-compose), and Shorewall6/ip6tables
Still no luck with the certificate. Still getting:
traefik | time="2024-01-18T12:05:36Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/10681545544"
traefik | time="2024-01-18T12:05:36Z" level=error msg="Unable to obtain ACME certificate for domains \"DOMAIN.de,www.DOMAIN.de\": unable to generate a certificate for the domains [DOMAIN.de www.DOMAIN.de]: error: one or more domains had a problem:\n[DOMAIN.de] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 2003:d0:bf1c:f800:8cd1:2b9:3e98:de0: Error getting validation data\n" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=lets-encrypt-staging.acme routerName=wordpress@docker rule="Host(`DOMAIN.de`, `www.DOMAIN.de`)"
Ok, I now removed my AAAA record from my dynDNS provider and everything works again.
/thread I guess
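The certificate part of the thread boils down to one fact: the CA connects to whatever addresses DNS publishes for the name, and here the AAAA record pointed at an IPv6 address that did not accept connections on 443, so the TLS challenge failed until the record was removed. The pre-flight check below is an added example, not code from the thread, Traefik or Let's Encrypt; it resolves the name, makes a plain TCP connection to every published address over its own address family, and reports the thread's pattern (IPv4 fine, AAAA published but unreachable). The probe is injectable so the logic can be exercised offline with constructed records.

```python
import socket

# DNS record type -> address family the CA would use to reach that address.
RECORD_FAMILIES = (("AAAA", socket.AF_INET6), ("A", socket.AF_INET))

def resolve_records(host, port=443):
    """Return {"A": [...], "AAAA": [...]} as seen by this machine's resolver."""
    records = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records

def tcp_probe(family, addr, port=443, timeout=5.0):
    """True when a TCP handshake to addr:port succeeds over the given family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:                       # refused, timed out, no route, etc.
        return False

def unreachable_addresses(records, probe=tcp_probe):
    """[(record_type, address)] for every published address that does not accept 443."""
    return [(rtype, addr) for rtype, family in RECORD_FAMILIES
            for addr in records.get(rtype, []) if not probe(family, addr)]

def diagnose(records, probe=tcp_probe):
    """'ok', 'ipv6-only-failure' (the thread's case) or 'unreachable'."""
    bad = unreachable_addresses(records, probe)
    if not bad:
        return "ok"
    if any(r == "AAAA" for r, _ in bad) and all(r != "A" for r, _ in bad):
        return "ipv6-only-failure"        # drop or fix the AAAA record before requesting a cert
    return "unreachable"

if __name__ == "__main__":
    host = "example.com"                  # placeholder: use the name from your Host() rule
    recs = resolve_records(host)
    print(recs, unreachable_addresses(recs), diagnose(recs))
```

Run it from outside the home network (or from a host that can reach the public address), since the point is what the CA sees, not what the LAN sees.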
system (closed January 21, 2024, 1:48pm): This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.