It seems like Taefik by default hits Letsencrypt for every new container I create. Even if I just manually do a simple docker run -it alpine /bin/sh the Traefik-deamon picks up that and tries to give me a certificate using the randomly generated name (like brave_lamarr) as the host.
time="2019-06-26T19:07:18Z" level=error msg="Unable to obtain ACME certificate for domains "brave-lamarr.webhost1-XXX" detected thanks to rule "Host:brave-lamarr.webhost1-XXX" : unable to generate a certificate for the domains [brave-lamarr.webhost1-XXX]: acme: Error -> One or more domains had a problem:\n[brave-lamarr.webhost1-XXX] acme: error: 400 :: urn:ietf:params:acme:error:connection :: dns :: DNS problem: NXDOMAIN looking up A for brave-lamarr.webhost1-XXX, url: \n"
Since this attempt obviously fail Letsencrypt starts to rate-limit me after a number of created containers. Luckily the temporary ban is released in a rather short time so it's not a huge issue. But it is stil something I'd like to fix anyways.
I thought that the
[docker]
exposedByDefault = false
setting in Traefik.toml would not only stop the proxying, but also the handling of certificates. But it seems like that is not the case....
If there's a way of turning off the certificate handling altogether and then selectively enabling it with a - label in docker-compose.yml for each site there I'd be happy. I guess there's some way of achieving this.
Ah yes - if it is version dependent I'd better say that I run Docker 18.06.1-ce, docker-compose 1.24.1 and Traefik v1.7.12
Generally, if you use somebody else’s copied and pasted configuration (and who does not?), it’s ususally useful to go through it line by line, and understand what these lines mean. It could help avoid “surprises” like this.
But in this case I had already read that part of the dox and and have set it to true. I interpreted the This will request a certificate from Let's Encrypt for each frontend with a Host rule. as that a host rule for the domain in question would be required for Traefik actually request a cert.
When I just manually spin up a container (that have nothing at all to do with the containers and web sites already defined in docker-compose that all have their own labels with a - “traefik.basic.frontend.rule=”) there shouldn’t be a Host-rule defined for it? Or is there some automatic/impicit host-rule that is applied anyways?
I have to admit that I don’t fully understand the (for frontends wired to the acme.entryPoint) -part in the onhostrule description…
traefik.basic.frontend.rule=Host:brave-lamarr.webhost1-XXX is a host rule. it says that this is a rule on the left , and the rule itself on the right starts with Host: therefore it’s a host rule.
Yes, that’s absolutely reasonable. But from where is that rule coming? I haven’t explicitly defined it anywhere.
The “brave-lamarr” here is dockers randomized name for a container that is created automatically when starting a container without an explicit name tag.
If I manually spin up 20 containers from any image (like alpine) I’ll get 20 random names, and Traefik will hit Letsencrypt with all of those names.
This even if I have onhostrule=true in the [acme] section of the Traefik.toml file.
Actually to think of it I recently span out a container, and saw in the dahsboard a host rule that I did not create which was based on the container name. I dismissed it at that time, but now I wonder why that is. I did not notice this rule autocreation before.
It’s an old feature: if you don’t define a rule on a container, Traefik generate a rule based on container information.
It’s related to:
[docker]
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a services.
#
# Optional
# Default: ""
#
domain = "docker.localhost"
