Problem passing route53 DNS challenge credentials via docker secrets

Hello,

I'd like to pass my route53 DNS challenge credentials via docker secrets, but AWS_ACCESS_KEY_ID_FILE and AWS_SECRET_ACCESS_KEY_FILE environment variables pointing to my docker secret paths doesn't work!?!

Directly passing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY on the otherhand works. I'd like to use docker secrets, instead of passing account information via environment variables...

Thanks in advance for your support!

version: '3.7'

services:

  traefik:
    image: traefik:2.0-alpine
    environment:
      - AWS_REGION=xxx
      - AWS_HOSTED_ZONE_ID=xxx
      - AWS_ACCESS_KEY_ID_FILE=/run/secrets/AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/AWS_SECRET_ACCESS_KEY
    deploy:
      replicas: 1
      restart_policy:
        delay: 5s
        max_attempts: 3
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik_http.rule=Host(`traefik.domain.tld`)"
        - "traefik.http.routers.traefik_http.entrypoints=http"
        - "traefik.http.routers.traefik_http.middlewares=http-chain@file"
        - "traefik.http.routers.traefik_https.rule=Host(`traefik.domain.tld`)"
        - "traefik.http.routers.traefik_https.entrypoints=https"
        - "traefik.http.routers.traefik_https.middlewares=https-basicauth-chain@file"
        - "traefik.http.routers.traefik_https.tls=true"
        - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik_https.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.traefik_https.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.traefik_https.service=traefik_https"
        - "traefik.http.services.traefik_https.loadbalancer.server.port=8080"
        - "traefik.http.services.traefik_https.loadbalancer.server.scheme=http"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/docker.swarm/traefik/traefik.toml:/traefik.toml:ro
      - /opt/docker.swarm/traefik/acme.json:/acme.json
      - /opt/docker.swarm/traefik/conf.d/:/etc/traefik/conf.d/
#      - /var/log/:/var/log/
    secrets:
      - AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY
      - AWS_HOSTED_ZONE_ID
      - AWS_REGION

  whoami:
    image: containous/whoami
    deploy:
      replicas: 1
      restart_policy:
        delay: 5s
        max_attempts: 3
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami_http.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami_http.entrypoints=http"
        - "traefik.http.routers.whoami_http.middlewares=http-chain@file"
        - "traefik.http.routers.whoami_https.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami_https.entrypoints=https"
        - "traefik.http.routers.whoami_https.middlewares=https-chain@file"
        - "traefik.http.routers.whoami_https.tls=true"
        - "traefik.http.routers.whoami_https.tls.certresolver=letsencrypt"
        - "traefik.http.routers.whoami_https.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.whoami_https.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.whoami_https.service=whoami_https"
        - "traefik.http.services.whoami_https.loadbalancer.server.port=80"
        - "traefik.http.services.whoami_https.loadbalancer.server.scheme=http"

networks:
  default:
    external: true
    name: traefik

secrets:
  AWS_ACCESS_KEY_ID:
    external: true
  AWS_SECRET_ACCESS_KEY:
   external: true
time="2019-07-24T19:56:00Z" level=debug msg="Loading ACME certificates [domain.tld *.domain.tld]..." providerName=acme.letsencrypt
time="2019-07-24T19:56:00Z" level=debug msg="Building ACME client..." providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="Loading ACME certificates [domain.tld *.domain.tld]..." providerName=acme.letsencrypt
time="2019-07-24T19:56:00Z" level=debug msg="Using DNS Challenge provider: route53" providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="legolog: [INFO] [domain.tld, *.domain.tld] acme: Obtaining bundled SAN certificate"
time="2019-07-24T19:56:00Z" level=debug msg="legolog: [INFO] [domain.tld, *.domain.tld] acme: Obtaining bundled SAN certificate"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: tls-alpn-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: http-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: tls-alpn-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: http-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:08Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:16Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:23Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Cleaning DNS-01 challenge"
time="2019-07-24T19:56:30Z" level=debug msg="legolog: [WARN] [*.domain.tld] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated."
time="2019-07-24T19:56:30Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Cleaning DNS-01 challenge"
time="2019-07-24T19:56:37Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Cleaning DNS-01 challenge"
2019/07/24 19:56:42 server.go:3012: http: TLS handshake error from 10.255.0.2:4358: strict SNI enabled - No certificate found for domain: "", closing connection
time="2019-07-24T19:56:44Z" level=debug msg="legolog: [WARN] [domain.tld] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated."

Could you please provide your toml configuration file?

Thanks!

Hi Daniel,

here are my toml files:

traefik.toml

[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[entrypoints]
  [entrypoints.http]
    address = ":80"

  [entrypoints.https]
    address = ":443"

  [entrypoints.smtp-relay]
    address = ":25"

  [entrypoints.smtp-ssl]
    address = ":465"

  [entrypoints.smtp]
    address = ":587"

  [entrypoints.pop3]
    address = ":110"

  [entrypoints.pop3-ssl]
    Address = ":995"

  [entrypoints.imap]
    address = ":143"

  [entrypoints.imap-ssl]
    address = ":993"

[log]
  level = "DEBUG"
# filePath = "/var/log/traefik.log"

#[accessLog]
#  filePath = "/var/log/traefik.access.log"
#  format = "common"

[accessLog.filters]
  statusCodes = ["200", "300-302"]
  retryAttempts = true
  minDuration = "10ms"

[accessLog.fields]
  defaultmode = "keep"
  [accessLog.fields.names]
    "clientUsername" = "drop"

  [accessLog.fields.headers]
    defaultMode = "keep"
    [accessLog.fields.headers.names]
      "User-Agent" = "redact"
      "Authorization" = "drop"
      "Content-Type" = "keep"

[api]

[ping]

[providers]
  [providers.file]
    directory = "/etc/traefik/conf.d"

  [providers.docker]
    network = "traefik"
    defaultRule = "Host(`{{ normalize .Name }}.domain.tld`)"
    exposedByDefault = false
    swarmMode = true

[certificatesResolvers.letsencrypt.acme]
  email = "admin@domain.tld"
  storage = "acme.json"

  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "route53"

middlewares.toml

    [http.middlewares.http-chain.chain]
      middlewares = ["redirect-https"]

    [http.middlewares.https-chain.chain]
      middlewares = ["headers-sts", "compress"]

    [http.middlewares.https-basicauth-chain.chain]
      middlewares = ["headers-sts", "compress", "test-auth"]

    [http.middlewares.redirect-https.redirectScheme]
      scheme = "https"
      permanent = true

    [http.middlewares.headers-sts.headers]
      STSSeconds = 315360000
      STSIncludeSubdomains = true
      STSPreload = true
      forceSTSHeader = true

    [http.middlewares.compress.compress]

    [http.middlewares.test-auth.basicauth]
      users = [
        "admin:$xxx"
      ]

tls.toml

[tls]
  [tls.options]
    [tls.options.default]
      sniStrict = true
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # TLS 1.2
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", # TLS 1.2
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_FALLBACK_SCSV"
      ]