Problem passing route53 DNS challenge credentials via docker secrets

Hello,

I'd like to pass my route53 DNS challenge credentials via docker secrets, but the AWS_ACCESS_KEY_ID_FILE and AWS_SECRET_ACCESS_KEY_FILE environment variables pointing to my docker secret paths don't work.

Directly passing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, on the other hand, works. I'd like to use docker secrets instead of passing account information via environment variables...

Thanks in advance for your support!

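version: '3.7'

services:

  traefik:
    image: traefik:2.0-alpine
    environment:
      - AWS_REGION=xxx
      - AWS_HOSTED_ZONE_ID=xxx
      # NOTE(review): the debug log reports "NoCredentialProviders: no valid
      # providers in chain", i.e. the AWS SDK credential chain found nothing.
      # That suggests the route53 provider reads credentials through the SDK
      # chain rather than through lego's _FILE lookup, so these two variables
      # are probably ignored. The SDK chain does read
      # AWS_SHARED_CREDENTIALS_FILE, which can point at a mounted secret in the
      # usual INI credentials format — confirm against the Traefik/lego version
      # in use before relying on it.
      - AWS_ACCESS_KEY_ID_FILE=/run/secrets/AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/AWS_SECRET_ACCESS_KEY
    deploy:
      replicas: 1
      restart_policy:
        delay: 5s
        max_attempts: 3
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik_http.rule=Host(`traefik.domain.tld`)"
        - "traefik.http.routers.traefik_http.entrypoints=http"
        - "traefik.http.routers.traefik_http.middlewares=http-chain@file"
        - "traefik.http.routers.traefik_https.rule=Host(`traefik.domain.tld`)"
        - "traefik.http.routers.traefik_https.entrypoints=https"
        - "traefik.http.routers.traefik_https.middlewares=https-basicauth-chain@file"
        - "traefik.http.routers.traefik_https.tls=true"
        - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
        - "traefik.http.routers.traefik_https.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.traefik_https.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.traefik_https.service=traefik_https"
        - "traefik.http.services.traefik_https.loadbalancer.server.port=8080"
        - "traefik.http.services.traefik_https.loadbalancer.server.scheme=http"
    ports:
      # Quoted so a host:container pair is always read as a string and never
      # as a YAML 1.1 sexagesimal integer.
      - "80:80"
      - "443:443"
    volumes:
      # The socket is mounted read-only, but that does not limit what the
      # Docker API will do for a caller: whoever reaches this socket controls
      # the daemon and therefore the host. Only Traefik should get it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/docker.swarm/traefik/traefik.toml:/traefik.toml:ro
      # acme.json holds the ACME account key and the certificate private keys;
      # keep the host file at mode 0600 (Traefik checks for that on startup).
      - /opt/docker.swarm/traefik/acme.json:/acme.json
      - /opt/docker.swarm/traefik/conf.d/:/etc/traefik/conf.d/
      # - /var/log/:/var/log/
    secrets:
      - AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY
      # Region and hosted zone are also passed directly via `environment`
      # above; the file mounts are only needed if a _FILE variant is used.
      - AWS_HOSTED_ZONE_ID
      - AWS_REGION

  whoami:
    image: containous/whoami
    deploy:
      replicas: 1
      restart_policy:
        delay: 5s
        max_attempts: 3
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami_http.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami_http.entrypoints=http"
        - "traefik.http.routers.whoami_http.middlewares=http-chain@file"
        - "traefik.http.routers.whoami_https.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami_https.entrypoints=https"
        - "traefik.http.routers.whoami_https.middlewares=https-chain@file"
        - "traefik.http.routers.whoami_https.tls=true"
        - "traefik.http.routers.whoami_https.tls.certresolver=letsencrypt"
        - "traefik.http.routers.whoami_https.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.whoami_https.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.whoami_https.service=whoami_https"
        - "traefik.http.services.whoami_https.loadbalancer.server.port=80"
        - "traefik.http.services.whoami_https.loadbalancer.server.scheme=http"

networks:
  default:
    external: true
    name: traefik

secrets:
  AWS_ACCESS_KEY_ID:
    external: true
  AWS_SECRET_ACCESS_KEY:
    external: true
  # Declared so that the references under services.traefik.secrets resolve:
  # compose rejects a service that refers to an undeclared secret.
  AWS_HOSTED_ZONE_ID:
    external: true
  AWS_REGION:
    external: true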
time="2019-07-24T19:56:00Z" level=debug msg="Loading ACME certificates [domain.tld *.domain.tld]..." providerName=acme.letsencrypt
time="2019-07-24T19:56:00Z" level=debug msg="Building ACME client..." providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="Loading ACME certificates [domain.tld *.domain.tld]..." providerName=acme.letsencrypt
time="2019-07-24T19:56:00Z" level=debug msg="Using DNS Challenge provider: route53" providerName=acme
time="2019-07-24T19:56:00Z" level=debug msg="legolog: [INFO] [domain.tld, *.domain.tld] acme: Obtaining bundled SAN certificate"
time="2019-07-24T19:56:00Z" level=debug msg="legolog: [INFO] [domain.tld, *.domain.tld] acme: Obtaining bundled SAN certificate"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: tls-alpn-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: http-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxx"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: tls-alpn-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Could not find solver for: http-01"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [domain.tld] acme: use dns-01 solver"
time="2019-07-24T19:56:02Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:08Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:16Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Preparing to solve DNS-01"
time="2019-07-24T19:56:23Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Cleaning DNS-01 challenge"
time="2019-07-24T19:56:30Z" level=debug msg="legolog: [WARN] [*.domain.tld] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated."
time="2019-07-24T19:56:30Z" level=debug msg="legolog: [INFO] [domain.tld] acme: Cleaning DNS-01 challenge"
time="2019-07-24T19:56:37Z" level=debug msg="legolog: [INFO] [*.domain.tld] acme: Cleaning DNS-01 challenge"
2019/07/24 19:56:42 server.go:3012: http: TLS handshake error from 10.255.0.2:4358: strict SNI enabled - No certificate found for domain: "", closing connection
time="2019-07-24T19:56:44Z" level=debug msg="legolog: [WARN] [domain.tld] acme: error cleaning up: failed to determine Route 53 hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated."

Could you please provide your toml configuration file?

Thanks!

Hi Daniel,

here are my toml files:

traefik.toml

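[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[entrypoints]
  [entrypoints.http]
    address = ":80"

  [entrypoints.https]
    address = ":443"

  [entrypoints.smtp-relay]
    address = ":25"

  [entrypoints.smtp-ssl]
    address = ":465"

  [entrypoints.smtp]
    address = ":587"

  [entrypoints.pop3]
    address = ":110"

  [entrypoints.pop3-ssl]
    # Was `Address`; the other entrypoints use `address`. Traefik's parser
    # may accept either casing, but a consistent key avoids a silently
    # ignored option if it does not.
    address = ":995"

  [entrypoints.imap]
    address = ":143"

  [entrypoints.imap-ssl]
    address = ":993"

[log]
  # DEBUG includes ACME/provider internals (see the legolog lines in the
  # issue); drop back to INFO once the DNS challenge is sorted out.
  level = "DEBUG"
# filePath = "/var/log/traefik.log"

#[accessLog]
#  filePath = "/var/log/traefik.access.log"
#  format = "common"

# NOTE(review): defining [accessLog.filters] below enables the access log
# (to stdout by default) even though the [accessLog] header is commented
# out — confirm that is intended.
# NOTE(review): Traefik combines these filters with OR, so a 4xx/5xx
# response is only logged when it is a retry or took at least 10ms. Those
# are the responses most useful for spotting probing and failed logins;
# consider adding a "400-599" range if the access log feeds monitoring.
[accessLog.filters]
  statusCodes = ["200", "300-302"]
  retryAttempts = true
  minDuration = "10ms"

[accessLog.fields]
  # Was `defaultmode`; aligned with the casing used in the headers table.
  defaultMode = "keep"
  [accessLog.fields.names]
    "clientUsername" = "drop"

  [accessLog.fields.headers]
    defaultMode = "keep"
    [accessLog.fields.headers.names]
      "User-Agent" = "redact"
      "Authorization" = "drop"
      "Content-Type" = "keep"

# NOTE(review): the compose labels route the dashboard to container port
# 8080. With `insecure` left unset, Traefik v2 exposes the API through the
# `api@internal` service behind a router rather than on a plain port —
# confirm 8080 is actually served, otherwise point the router at api@internal
# and keep the basic-auth chain in front of it.
[api]

[ping]

[providers]
  [providers.file]
    directory = "/etc/traefik/conf.d"

  [providers.docker]
    network = "traefik"
    defaultRule = "Host(`{{ normalize .Name }}.domain.tld`)"
    exposedByDefault = false
    swarmMode = true

[certificatesResolvers.letsencrypt.acme]
  email = "admin@domain.tld"
  # Resolved relative to the process working directory; the compose file
  # mounts the file at /acme.json — presumably the image's working dir is /,
  # verify if certificates are not being persisted.
  storage = "acme.json"

  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "route53"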

middlewares.toml

    # Building blocks first, chains that compose them afterwards.

    # Plain-HTTP routers use this to bounce clients to HTTPS.
    [http.middlewares.redirect-https.redirectScheme]
      scheme = "https"
      permanent = true

    # HSTS for ten years, including subdomains and the preload list.
    # NOTE(review): preload plus a ten-year max-age is hard to back out of
    # once browsers have picked it up; make sure every subdomain will keep
    # serving HTTPS. forceSTSHeader presumably emits the header on HTTP
    # responses too, but the chain is only attached to https routers here.
    [http.middlewares.headers-sts.headers]
      STSSeconds = 315360000
      STSIncludeSubdomains = true
      STSPreload = true
      forceSTSHeader = true

    [http.middlewares.compress.compress]

    # The placeholder hash is taken literally by TOML: `$` carries no
    # meaning in a basic string, so no doubling is needed here (it would be
    # inside a compose label).
    [http.middlewares.test-auth.basicauth]
      users = ["admin:$xxx"]

    # Chains, from least to most protected.
    [http.middlewares.http-chain.chain]
      middlewares = ["redirect-https"]

    [http.middlewares.https-chain.chain]
      middlewares = ["headers-sts", "compress"]

    [http.middlewares.https-basicauth-chain.chain]
      middlewares = ["headers-sts", "compress", "test-auth"]

tls.toml

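[tls]
  [tls.options]
    [tls.options.default]
      sniStrict = true
      # Refuse TLS 1.0/1.1 handshakes; every suite below is TLS 1.2+ anyway.
      minVersion = "VersionTLS12"
      # Removed: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and
      # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. Go's crypto/tls classifies the
      # CBC-SHA256 suites as insecure (Lucky13-style timing weaknesses) and
      # newer Go releases disable them by default; the AEAD suites cover
      # the same clients.
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # TLS 1.2
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", # TLS 1.2
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        # TLS 1.3 suites are not configurable in Go's crypto/tls; they are
        # always on when 1.3 is negotiated, so these entries document intent
        # rather than change behaviour.
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        # TLS_FALLBACK_SCSV is a client-side downgrade signal, not a suite a
        # server offers; kept as-is since the running config parsed it, but
        # it can be dropped without changing what is negotiated.
        "TLS_FALLBACK_SCSV"
      ]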

Can you please let me know if this is resolved?

I am also facing a similar problem with Cloudflare configuration.

According to the documentation this should work:

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret as its value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

Share your full Traefik static and dynamic config, and full docker-compose.yml.