Hello folks,
I'm fairly new to traefik so please bear with me.
I want to get TLS certificates for my internal Docker applications and have tried for hours to get it to work, but with no success. Maybe someone has advice for me. I run a few Docker containers on my LAN and can reach them via my wildcard DNS, e.g. smokeping.internal.foo.bar; this works like a charm. To achieve this I used a domain which is registered via Cloudflare and points to my local machine. This is my Traefik docker-compose file (post TLS configuration):
```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web-secure.address=:443"
      - "--certificatesResolvers.primary.acme.email=mymail@mail.com"
      - "--certificatesResolvers.primary.acme.storage=acme.json"
      - "--certificatesResolvers.primary.acme.dnsChallenge=true"
      - "--certificatesResolvers.primary.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.primary.acme.dnsChallenge.delayBeforeCheck=0"
      - "--certificatesResolvers.primary.acme.dnsChallenge.resolvers=1.1.1.1:53"
    environment:
      - CF_API_EMAIL=mymail@mail.com
      - CF_API_KEY=thisismyapikey
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/app/traefik/acme.json:/acme.json"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.internal.foo.bar`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web"
      # wildcard certs
      - "traefik.http.routers.api.tls.domains[0].main=internal.foo.bar"
      - "traefik.http.routers.api.tls.domains[0].sans=*.internal.foo.bar"
    networks:
      - web
networks:
  web:
    external: true
```
This is, for example, my smokeping docker-compose file:
```yaml
version: "2.1"
services:
  smokeping:
    image: lscr.io/linuxserver/smokeping
    container_name: smokeping
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - /app/smokeping/config:/config
      - /app/smokeping/data:/data
    # ports:
    #   - 80:80
    networks:
      - web
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.smokeping.rule=Host(`smokeping.internal.foo.bar`)"
      - "traefik.http.routers.smokeping.entrypoints=web-secure"
      - "traefik.http.routers.smokeping.tls.certResolver=primary"
networks:
  web:
    external: true
```
This is the Traefik log with the error which causes the problem (well, at least I think this is the problem):

```
time="2022-03-21T08:32:39Z" level=error msg="Unable to obtain ACME certificate for domains \"smokeping.internal.foo.bar\": unable to generate a certificate for the domains [smokeping.internal.foo.bar]: error: one or more domains had a problem:\n[smokeping.internal.foo.bar] [smokeping.internal.foo.bar] acme: error presenting token: cloudflare: failed to find zone foo.bar.: ListZonesContext command failed: HTTP status 400: Invalid request headers (6003)\n" routerName=smokeping@docker rule="Host(`smokeping.internal.foo.bar`)" providerName=primary.acme
```
I tried to resolve the hostname from within the Traefik container and it does work. I also created an API token for my Cloudflare account which has the following permissions: Zone Settings:Read, Zone:Read, DNS:Edit.
For reference, to build my Docker stack I followed this guide: SensePost | Building a hipster-aware pi home server. Everything works up to the TLS configuration.
Maybe someone can help me, thank you in advance!
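Added example, not part of the original post: a rewritten `traefik` service that uses a scoped Cloudflare API token the way Traefik's Cloudflare DNS-challenge provider expects it. Two assumptions are built in. First, that the `Invalid request headers (6003)` response is Cloudflare rejecting the value in `CF_API_KEY`: that variable (together with `CF_API_EMAIL`) is for the account-wide Global API Key, while a scoped token (the post describes creating one with Zone:Read and DNS:Edit) belongs in `CF_DNS_API_TOKEN`. Second, that the token is supplied through a `.env` file next to the compose file rather than written into it; the dashboard basic-auth hash is a placeholder to be replaced with real `htpasswd` output. Everything else (hostnames, paths, the `web` network, the `smokeping` service with its `tls.certResolver=primary` label) is kept as posted.

```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      - "--log.level=INFO"
      # Dashboard enabled, but served only through the TLS router below,
      # not on an unauthenticated port 8080 (api.insecure is left off)
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Send plain-HTTP requests to the TLS entrypoint
      - "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web-secure.address=:443"
      - "--certificatesresolvers.primary.acme.email=mymail@mail.com"
      # Absolute path, matching the bind mount below
      - "--certificatesresolvers.primary.acme.storage=/acme.json"
      - "--certificatesresolvers.primary.acme.dnschallenge=true"
      - "--certificatesresolvers.primary.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.primary.acme.dnschallenge.resolvers=1.1.1.1:53"
    environment:
      # Assumption: a scoped token (Zone:Read + DNS:Edit, restricted to the
      # foo.bar zone) is passed in CF_DNS_API_TOKEN. CF_API_EMAIL/CF_API_KEY
      # are only for the Global API Key; a token placed there is rejected.
      # The value comes from a .env file (CF_DNS_API_TOKEN=...) that is not
      # committed alongside the compose file.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/app/traefik/acme.json:/acme.json"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.internal.foo.bar`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web-secure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=primary"
      # Request one wildcard certificate here; routers on other containers
      # that use certresolver=primary for *.internal.foo.bar hosts reuse it
      # from acme.json instead of requesting a per-host certificate
      - "traefik.http.routers.api.tls.domains[0].main=internal.foo.bar"
      - "traefik.http.routers.api.tls.domains[0].sans=*.internal.foo.bar"
      # Basic auth in front of the dashboard. Placeholder hash: generate the
      # real one with htpasswd and double every $ so compose does not expand it
      - "traefik.http.routers.api.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$PLACEHOLDER$$HASH"
    networks:
      - web
networks:
  web:
    external: true
```

Before starting, create the store with `touch /app/traefik/acme.json && chmod 600 /app/traefik/acme.json`; Traefik refuses to use an ACME storage file with wider permissions, since it holds the account key and private keys. Keep the token scoped to the single zone in Cloudflare's token editor: the DNS challenge only needs to create and delete `_acme-challenge` TXT records, so a Global API Key (which can do anything on the account) is more authority than the resolver needs. After the change, the `acme` debug lines in the Traefik log should show the wildcard order completing once, and `smokeping.internal.foo.bar` should be served from that certificate without its own order.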