Problems with migrating from 1.x: Invalid SSL certificate

I'm currently trying to migrate from 1.x to 2.1.2; however, I get an Error 526: Invalid SSL certificate.

Here is my v1 config.toml:

[api]
entryPoint = "traefik"
dashboard = true

[docker]
endpoint = "unix://var/run/docker.sock"
watch = true
swarmmode = true

[retry]
attempts = 5

defaultEntryPoints = ["https", "http"]

[entryPoints]

[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
compress = true

[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/live/mydomain/fullchain.pem"
keyFile = "/certs/live/mydomain/privkey.pem"

This is the migrated v2 version:

[api]
dashboard = true

[providers.docker]
endpoint = "unix://var/run/docker.sock"
swarmMode = true

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"

[[tls.certificates]]
certFile = "/certs/live/mydomain/fullchain.pem"
keyFile = "/certs/live/mydomain/privkey.pem"

I have several services in my docker swarm. They are all pretty similar, but this is the traefik image on v1:

  traefik:
    image: traefik:alpine
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.port=8080
        - traefik.backend.loadbalancer.method=drr
        - traefik.frontend.rule=Host:status.mydomain
        - traefik.frontend.entryPoints=http,https
        - traefik.backend=traefik
    networks:
      - app
    ports:
      - 80:80
      - 443:443
      - 8080:8080

and here migrated to v2:

  traefik:
    image: traefik:v2.1.2
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.service=traefik
        - traefik.http.services.traefik.loadbalancer.server.port=8080
        - traefik.http.routers.traefik_api.rule=Host(`status.mydomain`)
        - traefik.http.routers.traefik_api.entrypoints=https
        - traefik.http.routers.traefik_api.service=api@internal
        - traefik.http.routers.traefik_api.tls=true
        # HTTP to HTTPS redirection
        - traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)
        - traefik.http.routers.http_catchall.entrypoints=http
        - traefik.http.routers.http_catchall.middlewares=https_redirect
        - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
    networks:
      - app
    ports:
      - 80:80
      - 443:443
      - 8080:8080

and this is what the other service labels look like (e.g. the one handling the actual workload and where I'm getting the SSL error) on v1:

      labels:
        - traefik.port=3000
        - traefik.backend.loadbalancer.method=drr
        - traefik.frontend.rule=Host:mydomain
        - traefik.frontend.entryPoints=http,https
        - traefik.backend=service-name

and now look like this on v2:

      labels:
        - traefik.service=service-name
        - traefik.http.services.ui.loadbalancer.server.port=3000
        - traefik.http.routers.ui.rule=Host(`mydomain`)
        - traefik.http.routers.ui.entrypoints=https
        - traefik.http.routers.ui.tls=true

I can't figure out what I'm doing wrong :confused:

Hello,

I recommend using our migration tool to migrate your traefik.toml:

If you use this tool, you will see that tls (dynamic configuration) cannot be defined in the traefik.toml (static configuration).


Ah, thanks, that was the issue! I added an additional file provider and put the TLS config in there and it works fine now.
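
The fix described in this thread, written out as an added example (not posted by either participant): the static file gains a file provider, and the certificate block moves into a separate dynamic file. The dynamic file's path `/etc/traefik/dynamic.toml` is an assumption and has to be mounted into the Traefik container; the certificate paths and entry points are the ones from the question.

```toml
# ---- File 1: traefik.toml (static configuration, read once at startup) ----
[api]
  dashboard = true

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"  # documented form of the socket URL
  swarmMode = true

# Added: a file provider that loads the dynamic configuration in File 2.
[providers.file]
  filename = "/etc/traefik/dynamic.toml"  # assumed path, mount it into the container
  watch = true                            # reload when this file changes

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

# No [[tls.certificates]] block here: tls is dynamic configuration and
# cannot be defined in the static file.

# ---- File 2: /etc/traefik/dynamic.toml (dynamic configuration, separate file) ----
[[tls.certificates]]
  certFile = "/certs/live/mydomain/fullchain.pem"
  keyFile = "/certs/live/mydomain/privkey.pem"
```

To confirm the certificate is actually loaded, run `openssl s_client -connect mydomain:443 -servername mydomain` and check the subject: it should be the one from `fullchain.pem`, not Traefik's self-signed `TRAEFIK DEFAULT CERT`.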