Server gave HTTP response to HTTPS client

jsaarela · September 18, 2019, 12:51pm

I've initialized traefik in docker swarm with following parameters:

docker service create
--name traefik
--mode global
--constraint=node.role==manager
--network mynet
--network dockersocket4traefiknet
--publish 80:80
--publish 443:443
--mount type=bind,source=/etc/ssl/certs,target=/ssl
traefik:1.7
--defaultentrypoints="https"
--retry
--debug=true
--logLevel=DEBUG
--docker
--docker.endpoint="tcp://dockersocket4traefik:2375"
--docker.swarmmode
--docker.watch
--docker.exposedbydefault=true
--docker.tls
--docker.tls.ca=/ssl/root.crt
--docker.tls.cert=/ssl/mycert.crt
--docker.tls.key=/ssl/mykey.key \

What is odd is that the traffic to port 2375 is realized using https instead of http. This results in the following error:

traefik.0.qkxia79i3jmp@myhost | time="2019-09-18T12:48:25Z" level=error msg="Failed to retrieve information of the docker client and server host: error during connect: Get https://dockersocket4traefik:2375/v1.24/version: http: server gave HTTP response to HTTPS client"

I fail to find documentation that would help so I'm asking if you've run to the same error? The source code indicates (quick check) that whenever the --docker.tls option is active, the traefik built-in http client switches to https (whereas we would not want that to happen).

Sorry we cannot use letsencrypt but have to use non-self-signed certificates from a commercial source.

daniel.tomcej · September 18, 2019, 1:46pm

Hello @jsaarela,

The source code indicates (quick check) that whenever the --docker.tls option is active, the traefik built-in http client switches to https

That is correct. This is when you require TLS Authentication to communicate with your docker or swarm daemon.

Sorry we cannot use letsencrypt but have to use non-self-signed certificates from a commercial source.

For protecting your docker daemon? It is unlikely that you would have a public certificate for this purpose, due to the DNS and other configuration required.

jsaarela · September 18, 2019, 2:00pm

Thanks for the quick reply! How can I preserve http in the docker/swarm daemon communications but still have https entrypoint to traefik from the Internet?

daniel.tomcej · September 18, 2019, 3:22pm

Hello @jsaarela,

The entrypoint configuration is separate from the communication with docker.

Remember that the docker provider configurations are used to talk with docker for configuration updates, not for proxied requests.

This user guide shows how this is configured:

(https://docs.traefik.io/v1.7/user-guide/docker-and-lets-encrypt/). Disregard the letsencrypt setup, but the entrypoint configuration, and the docker configuration are what you should be looking at.

Topic		Replies	Views
Error in starting traefik with https Traefik v2 docker , file	3	3906	November 26, 2019
Traefik 2 only publishes port 80 and ignores 443 and dashboard port on docker swarm Traefik v2 docker-swarm	2	2231	April 8, 2020
Https always responds 404 with docker provider Traefik v2 docker	3	567	November 5, 2019
Trying to use self-signed certificate with docker swarm Traefik v2 docker-swarm , file	0	1348	October 16, 2019
TLS certificates with Docker Traefik v2 docker	2	4446	September 18, 2019

Server gave HTTP response to HTTPS client

Related topics