z3ky
1
Hi,
I'm running Traefik in a Docker container using docker compose.
When I try to connect to my service, I get

```
level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"
```

In the dynamic conf I set

```toml
[[tls.certificates]]
  certFile = "/etc/ssl/fullchain.crt"
  keyFile = "/etc/ssl/privkey.key"

[http.serversTransports.myservice]
  serverName = "service.com"
```

and the service container is labeled with

```
"traefik.http.services.gitlab.loadbalancer.serverstransport=myservice@file"
```

This setup works when I just use the Traefik binary and don't run it in a container.
From within the container it works when I add

```toml
insecureSkipVerify = true
```

to `serversTransports.myservice`.
cakiwi
2
Sounds like the crt and key files might not be mounted/included in the container properly, particularly if it works with the traefik binary directly.
z3ky
3
I simply mounted the files folder into the container. Traefik can find the files, read the domains and does the SSL termination correctly.
z3ky
4
Aaah no, Traefik in the container cannot find all certificates. I have to provide the rootCAs. Using the Traefik binary, it is already on the machine.
Hi @z3ky, I am facing a similar issue. Were you able to get past the error?
Can you also please share how the serversTransports needs to be configured and referenced?
I have the following configuration:
Traefik.toml:

```toml
#General
[api]
dashboard = true

[metrics]
[metrics.prometheus]

[ping]

[log]
level = "DEBUG"
filepath = "/traefik/logs/traefik/traefik.log"
format = "json"

[accessLog]
filePath = "/traefik/logs/access/access.log"
bufferingSize = 10

# Allows Traefik to skip the SSL Certificate verification on HTTPS Globally
# Note : Traefik documentation doesn't specify that this configuration needs to be
# backed with the below label on the service
# - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https
[serversTransport]
insecureSkipVerify = false

# Allows Traefik to skip the SSL Certificate verification on HTTPS for a specific service
[http.serversTransports.nifiui]
serverName = "mynifi"
insecureSkipVerify = true

#ENTRYPOINTS
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"

[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.forwardedHeaders]
trustedIPs = ["<IP_Address>"] # f5
[entryPoints.websecure.http.tls]

[entryPoints.apiDashboard]
address = ':70000' # note: valid TCP ports are 1-65535

#MIDDLEWARES
[http.middlewares]
[http.middlewares.test-retry.retry]
attempts = 4
[http.middlewares.https-redirectscheme.redirectScheme]
scheme = "https"
permanent = true

#TLS
[[tls.certificates]]
certFile = "/folder/cert.cer"
keyFile = "/folder/cert.key"

#PROVIDERS
[providers]
providersThrottleDuration = 2
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = true
swarmMode = true
swarmModeRefreshSeconds = 15
network = "traefik_webgateway"
[providers.file]
filename = "/etc/traefik/traefik.toml"
watch = true
```
Docker-Compose.yml:

```yaml
version: "3.7"
services:
  nifi:
    user: root
    hostname: mynifi
    image: apache/nifi:latest
    restart: on-failure
    environment:
      - NIFI_WEB_HTTPS_PORT=8443
      - NIFI_WEB_PROXY_HOST=$DOCKER_HOST_URL:443
      - NIFI_WEB_PROXY_CONTEXT_PATH=/
      - SINGLE_USER_CREDENTIALS_USERNAME=admin
      - SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB
      - NIFI_SECURITY.AUTORELOAD.ENABLED=true
    volumes:
      - nifi_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi_state:/opt/nifi/nifi-current/state
      - nifi_logs:/opt/nifi/nifi-current/logs
      - nifi_conf:/opt/nifi/nifi-current/conf
    networks:
      - traefik_webgateway
    deploy:
      labels:
        # traefik
        - traefik.enable=true
        - "traefik.docker.lbswarm=true"
        # service
        - traefik.http.services.nifi-flow.loadbalancer.server.port=8443
        - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https
        # list-form labels use '=' (a ':' becomes part of the key); '@file' because the
        # transport is defined by the file provider and referenced from the docker provider
        - "traefik.http.services.nifi-flow.loadbalancer.serverstransport=nifiui@file"
        # middlewares
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyScheme=https"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyHost=$DOCKER_HOST_URL"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyPort=443"
        - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyContextPath=/"
        # Routers
        - traefik.http.routers.nifi-flow.middlewares=nifi-headers
        - traefik.http.routers.nifi-flow.service=nifi-flow
        - traefik.http.routers.nifi-flow.entrypoints=$TRAEFIK_HTTPS_ENTRYPOINT
        - traefik.http.routers.nifi-flow.tls=true
        - "traefik.http.routers.nifi-flow.rule=Host(`$DOCKER_HOST_URL`) && PathPrefix(`/nifi`)"
      restart_policy:
        condition: on-failure
        delay: 120s
        max_attempts: 3
        window: 60s

networks:
  traefik_webgateway:
    external: true

volumes:
  nifi_conf: {external: true}
  nifi_database_repository: {external: true}
  nifi_flowfile_repository: {external: true}
  nifi_content_repository: {external: true}
  nifi_provenance_repository: {external: true}
  nifi_state: {external: true}
  nifi_logs: {external: true}
```
z3ky
6
@jojejoby try this:

```toml
[http.serversTransports.nifiui]
  serverName = "mynifi.your.domain.com"
  insecureSkipVerify = true
  # rootCAs is a list of CA files (paths as seen inside the container)
  rootCAs = ["/path/to/your/cert/in/the/container/cert.cer"]
```

You can also try to store the full certificate chain in cert.cer.
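The message in the first post, "x509: certificate signed by unknown authority", is the error Go's crypto/x509 package returns, and Traefik is a Go program: when it dials an HTTPS backend it verifies the backend's chain against `rootCAs` (or, if none are configured, against the system store of wherever it runs, which is why the host binary accepted the certificate and the container did not) and checks the name against `serverName`. The program below is an added example written for this thread, not Traefik code and not anything posted above. It builds a throwaway root, intermediate and leaf for the hostname `mynifi` (constructed test data; the CA names and 24h validity are arbitrary) and runs the same verification a serversTransport performs, so each symptom discussed in the thread can be reproduced offline: a backend that sends its full chain and whose root is in `rootCAs` passes; an empty trust store fails with unknown authority; a backend that sends only its leaf fails the same way unless the intermediate itself is listed in `rootCAs`, which is what z3ky's "store the full certificate chain" does; and a `serverName` absent from the certificate's SANs fails the hostname check, not the chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; panicking is acceptable for test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildPKI returns constructed test data: root CA -> intermediate -> leaf for "mynifi".
func BuildPKI() (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTmpl(1, "Example Root CA")
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter = issue(caTmpl(2, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "mynifi"},
		DNSNames:     []string{"mynifi"}, // the SAN that serverName must match
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// VerifyBackend is the check a verifying proxy runs on a backend handshake: presented[0] is
// the leaf, presented[1:] the intermediates the backend sent; rootCAs and serverName play
// the role of the serversTransport options of the same name.
func VerifyBackend(presented, rootCAs []*x509.Certificate, serverName string) error {
	roots := x509.NewCertPool() // empty, not nil: the system store is deliberately not consulted
	for _, c := range rootCAs {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       serverName,
	})
	return err
}

// Classify maps a verification error onto the symptoms seen in the thread.
func Classify(err error) string {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua): // err.Error() starts "x509: certificate signed by unknown authority"
		return "unknown authority"
	case errors.As(err, &hn):
		return "hostname mismatch"
	}
	return "other"
}

func main() {
	root, inter, leaf := BuildPKI()
	full, trust := []*x509.Certificate{leaf, inter}, []*x509.Certificate{root}
	fmt.Println("full chain, root in rootCAs:    ", Classify(VerifyBackend(full, trust, "mynifi")))
	fmt.Println("no rootCAs (container, no CA):  ", Classify(VerifyBackend(full, nil, "mynifi")))
	fmt.Println("leaf only, intermediate missing:", Classify(VerifyBackend(full[:1], trust, "mynifi")))
	fmt.Println("serverName=service.com:         ", Classify(VerifyBackend(full, trust, "service.com")))
}
```

Run it with `go run` (Go 1.18 or later, standard library only). The Traefik settings this corresponds to are `rootCAs = ["/path/in/container/ca.crt"]` and `serverName = "mynifi"` on the serversTransport, with `insecureSkipVerify` left at its default `false`: setting it to `true` turns this entire verification off, so `rootCAs` and `serverName` are then never consulted and any certificate, including a forged one, is accepted by the proxy.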