SSL certificate location command line option

I am new to Traefik and I am coming from a Docker Flow Proxy background. I am trying to run Traefik 2.0 as a docker swarm service. Here is the command I am using...

docker service create \
--name traefik \
--network swarm-network \
-p 80:80 -p 443:443 -p 8080:8080 \
--mount 'type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock' \
--constraint 'node.role==manager' \
traefik:2.0.0 \
--api.insecure=true \
--providers.docker=true \
--providers.docker.swarmmode=true \
--providers.docker.watch=true \
--providers.docker.exposedbydefault=false \
--entrypoints.http.address=:80 \
--entrypoints.https.address=:443 \
**--tls.certificates.certFile=/opt/company.cert \
--tls.certificates.keyFile=/opt/company.key**

The part in Bold Font doesn't seem to be working. Can that not be added as a command line option, or am I using the wrong options?

Here is the error I am getting from the Traefik container:

command traefik error: failed to decode configuration from flags: field not found, node: tls

What am I doing wrong?

Or as an alternative, is there a default location I can put the certificates in so that it just works automagically? That way I wouldn't have to specify the location.

Thanks in advance

It appears that you cannot pass these on the command line.

Traefik configuration is divided into static and dynamic; see Configuration Overview.

What you pass on the command line is static configuration. Allowed options are documented here. However, TLS options are dynamic configuration, not static. It's documented here.

To quote:

Restriction

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores).

So it appears, that you are going to have to use the File Provider to pass this configuration.

So I added a traefik.yml file and put it in the top-level directory. I added this option to the docker service create command: "--providers.file.filename=/traefik.yml". Here are the contents of the traefik.yml file.

tls:
  certificates:
    - certFile: /opt/company.cert
      keyFile: /opt/company.key

I get this error in the logs...
command traefik error: invalid node traefik: no child

What else do I need to do?

Well, you cannot use the same file for both dynamic and static configuration. You specified that it's dynamic configuration via --providers.file.filename, but traefik also tries to load it as static configuration because you gave the file the default file name for static configuration. Since this file is not a valid static configuration, it fails.
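Putting the two answers above together, here is an added example (my own, not code from the original posts) of a swarm stack that keeps the static and dynamic configuration apart: the static configuration stays on the command line, and the TLS certificates live in a file-provider file that is deliberately not called traefik.yml, so Traefik does not also try to parse it as static configuration. The paths under /opt/traefik and /etc/traefik, the stack layout and the network name are assumptions.

```yaml
# traefik-stack.yml - added example, not from the original posts.
# Deploy with:  docker stack deploy -c traefik-stack.yml traefik
# All host paths, the network name and the stack name are assumptions.
version: "3.7"

services:
  traefik:
    image: traefik:2.0.0
    command:
      # Static configuration: providers and entrypoints only.
      - --providers.docker=true
      - --providers.docker.swarmmode=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Dynamic configuration (the tls: section) comes from the file provider.
      # The file is NOT named traefik.yml/traefik.yaml/traefik.toml, so Traefik
      # does not also pick it up as static configuration and reject it.
      - --providers.file.filename=/etc/traefik/dynamic.yml
      # --api.insecure=true is left out on purpose: it would publish the API and
      # dashboard without authentication on port 8080.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The docker socket gives this container full control of the host;
      # that is why the service is pinned to a manager and nothing else is exposed.
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
      - /opt/company.cert:/opt/company.cert:ro
      - /opt/company.key:/opt/company.key:ro   # keep this file mode 0600 on the host
    networks:
      - swarm-network
    deploy:
      placement:
        constraints:
          - node.role == manager

networks:
  swarm-network:
    external: true

---
# /opt/traefik/dynamic.yml - the dynamic configuration loaded by the file provider.
# This is the same content the poster put in traefik.yml; only the file name changes.
tls:
  certificates:
    - certFile: /opt/company.cert
      keyFile: /opt/company.key
```

The two YAML documents above are two separate files on disk; they are shown in one block only so the relationship between the `--providers.file.filename` flag and the file it points at is visible. Because the flag names the file explicitly, it can live anywhere; the only thing to avoid is the default static-configuration name.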

This is another time that I'm confused by the way the Traefik team/docs use English. I want a dynamic configuration - in some environments it would be LetsEncrypt in another environment it would be self-signed. However, that does not seem possible. "Dynamic," in my view, should encapsulate certificate type. But if some certificate types are static only, then that aspect isn't really dynamic, right?

Good spot. I haven't seen a solution using TLS with "Let's Encrypt" and "self-signed certificates" together.

Let's Encrypt --> define certificate resolver in "static configuration" --> example

static.yaml
...
...
certificatesResolvers:
  myresolver:
    acme:
      email: your_email@example.com
      storage: acme.json
      dnsChallenge:
        provider: digitalocean

Self-signed certificates --> define certificate resolver in "Dynamic configuration" --> example

dynamic.yaml
...
...
tls:
  certificates:
    - certFile: /opt/company-01.cert
      keyFile: /opt/company-01.key

    - certFile: /opt/company-02.cert
      keyFile: /opt/company-02.key

    - certFile: /opt/company-03.cert
      keyFile: /opt/company-03.key

Any idea how to make them work together?
Thanks


Can you file a bug on their GitHub and post back here? Seems easier to get help over there...

Did you manage to do this? I need to use let's encrypt on our staging server and self signed for our local development.

You can use custom TLS and LetsEncrypt without a problem. For certs from file, just load the certs in a dynamic configuration and set TLS=true or TLS: {} on entrypoint or router. For LetsEncrypt set certresolver on entrypoint or router.

You could also use LE for dev, you can use dnsChallenge to get certs for (wildcard) domains that are not available on the Internet, only internal.
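The answer above says both sources can coexist because the choice is made per router: `tls: {}` (or the label `tls=true`) serves a certificate from the store that the file provider filled, while `tls.certresolver` asks the ACME resolver for one. Here is an added example (my own, not from the original posts or the Traefik project) that wires the two together for a swarm service. The resolver name `myresolver`, the hostnames, the service port and the file paths are assumptions.

```yaml
# Added example, not from the original posts. Three files shown as one YAML stream.

# --- 1. static configuration (traefik.yml, or the equivalent CLI flags) ---
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    swarmMode: true
    exposedByDefault: false
  file:
    # dynamic configuration below; the file must not use the static default name
    filename: /etc/traefik/dynamic.yml

# Let's Encrypt lives in the static configuration.
certificatesResolvers:
  myresolver:
    acme:
      email: your_email@example.com
      storage: /etc/traefik/acme.json      # holds the account and cert private keys
      dnsChallenge:
        provider: digitalocean             # token comes from DO_AUTH_TOKEN in the environment

---
# --- 2. dynamic configuration (/etc/traefik/dynamic.yml) ---
# Certificates from files live in the dynamic configuration and are served
# by SNI match against the names in the certificate.
tls:
  certificates:
    - certFile: /opt/company.cert
      keyFile: /opt/company.key

---
# --- 3. an application service in the stack file ---
# In swarm mode the labels go under deploy.labels, and the backend port must be
# stated because swarm does not expose container ports to the provider.
services:
  app:
    image: example/app:latest             # assumption
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.services.app.loadbalancer.server.port=8000
        # Router A: TLS on, no resolver -> certificate picked from the store
        # that dynamic.yml filled (falls back to Traefik's generated default cert
        # if no SAN matches the requested host).
        - traefik.http.routers.app-local.rule=Host(`app.internal.example`)
        - traefik.http.routers.app-local.entrypoints=https
        - traefik.http.routers.app-local.tls=true
        # Router B: same service, certificate obtained through the ACME resolver.
        - traefik.http.routers.app-le.rule=Host(`app.example.com`)
        - traefik.http.routers.app-le.entrypoints=https
        - traefik.http.routers.app-le.tls.certresolver=myresolver
```

Two operational points worth checking: `acme.json` contains private keys, so keep it on a persistent volume with mode 0600 (Traefik refuses to use it otherwise), and the file-provided certificate only wins for hosts whose name appears in its SANs, so a router whose `Host()` does not match any loaded certificate will silently get the generated default certificate rather than an error.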

Thanks for your answer.

The problem is, I want to be able to switch with one environment variable like LETSENCRYPT_ENABLE=true and fall back to using a local cert if false.

I am able to make it work if I delete my dynamic configuration while using letsencrypt, but it is cumbersome to make a volume optional with docker compose; I would need to do an override file.

Also, I thought about using a resolver for my local files so I could use something like TRAEFIK_RESOLVER=letsencrypt and TRAEFIK_RESOLVER=local in my environment but it doesn't look like it's possible.

I would love to see an elegant way to manage this if someone has done it already.