SSL certificate location command line option

I am new to Traefik and I coming from a Docker Flow Proxy background. I am trying to run Traefik 2.0 as a docker swarm service. Here is the command I am using...

docker service create \
--name traefik \
--network swarm-network \
-p 80:80 -p 443:443 -p 8080:8080 \
--mount 'type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock' \
--constraint 'node.role==manager' \
traefik:2.0.0 \
--api.insecure=true \
--providers.docker=true \
--providers.docker.swarmmode=true \
--providers.docker.watch=true \
--providers.docker.exposedbydefault=false \
--entrypoints.http.address=:80 \
--entrypoints.https.address=:443 \
**--tls.certificates.certFile=/opt/company.cert \
--tls.certificates.keyFile=/opt/company.key**

The part in Bold Font doesn't seem to be working. Can that not be added as command line option or am I using the wrong options?

Here is the error I am getting from the Traefik container:

command traefik error: failed to decode configuration from flags: field not found, node: tls

What am I doing wrong?

Or as an alternative, is there a default location I can put the certificates in and it just works automagically? That way I wouldn't have to specifiy the location.

Thanks in advance

It appears that you cannot pass these on the command line.

Traefik configuration is divided to static and dynamic see Configuration Overview

What you pass on the command line is static configuration. Allowed options are documented here. However TLS options are dynamic configuration, not static. It's documented here.

To quote:

Restriction

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores).

So it appears, that you are going to have to use the File Provider to pass this configuration.

So I added a traefik.yml file and put it on the top level directory. I added this option to the docker service create command "--providers.file.filename=/traefik.yml". Here are the contents of the traefik.yml file.

tls:
  certificates:
    - certFile: /opt/company.cert
      keyFile: /opt/company.key

I get this error in the logs...
command traefik error: invalid node traefik: no child

What else do I need to do?

Well, you cannot use the same file for both dynamic and static configuration. You specified that it's dynamic configuration via --providers.file.filename but traefik is also tries to load it as static configuration because you gave the file the default file name for static configuration. Since this file is not a valid static configuration it fails.

1 Like

This is another time that I'm confused by the way the Traefik team/docs use English. I want a dynamic configuration - in some environments it would be LetsEncrypt in another environment it would be self-signed. However, that does not seem possible. "Dynamic," in my view, should encapsulate certificate type. But if some certificate types are static only, then that aspect isn't really dynamic, right?

Good spot. I haven't seen a solution using TLS with "lets Encrypt' and "self-signed certificates' together

Let's Encrypt --> define certificate resolver in "static configuration" --> example

static.yaml
...
...
certificatesResolvers:
  myresolver:
    acme:
      email: your_email@example.com
      storage: acme.json
      dnsChallenge:
        provider: digitalocean

Self-signed certificates --> define certificate resolver in "Dynamic configuration" --> example

dynamic.yaml
...
...
tls:
  certificates:
    - certFile: /opt/company-01.cert
      keyFile: /opt/company-01.key

    - certFile: /opt/company-02.cert
      keyFile: /opt/company-02.key

    - certFile: /opt/company-03.cert
      keyFile: /opt/company-03.key

Any idea how to work together?
Thanks

1 Like

Can you file a bug on their GitHub and post back here? Seems easier to get help over there...