SSL certificates for non exposed services

Hello!

I am having this issue that is literally blocking all my services since I had to move from nginx-proxy to Traefik (due to its greater scalability).
I do not manage to have SSL/HTTPS on services that are not publicly exposed (with a DNS record on Cloudflare).

It is really weird because traefik.domain.com has the padlock, while whoami.domain.com doesn't! I tried a lot of configs and looked everywhere, and correctly configured Cloudflare as the provider, first with a zone token, then with the global API too..

I have literally been trying to make this work for whole days.

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
        ipv4_address: 172.25.0.2
    ports:
      - "80:80"
      - "443:443"
      - "853:853"
      - "25:25"
      - "465:465"
      - "993:993"
      - "4190:4190"
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      #- CF_DNS_API_TOKEN=${CF_API_TOKEN}
      - CF_API_KEY=${CF_API_KEY}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/traefik.yml:/traefik.yml:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/acme.json
      - ${DOCKER_VOLUMES_FOLDER}/traefik/config.yml:/config.yml:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_STR}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  whoami:
    image: "traefik/whoami:latest"
    container_name: "whoami"
    hostname: "whoami"
    user: "1000:1000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      proxy:
        ipv4_address: 172.25.0.20

this is my traefik.yml

api:
  dashboard: true
  debug: true

accessLog:
  filePath: "/var/log/access.log"

log:
  level: INFO
  format: json
  filePath: /var/log/traefik/traefik.log

accesslog:
  format: json
  filePath: /var/log/traefik/access.log

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: ":443"
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: cloudflare
        domains:
          - main: domain.com # change this to your proxy domain
            sans:
              - '*.domain.com' # change this to your proxy domain

  dot:
    address: ":853"
  smtp:
    address: ":25"

  smtp-ssl:
    address: ":465"

  imap-ssl:
    address: ":993"

  sieve:
    address: ":4190"


serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml


certificatesResolvers:
  cloudflare:
    acme:
      email: cfmail@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Am I missing something? T_T

If I try to "force" https into the browser URL, I get NS_ERROR_CONNECTION_REFUSED and the classic page where you have to click continue because the site is not safe.

These are some Traefik logs that should show that Cloudflare and its API are working:

{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [dns.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [bachelor.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [vault.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"vault.domain.com\"]...","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"dns.domain.com\"]...","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"bachelor.domain.com\"]...","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"vault.domain.com\"].","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"dns.domain.com\"].","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"bachelor.domain.com\"].","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}

What puzzles me the most is that traefik.domain.com is HTTPS and working great without any public DNS record on Cloudflare.

As internal DNS resolver (for DNS rewrites) I use AdGuard Home, a quite common use case; many also use Pi-hole.

Did you create the corresponding sub-domains with the correct IP or CNAME in DNS? Not all DNS resolvers support wildcards there.

I just set the DNS rewrites in AdGuard Home (Pi-hole-like), nothing else.

Shall I add A records on Cloudflare that point to my private IP addresses? As I understood, there are 3 options:
-> DNS rewrites in the local DNS resolver
-> Add A records that point to the containers' local IPs
-> Edit the hosts file and add the domains there
For now I only tried the first one; I have seen some videos on YouTube that go for the third one. The second one feels a bit sketchy/wrong, but I do not really know.

Connection refused would indicate the browser is accessing the wrong domain or the returned IP (or port) is not reachable from your client.

You could check the acme.json file for the created Traefik LE certificates.

This is all I did as configuration


and for traefik[dot]domain[dot]com it is working great...
The acme.json has domain.com and *.domain.com and seems fine to me.

You always need to use the Traefik IP.

All requests from client need to go to Traefik, which will forward them to the matching service.

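One way to check both points raised in the replies above (every internal hostname must resolve to the Traefik IP, and the wildcard certificate must actually cover that hostname), as an added example that is not part of this thread or of Traefik itself; the rewrite table, 192.168.1.10 as the Traefik host and the function names are constructed assumptions:

```python
# Added example (not from the thread): verify DNS rewrites reach Traefik and the wildcard cert covers each host.
import socket
import ssl
from typing import Callable, Dict, Iterable, List

def san_matches(name: str, san: str) -> bool:
    """Does one certificate SAN (exact or single-label wildcard) cover name?"""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return name == san
    # A wildcard matches exactly one label: *.domain.com covers
    # whoami.domain.com but neither domain.com nor a.b.domain.com.
    suffix = san[1:]                                   # ".domain.com"
    head = name[:-len(suffix)] if name.endswith(suffix) else ""
    return bool(head) and "." not in head

def cert_covers(name: str, sans: Iterable[str]) -> bool:
    return any(san_matches(name, s) for s in sans)

def check_rewrites(hosts: Iterable[str], traefik_ip: str,
                   resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Report 'ok' for each host that resolves to Traefik. A rewrite that points
    straight at a container IP bypasses the proxy: the backend only speaks
    plain HTTP, so https:// ends in 'connection refused'."""
    report: Dict[str, str] = {}
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError as exc:
            report[host] = f"unresolvable: {exc}"
            continue
        report[host] = "ok" if ip == traefik_ip else f"bypasses Traefik ({ip} != {traefik_ip})"
    return report

def served_cert_names(host: str, traefik_ip: str, port: int = 443) -> List[str]:
    """Live check: TLS handshake to Traefik with SNI=host, returning the DNS SANs.
    Chain verification stays on, so Traefik's self-signed fallback certificate
    (the 'site is not safe' page) raises SSLCertVerificationError instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                         # SANs are compared by cert_covers
    with socket.create_connection((traefik_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    # Constructed rewrite table: 192.168.1.10 stands in for the Traefik host, 172.25.0.20 is the whoami container IP.
    table = {"traefik.domain.com": "192.168.1.10", "whoami.domain.com": "172.25.0.20"}
    for host, status in check_rewrites(table, "192.168.1.10", lambda h: table[h]).items():
        print(f"{host:20} {status}")
```

Run it against the real resolver by dropping the `resolve` argument, and pair it with `cert_covers(host, served_cert_names(host, traefik_ip))` to confirm the certificate Traefik serves for that SNI is the Let's Encrypt wildcard and not the fallback.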

omg I feel so stupid, I was literally bypassing the reverse proxy! I forgot to delete these entries while migrating from nginx.

Thank you so much
