Hello!
I am having this issue that is literally blocking all my services since I had to move from nginx-proxy to traefik (due to its greater scalability).
I do not manage to have SSL/HTTPS on non-publicly exposed services (with a DNS record on Cloudflare).
It is really weird because I have traefik.domain.com that has the padlock, meanwhile whoami.domain.com doesn't! I tried a lot of configs and looked everywhere, correctly configured Cloudflare as provider both with a zone token, then the global API too..
It's literally been whole days that I am trying to make this work.
traefik:
  image: traefik:latest
  container_name: traefik
  restart: unless-stopped
  security_opt:
    - no-new-privileges:true
  networks:
    proxy:
      ipv4_address: 172.25.0.2
  ports:
    - "80:80"
    - "443:443"
    - "853:853"
    - "25:25"
    - "465:465"
    - "993:993"
    - "4190:4190"
  environment:
    - CF_API_EMAIL=${CF_API_EMAIL}
    #- CF_DNS_API_TOKEN=${CF_API_TOKEN}
    - CF_API_KEY=${CF_API_KEY}
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ${DOCKER_VOLUMES_FOLDER}/traefik/traefik.yml:/traefik.yml:ro
    - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/acme.json
    - ${DOCKER_VOLUMES_FOLDER}/traefik/config.yml:/config.yml:ro
    - ${DOCKER_VOLUMES_FOLDER}/traefik/logs:/var/log/traefik
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik.entrypoints=http"
    - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
    - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_AUTH_STR}"
    - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
    - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
    - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
    - "traefik.http.routers.traefik-secure.entrypoints=https"
    - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.com`)"
    - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
    - "traefik.http.routers.traefik-secure.service=api@internal"
whoami:
  image: "traefik/whoami:latest"
  container_name: "whoami"
  hostname: "whoami"
  user: "1000:1000"
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.whoami.entrypoints=https"
    - "traefik.http.routers.whoami.tls=true"
    - "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)"
    - "traefik.http.services.whoami.loadbalancer.server.port=80"
  networks:
    proxy:
      ipv4_address: 172.25.0.20
This is my traefik.yml:
api:
  dashboard: true
  debug: true
accessLog:
  filePath: "/var/log/access.log"
log:
  level: INFO
  format: json
  filePath: /var/log/traefik/traefik.log
accesslog:
  format: json
  filePath: /var/log/traefik/access.log
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: cloudflare
        domains:
          - main: domain.com # change this to your proxy domain
            sans:
              - '*.domain.com' # change this to your proxy domain
  dot:
    address: ":853"
  smtp:
    address: ":25"
  smtp-ssl:
    address: ":465"
  imap-ssl:
    address: ":993"
  sieve:
    address: ":4190"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: cfmail@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
Am I missing something? T_T
If I try to "force" https into the browser URL I get NS_ERROR_CONNECTION_REFUSED and the classic page in which you have to click continue because the site is not safe.
These are some traefik logs that should state that Cloudflare and its API are working:
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [dns.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [bachelor.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Trying to challenge certificate for domain [vault.domain.com] found in HostSNI rule","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"vault.domain.com\"]...","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"dns.domain.com\"]...","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"Looking for provided certificate(s) to validate [\"bachelor.domain.com\"]...","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"vault.domain.com\"].","providerName":"cloudflare.acme","routerName":"vaultwarden-https@docker","rule":"Host(`vault.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"dns.domain.com\"].","providerName":"cloudflare.acme","routerName":"adguard-https@docker","rule":"Host(`dns.domain.com`)","time":"2023-09-18T13:16:52Z"}
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","level":"debug","msg":"No ACME certificate generation required for domains [\"bachelor.domain.com\"].","providerName":"cloudflare.acme","routerName":"sorting_visualized_https@docker","rule":"Host(`bachelor.domain.com`)","time":"2023-09-18T13:16:52Z"}
What bugs me the most is that traefik.domain.com is HTTPS and working great without any public DNS record on Cloudflare.
As internal DNS resolver (for DNS rewrites) I use AdGuard Home, quite a common use case, and many also use Pi-hole too.
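A diagnostic worth running on a setup like the one above, added here as an example and not part of the original post: a small Python script that reads Traefik's acme.json and reports which stored certificates cover a given hostname, so you can tell whether the wildcard for *.domain.com was actually issued and stored before suspecting the router labels. It assumes the acme.json layout Traefik v2 writes (resolver name at top level, then Account and a Certificates list); the sample document below is constructed, with the PEM blobs left empty.

```python
import fnmatch  # noqa: F401  (kept for readers who prefer fnmatch; matching is done by hand below)
import json
import sys

# Constructed sample in the layout Traefik v2 writes to acme.json
# (resolver name -> Account + Certificates). Real files carry base64 PEM blobs
# in "certificate"/"key"; they are irrelevant for coverage checks and left empty.
SAMPLE_ACME_JSON = json.dumps({
    "cloudflare": {
        "Account": {"Email": "cfmail@example.com", "Registration": {}},
        "Certificates": [
            {"domain": {"main": "domain.com", "sans": ["*.domain.com"]},
             "certificate": "", "key": "", "Store": "default"},
            {"domain": {"main": "traefik.domain.com"},
             "certificate": "", "key": "", "Store": "default"},
        ],
    }
})

def _matches(host, pattern):
    """TLS wildcard semantics: '*' covers exactly one DNS label, never zero or two."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def certificates_in(acme_json_text):
    """Return (resolver, main, sans) for every certificate stored in acme.json."""
    data = json.loads(acme_json_text)
    found = []
    for resolver, body in data.items():
        for cert in body.get("Certificates") or []:
            dom = cert.get("domain", {})
            found.append((resolver, dom.get("main", ""), list(dom.get("sans") or [])))
    return found

def covering_certs(acme_json_text, host):
    """Stored certificates that would let Traefik serve `host` without a new ACME order."""
    host = host.lower().rstrip(".")
    return [(r, m, s) for r, m, s in certificates_in(acme_json_text)
            if any(_matches(host, p) for p in [m, *s])]

if __name__ == "__main__":
    # Usage: python check_acme.py /path/to/acme.json whoami.domain.com
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_ACME_JSON
    target = sys.argv[-1] if len(sys.argv) > 1 else "whoami.domain.com"
    hits = covering_certs(text, target)
    print(f"{target}: {'covered by ' + str(hits) if hits else 'NO stored certificate covers it'}")
```

If the wildcard entry is present but the browser still shows Traefik's self-signed default certificate, the problem is in how the router selects TLS, not in the ACME/Cloudflare side; if it is absent, the DNS challenge itself never completed.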