Struggling w/ simplest of DNS01 challanages 'hello world' examples

johntdyer · March 4, 2024, 2:03am

So I am strugging w/ the seemingly simplest of examples...

my compose file is as foillows

Docker Compose

 traefik:
    container_name: traefik
    hostname: traefik.dyer.house
    image: traefik:v3.0
    restart: always
    command:
      - --configFile=/traefik/traefik.yml

    env_file:
      - ./.env

    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - traefik_data:/traefik
      - traefik_cert:/letsencrypt
    
  whoami:
    image: traefik/whoami
    container_name: traefik-whoami
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.tls=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.dyer.house`)
      - traefik.http.routers.mywhoami.entrypoints=websecure,web

Then my traefik.yml file

api:
  insecure: true
  dashboard: true
  debug: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    http:
      tls: true
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxy

    watch: true
log:
  level: DEBUG

certificatesResolvers:
  letsencrypt:
    acme:
      # Staging
      # caserver: https://acme-staging-v02.api.letsencrypt.org/directory
      email: xxxxxx@xxxx.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 5s

Startup logs as follows:

gist.github.com

https://gist.github.com/johntdyer/45179dca1599195bfca0631cb9f2c6a2

debug.logs

```
phans ; docker logs traefik -f
traefik
traefik
[+] Running 34/34
 ⠿ Container traefik                           Started                               0.9s
 ⠿ Container dockerproxy                       Running                               0.0s
 ⠿ Container traefik-whoami                    Running                               0.0s
 ⠿ Container cadvisor                          Running                               0.0s
 ⠿ Container mimir                             Running                               0.0s

This file has been truncated. show original

docker-compose.yml

 traefik:
    container_name: traefik
    hostname: traefik.dyer.house
    image: traefik:v3.0
    restart: always
    command:
      - --configFile=/traefik/traefik.yml

    env_file:
      - ./.env

This file has been truncated. show original

traefik.yml

```
api:
  insecure: true
  dashboard: true
  debug: true

entryPoints:
  web:
    address: ":80"
    http:

This file has been truncated. show original

I am never seeing it actually issue a valid cert...

░▒▓    ~ ▓▒░ curl -Lv http://whoami.dyer.house            ░▒▓ 60 ✘  at 20:57:48  ▓▒░
*   Trying 192.168.100.3:80...
* Connected to whoami.dyer.house (192.168.100.3) port 80
> GET / HTTP/1.1
> Host: whoami.dyer.house
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://whoami.dyer.house/
< Date: Mon, 04 Mar 2024 02:02:32 GMT
< Content-Length: 17
<
* Ignoring the response-body
* Connection #0 to host whoami.dyer.house left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://whoami.dyer.house/'
*   Trying 192.168.100.3:443...
* Connected to whoami.dyer.house (192.168.100.3) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
░▒▓    ~ ▓▒░

Unsure how best to proceed... Any help would be appreciated. Thanks

-John

johntdyer · March 4, 2024, 2:05am

I am tried numerous times to delete the acme.json file to get it to issue a cert but it never seemingly issues a value one. At this point I am rate limited and giving up for the night but hoping someone else can spot what I am sure is a stupid error somewhere in my work.. Thanks again

bluepuma77 · March 4, 2024, 5:49am

Where is your network definition in docker-compose.yml?

Use curl -k to access the insecure website and check the response, if it reaches the target service.

You set tls=true, but that only enables custom TLS. You need to assign the certresolver, preferably to entrypoint (or to router).

Check and compare to simple Traefik example.

johntdyer · March 4, 2024, 12:03pm

The network is there, i just didnt include it in my excerpt from the yaml....

Here is the verbose curl... what exactly am i looking for ?

░▒▓    ~ ▓▒░ curl -Lkv http://whoami.dyer.house           ░▒▓ 60 ✘  at 21:02:32  ▓▒░
*   Trying 192.168.100.3:80...
* Connected to whoami.dyer.house (192.168.100.3) port 80
> GET / HTTP/1.1
> Host: whoami.dyer.house
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://whoami.dyer.house/
< Date: Mon, 04 Mar 2024 12:01:43 GMT
< Content-Length: 17
<
* Ignoring the response-body
* Connection #0 to host whoami.dyer.house left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://whoami.dyer.house/'
*   Trying 192.168.100.3:443...
* Connected to whoami.dyer.house (192.168.100.3) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Mar  4 01:57:42 2024 GMT
*  expire date: Mar  4 01:57:42 2025 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://whoami.dyer.house/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: whoami.dyer.house]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: whoami.dyer.house
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< date: Mon, 04 Mar 2024 12:01:43 GMT
< content-length: 372
<
Hostname: e267d3534521
IP: 127.0.0.1
IP: 172.27.0.3
RemoteAddr: 172.27.0.2:60154
GET / HTTP/1.1
Host: whoami.dyer.house
User-Agent: curl/8.4.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.100.121
X-Forwarded-Host: whoami.dyer.house
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik.dyer.house
X-Real-Ip: 192.168.100.121

* Connection #1 to host whoami.dyer.house left intact
░▒▓    ~ ▓▒░

johntdyer · March 4, 2024, 12:17pm

Updated logs based on your example.... still no valid cert

gist.github.com

https://gist.github.com/johntdyer/deb9274662b71cdc4179c9ed5a785e85

updated.log

/var/log # cat traefik.log
2024-03-04T07:15:22-05:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.0.0-rc1 built on 2024-02-13T13:41:20Z version=3.0.0-rc1
2024-03-04T07:15:22-05:00 DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filters":{},"format":"common"},"api":{"dashboard":true},"certificatesResolvers":{"myresolver":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"cloudflare"},"email":"johntdyer@gmail.com","keyType":"RSA4096","storage":"/letsencrypt/acme.json"}}},"entryPoints":{"web":{"address":":80","forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":2147483646,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","asDefault":true,"forwardedHeaders":{},"http":{"tls":{"certResolver":"myresolver"}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"filePath":"/var/log/traefik.log","format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"proxy","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2024-03-04T07:15:22-05:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:599 >
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2024-03-04T07:15:22-05:00 INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
2024-03-04T07:15:22-05:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure

This file has been truncated. show original

johntdyer · March 4, 2024, 12:18pm

I stand corrected, the cert is working now.... so now I need to diff and understand what from your example I am overlooking.. Thanks for the example

Topic		Replies	Views
Questions regarding my Traefik 3 configuration Traefik v3 (latest) docker , letsencrypt-acme , cli	2	151	June 6, 2024
Attempt to rewrite minimal Traefik example to use TLS does not work Traefik v2 docker	5	345	August 8, 2022
Lets encrypt for multiple subdomains Traefik v3 (latest) docker	5	1661	March 15, 2024
I don't know how to run CLI commands Traefik v3 (latest) cli	6	52	November 9, 2024
Traefik and configure with namecheap Traefik v3 (latest) docker	3	113	January 20, 2025

Struggling w/ simplest of DNS01 challanages 'hello world' examples

Docker Compose

Related topics