The dashboard is not accessible: bug or wrong code?

Of course, it can’t work with LetsEncrypt. They require a public domain name and that is validated. You can’t get a LE certificate for localhost.

1 Like

I am working on a real server and an existing domain. The strange thing is that it worked in the past.

I have a server at Amazon AWS and two active domains. The first domain is on Freenom (something.ml), the second domain is on Ionos (something.com). This morning I deleted everything from the Amazon server and reloaded the project. I'll tell you what happened:

  1. I wrote something.ml in the browser and noticed that the certificate was missing;
  2. After a few minutes I tried again and the certificate was missing;
  3. I ate a snack, I tried again and the certificate was present (the problem described in the first post of this thread persists);
  4. I deleted everything from the server and uploaded the project related to something.com;
  5. I typed something.com in the browser and noticed that the certificate was missing;
  6. In the log file I find this:
too many certificates (5) already issued for this exact set of domains in the last 168 hours

(On something.com I never got a certificate!)
(On the project I'm testing I have 5 subdomains. Is that too many?)

  1. I opened a new domain on Freenom (something.ga);
  2. I inserted the following string into the project:
traefik.http.routers.dashboard.rule: Host(`www.proxy.${NOME_A_DOMINIO}`)
  1. I deleted everything from the server;
  2. I reloaded a new Docker project with something.ga;
  3. I waited for Docker to finish creating images and containers;
  4. I typed something.ga in the browser and noticed that the certificate was missing;
  5. After a few seconds I tried again and the certificate was missing;
  6. After a few minutes I tried again and the certificate was present;
  7. The problem described in the first post persists;
  8. I inserted the following string into the project as you suggested:
traefik.http.routers.dashboard.rule: Host(`www.proxy.${NOME_A_DOMINIO}`) || Host(`proxy.${NOME_A_DOMINIO}`)
  1. I reloaded the project;
docker compose up -d --force-recreate
  1. I waited for Docker to finish;
  2. I typed something.ga in the browser and noticed that the certificate was missing;
  3. After a few seconds I tried again and the certificate was missing;
  4. After a few minutes I tried again and the certificate was present;
  5. The problem described in the first post persists;

This Traefik has 2 bugs:

  1. The certificate is missing on traefik.something.extension. After entering the credentials, the certificate appears but before it is absent, as described in the first post.

  2. You don't get the certificate after all volumes and containers are created (there is some malfunction). This is not a real problem, after a few minutes it resolves itself. This is just a malfunction.

This proxy has bugs. I'm sorry that the Traefik Team is not interested in this discussion but I am convinced that if they read my code they will find a new bug for Traefik.

This code doesn't work, it has a bug, sorry to say this but it's the truth. Try opening a domain on Freenom, it's free. You will see with your own eyes what I write.

LetsEncrypt has API usage limits, like create 5 certificates for a domain (or exact set of domains) within 168 hours.

You need to make sure that your persistently store the acme.json file to not create a new cert on every Traefik container re-create.

1 Like

I'll try again with the .com domain in a week. The remaining problem is the one described in the first post. I tried to update Traefik version (v.2.9.5). The bug persists.

I also noticed that the acme.json file is empty. Is the following code correct with Traefik 2.9.5?

- ./volumes/data-letsencrypt/:/letsencrypt

If I save the acme.json file on my PC and replace it with the one on the server when I exceed the limits, do I solve it?

If you have a valid acme.json, you can copy it around and have Traefik use it. Be aware the LE certificates expire after around 90 days.

In general you can not use LetsEncrypt with localhost. LE will try to verify your domain name and the IP, and of course it can't reach your localhost to do that.

Here is a workin example docker-compose.yml with Traefik, dashboard, LetsEncrypt, LE certs stored on host, http->https and www redirect - and a service:

#docker-compose.yml
version: '3.9'

services:
  traefik:
    image: traefik:v2.9
    ports:
      - published: 80
        target: 80
        protocol: tcp
        mode: host
      - published: 443
        target: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik-certificates:/traefik-certificates
    command:
      --providers.docker=true
      --providers.docker.network=proxy
      --providers.docker.exposedByDefault=false
      --entryPoints.web.address=:80
      --entryPoints.web.http.redirections.entryPoint.to=websecure
      --entryPoints.web.http.redirections.entryPoint.scheme=https
      --entryPoints.websecure.address=:443
      --entryPoints.websecure.http.tls=true
      --api.debug=true
      --api.dashboard=true
      --log.level=DEBUG
      --accesslog=true
      --certificatesResolvers.myresolver.acme.email=mail@example.com
      --certificatesResolvers.myresolver.acme.tlschallenge=true
      --certificatesResolvers.myresolver.acme.storage=/traefik-certificates/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.entrypoints=websecure
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`) || Host(`www.traefik.example.com`)
      - traefik.http.routers.mydashboard.tls.certresolver=myresolver
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth,mywwwremove
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
      - traefik.http.middlewares.mywwwremove.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwremove.redirectregex.replacement=https://$${1}
      - traefik.http.services.dummy-svc.loadbalancer.server.port=9999

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.rule=Host(`example.com`) || Host(`www.example.com`)
      - traefik.http.routers.mywhoami.tls.certresolver=myresolver
      - traefik.http.routers.mywhoami.middlewares=mywwwremove
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
    driver: overlay
    attachable: true
  • Note that the rule must include both host names ( example.com, www.example.com )
  • Not sure docker compose will automatically create the network if not in Swarm mode
1 Like

I tried your code and it works the same as mine:

  1. I get the certificate on 'example.com';
  2. I don't get the certificate on 'traefik.example.com';
  3. I get the certificate on 'traefik.example.com' only after entering the credentials on an insecure and interceptable connection.

Now do you believe me when I tell you that Traefik has a bug?

I also answer your question regarding the network. Yes, you need to create the proxy network.
I am sorry that the Traefik team is not interested in my question. It is a thread dated October 17, 2022 with 222 visits and 28 replies. Seems like superficial behavior to me. On the site I can't even find an email to write to the Traefik team.
I also noticed that after running your code it takes some time for the browser to find the certificate. I don't understand why this happens but it's absolutely not a problem to wait a few minutes.

Thanks

Try latest image: traefik:v2.9.6.

I just tested it again, it works for me. If you don't get a LetsEncrypt certificate, than you need to check your Traefik logs for errors. Make sure your DNS ist set for the right (sub-)domains and IPs.

Try changing example.com and traefik.example.com around between the services to see if it makes a difference.

This is a community forum with community support. If you want to create official tickets with Traefik, then you probably have to buy a support package.

1 Like

image: traefik:v2.9.6

I tried again now with 2.9.6 and I get the same result.

The fact that the Team is not even contactable is a sign of superficiality.

I saw that Traefik 3 is also there. Are you sure 2.9.6 is the latest?

My dns is set up correctly:

'' A 3600 ip-server
www A 3600 ip-server
traefik A 3600 ip-server
www.traefik A 3600 ip-server

Can you show me your domain that the script works on?

Can you tell me which dns you use? I use freenom.

Can you tell me which cloud you use? I use Amazon AWS.

Can you show me your dns configuration?

I am using exactly your code. I just can't figure out how it can work on your server and not work on mine. Please use the exact code you posted and try again.

Hi @Milano2022,

you have to recognize that I am just an average Traefik user. I probably spend 1h of my free time with your issue, not being paid. If it does not work, it seems I can not help you.

You seem very demanding, why don't you check things yourself, like the latest release (Github, Docker). And without providing full config and debug logs (grep for error), everyone else who might want to support you is navigating blindly.

Here is my latest docker-compose.yml, I use tlschallenge, moved resolver-assignment to entrypoint (reduces labels) and place acme.json in a Docker volume. The existing network proxy is overlay. This works for me on a plain Docker node, not Swarm member. The only things I replaced was email and domains.

version: '3.9'

services:
  traefik:
    image: traefik:v2.9.6
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    command:
      --providers.docker=true
      --providers.docker.exposedByDefault=false
      --entryPoints.web.address=:80
      --entryPoints.web.http.redirections.entryPoint.to=websecure
      --entryPoints.web.http.redirections.entryPoint.scheme=https
      --entryPoints.websecure.address=:443
      --entryPoints.websecure.http.tls=true
      --entryPoints.websecure.http.tls.certResolver=myresolver
      --api.debug=true
      --api.dashboard=true
      --log.level=DEBUG
      --accesslog=true
      --certificatesResolvers.myresolver.acme.email=mail@example.com
      --certificatesResolvers.myresolver.acme.storage=/certificates/acme.json
      --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.example.com`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=auth
      - 'traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/'

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

  whoami2:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami2.entrypoints=websecure
      - traefik.http.routers.whoami2.rule=Host(`example2.com`) || Host(`whoami.example2.com`)
      - traefik.http.services.whoami2.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
    external: true

volumes:
  traefik-certificates:
1 Like

PS: It takes some seconds for Traefik to generate a new LE cert, so if you are quick enough after startup you might see at least an error about a wrong certificate in your browser.

1 Like

You are right, sorry for my dislike but I am exasperated with this issue.
I tested your second code and I keep seeing the same problem.
1 - Before entering the credentials, the connection is not secure;
2 - After I have entered the credentials, the connection becomes secure.
I don't think the code you sent me on your server works.
In my opinion, you too have the same problem or you are using a different code than the one you insert in this post.
Can you provide me your URL so I can try your proxy control panel?

1 - Server features

 docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
  compose: Docker Compose (Docker Inc., v2.12.2)
  scan: Docker Scan (Docker Inc., v0.21.0)

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 20.10.21
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: vyrqu3lgn68vvuuy62tadrl2h
  Is Manager: true
  ClusterID: uq28qbgtomc1ekrqhdiud4giq
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 172.31.93.187
  Manager Addresses:
   172.31.93.187:2377
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: a05d175400b1145e5e6a735a6710579d181e7fb0
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-1023-aws
 Operating System: Ubuntu 22.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.926GiB
 Name: ip-172-31-93-187
 ID: LZQ7:JFU4:YTJK:LV4U:TKDI:SQLE:O25P:JQP7:QMRF:DIKO:OFGK:D5AH
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

2 - Docker releases

docker version
Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:01:58 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 17:59:49 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.12
  GitCommit:        a05d175400b1145e5e6a735a6710579d181e7fb0
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

3 - I don't use Github

4 - Log

time="2022-12-10T19:54:12Z" level=debug msg="Authentication failed" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:20Z" level=debug msg="Serving default certificate for request: \"traefik.-----.cf\""
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:21Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:27Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:27Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:27Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:28Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:28Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:28Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:28Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:29Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
time="2022-12-10T19:54:29Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:29Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:30Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:32Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
time="2022-12-10T19:54:37Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker

5 - Certificate

{
  "myresolver": {
    "Account": {
      "Email": "mail@federicogalimberti.tk",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:mail@federicogalimberti.tk"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/865339287"
      },
      "PrivateKey": "...",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "traefik.federicogalimberti.tk"
        },
        "certificate": "...",
        "key": "...",
        "Store": "default"
      },
      {
        "domain": {
          "main": "federicogalimberti.tk"
        },
        "certificate": "...",
        "key": "...",
        "Store": "default"
      }
    ]
  }
}

6 - The code I use to launch the project

version: '3.9'

services:
  traefik:
    image: traefik:v2.9.6
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./volumes/data-letsencrypt/:/certificates
      - ./volumes/data-log/:/data-log
    command:
      --providers.docker=true
      --providers.docker.exposedByDefault=false
      --entryPoints.web.address=:80
      --entryPoints.web.http.redirections.entryPoint.to=websecure
      --entryPoints.web.http.redirections.entryPoint.scheme=https
      --entryPoints.websecure.address=:443
      --entryPoints.websecure.http.tls=true
      --entryPoints.websecure.http.tls.certResolver=myresolver
      --api.debug=true
      --api.dashboard=true
      --log.level=DEBUG
      --log.filePath=/data-log/traefik.log
      --accesslog=true
      --certificatesResolvers.myresolver.acme.email=mail@federicogalimberti.tk
      --certificatesResolvers.myresolver.acme.storage=/certificates/acme.json
      --certificatesresolvers.myresolver.acme.tlschallenge=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.federicogalimberti.tk`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=auth
      - 'traefik.http.middlewares.auth.basicauth.users=test:$$1$$t0sCijNf$$zTvbPuELQC0/wvqNfZ4mc0'

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.rule=Host(`federicogalimberti.tk`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
    external: true

cd /home/ubuntu/www.federicogalimberti.tk
#
docker swarm leave --force
docker compose down --volumes
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
docker volume rm $(docker volume ls -q)
docker container prune -f
docker volume prune -f
docker network prune -f
docker image prune -f
docker system prune -f
docker system prune -a -f
#
docker images
docker container ls
docker volume ls
docker network ls
docker node ls
#
sudo rm -rf /home/ubuntu/www.federicogalimberti.tk/volumes/data-log/*
sudo mkdir -p /home/ubuntu/www.federicogalimberti.tk/volumes/data-log/
sudo echo '{}' > /home/ubuntu/www.federicogalimberti.tk/volumes/data-log/traefik.log
sudo chmod 600 /home/ubuntu/www.federicogalimberti.tk/volumes/data-log/traefik.log
#
sudo rm -rf /home/ubuntu/www.federicogalimberti.tk/volumes/data-letsencrypt/*
sudo mkdir -p /home/ubuntu/www.federicogalimberti.tk/volumes/data-letsencrypt/
sudo echo '{}' > /home/ubuntu/www.federicogalimberti.tk/volumes/data-letsencrypt/acme.json
sudo chmod 600 /home/ubuntu/www.federicogalimberti.tk/volumes/data-letsencrypt/acme.json
#
docker swarm init
docker network create --driver overlay --attachable proxy
docker compose up -d --build
#
docker images
docker container ls
docker volume ls
docker node ls
docker network ls
#
sudo chmod 777 /home/ubuntu/www.federicogalimberti.tk/volumes/data-log/traefik.log
sudo chmod 777 /home/ubuntu/www.federicogalimberti.tk/volumes/data-letsencrypt/acme.json

7 - DNS configuration

8 - Errors on the browser (Use 'test' and 'password' to see.)

Sometimes I shut down the server to save money. If you try now you will find everything turned on.

Here you will find all the information and the complete log file.

Password: dh37254dbhjdi72gf1js7856abdh

Wow, that was probably a lot of work. I understand your distress, been there many times, lost many hairs (much hair?) while wondering why Traefik is not doing what I want :wink:

Think about removing or reducing your last post, you have many domains (personal, cupido), your email and dashboard PW in there.

The log is good. Searching for error show some information.

Browser not happy with served cert, it's a custom Traefik default, no LE yet

time="2022-12-10T19:04:46Z" level=debug msg="Serving default certificate for request: \"traefik.fedxyz.tk\""
time="2022-12-10T19:04:46Z" level=debug msg="http: TLS handshake error from 151.44.42.98:11974: remote error: tls: unknown certificate"

LetsEncrypt certificate acquired for domain

time="2022-12-10T19:05:00Z" level=debug msg="legolog: [INFO] [traefik.fedxyz.tk] Server responded with a certificate."
time="2022-12-10T19:05:00Z" level=debug msg="Certificates obtained for domains [traefik.fedxyz.tk]" routerName=api@docker rule="Host(`traefik.fedxyz.tk`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolver.acme

Later, LetsEncrypt certificate already exists and does not need to be renewed

time="2022-12-10T19:05:02Z" level=debug msg="No ACME certificate generation required for domains [\"traefik.fedxyz.tk\"]." routerName=api@docker rule="Host(`traefik.fedxyz.tk`)" providerName=myresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"

Currently the server is not reachable. That's too bad because I have the browsers' network tab already open and I expect that I do get a forward and then a TLS/SSL connection when calling 'http://traefik.fedxyz.tk'.

I am a bit suspicious if your browser shows you the real thing. It looks so Windows :wink: Because in reality we are talking about 3 request/response pairs to get to the dashboard:

  1. Request: http://traefik.fedxyz.tk/dashboard/
    Response: move to https
HTTP/1.1 301 Moved Permanently
Location: https://traefik.fedxyz.tk/dashboard/
  1. Request: https://traefik.fedxyz.tk/dashboard/
    Response: needs authentication
HTTP/2 401
content-type: text/plain
www-authenticate: Basic realm="traefik"
  1. Request: https://traefik.fedxyz.tk/dashboard/ (with credentials)
    Response (with page content):
HTTP/2 200

You can check in the browsers' network tab or on the command line with the curl utility:

curl -v http://traefik.fedxyz.tk/dashboard/
curl -v https://traefik.fedxyz.tk/dashboard/
1 Like

I reopened the instance. If you try now it works.
I'm glad you understood the problem.
I removed the information relating to sites that are not mine, the rest can remain.
Anyone who clicks on that link and reads that the connection is not secure thinks that the site is not professional or has dangerous links.
This evening I'll try to see with Linux and Apple if I get the same problem. I use Windows.

As expected, http -> https and TLS/SSL are working fine.

I don't have your password, so I did not do step 3.

1 Like

I never said the redirect was incorrect.
All browsers provide this message:

Your connection to this site is not secure
The site does not have a certificate.
Since the connection is not secure, information (such as passwords or credit cards) will not be sent securely to this site and could be intercepted or viewed by others.

Basically the https protocol, as shown in my previous images, is present but the certificate is missing.
In the post above you will find the credentials to log in, they are written in bold. You have to use 'test' and 'password'.

When I access your https site, it has encryption enabled - even when asking for password.

Before

Your connection to this site is not secure
The site does not have a certificate.
Since the connection is not secure, information (such as passwords or credit cards) will not be sent securely to this site and could be intercepted or viewed by others.

After

La connessione è sicura
Questo sito ha un certificato valido, emesso da un'autorità attendibile.
Le informazioni (ad esempio le password o le carte di credito) verranno inviate in modo sicuro a questo sito e non possono essere intercettate.
Assicurati sempre di essere nel sito desiderato prima di immettere informazioni.​

Maybe you don't see the problem because you hit 'cancel' and you get to the '401 Unauthorized' page. The 401 page has a valid certificate. As you type your credentials the certificate is not valid.

Does your site have this problem too or just mine?

I do not hit cancel. When the password dialog is open, I see working TLS. When I get to the site with user/pass, I see working TLS.

I am using Mac with Firefox. Maybe just switch your browser. I think your browser is just showing sh*# (sorry).

Alternatively you can use tools like Wireshark (open-source) to really look into the TCP/IP traffic going from your PC to your server. It will show you which connections use TLS.

1 Like