TLS certificate error

Hi,
I am trying to configure an HTTP router with TLS terminated on the external balancer and on the Docker container:

EXTERNAL LOAD BALANCER <=> HTTPS <=> TRAEFIK <=> HTTPS <=> APPLICATION

I inserted the following labels:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.snipe-it.rule=Host(`asset.company.it`)"
      - "traefik.http.routers.snipe-it.entrypoints=websecure"
      - "traefik.http.services.snipe-it.loadbalancer.server.port=443"
      - "traefik.http.services.snipe-it.loadbalancer.server.scheme=https"
      - "traefik.http.routers.snipe-it.tls=true"
      - "traefik.http.services.snipe-it.loadbalancer.passhostheader=true"

but I get the following error:
{"level": "debug", "msg":"'500 Internal Server Error' caused by: tls: failed to verify certificate: x509: cannot validate certificate for 172.21.0.9 because it doesn't contain any IP SANs", "time": "2023-11-05T01:31:30Z"}

I tried using the option serversTransports.insecureSkipVerify: true both in the static conf and as a label, but it doesn't work. How can I make Traefik not do this verification on the certificate?

Both on the external balancer and on the container there is a wildcard certificate *.company.it.

thanks

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Is your external LB terminating TLS? Is it configured with a cert? What cert do you use between LB and Traefik? What cert do you use between Traefik and app?

traefik docker-compose.yml

version: '3.9'

services:
  traefik:
    image: traefik:latest
    container_name: Traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      # - 8080:8080  # Optional port for the Traefik admin interface; do not use in prod!
    volumes:
      - /data/docker/appdata/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/logs/traefik:/var/log/traefik
    networks:
      - Proxy
networks:
  Proxy:
    external: true

Application docker-compose.yml:

version: '3.9'

services:
  snipeit:
    build:
      context: .
      dockerfile: Dockerfile.alpine
    container_name: Snipe-IT
    volumes:
      - /data/docker/logs/snipe-it:/var/www/html/storage/logs
      - /data/docker/logs/snipe-it/apache:/var/log/apache2
      - /data/docker/appdata/snipe-it/storage:/var/lib/snipeit
      - /data/docker/appdata/snipe-it/backups:/var/lib/snipeit/dumps
    env_file:
      - .env.docker
    networks:
      - Proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.snipe-it.rule=Host(`beni.company.it`)"
      - "traefik.http.routers.snipe-it.entrypoints=websecure"
      - "traefik.http.services.snipe-it.loadbalancer.server.port=443"
      - "traefik.http.services.snipe-it.loadbalancer.server.scheme=https"
      - "traefik.http.routers.snipe-it.tls=true"
      - "traefik.http.services.snipe-it.loadbalancer.passhostheader=true"
networks:
  Proxy:
    external: true

Traefik static conf:

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level: DEBUG

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  format: json
  filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
accesslog:
  format: json  # common, json, logfmt
  filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: false # Don't do this in production!
# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    #http:
    #  redirections:
    #    entryPoint:
    #      to: websecure

  websecure:
    address: :443
  #mysql:
  #  address: :3306
# Configure your CertificateResolver here...
# ---
#certificatesResolvers:
#  staging:
#    acme:
#      email: webmaster@company
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web
#  production:
#    acme:
#      email: webmaster@company
#      storage: /etc/traefik/certs/acme.json
#      caServer: "https://acme-v02.api.letsencrypt.org/directory"
#      httpChallenge:
#        entryPoint: web

# (Optional) Overwrite Default Certificates
#tls:
#  Certificate:
#     certFile: /etc/traefik/certs/cert.pem
#     keyFile: /etc/traefik/certs/cert-key.pem
#     caFile: /etc/traefik/certs/ca.pem
# (Optional) Disable TLS version 1.0 and 1.1
#  options:
#    default:
#      minVersion: VersionTLS12
#      cipherSuites:
#        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
#        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

providers:
  docker:
    exposedByDefault: false
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

# Dynamic Configuration
http:
  routers:
    dashboard:
      rule: Host(`rproxy.company.it`) #&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      entryPoints:
        - web
      #tls:
      #  options: default
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        usersFile: "/etc/traefik/.htpasswd"

traefik dynamic conf: certificates.yml

tls:
  certificates:
    - certFile: /etc/traefik/certs/cert.pem
      keyFile: /etc/traefik/certs/cert-key.pem

I tried putting in the servertransport suggestions but nothing changed

Yes @bluepuma77, TLS is terminated on both the external LB and the container running the web app; both have a valid, non-self-signed certificate with CN=*.company.it.

thanks

Any news @bluepuma77?
Now if I regenerate the app-side certificate with openssl including the IP, I see "'500 Internal Server Error' caused by: tls: failed to verify certificate: x509: certificate signed by unknown authority".

thanks

Did you try this in traefik.yml (doc)?

## Static configuration
serversTransport:
  insecureSkipVerify: true

Note that this should go into a dynamic.yml file, not into static traefik.yml:

# Dynamic Configuration
http:
  routers:

(It probably works because you read traefik.yml again with providers.file)
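As an added example (not part of the thread): instead of switching verification off, the two errors reported above (no IP SAN for 172.21.0.9, then "certificate signed by unknown authority") can both be addressed by giving Traefik a serversTransport that verifies the backend by its DNS name and trusts the issuing CA. Assumptions: the transport name `snipeit-tls` and the CA bundle path `/etc/traefik/certs/ca.pem` (mounted into the Traefik container via /etc/traefik) are made up for this example.

```yaml
# Labels on the Snipe-IT container (docker provider). The router/service
# labels are the ones already used in the thread; the serversTransport
# lines are the addition.
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.snipe-it.rule=Host(`beni.company.it`)"
  - "traefik.http.routers.snipe-it.entrypoints=websecure"
  - "traefik.http.routers.snipe-it.tls=true"
  - "traefik.http.services.snipe-it.loadbalancer.server.port=443"
  - "traefik.http.services.snipe-it.loadbalancer.server.scheme=https"
  - "traefik.http.services.snipe-it.loadbalancer.passhostheader=true"
  # Attach a dedicated transport to this service (name is an assumption).
  - "traefik.http.services.snipe-it.loadbalancer.serverstransport=snipeit-tls@docker"
  # Send this name as SNI and check the backend cert against it, so the
  # *.company.it wildcard matches even though Traefik dials the container IP.
  - "traefik.http.serverstransports.snipeit-tls.servername=beni.company.it"
  # CA that issued the backend certificate (assumed path inside the Traefik
  # container). Only needed when the issuer is not in the system trust store,
  # e.g. the openssl-generated cert from the follow-up post.
  - "traefik.http.serverstransports.snipeit-tls.rootcas=/etc/traefik/certs/ca.pem"
  # insecureskipverify is intentionally left at its default (false).
```

With this in place a mismatch still shows up in the debug log as a "tls: failed to verify certificate" 500, which is the signal you want to keep rather than silence.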

Worked by inserting the static part and using labels on the container instead of the dynamic part.

Labels are "dynamic" config, loaded via providers.docker, not by providers.file :grin:

Thank you; saved me from my agony