Traefik 2.4 can't create a resolver

Attempted to create a certresolver with the following attached:

version: "3.7"
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

services:
  reverse-proxy:
    image: traefik:v2.4
    container_name: traefik
    hostname: traefik
    security_opt:
      - no-new-privileges:true
    command: 
      #- --configFile=/traefikbasic.yml
      - --global.checkNewVersion=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
      - --api.insecure=true 
      - --api.dashboard=true
      - --providers.docker
      - --log=true
      - --log.level=DEBUG
      - --log.filePath=/traefik.event.log
      - --accesslog=true
      - --accesslog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accesslog.filters.statusCodes=400-499
      - --accesslog.filepath=/traefik.access.log
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.${domain}`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --certificatesResolvers.cfresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.cfresolver.acme.email=/run/secrets/cloudflare_email
      - --certificatesResolvers.cfresolver.acme.storage=/acme.json
      - --certificatesResolvers.cfresolver.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.cfresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${docker_dir}\traefik2\traefik.event.log:/traefik.event.log
      - ${docker_dir}\traefik2\traefik.access.log:/traefik.access.log
      - ${docker_dir}\traefik2\rules:/rules
      - ${docker_dir}\shared\.htpasswd:/shared/.htpasswd
      - ${docker_dir}\traefik2\acme\acme.json:/acme.json
    environment: 
      - CF_API_EMAIL_FILE=/run/secret/cloudflare_email
      - CF_API_KEY_FILE=/run/secret/cloudflare_api_key
    networks:
      t2_proxy:
        ipv4_address: 192.168.86.254 # You can specify a static IP
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=cfresolver" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      
secrets:
  cloudflare_email:
    file: ${mdsrv_dir}\secrets\cloudflare\cloudflare_email
  cloudflare_api_key:
    file: ${mdsrv_dir}\secrets\cloudflare\cloudflare_api_key

.env file corresponding to the variables in the yml:

############ Basics
PUID=1000
PGID=1000
TZ=Americas/New_York
docker_dir=C:\Users\marcus\mdsrv\docker
data_dir=C:\Users\marcus\mdsrv\data
mdsrv_dir=C:\Users\marcus\mdsrv
DOMAINNAME=someexample.com

Log file still says:
time="2021-02-25T22:17:17Z" level=debug msg="Adding route for traefik.someexample.com with TLS options default" entryPointName=websecure
time="2021-02-25T22:17:17Z" level=error msg="the router traefik-rtr@docker uses a non-existent resolver: cfresolver"

Hello @smrtrock,

The issue is related to the way the volume is created:

${docker_dir}\traefik2\acme\acme.json:/acme.json
and the location for the file acme.json
--certificatesResolvers.cfresolver.acme.storage=/acme.json

I fixed that by implementing those two simple changes:

  1. ${docker_dir}/traefik2/acme/acme.json/:/data/

  2. - --certificatesresolvers.cfresolver.acme.storage=/data/acme.json

I hope that helps,

@jakubhajek I tried the recommended fix and I get:

today at 10:46 AM time="2021-02-26T15:46:53Z" level=error msg="The ACME resolver "cfresolver" is skipped from the resolvers list because: unable to get ACME account: open /data/acme.json: not a directory"

When I put it back I get the following:

  • today at 10:58 AM time="2021-02-26T15:58:36Z" level=debug msg="Static configuration loaded {"global":{"checkNewVersion":true},"serversTransport":{"maxIdleConnsPerHost":200},"entryPoints":{"traefik":{"address":":8080","transport":{"lifeCycle":{"graceTimeOut":10000000000},"respondingTimeouts":{"idleTimeout":180000000000}},"forwardedHeaders":{},"http":{}},"web":{"address":":80","transport":{"lifeCycle":{"graceTimeOut":10000000000},"respondingTimeouts":{"idleTimeout":180000000000}},"forwardedHeaders":{},"http":{}},"websecure":{"address":":443","transport":{"lifeCycle":{"graceTimeOut":10000000000},"respondingTimeouts":{"idleTimeout":180000000000}},"forwardedHeaders":{"trustedIPs":["173.245.48.0/20","103.21.244.0/22","103.22.200.0/22","103.31.4.0/22","141.101.64.0/18","108.162.192.0/18","190.93.240.0/20","188.114.96.0/20","197.234.240.0/22","198.41.128.0/17","162.158.0.0/15","104.16.0.0/12","172.64.0.0/13","131.0.72.0/22"]},"http":{}}},"providers":{"providersThrottleDuration":2000000000,"docker":{"watch":true,"endpoint":"unix:///var/run/docker.sock","defaultRule":"Host({{ index .Labels \\\"com.docker.compose.service\\\" }}.docker.localhost)","network":"t2_proxy","swarmModeRefreshSeconds":15000000000},"file":{"directory":"/rules","watch":true}},"api":{"insecure":true,"dashboard":true},"log":{"level":"DEBUG","format":"common"},"accessLog":{"filePath":"/traefik.access.log","format":"common","filters":{"statusCodes":["400-499"]},"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"bufferingSize":100},"certificatesResolvers":{"cfresolver":{"acme":{"email":"/run/secrets/cloudflare_email","caServer":"https://acme-staging-v02.api.letsencrypt.org/directory","storage":"/acme.json","keyType":"RSA4096","dnsChallenge":{"provider":"cloudflare","resolvers":["1.1.1.1:53","1.0.0.1:53"]}}}}}"
  • today at 10:58 AM time="2021-02-26T15:58:36Z" level=error msg="The ACME resolver "cfresolver" is skipped from the resolvers list because: unable to get ACME account: permissions 777 for /acme.json are too open, please use 600"
  • today at 10:58 AM time="2021-02-26T15:58:36Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {"Timeout":4000000000}"

I shell into the container, apply chmod 600 acme.json, and I get:

  • today at 10:58 AM time="2021-02-26T15:58:36Z" level=error msg="The ACME resolver "cfresolver" is skipped from the resolvers list because: unable to get ACME account: permissions 777 for /acme.json are too open, please use 600"

I am running Docker on Windows, by the way, so I'm not sure how to apply chmod on Windows if that is the issue.

Something curious: as this is permission related, I tried an acme folder instead of the data folder, which seems to be doing something closer to success. I still have an empty acme.json though.

Changed configs to:

Volumes: 
    - ${docker_dir}\traefik2\acme\acme.json:/acme/acme.json
Labels:
    - --certificatesResolvers.cfresolver.acme.storage=/acme/acme.json

The logs related to acme are now looking like this:

today at 11:50 AM  time="2021-02-26T16:50:39Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"calibre\":{\"address\":\":8181\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"dozzle\":{\"address\":\":9999\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"heimdall\":{\"address\":\":81\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"jackett\":{\"address\":\":9117\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"jelly\":{\"address\":\":8097\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"lazylibrarian\":{\"address\":\":5299\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"nzbhydra\":{\"address\":\":5075\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"pihole\":{\"address\":\":82\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"portainer\":{\"address\":\":9000\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"radarr\":{\"address\":\":7878\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"sab\":{\"address\":\":38080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"sonarr\":{\"address\":\":8989\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"ums\":{\"address\":\":9001\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{\"trustedIPs\":[\"173.245.48.0/20\",\"103.21.244.0/22\",\"103.22.200.0/22\",\"103.31.4.0/22\",\"141.101.64.0/18\",\"108.162.192.0/18\",\"190.93.240.0/20\",\"188.114.96.0/20\",\"197.234.240.0/22\",\"198.41.128.0/17\",\"162.158.0.0/15\",\"104.16.0.0/12\",\"172.64.0.0/13\",\"131.0.72.0/22\"]},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ index .Labels \\\"com.docker.compose.service\\\" }}.docker.localhost`)\",\"network\":\"t2_proxy\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"directory\":\"/rules\",\"watch\":true}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/traefik.access.log\",\"format\":\"common\",\"filters\":{\"statusCodes\":[\"400-499\"]},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100},\"certificatesResolvers\":{\"cfresolver\":{\"acme\":{\"email\":\"/run/secrets/cloudflare_email\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]}}}}}"
today at 11:50 AM  time="2021-02-26T16:50:39Z" level=info msg="Starting provider *acme.Provider {\"email\":\"/run/secrets/cloudflare_email\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme/acme.json\",\"keyType\":\"RSA4096\",\"dnsChallenge\":{\"provider\":\"cloudflare\",\"resolvers\":[\"1.1.1.1:53\",\"1.0.0.1:53\"]},\"ResolverName\":\"cfresolver\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
today at 11:50 AM  time="2021-02-26T16:50:39Z" level=info msg="Testing certificate renew..." providerName=cfresolver.acme
today at 11:50 AM  time="2021-02-26T16:50:39Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
today at 11:50 AM  time="2021-02-26T16:50:39Z" level=debug msg="Configuration received from provider cfresolver.acme: {\"http\":{},\"tls\":{}}" providerName=cfresolver.acme
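The two errors quoted in this post ("open /data/acme.json: not a directory" and "permissions 777 for /acme.json are too open, please use 600") both come from the state of the file behind acme.storage, which holds the ACME account key and every issued private key. The following pre-flight check is an added example for this thread, not code from Traefik or from the poster; it is meant to be run inside the container (for example via docker exec) against the path given in acme.storage, and the function names and exit codes are my own.

```shell
#!/bin/sh
# Pre-flight check for the file a Traefik certresolver uses as acme.storage.
# Added example, not part of Traefik or the thread's configuration.
# Checks, in order:
#   - a path component above the file is itself a file ("not a directory")
#   - the file is missing
#   - the path is a directory (Docker creates a directory when the host side
#     of a bind mount does not exist)
#   - the mode is not 600 ("permissions 777 ... too open, please use 600")

# check_acme_storage PATH
# exit status: 0 ok, 1 missing, 2 is a directory, 3 mode is not 600,
#              4 parent path is not a directory
check_acme_storage() {
  path="$1"
  parent=$(dirname "$path")
  if [ -e "$parent" ] && [ ! -d "$parent" ]; then
    echo "parent of acme storage is not a directory: $parent" >&2
    return 4
  fi
  if [ ! -e "$path" ]; then
    echo "acme storage missing: $path" >&2
    return 1
  fi
  if [ -d "$path" ]; then
    echo "acme storage is a directory, expected a file: $path" >&2
    return 2
  fi
  # GNU stat first (Linux, i.e. inside the container), BSD stat as fallback
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  if [ "$mode" != "600" ]; then
    echo "permissions $mode for $path are too open, please use 600" >&2
    return 3
  fi
  return 0
}

# prepare_acme_storage PATH
# Creates an empty storage file with mode 600 if it does not exist,
# tightens the mode if it does, then re-runs the check.
prepare_acme_storage() {
  path="$1"
  if [ ! -e "$path" ]; then
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && : > "$path" ) || return 1
  fi
  chmod 600 "$path" || return 1
  check_acme_storage "$path"
}

# Example run against the storage path used in the compose file above:
# prepare_acme_storage /acme/acme.json
```

If chmod inside the container does not stick because the file is bind-mounted from the host, keeping acme.json in a named Docker volume instead of a host bind mount is an alternative.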

OK, so I have it almost figured out. I had some config issues; I suspect I have one more.

Now with this traefik.yml:

api:
  dashboard: true
  insecure: true

certificatesResolvers:
  cloudflare-resolver:
    acme:
      email: smrtrock@outlook.com
      storage: /acme/acme.json
      # LetsEncrypt Staging Server - uncomment when testing
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnschallenge:
        provider: cloudflare
        delayBeforeCheck: 90
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
  le:
    acme:
      email: smrtrock@outlook.com
      storage: /acme/acme.json
      # LetsEncrypt Staging Server - uncomment when testing
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    forwardedheaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
    http:
      middlewares:
        - chain-basic-auth
      tls:
        certResolver: cloudflare-resolver
        domains:
          - main: smrtrock.com
            sans:
              - "*.smrtrock.com"
  traefik:
    address: ":8080"

global:
  checknewversion: true
  # sendanonymoususage: true

log:
  level: DEBUG
  # filepath: /traefik.event.log
  format: json

accesslog:
  filepath: /traefik.access.log
  format: json
  bufferingsize: 100
  filters:
    statusCodes: 400-599

providers:
  docker:
    exposedByDefault: false
    swarmMode: false
  file:
    watch: true
    directory: "/rules"
    
serversTransport:
  insecureSkipVerify: true

Dynamic config app-dashboard.yml:

http:
  routers:
    traefik:
      entryPoints: web
      rule: "Host(`traefik.smrtrock.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: api@internal
      middlewares:
        - basic-auth@file
      tls:
        certResolver: cloudflare-resolver
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

And the following compose file putting it all together:

version: "3.8"

networks: 
  t2_proxy:
    external: true
  default:
    driver: bridge

services:
  reverse-proxy:
    # The official v2.0 Traefik docker image
    image: traefik:latest
    container_name: traefik
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # The HTTP port
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      # The Web UI (enabled by --api.insecure=true)
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${docker_dir}\traefik2\rules:/rules
      - ${docker_dir}\traefik2\acme\acme.json:/acme/acme.json
      - ${docker_dir}\traefik2\traefik.yml:/traefik.yml:ro
      - ${docker_dir}\traefik2\traefik.access.log:/traefik.access.log
      - ${docker_dir}\traefik2\traefik.event.log:/traefik.event.log
      - ${docker_dir}\shared\.htpasswd:/shared/.htpasswd
    networks:
      - t2_proxy
    environment: 
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    secrets:
      - cloudflare_email
      - cloudflare_api_key

Now I am having two problems:

  1. Resolver does not produce a cert; I get the following error:
today at 10:57 PM  {"level":"error","msg":"Unable to obtain ACME certificate for domains \"smrtrock.com,*.smrtrock.com\" : unable to generate a certificate for the domains [smrtrock.com *.smrtrock.com]: error: one or more domains had a problem:\n[*.example.com [*.example.com] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.smrtrock.com.\n[example.com] [e.coxamplem] acme: error presenting token: cloudflare: unexpected response code 'SERVFAIL' for _acme-challenge.smrtrock.com.\n","providerName":"cloudflare-resolver.acme","time":"2021-03-01T03:57:39Z"}
  2. I do not get prompted for creds even after I remove api.insecure and serversTransport.insecureSkipVerify.

I am suggesting you create two routers, one for Web and a second for Websecure. Then place the TLS configuration on the Websecure router. Let us know the results of your testing.

OK, so the issue was the key I was using.

Originally I was trying with the global API_KEY; I added the DNS_API_TOKEN and magic happened.