I'm using the following docker-compose.yaml
version: '3.7'
services:
  reverse-proxy:
    image: traefik:v2.1
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./conf.d/:/etc/traefik/conf.d/:ro
      - ./certs/:/etc/ssl/:ro
      - ./acme.json:/etc/traefik/acme.json
traefik.yml:
entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"
providers:
  file:
    directory: /etc/traefik/conf.d
certificatesResolvers:
  lets-encrypt:
    acme:
      email: example@example.org
      storage: /etc/traefik/acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web
accessLog: {}
Example Domain config (loaded from a file in /etc/traefik/conf.d/)
http:
  routers:
    example-new:
      rule: "Host(`example.org`)"
      entryPoints:
        - "web"
      service: "example-site-new"
      middlewares:
        - "force-https"
    example-new-secure:
      rule: "Host(`example.org`)"
      entryPoints:
        - "web-secure"
      service: "example-site-new"
      tls:
        certResolver: "lets-encrypt"
  services:
    example-site-new:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://endpointip:8000/"
I've been getting emails from Let's Encrypt saying the certificates used by this instance hadn't been renewed. acme.json hasn't been modified since the 15th of January, so I backed it up and created a new blank one. After restarting the container I get the following error for each domain/cert:
reverse-proxy_1 | time="2020-02-19T12:16:03Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: x509: certificate signed by unknown authority" rule="Host(`example.org`)" providerName=lets-encrypt.acme routerName=example-site-secure@file
If I try to use wget to request the URL from inside the container I get this:
docker exec -it traefik_reverse-proxy_1 wget https://acme-v02.api.letsencrypt.org/directory
Connecting to acme-v02.api.letsencrypt.org (172.65.32.248:443)
ssl_client: acme-v02.api.letsencrypt.org: TLS connect failed
wget: error getting response: Connection reset by peer
It works fine if I run the same command on the host machine.
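An added check, not part of the question above and not Traefik's own code. Traefik is a Go binary, and "x509: certificate signed by unknown authority" is what Go's crypto/x509 reports when no root in the system trust store signs the chain it was shown, which is also what it reports when the trust store it expects on disk is empty or hidden. The script below parses the volume entries from the compose file in the question (embedded as a constructed sample) and reports which of the Linux trust-store paths Go consults would be hidden by a bind mount. It assumes the traefik:v2.1 image keeps its CA bundle at /etc/ssl/certs/ca-certificates.crt, as Alpine-based images do; the /etc/traefik/certs path in the second sample is an assumed alternative, not something the question uses. The check is purely static and does not touch the network.

```python
"""Check whether docker-compose bind mounts hide the CA trust store a Go binary uses.

Added example for the question above; not Traefik's code. Assumes the traefik:v2.1
image keeps its CA bundle at /etc/ssl/certs/ca-certificates.crt (Alpine layout).
"""
import posixpath

# Files and directories Go's crypto/x509 consults for system roots on Linux
# (abridged from crypto/x509/root_linux.go; the first file is the Alpine/Debian bundle).
GO_CERT_FILES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/ssl/cert.pem",
]
GO_CERT_DIRS = [
    "/etc/ssl/certs",
    "/etc/pki/tls/certs",
]

# Constructed sample: the volumes list from the compose file in the question.
COMPOSE_VOLUMES = [
    "./traefik.yml:/etc/traefik/traefik.yml:ro",
    "./conf.d/:/etc/traefik/conf.d/:ro",
    "./certs/:/etc/ssl/:ro",
    "./acme.json:/etc/traefik/acme.json",
]

# Constructed alternative with the certificate directory mounted outside /etc/ssl
# (the /etc/traefik/certs path is an assumption, not something the question uses).
SAFE_VOLUMES = [
    "./traefik.yml:/etc/traefik/traefik.yml:ro",
    "./conf.d/:/etc/traefik/conf.d/:ro",
    "./certs/:/etc/traefik/certs/:ro",
    "./acme.json:/etc/traefik/acme.json",
]


def parse_volume(spec):
    """Split short-syntax 'host:container[:opts]' into (host, container, read_only)."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[1].startswith("/"):
        raise ValueError(f"not a bind mount with an absolute container path: {spec!r}")
    opts = parts[2].split(",") if len(parts) > 2 else []
    return parts[0], posixpath.normpath(parts[1]), "ro" in opts


def covers(mount_path, target):
    """True when a mount at mount_path hides target: same path, or a parent of it."""
    mount_path = posixpath.normpath(mount_path)
    prefix = mount_path.rstrip("/") + "/"
    return target == mount_path or target.startswith(prefix)


def shadowed_trust_paths(volumes):
    """Return (trust_path, volume_spec) for each Go trust-store path hidden by a mount."""
    findings = []
    for spec in volumes:
        _host, container, _ro = parse_volume(spec)
        for trust_path in GO_CERT_FILES + GO_CERT_DIRS:
            if covers(container, trust_path):
                findings.append((trust_path, spec))
    return findings


def container_view(path, volumes):
    """Where a container path really points: the host path behind the first
    covering mount, or 'image:<path>' when the image's own file is still visible."""
    for spec in volumes:
        host, container, _ro = parse_volume(spec)
        if covers(container, path):
            if path == container:
                return host
            return posixpath.join(host, posixpath.relpath(path, container))
    return "image:" + path


def report(volumes):
    """Human-readable summary, one line per hidden trust-store path."""
    lines = []
    for trust_path, spec in shadowed_trust_paths(volumes):
        lines.append(f"{spec!r} hides {trust_path} -> now {container_view(trust_path, volumes)}")
    return lines or ["no Go trust-store path is hidden by a bind mount"]


if __name__ == "__main__":
    for title, vols in (("compose file from the question", COMPOSE_VOLUMES),
                        ("certs mounted under /etc/traefik/certs", SAFE_VOLUMES)):
        print(f"== {title}")
        for line in report(vols):
            print("  " + line)
```

Run against the compose file as given, the check flags the ./certs/:/etc/ssl/:ro entry, and container_view() shows that with that mount in place the bundle Go looks for would have to exist on the host at ./certs/certs/ca-certificates.crt to be found at all. The second sample, with the same directory mounted at the assumed path /etc/traefik/certs, covers no trust-store path and leaves the image's bundle visible. Inside a running container the equivalent manual check is whether /etc/ssl/certs/ca-certificates.crt is present and non-empty; a busybox wget in the same container that cannot complete the TLS handshake is a separate symptom that this static check does not explain.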