Hi everyone
I have a Docker Swarm cluster with the managers on one network and the workers on another. The SSL certificates are stored on an NFS server that is on the same network as the worker nodes. There is an overlay network which the services use. File/folder permissions are set correctly and acme.json is mode 600. All servers can connect to the NFS server and access the shared locations.
When I run the Traefik stack deploy, only the dashboard gets an SSL certificate from Let's Encrypt; whoami and the other domains don't get one. The Traefik instances are running on the manager nodes and whoami on the worker nodes. Not sure where I'm going wrong, but any help would be greatly appreciated.
Here is the error I get:
error: one or more domains had a problem:\n[whoami.domain.com] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:tls :: During secondary validation: remote error: tls: unrecognized name
Here is my docker compose file:
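services:
  traefik:
    image: traefik:3.3.6
    networks:
      # Must be the same overlay network that whoami joins and that
      # --providers.swarm.network names; the original "proxyney" was a typo
      # and an undefined network name is rejected at `docker stack deploy`
      # (or leaves Traefik unable to reach whoami over the overlay).
      - proxynet
    ports:
      # Quoted so the YAML parser keeps host:container mappings as strings.
      - "80:80"
      - "443:443"
    command:
      - --api.dashboard=true
      # DEBUG is fine while troubleshooting; lower it afterwards, it is
      # chatty and the access log already records each request.
      - --log.level=DEBUG
      - --accesslog=true
      - --providers.swarm=true
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.network=proxynet
      - --providers.swarm.exposedByDefault=false
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.webinsecure.http.redirections.entrypoint.to=websecure
      - --entrypoints.webinsecure.http.redirections.entrypoint.scheme=https
      - --entrypoints.webinsecure.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      # Defined but not published in `ports` and not used by any router; the
      # dashboard is served through the websecure router below.
      - --entrypoints.dashboard.address=:8181
      - --certificatesresolvers.myresolver.acme.email=email@mydomain.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      # TLS-ALPN-01: the challenge on :443 must be answered by the SAME
      # Traefik process that opened the order (challenge state lives in that
      # process, not in acme.json). See the deploy section below.
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      # Use the staging CA while debugging to avoid production rate limits.
      # - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    deploy:
      # Traefik's built-in ACME is not HA-safe. With `mode: global` each
      # manager runs its own Traefik; Let's Encrypt's validators (the
      # "secondary validation" in the error) hit whichever instance answers
      # :443, and one that did not start the order replies with
      # "tls: unrecognized name". Run exactly one replica; scale out only with
      # an external issuer whose certificates every instance loads (e.g. via
      # the file provider).
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role==manager
      labels:
        - traefik.enable=true
        # Not a Traefik label; harmless but ignored.
        - traefik.environment=cloud
        - traefik.http.routers.dashboard.entrypoints=websecure
        - traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.com`)
        - traefik.http.routers.dashboard.service=api@internal
        # Unused: the router above targets api@internal, not this service.
        - traefik.http.services.dashboard.loadbalancer.server.port=8181
        - traefik.http.routers.dashboard.middlewares=auth
        # The value must be an htpasswd-style hash (e.g. `htpasswd -nB user`),
        # never a plaintext password, and in a compose file every `$` in the
        # hash has to be written as `$$`.
        - traefik.http.middlewares.auth.basicauth.users=user:pin
    volumes:
      - ./traefik/logs:/var/log
      # The Docker socket on a manager is cluster-admin for anything that
      # can talk to it; `:ro` only makes the mount read-only, it does not
      # restrict the API. Prefer a socket proxy that exposes just the
      # read-only endpoints the swarm provider needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the ACME account key and certificate private keys;
      # keep it mode 600. Relative bind paths resolve on the node that runs
      # the task, so the file must exist there (here: the NFS mount).
      - ./traefik/ssl/acme.json:/letsencrypt/acme.json
  whoami:
    image: traefik/whoami
    networks:
      - proxynet
    deploy:
      mode: global
      placement:
        constraints:
          - node.role==worker
      labels:
        - traefik.enable=true
        - traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)
        - traefik.http.services.whoami.loadbalancer.server.port=80
networks:
  proxynet:
    external: true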