Traefik, Docker-compose and Let's Encrypt

What’s the URL you are trying to access?

This seems wrong:

web is always redirecting, you need to use websecure.

I'm using https://mydomain.com

I just updated all lines with entrypoints=web to entrypoints=websecure but am still getting Gateway Timeout.

Aha, that’s a different error, make sure all target services are connected to the Docker network.


Thanks. That fixed the Gateway Timeout!

But I'm still getting this error:

Warning: Potential Security Risk Ahead

Firefox Developer Edition detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

mydomain.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

View Certificate

Here is the traefik.log. Everything in my docker-compose.yaml is the same as above except I added the services to the network.

2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.0-beta3 built on 2023-06-22T08:58:13Z version=3.0.0-beta3
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filePath":"/var/log/traefik-access.log","filters":{},"format":"common"},"api":{"dashboard":true},"certificatesResolvers":{"myresolver":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"hello@mydomain.com","keyType":"RSA4096","storage":"/letsencrypt/acme.json","tlsChallenge":{}}}},"entryPoints":{"web":{"address":":80","forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":2147483646,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","asDefault":true,"forwardedHeaders":{},"http":{"tls":{"certResolver":"myresolver"}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"filePath":"/var/log/traefik.log","format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"proxy","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:656 > 
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:72 > Starting provider aggregator aggregator.ProviderAggregator
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:194 > Starting TCP Server entryPointName=web
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:194 > Starting TCP Server entryPointName=websecure
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > Starting provider *traefik.Provider
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:204 > *traefik.Provider provider configuration config={}
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:226 > Configuration received config={"http":{"middlewares":{"redirect-web-to-websecure":{"redirectScheme":{"permanent":true,"port":"443","scheme":"https"}}},"models":{"websecure":{"tls":{"certResolver":"myresolver"}}},"routers":{"web-to-websecure":{"entryPoints":["web"],"middlewares":["redirect-web-to-websecure"],"priority":2147483646,"rule":"HostRegexp(`^.+$`)","service":"noop@internal"}},"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"api":{},"dashboard":{},"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > Starting provider *docker.Provider
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:204 > *docker.Provider provider configuration config={"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"proxy","watch":true}
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > Starting provider *acme.ChallengeTLSALPN
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:204 > *acme.ChallengeTLSALPN provider configuration config={}
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > Starting provider *acme.Provider
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:204 > *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"myresolver","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"hello@mydomain.com","keyType":"RSA4096","storage":"/letsencrypt/acme.json","store":{},"tlsChallenge":{}}
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:214 > Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2023-09-19T19:12:33Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:798 > Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:226 > Configuration received config={"http":{},"tcp":{},"tls":{},"udp":{}} providerName=myresolver.acme
2023-09-19T19:12:33Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:89 > Provider connection established with docker 24.0.5 (API 1.43) providerName=docker
2023-09-19T19:12:33Z ERR github.com/traefik/traefik/v3/pkg/provider/docker/config.go:81 > error="service \"oauth2-proxy-backend\" error: port is missing" container=oauth2-proxy-backend-8f1b310505b8ec9f4083dd199b1da5a1f85823090bcb6de879d782306178116c providerName=docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:313 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingForwarder routerName=web-to-websecure@internal serviceName=noop@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:48 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=mydashboard
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:313 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingForwarder routerName=web-to-websecure@internal serviceName=noop@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:256 > Creating load-balancer entryPointName=websecure routerName=upload@docker serviceName=upload@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:298 > Creating server entryPointName=websecure routerName=upload@docker serverName=1a9667fd9d587fb5 serviceName=upload@docker target=http://<ip>.12:8004
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=upload@docker serviceName=upload
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:29 > Creating middleware entryPointName=websecure middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false  false false      false} entryPointName=websecure middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=upload-cors@docker routerName=upload@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:256 > Creating load-balancer entryPointName=websecure routerName=nginx@docker serviceName=nginx-backend@docker
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:298 > Creating server entryPointName=websecure routerName=nginx@docker serverName=b4b47c3cc264ce8d serviceName=nginx-backend@docker target=http://<ip>.5:80
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=nginx@docker serviceName=nginx-backend
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for mydomain.com with TLS options default entryPointName=websecure
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:893 > Domains need ACME certificates generation for domains "monitor.mydomain.com". acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:621 > Loading ACME certificates [monitor.mydomain.com]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com"] providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-19T19:12:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com"] providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-19T19:12:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:252 > Building ACME client... providerName=myresolver.acme
2023-09-19T19:12:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:258 > https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2023-09-19T19:12:49Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:372 > Register... providerName=myresolver.acme
2023-09-19T19:12:49Z DBG github.com/go-acme/lego/v4@v4.12.2/log/logger.go:48 > [INFO] acme: Registering account for hello@mydomain.com lib=lego
2023-09-19T19:12:49Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:332 > Using TLS Challenge provider. providerName=myresolver.acme
2023-09-19T19:12:49Z DBG github.com/go-acme/lego/v4@v4.12.2/log/logger.go:48 > [INFO] [mydomain.com] acme: Obtaining bundled SAN certificate lib=lego
2023-09-19T19:12:49Z DBG github.com/go-acme/lego/v4@v4.12.2/log/logger.go:48 > [INFO] [monitor.mydomain.com] acme: Obtaining bundled SAN certificate lib=lego
2023-09-19T19:12:49Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:397 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [monitor.mydomain.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: monitor.mydomain.com, retry after 2023-09-20T22:29:32Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/" acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-19T19:14:20Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "167-99-233-23.l-cdn.com"
2023-09-19T19:14:20Z DBG log/log.go:194 > http: TLS handshake error from <ip>:44095: EOF
2023-09-19T19:15:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-19T19:15:03Z DBG log/log.go:194 > http: TLS handshake error from <ip>.234:49250: remote error: tls: bad certificate
2023-09-19T19:15:07Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-19T19:15:07Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: b4b47c3cc264ce8d
2023-09-19T19:15:09Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:38 > Request has been aborted [<ip>.234:34586 - /path-logo.png]: net/http: abort Handler middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-19T19:15:09Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: b4b47c3cc264ce8d
2023-09-19T19:15:12Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-19T19:15:13Z DBG log/log.go:194 > http: TLS handshake error from <ip>.234:6481: remote error: tls: bad certificate
2023-09-19T19:15:13Z DBG log/log.go:194 > http: TLS handshake error from <ip>.234:48960: remote error: tls: bad certificate
2023-09-19T19:15:48Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "167-99-233-23.l-cdn.com"
2023-09-19T19:15:48Z DBG log/log.go:194 > http: TLS handshake error from <ip>:48998: EOF
2023-09-19T19:16:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-19T19:19:41Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "167-99-233-23.l-cdn.com"
2023-09-19T19:19:41Z DBG log/log.go:194 > http: TLS handshake error from <ip>:59050: EOF
2023-09-19T19:19:53Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-19T19:21:18Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "rigidwiki.com"
2023-09-19T19:23:27Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "167-99-233-23.l-agent.me"
2023-09-19T19:23:27Z DBG log/log.go:194 > http: TLS handshake error from <ip>.11:55881: EOF
2023-09-19T19:23:41Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"

It’s all in the logs:

Make sure to persist the cert file between container recreates.

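A small triage script for the log above, added here as an example and not part of the thread or of Traefik itself: it scans Traefik debug lines for the four signatures that matter in this thread (default self-signed certificate served for a host, the ACME rate limit, a service with no backend port, and clients rejecting the certificate) and maps each to the fix the replies give. The sample lines are constructed from the log above with the peer addresses replaced by documentation IPs; the set of hostnames you actually serve (OUR_HOSTS) is an assumption, and any SNI name outside it is reported as a scanner probe rather than a fault.

```python
"""Triage Traefik debug-log lines for the TLS/ACME failures seen in this thread.

Constructed sample lines (abridged from the log above, peer IPs replaced with
documentation addresses) are embedded so the script runs offline.
"""
import re
from collections import Counter

# "<ts> <LVL> <source file:line> > <message ...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]{3}) (?P<src>\S+) > ?(?P<msg>.*)$")

# Failure signatures, checked in order; first match wins.
PATTERNS = [
    ("default_cert", re.compile(r'Serving default certificate for request: "(?P<host>[^"]+)"')),
    ("rate_limited", re.compile(r"urn:ietf:params:acme:error:rateLimited.*?"
                                r"retry after (?P<retry>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)")),
    ("port_missing", re.compile(r'service \\"(?P<svc>[^\\"]+)\\" error: port is missing')),
    ("bad_cert", re.compile(r"TLS handshake error from (?P<peer>\S+): remote error: tls: bad certificate")),
]

# What each signature means and the remedy given in the thread.
REMEDY = {
    "default_cert": "no ACME certificate matched this SNI name: check the DNS record, the "
                    "router's tls.certresolver label, and that acme.json is persisted",
    "default_cert_foreign": "SNI name is not one of ours (an internet scanner hit the IP); no action",
    "rate_limited": "Let's Encrypt duplicate-certificate limit: test against the staging "
                    "caServer and persist acme.json so issued certificates are reused",
    "port_missing": "Traefik cannot pick a backend port: expose one in the image or set "
                    "traefik.http.services.<name>.loadbalancer.server.port",
    "bad_cert": "a client refused the self-signed default certificate; "
                "resolved by fixing default_cert for that host",
}


def parse_line(line):
    """Split one Traefik log line into timestamp, level, source and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, our_hosts):
    """Return one finding per matching line: kind, captured detail, remedy.
    our_hosts: hostnames we actually serve; other SNI names are flagged as foreign."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, rx in PATTERNS:
            m = rx.search(rec["msg"])
            if not m:
                continue
            detail = m.groupdict()
            if kind == "default_cert" and detail["host"] not in our_hosts:
                kind = "default_cert_foreign"
            findings.append({"ts": rec["ts"], "level": rec["level"], "kind": kind,
                             "detail": detail, "remedy": REMEDY[kind]})
            break
    return findings


def summarize(findings):
    """Count findings by kind (a Counter, so absent kinds read as 0)."""
    return Counter(f["kind"] for f in findings)


def retry_after(findings):
    """Earliest ACME retry-after timestamp reported, or None if no rate limit was hit."""
    stamps = [f["detail"]["retry"] for f in findings if f["kind"] == "rate_limited"]
    return min(stamps) if stamps else None


# Constructed sample, abridged from the thread's log; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = r"""
2023-09-19T19:12:33Z ERR github.com/traefik/traefik/v3/pkg/provider/docker/config.go:81 > error="service \"oauth2-proxy-backend\" error: port is missing" container=oauth2-proxy-backend-8f1b3105 providerName=docker
2023-09-19T19:12:49Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:397 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [monitor.mydomain.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: monitor.mydomain.com, retry after 2023-09-20T22:29:32Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/" domains=["monitor.mydomain.com"] providerName=myresolver.acme
2023-09-19T19:14:20Z DBG log/log.go:194 > http: TLS handshake error from 203.0.113.7:44095: EOF
2023-09-19T19:15:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-19T19:15:03Z DBG log/log.go:194 > http: TLS handshake error from 203.0.113.234:49250: remote error: tls: bad certificate
2023-09-19T19:16:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:158 > Adding certificate for domain(s) mydomain.com
"""

# Assumed: the hostnames this Traefik instance is meant to serve.
OUR_HOSTS = {"mydomain.com", "monitor.mydomain.com"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines(), OUR_HOSTS):
        print("%s %-20s %s -> %s" % (f["ts"], f["kind"], f["detail"], f["remedy"]))
```

Run it against the real file with `triage(open("/var/log/traefik.log"), OUR_HOSTS)`; the "Adding certificate for domain(s)" line that appears once issuance works produces no finding, which is the state you want to reach.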

Ok, nvm I tried again with another domain and I'm able to get the acme.json file for https://mydomain.com, but not for https://monitor.mydomain.com.

Persisting worked by manually creating ./letsencrypt at the root of my project directory (the directory with the docker-compose file) and removing the named volume in the volumes section.

Finally, is this correct for fixing the tls challenge for my monitor subdomain? Here is the label section for my Traefik service:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)"
      - "traefik.http.routers.mydashboard.entrypoints=websecure"
      - "traefik.http.routers.mydashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=admin:admin:$apr1$fIN5.TMI$Q9.C0E8zDNR0ZC0Rt73Uy0"

I would try just running it, but I hit the rate limit again so I just wanna know so I don't burn through tries tomorrow.

LetsEncrypt has a staging mode (doc) to work around the limits.

Did you create the subdomain DNS entry?

Are you using CNAME? (Doc)

Note that your basicauth seems wrong.

Before you replied, I realized I had forgotten to add the subdomain DNS entry, so I fixed that on DigitalOcean by adding an A record for monitor.mydomain.com.

For the Let's Encrypt staging server, is it a separate service that I place in my docker-compose, like this:

certificatesResolvers:
    myresolver:
        acme:
            # ...
            caServer: https://acme-staging-v02.api.letsencrypt.org/directory

or do I place this under my Traefik service like this?

traefik:
    image: traefik:v3.0
    restart: always
    certificatesResolvers:
        myresolver:
            acme:
                # ...
                caServer: https://acme-staging-v02.api.letsencrypt.org/directory

I also noticed the providers list mentions GoDaddy which is where I got my domain. Is adding the provider required?

What's incorrect with the basicauth?

The caserver is Traefik static config, so it goes in traefik.yml or in the command of the Traefik service.

Find the error:

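The error in that label, made explicit by an added check (example code, not from the thread or from Traefik): the users value must be user:hash, but the posted one has an extra field before the hash (admin:admin:$apr1$...). A second defect the check catches is one the thread does not mention but which applies to any docker-compose label: compose interpolates a lone "$" as a variable, so every "$" in the hash has to be written "$$". The hash value below is the one posted above; the label key names are Traefik's own.

```python
"""Check a Traefik basicauth.users docker-compose label for two common defects:
a repeated field before the hash (admin:admin:$apr1$...) and unescaped '$',
which docker-compose treats as variable interpolation ('$' must be written '$$').
"""
import re

# htpasswd hash prefixes Traefik's BasicAuth middleware understands
HASH_RE = re.compile(r"^(\$apr1\$|\$2[aby]\$|\{SHA\})\S+$")
# a single '$' not part of a '$$' pair
LONE_DOLLAR = re.compile(r"(?<!\$)\$(?!\$)")
USERS_SUFFIX = ".basicauth.users"


def compose_escape(credential):
    """Double every '$' so docker-compose passes the hash through untouched.
    Idempotent: already-doubled '$$' are normalised first, not quadrupled."""
    return credential.replace("$$", "$").replace("$", "$$")


def check_users_label(label, in_compose=True):
    """Return a list of problem strings for a
    'traefik.http.middlewares.<name>.basicauth.users=<user>:<hash>[,...]' label;
    an empty list means the label is well formed."""
    problems = []
    key, sep, value = label.partition("=")
    if not sep or not key.endswith(USERS_SUFFIX):
        return ["not a %s label: %r" % (USERS_SUFFIX, label)]
    if in_compose and LONE_DOLLAR.search(value):
        problems.append("unescaped '$' in a compose label: write every '$' as '$$'")
    for entry in value.split(","):
        # undo compose escaping so the hash can be validated as htpasswd output
        cred = entry.replace("$$", "$") if in_compose else entry
        user, sep, pw_hash = cred.partition(":")
        if not sep or not user:
            problems.append("entry %r is not user:hash" % entry)
            continue
        if HASH_RE.match(pw_hash):
            continue
        extra, sep2, rest = pw_hash.partition(":")
        if sep2 and HASH_RE.match(rest):
            problems.append("entry for %r has an extra field %r between user and hash" % (user, extra))
        else:
            problems.append("entry for %r has an unrecognised hash format" % user)
    return problems


# The label as posted in the thread, and the corrected form.
POSTED = "traefik.http.middlewares.myauth.basicauth.users=admin:admin:$apr1$fIN5.TMI$Q9.C0E8zDNR0ZC0Rt73Uy0"
FIXED = "traefik.http.middlewares.myauth.basicauth.users=" + compose_escape("admin:$apr1$fIN5.TMI$Q9.C0E8zDNR0ZC0Rt73Uy0")

if __name__ == "__main__":
    for label in (POSTED, FIXED):
        print(label)
        print("  ", check_users_label(label) or "OK")
```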

Ah my bad. I repeated admin: I copied and pasted that.

Also just checking, for the Traefik command for the caServer, is this what you meant:

# docker-compose.yaml
# ...
traefik:
    image: traefik:v3.0
    restart: always
    command:
        - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        # ... (other configurations)

You add the caserver to the rest of your existing certresolver definition.


I'm trying on my actual domain again and it looks like I got the certs.

I'm using the production server instead of the staging server:

- --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory

Here is my acme.json:

{
  "myresolver": {
    "Account": {
      "Email": "admin@mydomain.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:admin@mydomain.com"
          ]
        },
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456"
      },
      "PrivateKey": "...",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "monitor.mydomain.com"
        },
        "certificate": "...",
        "Store": "default"
      },
      {
        "domain": {
          "main": "mydomain.com"
        },
        "certificate": "...",
        "Store": "default"
      }
    ]
  }
}

But when I visit via browser to https://monitor.mydomain.com, I get that same error:

Warning: Potential Security Risk Ahead

Firefox Developer Edition detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

mydomain.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

View Certificate

When I browse to https://mydomain.com it works.

Here is my traefik.log:

2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:313 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingForwarder routerName=web-to-websecure@internal serviceName=noop@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:48 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=mydashboard
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:158 > Adding certificate for domain(s) monitor.mydomain.com
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:158 > Adding certificate for domain(s) mydomain.com
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:313 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=web middlewareName=tracing middlewareType=TracingForwarder routerName=web-to-websecure@internal serviceName=noop@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:29 > Creating middleware entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/redirect/redirect_scheme.go:30 > Setting up redirection to https 443 entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:256 > Creating load-balancer entryPointName=websecure routerName=nginx@docker serviceName=nginx-backend@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:298 > Creating server entryPointName=websecure routerName=nginx@docker serverName=622294d39604d2e9 serviceName=nginx-backend@docker target=http://192.168.144.4:80
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=nginx@docker serviceName=nginx-backend
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:256 > Creating load-balancer entryPointName=websecure routerName=upload@docker serviceName=upload@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:298 > Creating server entryPointName=websecure routerName=upload@docker serverName=67cc8bf1477334e0 serviceName=upload@docker target=http://192.168.144.10:8004
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=upload@docker serviceName=upload
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:29 > Creating middleware entryPointName=websecure middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false  false false      false} entryPointName=websecure middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=upload-cors@docker routerName=upload@docker
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for mydomain.com with TLS options default entryPointName=websecure
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com"] providerName=myresolver.acme routerName=nginx@docker rule=Host(`mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mydomain.com"] providerName=myresolver.acme routerName=upload@docker rule="Host(`mydomain.com`) && PathPrefix(`/upload`)"
2023-09-21T00:12:52Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
2023-09-21T00:14:38Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-21T00:14:39Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: 622294d39604d2e9
2023-09-21T00:14:41Z DBG log/log.go:194 > http: TLS handshake error from <ip>:50626: remote error: tls: unknown certificate authority
2023-09-21T00:14:49Z DBG log/log.go:194 > http: TLS handshake error from <ip>:50633: remote error: tls: unknown certificate authority
2023-09-21T00:14:55Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-21T00:14:56Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "rigidwiki.com"
2023-09-21T00:14:57Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-21T00:16:13Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: 622294d39604d2e9
2023-09-21T00:16:13Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: 22f0fb31815e77d0
2023-09-21T00:16:14Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "thesolvex.com"
2023-09-21T00:16:15Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:173 > Service selected by WRR: 0d987d5a18bcb7d0
2023-09-21T00:17:20Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "rigidwiki.com"
2023-09-21T00:17:35Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "old.rigidwiki.com"
2023-09-21T00:18:22Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "167-99-233-23.l-cdn.com"
2023-09-21T00:18:22Z DBG log/log.go:194 > http: TLS handshake error from 70.105.170.211:54193: EOF

Notably, I don't see a rate limit this time in the logs.

Share your current Traefik static and dynamic config, and docker-compose.yml if used.

I'm only using docker-compose.yml. Here's my current file:

version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=websecure"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    networks:
      - proxy
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.staging
    restart: always
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls.certresolver=myresolver"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --providers.docker.network=proxy
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)"
      - "traefik.http.routers.mydashboard.entrypoints=websecure"
      - "traefik.http.routers.mydashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.mydashboard.service=api@internal"
      - "traefik.http.routers.mydashboard.middlewares=myauth"
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$2y$05$/hJpV/MlsvaKB9bAWe8nDeq416TAjd9qU4bfs56ibkFU9smKP/O0S"

networks:
  proxy:
    name: proxy

Something wrong here, only assign once:

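As an added check (not from the thread or from Traefik itself), a small Python linter over one service's label list that flags what the replies above point at: the same router key assigned twice, a router not on websecure, and a middleware referenced but never defined. The label list is copied from the compose file above; FIXED_LABELS is an assumption about the intended fix, and the "websecure" expectation is this thread's setup, not a general Traefik rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the "upload" service labels from the compose file
# posted in this thread, copied as a plain list so the check runs offline.
UPLOAD_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)",
    "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180",
    "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true",
    "traefik.http.routers.upload.entrypoints=websecure",
    "traefik.http.routers.upload.middlewares=cors,oauth2-proxy",
    "traefik.http.services.upload.loadbalancer.server.port=8004",
    "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS",
    "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*",
    "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*",
    "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true",
    "traefik.http.routers.upload.middlewares=upload-cors",
]
# Assumed fix: the two "middlewares" lines merged into a single assignment.
FIXED_LABELS = [l for l in UPLOAD_LABELS if ".routers.upload.middlewares=" not in l] + [
    "traefik.http.routers.upload.middlewares=upload-cors,oauth2-proxy",
]
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
MW_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.")

def lint_labels(labels):
    seen = defaultdict(list)  # label key -> every value assigned to it
    defined_mw = set()        # middleware names declared on this service
    for label in labels:
        key, _, value = label.partition("=")
        seen[key].append(value)
        if (m := MW_RE.match(key)):
            defined_mw.add(m.group(1))
    findings = []
    for key, values in seen.items():
        if len(values) > 1:
            # Docker keeps labels as a map, so only one value reaches Traefik and the
            # rest silently vanish (the log above shows only upload-cors on the router).
            findings.append(f"duplicate key {key}: assigned {len(values)} times {values}")
        if not (m := ROUTER_RE.match(key)):
            continue
        router, option = m.groups()
        if option == "entrypoints" and "websecure" not in values[-1].split(","):
            findings.append(f"router {router}: entrypoints={values[-1]}, expected websecure")
        if option == "middlewares":
            for mw in (x.strip() for v in values for x in v.split(",")):
                if mw and mw not in defined_mw:
                    findings.append(f"router {router}: middleware {mw!r} is not defined")
    return findings
```

Run it against each service's label block before bringing the stack up; the duplicate-key finding is the one that silently removed the forwardauth middleware here.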

OMFG!!!! YESSS!!!!

Just tested on several devices and browsers and everything finally works!

Thank you so much for helping me with all this!

I'm so hype right now! :smiley:

Not sure which of your replies to mark as the solution since they were all the solution haha.

Thank you again! Omfg haha!!!!

Ah ok so I think I may have celebrated too soon.

I haven't changed anything with my docker-compose. When I complete the Google Auth and get redirected to https://www.mydomain.com/oauth2/redirect..., I get this error:

Warning: Potential Security Risk Ahead

Firefox Developer Edition detected a potential security threat and did not continue to www.mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.


www.mydomain.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


Your oauth2-proxy service/container has the right labels (Host() && PathPrefix()) and is TLS enabled?

Here is my oauth:

oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    networks:
      - proxy
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"

Should I add these to the labels:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth2-proxy.rule=Host(`mydomain.com`) && PathPrefix(`/oauth2`)"
      - "traefik.http.routers.oauth2-proxy.entrypoints=websecure"
      - "traefik.http.routers.oauth2-proxy.tls.certresolver=myresolver"

I just tried this and still get the 404 page not found.

Add the labels, add a www. to rule.

You can also use

rule=(Host() || Host()) && PathPrefix()