Traefik does not use a custom certificate

Hello colleagues!

Could you please help with troubleshooting the problem:

The following parameters are specified in the traefik.yml config:
tls:
  certificates:
    - certFile: /etc/traefik/certs/cvat.crt
      keyFile: /etc/traefik/certs/cvat.key

Certificates are uploaded to this directory in docker-compose.yml via volume:
volumes:
  - /opt/cvat/certs:/etc/traefik/certs:ro

The Traefik container reports no errors at startup:
docker logs traefik
time="2024-04-02T20:19:39Z" level=info msg="Configuration loaded from flags."

Despite this, the browser is presented with a self-signed certificate: TRAEFIK DEFAULT CERT

Thank you so much for your help!

That’s one of the top 10 questions :wink:

Custom TLS certs are dynamic config, they need to go into a dynamic config file, which is loaded in static config via providers.file.

# Dynamic configuration

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

In the above example, we've used the file provider to handle these definitions. It is the only available method to configure the certificates.

Doc
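The layout the reply describes, as an added example that is not part of this thread nor of the CVAT or Traefik projects: a script that writes a static traefik.yml and a separate dynamic file carrying the certificates, checks that every certFile/keyFile the dynamic file references actually exists on the host side of the volume mount, and can ask a live endpoint which certificate it serves for a given SNI name. The /etc/traefik/... container paths, the dynamic file name tls.yml, the cvat.crt/cvat.key names and the compose volume lines in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not CVAT's or Traefik's own files): lay out the static config
# and a separate dynamic TLS file as the reply describes, verify that the
# certificate paths the dynamic file references exist behind the volume mount,
# and query what a live endpoint actually serves. All paths are assumptions.
set -eu

# Write the static file and the dynamic TLS file under $1 (host side).
# Intended compose volumes for the traefik service (assumed layout):
#   - ${SRV_PATH}/traefik.yml:/etc/traefik/traefik.yml:ro   # static, auto-discovered
#   - ${SRV_PATH}/dynamic:/etc/traefik/dynamic:ro           # file provider directory
#   - ${SRV_PATH}/certs:/etc/traefik/certs:ro
# With the static file mounted, drop `command:` and TRAEFIK_* env vars entirely:
# Traefik accepts exactly one static-config source.
write_traefik_config() {
  dir="$1"
  mkdir -p "$dir/dynamic" "$dir/certs"
  cat > "$dir/traefik.yml" <<'EOF'
log:
  level: DEBUG
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
    network: cvat
  file:
    directory: /etc/traefik/dynamic   # a directory: every *.yml in it is loaded
    watch: true
EOF
  # Dynamic config lives in its own file, deliberately NOT named traefik.yml,
  # so it cannot be mistaken for (or mounted over) the static file.
  cat > "$dir/dynamic/tls.yml" <<'EOF'
tls:
  certificates:
    - certFile: /etc/traefik/certs/cvat.crt
      keyFile: /etc/traefik/certs/cvat.key
EOF
}

# Print every certFile/keyFile path referenced by a dynamic file, one per line.
referenced_cert_paths() {
  grep -E '^[[:space:]]*-?[[:space:]]*(certFile|keyFile):' "$1" \
    | sed -E 's/^[^:]*:[[:space:]]*//'
}

# Map each referenced container path through the volume mount
# ($2 = container prefix, $3 = host prefix) and check the host file is readable.
check_cert_files() {
  dyn="$1" cprefix="$2" hprefix="$3" status=0
  for p in $(referenced_cert_paths "$dyn"); do
    case "$p" in
      "$cprefix"/*) host="$hprefix${p#"$cprefix"}" ;;
      *) echo "NOT MOUNTED: $p is outside $cprefix"; status=1; continue ;;
    esac
    if [ -r "$host" ]; then echo "ok: $p -> $host"
    else echo "MISSING: $p -> $host"; status=1; fi
  done
  return "$status"
}

# True if an openssl "subject=" line names Traefik's built-in fallback cert.
is_traefik_default_cert() {
  printf '%s\n' "$1" | grep -q 'TRAEFIK DEFAULT CERT'
}

# Subject of the certificate a live endpoint serves for this SNI name
# (needs network and openssl; not exercised in the offline checks).
served_cert_subject() {
  host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Confirm the key file really belongs to the certificate (works for any key type).
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Typical use after sourcing the script: `write_traefik_config /opt/cvat/traefik`, copy the real cvat.crt/cvat.key into /opt/cvat/traefik/certs, run `check_cert_files /opt/cvat/traefik/dynamic/tls.yml /etc/traefik/certs /opt/cvat/traefik/certs` and `cert_key_match` on the pair before starting the stack, then `served_cert_subject your.host` after startup; if `is_traefik_default_cert` is true on that output, the dynamic file was not loaded or the router is not matching the requested host name.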

As indicated in the instructions (Traefik File Documentation - Traefik, Configuration Examples / CLI), the docker-compose file specifies the path to the dynamic configuration file:
--providers.file.directory=/path/to/dynamic/conf

In our case, this is:
- "--providers.file.directory=/etc/traefik/dynamic_conf"

The traefik.yml config with the following content is copied into this folder via a volume:

# Dynamic configuration

tls:
  certificates:
    - certFile: /etc/traefik/certs/cvat.crt
      keyFile: /etc/traefik/certs/cvat.key

Do I understand correctly that in this case this config is accepted as the dynamic config file?

Certificates are copied to the container folder /etc/traefik/certs/

The presence of the files and the config has been checked in the container; everything is correct.

There are no errors in the container log:

level=info msg="Configuration loaded from flags."

Traefik doesn't use a custom certificate anyway!
Could you please explain what else could be the problem?

Dear colleagues, are there any other options for troubleshooting? It is configured correctly according to the instructions, but custom certificates still do not work.

Is this a file or folder?

It's a folder!

/etc/traefik/dynamic_conf

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Use 3 backticks before and after config for correct formatting, in yaml every space counts.

The following files are used: Traefik.zip - Google Drive
docker-compose.yml
docker-compose.override.yml
docker-compose.https.yml

This is not how it works. Readers here don't download ZIPs.

OK, I put the files themselves in a folder: Traefik - Google Drive

This is how it usually works around here:

You post them inline, so everyone, with whatever device they use, can read them.

docker-compose.https.yml

# Copyright (C) 2018-2022 Intel Corporation
#
# SPDX-License-Identifier: MIT

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true
#      - traefik.http.routers.cvat.tls.certresolver=lets-encrypt

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true

#      - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt
#    ports:
#      - 80:80
#      - 3443:3443

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
#      - '--providers.file.directory=/etc/traefik/rules'
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      # - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      # - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
#      - cvat_letsencrypt:/letsencrypt
#      - /opt/cvat/certs:/cvat/certs:ro
#      - ./dynamic_conf:/opt/cvat/dynamic_conf:ro
#      - ./traefik.yml:/opt/cvat/traefik.yml:ro
#      - /opt/cvat/traefik.yml:/cvat/traefik.yml:ro
#      - /opt/cvat/dynamic_conf.yml:/cvat/dynamic_conf.yml
      - ${SRV_PATH}/certs:/etc/traefik/certs
      - ${SRV_PATH}/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml
#volumes:
#  cvat_letsencrypt:

traefik.yml

# Dynamic configuration

tls:
  certificates:
    - certFile: /etc/traefik/certs/cvat.crt
      keyFile: /etc/traefik/certs/cvat.key

docker-compose.https.yml has not been published yet; the system issued an alert that it is being checked by a spam filter.

It seems you are missing the rule=Host() part in the labels, compare to simple Traefik example.

Custom TLS certs are loaded in a dynamic config file (doc), which you load in static config with providers.file. Then you just enable TLS on the entrypoint or router (yaml tls: {}, labels tls=true).

Also note your Traefik version is multiple years old, you should upgrade.

These rules have been added to the main docker-compose.yml, which is loaded along with the rest of the compose files.

A fragment of the docker-compose.yml code:

  cvat_ui:
    container_name: cvat_ui
    image: ${CI_REGISTRY}/data_platform/${CI_PROJECT_NAME}_cvat_ui:v1.51.0
    restart: always
    depends_on:
      - cvat_server
    labels:
      - traefik.enable=true
      - traefik.http.services.cvat-ui.loadbalancer.server.port=80
      - traefik.http.routers.cvat-ui.rule=Host(`${CVAT_HOST:-localhost}`)
      - traefik.http.routers.cvat-ui.entrypoints=web
    networks:
      - cvat

  traefik:
    image: ${CI_REGISTRY}/data_platform/${CI_PROJECT_NAME}_traefik:v2.9
    container_name: traefik
    restart: always
    command:
      - '--providers.docker.exposedByDefault=false'
      - '--providers.docker.network=cvat'
      - '--entryPoints.web.address=:8080'
      # NOTE: providers.file.directory is a single setting; it is given twice here
      - '--providers.file.directory=/etc/traefik/rules'
      - '--providers.file.directory=/etc/traefik/dynamic_conf'
    # Uncomment to get Traefik dashboard
    #   - "--entryPoints.dashboard.address=:8090"
    #   - "--api.dashboard=true"
    #labels:
    #  - traefik.enable=true
    #  - traefik.http.routers.dashboard.entrypoints=dashboard
    #  - traefik.http.routers.dashboard.service=api@internal
    #  - traefik.http.routers.dashboard.rule=Host(`${CVAT_HOST:-localhost}`)
    ports:
      - 8080:8080
      - 8090:8090
    environment:
      CVAT_HOST: ${CVAT_HOST:-localhost}
      DJANGO_LOG_VIEWER_HOST: grafana
      DJANGO_LOG_VIEWER_PORT: 3000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${SRV_PATH}/components/analytics/grafana_conf.yml:/etc/traefik/rules/grafana_conf.yml:ro
    networks:
      - cvat

And could you please tell me how to check the version of Traefik in the container?

Enable debug and it’s printed upon startup to stdout.

Could you please tell me how to enable DEBUG correctly?
I tried to include it in docker-compose.yml for Traefik:

    environment:
      LOG.LEVEL: DEBUG

But in the log I see only:
time="2024-04-16T09:21:28Z" level=info msg="Configuration loaded from flags."

This belongs into the top 10 FAQs.

You can only have a single type of static config: traefik.yml, command line or env vars (doc). Decide on one.
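An added check for the point made in this reply, written for this thread rather than taken from Traefik or CVAT: given the Cmd and Env of the container as `docker inspect` prints them, it reports which static-config sources are in play (flags, TRAEFIK_* env vars, or both), any flag key passed twice, and env entries such as LOG.LEVEL that Traefik does not read at all, since only variables prefixed TRAEFIK_ count as static config. The SAMPLE_* values are constructed to mirror the compose fragment posted above; the container name in `inspect_container` is whatever you run, and a mounted traefik.yml (the third source) cannot be seen from Cmd/Env and is not detected here.

```shell
#!/bin/sh
# Added example: classify where a running Traefik container gets its static
# configuration from, flag settings given twice, and environment entries that
# Traefik silently ignores. Inputs are one entry per line, exactly as
# `docker inspect` prints Config.Cmd and Config.Env.
set -eu

# Which static-config sources are in use: "flags", "env", "flags env", or "".
# (A mounted traefik.yml, the third possible source, does not show up here.)
static_config_sources() {
  cmd="$1" env="$2" sources=""
  if printf '%s\n' "$cmd" | grep -q '^--'; then sources="$sources flags"; fi
  # Traefik only reads environment variables prefixed with TRAEFIK_.
  if printf '%s\n' "$env" | grep -q '^TRAEFIK_'; then sources="$sources env"; fi
  printf '%s\n' "${sources# }"
}

# Flag keys that appear more than once (lower-cased: Traefik keys are
# case-insensitive, so two spellings of one key are still one setting).
duplicate_flags() {
  printf '%s\n' "$1" | sed -n 's/^--\([^=]*\)=.*/\1/p' \
    | tr '[:upper:]' '[:lower:]' | sort | uniq -d
}

# Environment entries that look like Traefik settings but lack the TRAEFIK_
# prefix, e.g. LOG.LEVEL=DEBUG: Traefik never reads them, so nothing changes.
ignored_env() {
  printf '%s\n' "$1" \
    | grep -iE '^(log|providers|entrypoints|api|certificatesresolvers)[._]' || true
}

# Run the three checks against a live container (needs docker; not run offline).
inspect_container() {
  cmd=$(docker inspect "$1" --format '{{range .Config.Cmd}}{{println .}}{{end}}')
  env=$(docker inspect "$1" --format '{{range .Config.Env}}{{println .}}{{end}}')
  echo "static config sources: $(static_config_sources "$cmd" "$env")"
  echo "duplicate flags: $(duplicate_flags "$cmd")"
  echo "ignored env entries: $(ignored_env "$env")"
}

# Constructed sample mirroring the compose fragment posted in this thread.
SAMPLE_CMD='--providers.docker.exposedByDefault=false
--providers.file.directory=/etc/traefik/rules
--providers.file.directory=/etc/traefik/dynamic_conf'
SAMPLE_ENV='LOG.LEVEL=DEBUG
CVAT_HOST=localhost'
```

For the sample, `static_config_sources` prints `flags`, `duplicate_flags` prints `providers.file.directory`, and `ignored_env` prints `LOG.LEVEL=DEBUG`: the debug level was never applied because the container is configured by flags, so the fix is `--log.level=DEBUG` in the same `command:` list (or, if you switch to env vars, `TRAEFIK_LOG_LEVEL=DEBUG` and no flags at all).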