Traefik error: failed to decode configuration from flags: field not found, node: tls

Hi

I don't get it to run with my own wildcard cert. I don't want to use a TOML file, just docker-compose would be good.

Here is my file

version: '3.7'

networks:
 proxy-net:
   external: true
      
services:
    reverse-proxy:
     image: traefik:latest
     command:
      --providers.docker
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode=true
      --entryPoints.http.address=":80"
      --entryPoints.https.address=":443"
      --entryPoints.mysql.address=":3306"
      --entryPoints.https.tls.certificates.certFile="/certs/wildcard.bpmspace.net.certificate.crt"
      --entryPoints.https.tls.certificates.keyFile="/certs/wildcard.bpmspace.net.key"
      --accesslog
      --log.level=DEBUG
      --api=true
      --api.dashboard=true
     ports:
       - 80:80
       - 443:443
       - 8080:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
     deploy:
        mode: global
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.http.services.justAdummyService.loadbalancer.server.port=1337
          - traefik.http.routers.traefikRouter.rule=Host(`traefik.bpmspace.net`)
          - traefik.http.routers.traefikRouter.tls=true
          - traefik.http.routers.traefikRouter.service=api@internal
          - traefik.http.routers.traefikRouter.entrypoints=https
          
     networks:
       - proxy-net

Any idea? Thanks
rob

Hello,

--entryPoints.https.tls is not a valid CLI flag, see: CLI | Traefik | v2.1

The tls section is part of the dynamic configuration.

Hi Idez
Thanks for the quick answer. Obviously I didn't understand everything. Does that mean I need a TOML file?
Unfortunately I do not see it here (yet) quite clearly. Maybe you can give me a hint beyond the dynamic conf link.

Thanks

docker-compose.yml
version: '3.7'

services:
    reverse-proxy:
     image: traefik:v2.1.2
     command:
      --providers.docker
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode=true
      --entryPoints.http.address=:80
      --entryPoints.https.address=:443
      --entryPoints.mysql.address=:3306
      --accesslog
      --log.level=INFO
      --api=true
     ports:
       - 80:80
       - 443:443
       - 8080:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
       - /var/config:/config/
     deploy:
        mode: global
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.http.routers.traefikRouter.rule=Host(`traefik.bpmspace.net`)
          - traefik.http.routers.traefikRouter.tls=true
          - traefik.http.routers.traefikRouter.service=api@internal
          - traefik.http.routers.traefikRouter.entrypoints=https
          - traefik.http.services.justAdummyService.loadbalancer.server.port=1337
          
     networks:
       - proxy-net

networks:
 proxy-net:
   external: true

The certificates definition:

/config/tls.yml
tls:
  certificates:
    - certFile: /certs/wildcard.bpmspace.net.certificate.crt
      keyFile: /certs/wildcard.bpmspace.net.key

or

/config/tls.toml
[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"

https://docs.traefik.io/v2.1/https/tls/#user-defined

Hello

thank you very much for the support. Unfortunately I still can't get it to work.

I created a file with the name "traefik.toml" (not tls.toml) in the directory /config/ and adapted docker-compose.yml accordingly.

[[tls.certificates]]
  certFile = "/certs/wildcard.bpmspace.net.bundle.crt"
  keyFile = "/certs/wildcard.bpmspace.net.key"

I can "see" the files "in" the container as well as the certificates.

~ # ls /certs/
wildcard.bpmspace.net.bundle.crt         wildcard.bpmspace.net.certificate.crt    wildcard.bpmspace.net.intermediate1.crt  wildcard.bpmspace.net.key
wildcard.bpmspace.net.bundle_2.crt     wildcard.bpmspace.net.csr                      wildcard.bpmspace.net.intermediate2.crt  wildcard.bpmspace.net.root.crt
~ # ls /config/
traefik.toml

NOTE: /certs/wildcard.bpmspace.net.BUNDLE.crt contains root, intermediate1, intermediate2 and certificate

I get

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
------------------
https://traefik.bpmspace.net/dashboard/#/
The certificate is not trusted because it was signed by the issuer himself.
HTTP Strict Transport Security: False
HTTP Public Key Pinning: False
Certificate chain:

Output Log File

time="2020-01-19T07:33:22Z" level=debug msg="No default certificate, generating one"

This message is ongoing ...

Thanks for help
Rob

I changed to "/etc/traefik/"

...
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
       - /home/rootmessages/BPMspaceCloud/dockerswarm/management/traefik/config:/etc/traefik/
...

and get the error

2020/01/19 07:43:16 command traefik error: no valid configuration found in file: /etc/traefik/traefik.toml

The file looks like

[[tls.certificates]]
  certFile = "/certs/wildcard.bpmspace.net.bundle.crt"
  keyFile = "/certs/wildcard.bpmspace.net.key"

Nothing more ....
Thanks rob

The /etc/traefik/traefik.toml is for the static configuration, and in this case you cannot put dynamic configuration in this file.

My example was good; I recommend clearing your browser cache.

OK, back to

...
       - /home/rootmessages/BPMspaceCloud/dockerswarm/management/traefik/config:/config/
...

Rename ... traefik.toml -> tls.toml

...

Still have this in the container log:

time="2020-01-19T12:26:18Z" level=debug msg="No default certificate, generating one"

Also tried with 3 browsers (after deleting the cache), same error messages:

Websites prove their identity via certificates. Firefox Developer Edition does not trust this site because it uses a certificate that is not valid for traefik.bpmspace.net. The certificate is only valid for 6aafdcbab6a6d35065f4bc49e98f2c0c.7583724d7aa25335c624fb8eb379175d.traefik.default.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Where do I tell TRAEFIK to READ /config/tls.toml, or is this done automatically?

https://check-your-website.server-daten.de/?q=traefik.bpmspace.net also tells me

No trusted Certificate

Thanks rob

Traefik reads certificates automatically, and the selection of the certificates is based on SNI information in the certificates.

I had the same error and I solved it by moving the two tls.certificates lines from the command section to the labels section.

Are you sure that works? Traefik Docker Configuration Discovery, which reads the labels, does not support tls.certificates, see reference.

Usually it is read with provider.file from a separate file.

2 Likes
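
Added example, not from any post in this thread: the file-provider setup the last reply refers to, with the static flags (docker-compose.yml) and the dynamic tls file (/config/tls.yml) as two YAML documents. The read-only mounts and the defaultCertificate store entry are additions made here; the paths are the ones used in the thread, and the deploy section with the router labels is omitted and stays as in the answer above.

```yaml
# docker-compose.yml (excerpt): static configuration, passed as CLI flags
version: '3.7'

services:
  reverse-proxy:
    image: traefik:v2.1.2
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmmode=true
      # File provider: loads every dynamic-configuration file found in /config.
      # Without a file provider, /config/tls.yml is never read.
      - --providers.file.directory=/config
      - --providers.file.watch=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --log.level=INFO
      - --api=true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/cert:/certs:ro      # key material mounted read-only (addition)
      - /var/config:/config:ro   # dynamic configuration, read-only (addition)
    networks:
      - proxy-net

networks:
  proxy-net:
    external: true
---
# /config/tls.yml: dynamic configuration, picked up by the file provider
tls:
  certificates:
    # certFile order: leaf certificate first, then the intermediates;
    # the first certificate in the file must match keyFile.
    - certFile: /certs/wildcard.bpmspace.net.bundle.crt
      keyFile: /certs/wildcard.bpmspace.net.key
  stores:
    default:
      # Served when no certificate matches the requested server name,
      # instead of the generated self-signed "TRAEFIK DEFAULT CERT".
      defaultCertificate:
        certFile: /certs/wildcard.bpmspace.net.bundle.crt
        keyFile: /certs/wildcard.bpmspace.net.key
```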