Traefik error: failed to decode configuration from flags: field not found, node: tls

Hi

I don't get it to run with my own wildcard cert. I don't want to use a TOML file; just docker-compose would be good.

Here is my file

version: '3.7'

networks:
 proxy-net:
   external: true
      
services:
    reverse-proxy:
     image: traefik:latest
     command:
      --providers.docker
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode=true
      --entryPoints.http.address=":80"
      --entryPoints.https.address=":443"
      --entryPoints.mysql.address=":3306"
      --entryPoints.https.tls.certificates.certFile="/certs/wildcard.bpmspace.net.certificate.crt"
      --entryPoints.https.tls.certificates.keyFile="/certs/wildcard.bpmspace.net.key"
      --accesslog
      --log.level=DEBUG
      --api=true
      --api.dashboard=true
     ports:
       - 80:80
       - 443:443
       - 8080:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
     deploy:
        mode: global
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.http.services.justAdummyService.loadbalancer.server.port=1337
          - traefik.http.routers.traefikRouter.rule=Host(`traefik.bpmspace.net`)
          - traefik.http.routers.traefikRouter.tls=true
          - traefik.http.routers.traefikRouter.service=api@internal
          - traefik.http.routers.traefikRouter.entrypoints=https
          
     networks:
       - proxy-net

Any idea? Thanks
rob

Hello,

--entryPoints.https.tls is not a valid CLI flag https://docs.traefik.io/v2.1/reference/static-configuration/cli/

The tls section is a part of the dynamic configuration.

https://docs.traefik.io/v2.1/https/tls/

Hi Idez
Thanks for the quick answer. Obviously I didn't understand everything. Does that mean I need a TOML file?
Unfortunately I do not see it quite clearly here (yet). Maybe you can give me a hint beyond the dynamic conf link.

Thanks

docker-compose.yml
version: '3.7'

services:
    reverse-proxy:
     image: traefik:v2.1.2
     command:
      --providers.docker
      --providers.docker.exposedbydefault=false
      --providers.docker.swarmmode=true
      --entryPoints.http.address=:80
      --entryPoints.https.address=:443
      --entryPoints.mysql.address=:3306
      --accesslog
      --log.level=INFO
      --api=true
     ports:
       - 80:80
       - 443:443
       - 8080:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
       - /var/config:/config/
     deploy:
        mode: global
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.http.routers.traefikRouter.rule=Host(`traefik.bpmspace.net`)
          - traefik.http.routers.traefikRouter.tls=true
          - traefik.http.routers.traefikRouter.service=api@internal
          - traefik.http.routers.traefikRouter.entrypoints=https
          - traefik.http.services.justAdummyService.loadbalancer.server.port=1337
          
     networks:
       - proxy-net

networks:
 proxy-net:
   external: true

The certificates definition:

/config/tls.yml
tls:
  certificates:
    - certFile: /certs/wildcard.bpmspace.net.certificate.crt
      keyFile: /certs/wildcard.bpmspace.net.key

or

/config/tls.toml
[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"

https://docs.traefik.io/v2.1/https/tls/#user-defined

Hello

thank you very much for the support. Unfortunately I still can't get it to work.

I created a file with the name "traefik.toml" (not tls.toml) in the directory /config/ and adapted docker-compose.yml accordingly.

[[tls.certificates]]
  certFile = "/certs/wildcard.bpmspace.net.bundle.crt"
  keyFile = "/certs/wildcard.bpmspace.net.key"

I can "see" the files "in" the container as well as the certificates.

~ # ls /certs/
wildcard.bpmspace.net.bundle.crt         wildcard.bpmspace.net.certificate.crt    wildcard.bpmspace.net.intermediate1.crt  wildcard.bpmspace.net.key
wildcard.bpmspace.net.bundle_2.crt     wildcard.bpmspace.net.csr                      wildcard.bpmspace.net.intermediate2.crt  wildcard.bpmspace.net.root.crt
~ # ls /config/
traefik.toml

NOTE: /certs/wildcard.bpmspace.net.BUNDLE.crt contains root, intermediate1, intermediate2 and certificate

I get

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
------------------
https://traefik.bpmspace.net/dashboard/#/
The certificate is not trusted because it was signed by the issuer himself.
HTTP Strict Transport Security: False
HTTP Public Key Pinning: False
Certificate chain:

Output Log File

time="2020-01-19T07:33:22Z" level=debug msg="No default certificate, generating one"

This message is ongoing ...

Thanks for help
Rob

I changed to "/etc/traefik/"

...
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/cert:/certs/
       - /home/rootmessages/BPMspaceCloud/dockerswarm/management/traefik/config:/etc/traefik/
...

and get the error

2020/01/19 07:43:16 command traefik error: no valid configuration found in file: /etc/traefik/traefik.toml

The file looks like

[[tls.certificates]]
  certFile = "/certs/wildcard.bpmspace.net.bundle.crt"
  keyFile = "/certs/wildcard.bpmspace.net.key"

Nothing more ....
Thanks rob

The etc/traefik/traefik.toml is for the static configuration and in this case you cannot put dynamic configuration in this file.

My example was good, I recommend to clean your browser cache.

OK, BACK to

...
       - /home/rootmessages/BPMspaceCloud/dockerswarm/management/traefik/config:/config/
...

Rename ... traefik.toml -> tls.toml

...

Still have this in the container log:

time="2020-01-19T12:26:18Z" level=debug msg="No default certificate, generating one"

Also tried with 3 browsers (after deleting the cache), same error messages.

Websites prove their identity via certificates. Firefox Developer Edition does not trust this site because it uses a certificate that is not valid for traefik.bpmspace.net. The certificate is only valid for 6aafdcbab6a6d35065f4bc49e98f2c0c.7583724d7aa25335c624fb8eb379175d.traefik.default.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Where do I tell TRAEFIK to READ /config/tls.toml, or is this done automatically?

https://check-your-website.server-daten.de/?q=traefik.bpmspace.net also tells me

No trusted Certificate

Thanks rob

Traefik reads certificates automatically, and the selection of the certificates is based on SNI information in the certificates.
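
How the static and dynamic pieces discussed in this thread fit together, as an added example that is not part of the original posts: Traefik v2 loads a dynamic configuration file only through the file provider, so the static configuration (here the CLI flags) needs a `--providers.file.*` flag pointing at the mounted directory. Paths and the image tag are the ones used in the thread; the read-only mounts and the `stores.default.defaultCertificate` entry are assumptions added for illustration.

```yaml
# --- docker-compose.yml (fragment; only the lines relevant to TLS) ---
services:
  reverse-proxy:
    image: traefik:v2.1.2
    command:
      - --providers.docker
      - --providers.docker.swarmmode=true
      - --providers.docker.exposedbydefault=false
      # Static configuration: enable the file provider so Traefik reads
      # every dynamic configuration file found in /config/.
      - --providers.file.directory=/config/
      - --providers.file.watch=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # Assumption: certificates and config are mounted read-only.
      - /var/cert:/certs/:ro
      - /var/config:/config/:ro
---
# --- /config/tls.yml (dynamic configuration, loaded by the file provider) ---
tls:
  certificates:
    # certFile must start with the server (leaf) certificate, followed by
    # the intermediates; the key must belong to that first certificate.
    - certFile: /certs/wildcard.bpmspace.net.bundle.crt
      keyFile: /certs/wildcard.bpmspace.net.key
  stores:
    default:
      # Assumption for this example: also serve the wildcard certificate to
      # clients whose SNI matches no loaded certificate, instead of the
      # generated "TRAEFIK DEFAULT CERT".
      defaultCertificate:
        certFile: /certs/wildcard.bpmspace.net.bundle.crt
        keyFile: /certs/wildcard.bpmspace.net.key
```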