Traefik is unable to load provider config when using a tls/secure Entrypoint

dnate-ifs · April 14, 2025, 6:09pm

Hi Everyone,

I'm new to traefik and I'm trying to configure it as a proxy on a nomad cluster. I'm able to get traefik working properly without a secure/tls entrypoint but as soon as I try to add a tls entrypoint I run into the following issues.

The first issue is I get the following errors (repeated) in stdout

2025-04-14T17:33:34Z ERR Loading configuration, retrying in 7.999285545s error="loading configuration: Unexpected response code: 403 (Permission denied)" providerName=nomad-dev
2025-04-14T17:33:35Z ERR Loading configuration, retrying in 2.990902199s error="loading configuration: Unexpected response code: 403 (Permission denied)" providerName=nomad-default

I've confirmed that this is not an issue with the client token for Nomad because, as I mentioned, everything works fine when tls isn't involved. I've also confirmed that my traefik.yml and tls.yml files have 644 permissions on the container.

Secondly it seems that traefik may not be loading/using the provided certificate. When I try to access one of the services traefik should be proxying for I can see that traefik is using it's default cert (not the provided self signed cert I was hoping for).

I hoped that this topic would resolve my issues but sadly it does not.

FWIW I've also tried starting this up in docker but run into the same errors.

Here are my configuration files:

Nomad Job file for Traefik

variable "TRAEFIK_CLIENT_TOKEN" {
  type = string
}
job "traefik" {
  datacenters = ["ifs"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port  "http"{
         static = 80
      }
      port "https"{
        static = 443
      }
      port  "admin"{
         static = 8080
      }
    }

    service {
      name = "traefik-https"
      provider = "nomad"
      port = "https"
    }

    volume "tls-certs" {
      type = "host"
      source = "tls-certs" # Match the name from the client config
      read_only = true
    }

    volume "traefik-config" {
      type = "host"
      source = "traefik-config" # Match the name from the client config
      read_only = true
    }

    task "server" {
      driver = "docker"
      config {
        image = "traefik:3"
        ports = ["admin", "http", "https"]
        args = [
          "--api.dashboard=true",
          "--api.insecure=true", ### For Test only, please do not use that in production
          "--configFile=/etc/traefik/traefik.yml",
          "--providers.nomad.endpoint.address=http://${attr.unique.network.ip-address}:4646", ### IP to your nomad server 
          "--log.maxbackups=5"
        ]
      }
      volume_mount {
        volume      = "tls-certs"
        destination = "/etc/ssl/traefik"
        propagation_mode = "private"
      }
      volume_mount {
        volume      = "traefik-config"
        destination = "/etc/traefik"
        read_only   = true
      }
      env {
        NOMAD_TOKEN = var.TRAEFIK_CLIENT_TOKEN
      }
    }
  }
}

traefik.yml

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
          permanent: true
  https:
    address: ":443"
    http:
      tls: {}
  traefik:
    address: ":8080"

providers:
  file:
    directory: "/etc/traefik/config"
    watch: true
  nomad:
    endpoint:
      address: "http://10.30.30.150:4646"
      token: "${NOMAD_TOKEN}"
    namespaces:
      - default
      - dev

api:
  dashboard: true
  insecure: true

log:
  level: ERROR

/etc/trafik/config/tls.yml

tls:
  certificates:
    - certFile: "/etc/ssl/traefik/my-cert.crt"
      keyFile: "/etc/ssl/traefik/my-cert.key"
  options:
    default:
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        caFiles:
          - "/etc/ssl/traefik/my-cert-ca.crt"

The command I use to start the job on Nomad is:

nomad job run -namespace dev -var=TRAEFIK_CLIENT_TOKEN=${TRAEFIK_CLIENT_TOKEN} -verbose traefik.nomad.hcl

Any help is appreciated

dnate-ifs · April 15, 2025, 10:34pm

According to the documentation...

There are three different, mutually exclusive (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:

In a configuration file
In the command-line arguments
As environment variables

I had read this before but apparently forgot about it and misunderstood the fact that not only are they mutually exclusive but the static config file is also unable to make use of any environment variable. So if you are going to use a static config file you cannot override or set values with cli arguments or env variables. Furthermore, it seems that the static config file is not capable of reading environment variables of any kind. This means you have to hard code tokens and any other value you wish to be dynamic. I was able to get things working by doing just that, however I don't like the idea of my traefik.yml file containing hard coded tokens so I'm working on adapting it to command line arguments. it almost works but I am now getting a 404 not found when I try to reach my servivce over https.

bluepuma77 · April 16, 2025, 7:02am

Maybe check simple Traefik example.

dnate-ifs · April 16, 2025, 3:26pm

FWIW I was able to get past the 404 error and now everything works as expected. Here is what I ended up with (the condensed version):
Nomad job file for traefik (task section only as nothing changed anywhere else)

task "server" {
      driver = "docker"
      config {
        image = "traefik:3"
        ports = ["admin", "http", "https"]
        args = [
          "--entryPoints.web.address=:${NOMAD_PORT_http}",
          "--entrypoints.web.http.redirections.entrypoint.to=websecure",
          "--entrypoints.web.http.redirections.entrypoint.scheme=https",
          "--entrypoints.web.http.redirections.entrypoint.permanent=true",

          "--entryPoints.websecure.address=:${NOMAD_PORT_https}",
          "--entrypoints.websecure.http.tls=true",

          "--entrypoints.traefik.address=:${NOMAD_PORT_admin}",

          "--providers.file.directory=/etc/traefik/config",
          "--providers.file.watch=true",

          "--providers.nomad.endpoint.address=http://${attr.unique.network.ip-address}:4646", 
          "--providers.nomad.endpoint.token=${ var.TRAEFIK_CLIENT_TOKEN }",
          "--providers.nomad.namespaces=default,dev",

          "--api.dashboard=true",
          "--api.insecure=true",

          "--log.level=ERROR",
          "--log.maxbackups=5",
          # "--log.maxsize=100",
          # "--log.maxage=3",
          # "--log.compress=false"
        ]
      }
      volume_mount {
        volume      = "tls-certs"
        destination = "/etc/ssl/traefik"
        propagation_mode = "private"
      }
      volume_mount {
        volume      = "traefik-config"
        destination = "/etc/traefik"
        read_only   = true
      }
    }

My traefik.yml no longer exists since I can't combine it with the command line flags. I'm not sure but I think the 404 error may have been due to the fact that I originally had --provider.file=true which I think may have caused traefik to ignore the other settings for that provider but that's just a wild guess. In any case it's not necessary to have that flag so I removed it.

system · April 19, 2025, 3:27pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Errors after adding new entrypoint and letsencrypt Traefik v3 (latest) file	7	850	June 12, 2024
Https always responds 404 with docker provider Traefik v2 docker	3	539	November 5, 2019
Unable to use HTTPS on Traefik V1.718 Traefik v1 file	0	566	November 15, 2019
Issue with SSL Certificate and Redirection in Traefik Docker Compose Setup Traefik v2 docker	1	1384	August 26, 2023
Unable to get HTTPS using Traefik as reverse proxy Traefik v2 docker	2	1464	October 26, 2022

Traefik is unable to load provider config when using a tls/secure Entrypoint

Related topics