Traefik, Letsencrypt and Certbot for static web site

I have read the following guide. I was able to understand the code. The setup works perfectly on my VPS. Is there a guide explaining how to add Let's Encrypt to the server and renew it automatically when it expires?

I would like to create a Docker Compose file to publish a static html page reachable through a secure connection for life.

My html file:

<!doctype html>
<html lang="it">
<head><title>Ciao Mondo!</title></head>
<body>
<h1>Ciao Mondo!</h1>
<p>Questa &egrave; una semplice pagina HTML statica servita grazie a Traefik.</p>
</body>
</html>

Hello,

Traefik automatically manages Let's Encrypt certificates (creation and renewal), so if you have defined a resolver and set TLS on your router, everything will be done automatically.

Note: You don't need Certbot; Traefik internally uses a lib called lego to handle ACME/Let's Encrypt.

Also, Traefik is a reverse proxy and not a web server, so Traefik cannot serve a static file if you don't have a web server.


A quick example:

.
├── docker-compose.yml
├── Dockerfile
├── letsencrypt
└── public
    └── index.html
Dockerfile
# Dockerfile content
FROM node:alpine3.15

RUN npm install --global http-server

EXPOSE 8080
ENTRYPOINT ["http-server"]
docker-compose.yml
# docker-compose.yml content
version: "3.9"

services:
  traefik:
    image: traefik:v2.8.0
    command:
      - --log.level=INFO
      - --api.insecure
      - --api.dashboard
      - --providers.docker
      - --providers.docker.exposedbydefault=false

      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver

      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=your_email@example.com
      - --certificatesresolvers.leresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt/:/letsencrypt
    ports:
      - 80:80
      - 443:443

  webserver:
    build: .
    labels:
      traefik.enable: 'true'
      traefik.http.routers.training.rule: Host(`example.localhost`)
      traefik.http.routers.training.entrypoints: websecure

    volumes:
      - ./public/:/public

Then:

docker-compose build
docker-compose up

Thanks for your answer and your code. You have been very kind. Magnificent!
I have replaced the email and the domain name. The page is reachable but the browser tells me that the certificate is not valid:

http://*****************.tk/> 404 page not found
http://www.*****************.tk/> 404 page not found
https://*****************.tk/> ok but the certificates are not valid
https://www.*****************.tk/> 404 page not found

I get this error:

ubuntu-22-04-lts@webserver:~/Traefik-Static-Page$ cd /home/ubuntu-22-04-lts/Traefik-Static-Page
docker-compose build
docker-compose up
traefik uses an image, skipping
Building webserver
error checking context: 'no permission to read from '/home/ubuntu-22-04-lts/Traefik-Static-Page/letsencrypt/acme.json''.
ERROR: Service 'webserver' failed to build : Build failed
traefik-static-page_traefik_1 is up-to-date
Recreating traefik-static-page_webserver_1 ...

Is my DNS configuration right? Do I have to do anything other than launch the 2 commands from the terminal and upload the folder with all the project files to the server?

The following configuration uses the LE staging environment (the testing env), so the certificates are not valid; that is expected.

- --certificatesresolvers.leresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory

If you want a valid certificate, you just have to remove this line.

The following configuration will handle the HTTP to HTTPS redirection:

docker-compose.yml
version: "3.9"

services:
  traefik:
    image: traefik:v2.8.0
    command:
      - --log.level=INFO
      - --api.insecure
      - --api.dashboard
      - --providers.docker
      - --providers.docker.exposedbydefault=false

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https

      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certresolver=leresolver

      - --certificatesresolvers.leresolver.acme.tlsChallenge=true
      - --certificatesresolvers.leresolver.acme.email=your_email@example.com
      # - --certificatesresolvers.leresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt/:/letsencrypt
    ports:
      - 80:80
      - 443:443

  webserver:
    build: .
    labels:
      traefik.enable: 'true'
      traefik.http.routers.training.rule: Host(`example.localhost`)

    volumes:
      - ./public/:/public

Ok, thanks, everything works, but sometimes the script doesn't start and I get this message:

Building webserver
error checking context: 'no permission to read from '/home/ubuntu-22-04-lts/Traefik-Static-Page/letsencrypt/acme.json''.
ERROR: Service 'webserver' failed to build : Build failed

Please don't expose the files inside the letsencrypt directory, because it contains your private key.

Add the following file (.dockerignore) at the same level as your Dockerfile:

.dockerignore
letsencrypt/

.
├── .dockerignore
├── docker-compose.yml
├── Dockerfile
├── letsencrypt
└── public
    └── index.html
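As an added example (not code from this thread or from Traefik), a small Python pre-flight script for the layout discussed above: it lists the domains held in acme.json without decoding any key material, checks that the file carries the 0600 mode Traefik requires, and confirms that .dockerignore keeps letsencrypt/ out of the build context (the cause of the "no permission to read" build error). The acme.json contents are constructed with placeholder key fields; the resolver -> Account/Certificates layout is Traefik v2's.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed acme.json in Traefik v2's layout (resolver -> Account/Certificates);
# the key fields hold placeholders, and nothing below ever decodes them.
SAMPLE_STORE = {"leresolver": {
    "Account": {"Email": "your_email@example.com", "PrivateKey": "PLACEHOLDER"},
    "Certificates": [{"domain": {"main": "example.localhost"},
                      "certificate": "PLACEHOLDER", "key": "PLACEHOLDER",
                      "Store": "default"}]}}

def acme_domains(acme_path):
    """Map each resolver to the main domains it holds, reading only the metadata fields."""
    with open(acme_path) as fh:
        store = json.load(fh)
    return {res: [c["domain"]["main"] for c in data.get("Certificates", [])]
            for res, data in store.items()}

def acme_mode_ok(acme_path):
    """Traefik refuses an acme.json readable by anyone but its owner: mode must be 0600."""
    return stat.S_IMODE(os.stat(acme_path).st_mode) == 0o600

def build_context_excludes(project_dir, subdir="letsencrypt"):
    """True if .dockerignore lists subdir (as 'subdir', 'subdir/' or 'subdir/*')."""
    ignore = Path(project_dir) / ".dockerignore"
    if not ignore.is_file():
        return False
    patterns = {ln.strip() for ln in ignore.read_text().splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")}
    return bool(patterns & {subdir, subdir + "/", subdir + "/*"})

def preflight(project_dir):
    """Run the three checks against a project laid out as in the thread."""
    acme = Path(project_dir) / "letsencrypt" / "acme.json"
    return {"domains": acme_domains(acme), "mode_ok": acme_mode_ok(acme),
            "context_excluded": build_context_excludes(project_dir)}

def demo(mode=0o600, ignore_text="letsencrypt/\n"):
    """Build a throwaway project tree holding SAMPLE_STORE and run preflight on it."""
    root = Path(tempfile.mkdtemp())
    (root / "letsencrypt").mkdir()
    acme = root / "letsencrypt" / "acme.json"
    acme.write_text(json.dumps(SAMPLE_STORE))
    os.chmod(acme, mode)
    if ignore_text is not None:          # None reproduces the missing .dockerignore
        (root / ".dockerignore").write_text(ignore_text)
    return preflight(root)
```

Run `preflight(".")` from the project directory of a real deployment; `demo(mode=0o644, ignore_text=None)` reproduces the two failure modes seen in this thread.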

Thanks, very kind. Is it better letsencrypt/ or letsencrypt/*?

Prefer letsencrypt/


Thank you very much. Is exposing the dashboard on the production server a security risk? Does it make sense to use these codes or is it enough not to write "8080:8080"?

      - --api.insecure=false
      - --api.dashboard=false

Which of the 2 scripts is the most modern and advisable for a working configuration with future versions of Docker Compose?

- "--api.insecure"

- --api.insecure
