Traefik not obtaining TLS certificate for dashboard using subdomain

I have a working Traefik proxy for authentik and all my services and want to access the dashboard on a subdomain, traefik.domain.dev. Below are the files I created for the service. The authentik server uses the middleware.yml. The problem I have now is that Traefik obtains certificates from Let's Encrypt for all services with these labels in the docker-compose.yml:

      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.service1-rtr.rule=Host(`service1.domain.dev`)"
      - "traefik.http.routers.service1-rtr.entrypoints=websecure"
      - "traefik.http.routers.service1-rtr.tls=true"
      - "traefik.http.routers.service1-rtr.tls.certresolver=le"

But the same code block for the Traefik container does nothing. I would use the dashboard without TLS if possible, but on .dev domains HSTS is enforced by Google.
In the log file Traefik adds certificates for all subdomains except the one for the Traefik dashboard, e.g.

      time="2022-09-22T20:00:00Z" level=debug msg="Adding certificate for domain(s) service1.domain.dev"

But the route is added:

      time="2022-09-22T20:00:01Z" level=debug msg="Adding route for traefik.domain.dev with TLS options default" entryPointName=websecure

docker-compose.yml

traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - '--configFile=/config/traefik.yml'
    ports:
      - 80:80
      - 443:443
    volumes:
      - $DOCKERDIR/apps/traefik:/config
      - $DOCKERDIR/apps/traefik/letsencrypt:/letsencrypt:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      # Dashboard
      - "traefik.http.routers.dashboard.rule=Host(`traefik.domain.dev`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls"

traefik.yml

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: false
http:
  routers:
    dashboard:
      rule: Host(`traefik.domain.dev`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - dashboard@file
log:
  level: DEBUG
  filepath: /config/traefik.log

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /config/rules/middleware.yml

certificatesResolvers:
  le:
    acme:
      email: mymail@domain.dev
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

rules/middleware.yml

http:
  middlewares:
    dashboard:
      basicAuth:
        users:
          - "test:pass1"
          - "test2:pass2"
    middlewares-authentik:
      forwardAuth:
        address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

I do not understand why the obtainment of the certificate for traefik.domain.dev for the dashboard does not work.

Your docker-compose.yml for Traefik is missing the certresolver.

Note that for basicAuth you need hashed passwords, see docs.
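
Both points in this answer can be checked mechanically before deploying. The following is an added example, not part of the original thread or of Traefik itself: a small lint over label lists and `basicAuth` user entries. The function names, the `ops` user and its placeholder hash are constructed for illustration, and the set of hash prefixes is an assumption about htpasswd-style output.

```python
import re

# Matches router TLS labels: ...routers.<name>.tls, .tls=true, .tls.certresolver=le
TLS_LABEL = re.compile(
    r"^traefik\.http\.routers\.([^.=]+)\.tls(?:\.([^=]+))?(?:=(.*))?$", re.I)
# htpasswd-style prefixes treated as "hashed" here (assumption: apr1-MD5, bcrypt, SHA1)
HASH_PREFIXES = ("$apr1$", "$2a$", "$2b$", "$2y$", "{SHA}")

def routers_missing_certresolver(labels):
    """Routers that enable TLS but name no certresolver on the router."""
    tls_on, resolved = set(), set()
    for raw in labels:
        m = TLS_LABEL.match(raw.strip().strip("\"'"))
        if not m:
            continue
        router, option, value = m.groups()
        if option is None:
            if (value or "true").lower() != "false":
                tls_on.add(router)
        else:
            tls_on.add(router)  # any tls.* option also creates the TLS section
            if option.lower() == "certresolver" and value:
                resolved.add(router)
    return sorted(tls_on - resolved)

def unhashed_basicauth_users(users):
    """User names from a basicAuth users list whose secret is not an htpasswd hash."""
    return [u.partition(":")[0] for u in users
            if not u.partition(":")[2].startswith(HASH_PREFIXES)]

# Labels copied from the post: the working service and the dashboard router.
SERVICE1 = [
    "traefik.enable=true",
    "traefik.http.routers.service1-rtr.rule=Host(`service1.domain.dev`)",
    "traefik.http.routers.service1-rtr.entrypoints=websecure",
    "traefik.http.routers.service1-rtr.tls=true",
    "traefik.http.routers.service1-rtr.tls.certresolver=le",
]
DASHBOARD = [
    "traefik.enable=true",
    "traefik.http.routers.dashboard.rule=Host(`traefik.domain.dev`)",
    "traefik.http.routers.dashboard.entrypoints=websecure",
    "traefik.http.routers.dashboard.service=api@internal",
    "traefik.http.routers.dashboard.tls",
]
# Users from middleware.yml plus one constructed entry with a placeholder hash.
USERS = ["test:pass1", "test2:pass2", "ops:$2y$05$PLACEHOLDER_NOT_A_REAL_HASH"]

if __name__ == "__main__":
    print("no certresolver:", routers_missing_certresolver(SERVICE1 + DASHBOARD))
    print("unhashed users:", unhashed_basicauth_users(USERS))
```

A router flagged by the first check still answers on `websecure`, but with whatever certificate Traefik already holds (its default certificate if none matches) rather than one requested from the `le` resolver.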

Thank you, that was the problem. Works like a charm.
