Traefik SSL Let's Encrypt invalid certificate

I have Docker installed on a VPS and am now trying to configure Traefik to run as a reverse proxy. I have the main setup, but I have a problem with SSL: Traefik creates SSL, but when I open the website from a browser it tells me that the certificate is invalid and not secure. Here is my Traefik docker compose file.

I want to know what the problem is in my configuration here, to enable SSL and redirect any HTTP request to HTTPS.


version: "3.3"
services:
  traefik:
    command:
      - --api.insecure=false
      - --api.dashboard=true
      - --api.debug=true
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic.yaml
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      - --entrypoints.web-secured.address=:443
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=tareksalem19982018@gmail.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.mytlschallenge.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    volumes:
      - /var/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/traefik/config.yaml:/dynamic.yaml 
    networks:
      - web
    labels:
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`monitor.dev.zaclouds.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
networks:
  web:
    external: true

Hello @tareksalem and thanks for your interest in Traefik,

If I am not missing something in your configuration, you missed configuring the certificate resolver at the router level as explained in the documentation.

The configuration should look like the following (I also removed the redirect middleware configuration as you configured the redirection at the entrypoint level):

version: "3.3"
services:
  traefik:
    command:
      - --api.insecure=false
      - --api.dashboard=true
      - --api.debug=true
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic.yaml
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      - --entrypoints.web-secured.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=web-secured # must match the name of the :443 entrypoint defined above
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=tareksalem19982018@gmail.com
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.mytlschallenge.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
    volumes:
      - /var/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/traefik/config.yaml:/dynamic.yaml 
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`monitor.dev.zaclouds.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls.certresolver=mytlschallenge" # <--- configure the certresolver
networks:
  web:
    external: true

Hope this helps!

When you want to use Let's Encrypt, you need to define the resolver in the static configuration (in your case command) and add it to the router in the dynamic configuration (in your case labels). See docs.

Add

traefik.http.routers.api.tls.certresolver=mytlschallenge

And I think this is not needed, as it's already defined in the static configuration.

  - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
  - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
  - "traefik.http.routers.redirs.entrypoints=web"
  - "traefik.http.routers.redirs.middlewares=redirect-to-https"
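
The two answers come down to a consistency rule between the static configuration (command flags) and the dynamic configuration (labels): a TLS router must name a resolver that is actually defined. The checker below is an added example, not code from this thread or from the Traefik project; the name `check_traefik`, the finding texts and the trimmed sample input are constructed for illustration, and the entrypoint-redirection check goes beyond what the answers cover.

```python
import re

def names(flags, pattern):
    """Collect the first capture group of every flag key matching pattern."""
    return {m.group(1) for m in (re.match(pattern, k) for k in flags) if m}

def check_traefik(command, labels):
    """Return findings for a Traefik v2 static (command) + dynamic (labels) pair."""
    # Keys are lower-cased for comparison (an assumption of this example).
    flags = {k.lower(): v for k, _, v in (a.lstrip("-").partition("=") for a in command)}
    resolvers = names(flags, r"certificatesresolvers\.([^.]+)\.")
    entrypoints = names(flags, r"entrypoints\.([^.]+)\.address$")
    findings = []
    # A redirection target must be a defined entrypoint name or a ":port".
    for k, v in flags.items():
        if (k.endswith(".http.redirections.entrypoint.to")
                and not v.startswith(":") and v.lower() not in entrypoints):
            findings.append(f"redirection target '{v}' is not a defined entrypoint")
    # Collect the TLS settings of each router from the labels.
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.tls(\.certresolver)?$", key.lower())
        if m:
            routers.setdefault(m.group(1), {})["resolver" if m.group(2) else "tls"] = value
    for name, cfg in sorted(routers.items()):
        resolver = cfg.get("resolver")
        if resolver is None:
            findings.append(f"router '{name}': TLS enabled without certresolver "
                            "(default certificate is served)")
        elif resolver.lower() not in resolvers:
            findings.append(f"router '{name}': certresolver '{resolver}' is not defined "
                            "in the static configuration")
    return findings

# Constructed sample, trimmed from the configuration posted in the question.
COMMAND = [
    "--entrypoints.web.address=:80",
    "--entrypoints.web-secured.address=:443",
    "--entrypoints.web.http.redirections.entrypoint.to=websecure",
    "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true",
]
LABELS = [
    "traefik.http.routers.api.rule=Host(`monitor.dev.zaclouds.com`)",
    "traefik.http.routers.api.tls=true",
]

if __name__ == "__main__":
    print("\n".join(check_traefik(COMMAND, LABELS)) or "no findings")
```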