Can't get my head round Traefik using ready-made cert/key files instead of ACME (LE). So my docker-compose.yml is as follows:
version: "3.9"
services:
  # TRAEFIK
  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"
    restart: unless-stopped
    environment:
      - TZ=UTC
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.admin-auth.basicauth.users=admin:HASH
      - traefik.http.routers.traefik-public-https.rule=Host(`traefik.MYDOMAIN.COM`)
      - traefik.http.routers.traefik-public-https.entrypoints=https
      - traefik.http.routers.traefik-public-https.tls=true
      - traefik.http.routers.traefik-public-https.service=api@internal
      - traefik.http.routers.traefik-public-https.middlewares=admin-auth
    ports:
      - 80:80
      - 443:443
    deploy:
      placement:
        constraints:
          - node.role==manager
    volumes:
      - /run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/etc/certs
      - ./traefik:/etc/traefik
    networks:
      - default

  # ONE OF THE WEB APP CONTAINERS ...
  fhfront:
    container_name: fhfront
    build:
      context: ./front
      dockerfile: Dockerfile
    restart: unless-stopped
    env_file:
      - .env
    expose:
      - 8090
    labels:
      - traefik.enable=true
      - traefik.http.routers.fhfront.rule=Host(`MYDOMAIN.COM`,`www.MYDOMAIN.COM`)
      - traefik.http.routers.fhfront.entrypoints=https
      - traefik.http.middlewares.t-compress.compress=true
      - traefik.http.routers.fhfront.middlewares=t-compress
    networks:
      - default
The certs folder (mapping to /etc/certs in Traefik) contains the two certificate files issued by my CA: certificate.pem and certificate-priv.key. The certificate is valid for my domain - let's say MYDOMAIN.COM.

The traefik folder (mapping to /etc/traefik) contains two Traefik config files:

traefik.yml
################################################################
# API and dashboard configuration
################################################################
api:
  # Dashboard
  dashboard: true
  insecure: true

################################################################
# Docker configuration backend
################################################################
providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true
  docker:
    watch: true
    exposedByDefault: false
    swarmMode: false

################################################################
# Traefik Logging
################################################################
log:
  level: DEBUG

################################################################
# Entrypoint
################################################################
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls: true
dynamic.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /etc/certs/certificate.pem
      keyFile: /etc/certs/certificate-priv.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/certificate.pem
        keyFile: /etc/certs/certificate-priv.key
So in theory, Traefik should substitute its default self-provided certs (LE) for the ones indicated in dynamic.yml. However, my browser raises the ERR_CERT_COMMON_NAME_INVALID error:
net::ERR_CERT_COMMON_NAME_INVALID
Subject: TRAEFIK DEFAULT CERT
Issuer: utmcore@A_1771EFFCA7C86E4E_ca
Expires on: ...
Current date: ...
PEM encoded chain: ...
Which kind of says that Traefik uses its own certs and not the one I've provided.
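The symptom in the question, modelled as an added Go example (this is not code from the question or from the Traefik project): a minimal TLS listener picks a certificate per SNI name the way a Traefik TLS store does (first loaded certificate whose SANs cover the name, otherwise the store's default certificate), and a client reports which leaf was actually served and whether it passes hostname verification, which is what the browser's ERR_CERT_COMMON_NAME_INVALID is reporting. All certificates are generated in memory as constructed test material, the hostnames are the question's placeholders in lowercase, and `certStore`, `servedLeaf`, `hostnameError` and `demo` are the example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an in-memory self-signed certificate with the given subject
// CN and DNS SANs. Constructed test material: it stands in for the CA-issued
// certificate.pem/certificate-priv.key pair and for Traefik's generated default cert.
func selfSigned(cn string, sans []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// certStore models the per-handshake selection a Traefik TLS store performs:
// the first loaded certificate whose SANs cover the SNI name is served; when
// none matches, the store's default certificate is served instead.
type certStore struct {
	defaultCert tls.Certificate
	certs       []tls.Certificate
}

func (s *certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for i := range s.certs {
		if s.certs[i].Leaf.VerifyHostname(hello.ServerName) == nil {
			return &s.certs[i], nil
		}
	}
	return &s.defaultCert, nil
}

// servedLeaf starts a TLS listener backed by the store, connects with the given
// SNI name and returns the leaf the server presented (what s_client -servername shows).
func servedLeaf(store *certStore, sni string) (*x509.Certificate, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: store.getCertificate})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // drive the server side of the handshake
		c.Close()
	}()
	// InsecureSkipVerify only so the client can inspect whatever was served;
	// the hostname check is done explicitly by hostnameError.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// hostnameError returns "" when cert is valid for name, otherwise the x509
// error text (the server-side counterpart of ERR_CERT_COMMON_NAME_INVALID).
func hostnameError(cert *x509.Certificate, name string) string {
	if err := cert.VerifyHostname(name); err != nil {
		return err.Error()
	}
	return ""
}

// demo runs both situations: the domain certificate loaded into the store, or
// missing from it so that the SNI lookup falls through to the default cert.
func demo(domainCertLoaded bool) (subjectCN, verifyErr string, err error) {
	def, err := selfSigned("TRAEFIK DEFAULT CERT", nil) // no SANs, like Traefik's default
	if err != nil {
		return "", "", err
	}
	store := &certStore{defaultCert: def}
	if domainCertLoaded {
		dom, derr := selfSigned("mydomain.com", []string{"mydomain.com", "www.mydomain.com"})
		if derr != nil {
			return "", "", derr
		}
		store.certs = append(store.certs, dom)
	}
	leaf, err := servedLeaf(store, "mydomain.com")
	if err != nil {
		return "", "", err
	}
	return leaf.Subject.CommonName, hostnameError(leaf, "mydomain.com"), nil
}

func main() {
	for _, loaded := range []bool{false, true} {
		cn, verr, err := demo(loaded)
		if err != nil {
			panic(err)
		}
		fmt.Printf("domain cert loaded=%v  served subject=%q  hostname check=%q\n", loaded, cn, verr)
	}
}
```

The same check against the real proxy is `openssl s_client -connect MYDOMAIN.COM:443 -servername MYDOMAIN.COM </dev/null | openssl x509 -noout -subject -ext subjectAltName`. A subject of TRAEFIK DEFAULT CERT there means the store contained no loaded certificate whose SANs cover the SNI name, so the two things to confirm are that the file provider actually loaded dynamic.yml (the DEBUG log shows the parsed configuration) and that the name being requested appears in the certificate's subjectAltName list; a certificate that only carries the name in its CN is not matched by modern browsers either.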