Traefik Uses Self-Signed Certificate Instead of ACME/Letsencrypt One

joernschellhaas · March 21, 2020, 8:52pm

I'm trying to setup Taefik using docker-compose.

I tried a lot of things, but still it seems that my Letsencrypt config is mostly ignored. Can somebody help me with fixing my configuration or finding a way to debug this?

Traefik Config

docker-compose.yml

version: '3'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.1
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./acme.json:/acme.json

networks:
  default:
    external: 
      name: gateway
# Requires command:
#     docker network create \
#     --driver=bridge \
#     --attachable \
#     --internal=false \
#     gateway

traefik.yml

entrypoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    exposedbydefault: false

certificatesresolvers:
  letsencrypt:
    acme:
      email: "js@example.com"
      storage: "/acme.json"
      httpchallenge:
        entrypoint: http
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

api:
  insecure: true 

log:
  level: "DEBUG"
accessLog: {}

ls -l
total 16
-rw------- 1 root root    0 Mar 21 17:16 acme.json
-rw-r--r-- 1 root root  583 Mar 21 21:37 docker-compose.yml
-rw------- 1 root root  434 Mar 21 21:28 traefik.yml

Application Config

version: '3'

services:
  whoami:
    # A container that exposes an API to show its IP address
    image: containous/whoami
    container_name: whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=https
      - traefik.http.routers.whoami.rule=Host(`c.srv.example.com`)
      - traefik.http.routers.whoami.tls=true
      - treafik.http.routers.whoami.tls.certresolver=letsencrypt

networks:
  default:
    external: 
      name: gateway

Log

traefik    | time="2020-03-21T20:49:09Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Traefik version 2.1.8 built on 2020-03-19T15:08:56Z"
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"certificatesResolvers\":{\"letsencrypt\":{\"acme\":{\"email\":\"js@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"http\"}}}}}"
traefik    | time="2020-03-21T20:49:09Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/contributing/data-collection/\n"
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Start TCP Server" entryPointName=http
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Starting provider *traefik.Provider {}"
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Start TCP Server" entryPointName=https
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Starting provider *acme.Provider {\"email\":\"js@example.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"http\"},\"ResolverName\":\"letsencrypt\",\"store\":{},\"ChallengeStore\":{}}"
traefik    | time="2020-03-21T20:49:09Z" level=info msg="Testing certificate renew..." providerName=letsencrypt.acme
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/[^:\\\\/]+(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}},\"services\":{\"api\":{},\"dashboard\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Configuration received from provider letsencrypt.acme: {\"http\":{},\"tls\":{}}" providerName=letsencrypt.acme
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Provider connection established with docker 19.03.8 (API 1.40)" providerName=docker
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-traefik-5913561dfb36c2bb5af5f103a03723f2962b3de3f3a746c598b67c4b8baae4d7
traefik    | time="2020-03-21T20:49:09Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"https\"],\"service\":\"whoami-whoami\",\"rule\":\"Host(`c.srv.example.com`)\",\"tls\":{}}},\"services\":{\"whoami-whoami\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.28.0.3:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" middlewareType=StripPrefix middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal entryPointName=traefik
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=traefik middlewareName=traefik-internal-recovery
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareType=StripPrefix middlewareName=dashboard_stripprefix@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Setting up redirection from ^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal entryPointName=traefik
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" entryPointName=https routerName=whoami@docker serviceName=whoami-whoami middlewareName=pipelining middlewareType=Pipelining
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=whoami@docker serviceName=whoami-whoami
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating server 0 http://172.28.0.3:80" entryPointName=https routerName=whoami@docker serviceName=whoami-whoami serverName=0
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Added outgoing tracing middleware whoami-whoami" middlewareType=TracingForwarder entryPointName=https routerName=whoami@docker middlewareName=tracing
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="Creating middleware" entryPointName=https middlewareType=Recovery middlewareName=traefik-internal-recovery
traefik    | time="2020-03-21T20:49:10Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-03-21T20:50:19Z" level=debug msg="Serving default certificate for request: \"c.srv.example.com\""
traefik    | time="2020-03-21T20:50:19Z" level=debug msg="http: TLS handshake error from 77.179.39.123:61801: remote error: tls: bad certificate"

joernschellhaas · March 21, 2020, 10:07pm

Oh no, I got it. It was a typo; I had typed treafik instead of traefik in the application config...

Topic		Replies	Views
Problems with Let's Encypt Certificate Generation Traefik v2 letsencrypt-acme	0	462	November 14, 2021
Traefik refuses to use my valid ACME certificate, falls back to self signed Traefik v2 docker , letsencrypt-acme	3	1987	August 4, 2023
Problem with LetsEncrypt certificate generation Traefik v2 letsencrypt-acme	1	1620	September 15, 2021
Traefik can't connect to lets encrypt directory Traefik v2 docker , letsencrypt-acme	1	2583	February 28, 2020
Traefik doesn't write in acme.json on version 2.3.4 Traefik v2 docker , docker-swarm , letsencrypt-acme	6	3928	December 17, 2020

Traefik Uses Self-Signed Certificate Instead of ACME/Letsencrypt One

Related topics