Traefik v2 and docker compose: no default certificate

I am trying to setup traefik as a container and I'm running into two problems. One I have had from the start, the other from the moment I wanted to drop traefik_dynamic.toml for label entries in the docker compose file.

  1. [UPDATE: Solved, see below]
    I can't get any logging to work. I can see very basic logging when I start the container with docker compose up without -d:
root@snape:/srv/docker/traefik# docker compose up --force-recreate
[+] Running 1/0
 ⠿ Container traefik  Recreated                                                                                                                                             0.1s
Attaching to traefik
traefik  | time="2022-10-16T21:10:26Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"

but with -d no logging is written in the log files, whatever I try. It seems that without -d the logging is also not DEBUG, so I wonder if my traefik.toml is correct

  1. I can't get my existing certificates to work. This worked when I had this defined traefik_dynamic.toml but I can't get it working via the labels entry in the docker compose file.

My traefik.toml contains:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "DEBUG"

[accessLog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

My docker-compse YAML contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/foo.rna.nl/fullchain.pem:/foo.live.fullchain.pem
      - /etc/letsencrypt/live/foo.rna.nl/privkey.pem:/foo.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      - "traefik.port=8080"

      # Create middlewares (authentication and redirect)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:[snip]"

      # Configure web entrypoint rules(":80")
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.tls.stores.default.defaultCertificate.certFile=/foo.live.fullchain.pem" 
      - "traefik.tls.stores.default.defaultCertificate.keyFile=/foo.live.privkey.pem" 

      # Use Middlewares for basic auth
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

I'd like to know how to get traefik to use the default certificate for any service (either in traefik.toml or in the labels: section of docker-compose.yml). And note: I don't want to use traefik's own letsencrypt integration, it needs to use a cert that is in files somewhere on the system (regardless if it is currently letsencrypt that is providing the cert)

I found the logging problem. The filePath in traefik.toml was /var/log/traefik.log and not /var/log/traefik/traefik.log

In traefik_dynamic.toml this worked:

  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/foo.live.fullchain.pem"
      keyFile  = "/foo.live.privkey.pem"

The answer is: not doable via docker compose labels. I now have some shared dynamic settings in a 'file provider'.

traefik.toml:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "WARN"

[accesslog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  debug = true
  insecure = false

# This file provider contains the following settings which are shared across other providers:
# - basic auth
# - default cert
[providers.file]
  watch = true
  filename = "/etc/traefik/shared_providers_dynamic.toml"

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

shared_providers_dynamic.toml:

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "(snip):(snip)"
  ]

[http.middlewares.mylan.ipWhiteList]
  sourceRange = ["(snip)", "(snip)"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

And docker-compose.yml contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file"
      - "traefik.http.routers.traefik-secure.middlewares=mylan@file"

Static config goes into docker-compose.yml command section of Traefik, dynamic config into labels.

According to https://doc.traefik.io/traefik/getting-started/configuration-overview/:

There are three different, mutually exclusive (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:

  1. In a configuration file
  2. In the command-line arguments
  3. As environment variables

The problem with using commands is it is mutually exclusive with a configuration file.

tls.stores (that defines the default cert) must be defined in the dynamic config, but defining it with labels doesn't work. Hence, I need to use a static config file to load the shared dynamic config file which excludes the use of commands in the compose file.

This is of course based on limited understanding and experience (beginner) so I'd be happy to try a compose label solution that enables me to drop the dynamic config file.

You are right, just tested it, seems you can not add static certificates via labels.

So this won't work:

    labels:
      - traefik.tls.stores.default.defaultCertificate.certFile=/certificates/example.com.pem
      - traefik.tls.stores.default.defaultCertificate.keyFile=/certificates/example.com.key
      - traefik.tls.certificates[0].certFile=/certificates/example.com.pem
      - traefik.tls.certificates[0].keyFile=/certificates/example.com.key

You need to use a provider.file either via command in docker-compose.yml or within a Traefik static configuration file.

Yes I know, that is what I wrote in my own solution above. But it was unexpected (and weird) that the rule that static entries can be given by command and dynamic by label is not always true. Maybe this should be considered a bug? Should I file one?

Good question, there seem to be other settings you can not apply with labels, like #8884.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.