Traefik V2 - No Docker - Router error: Acme challenge is not enabled

Hi all, new to Traefik.

I want to perform SSL termination and reverse proxying for my services Plex, NAS, and WordPress.

I have managed to successfully install Traefik V2 on my Raspberry Pi (armv6). It is running fine outside of Docker and redirecting to the appropriate back-end servers. However, SSL doesn't work. Not sure what I might have configured incorrectly. I'm not used to the way that Traefik's docs are written and I don't understand them well.

I see the following error on the web interface, but I can't find any log files being created in the specified path of the config.

After burning my eyes reading the docs and anything I could find online, I have the following 'traefik.yaml' file:

#################################
# Traefik V2 Static Configuration
#################################

# Global Configurations
global:
  # Check for Update
  checkNewVersion: true

# Configure the transport between Traefik and your servers
serversTransport:
  # Skip the check of server certificates
  insecureSkipVerify: true
  # How many connections per server
  maxIdleConnsPerHost: 42
  # Define timeouts
  forwardingTimeouts:
    dialTimeout: 42
    responseHeaderTimeout: 42
    idleConnTimeout: 42

# Configure the network entrypoints into Traefik V2. Which port will receive packets and if TCP/UDP
entryPoints:

  # HTTP Entry Point
  web:
    # Listen on TCP port 80  (80/tcp)
    address: ":80"
    # redirect http to https
    http:
      redirections:
        entryPoint:
          # Where to redirect
          to: web-secure
          # Scheme to use
          scheme: https
          # Make it always happen
          permanent: true
    # Specify the timeouts for the transports
    transport:
      # Controls the behavior during the shutdown phase
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      # Timeouts for incoming requests to Traefik V2 instance. No effect on UDP.
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42
    # Define how the Proxy Protocol should behave and what to trust.
    proxyProtocol:
      # Specify IPs for secure mode
      trustedIPs:
      - 10.0.0.1
      - 127.0.0.1
    forwardedHeaders:
      # Specify IPs for secure mode
      trustedIPs:
      - 10.0.0.1
      - 127.0.0.1
  
  # HTTPS Entry Point
  web-secure:
    # Listen on TCP port 443  (443/tcp)
    address: ":443"
    # Define TLS with Let's Encrypt for all
    http:
      tls:
        certResolver: letsencrypt
    # Specify the timeouts for the transports
    transport:
      # Controls the behavior during the shutdown phase
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      # Timeouts for incoming requests to Traefik V2 instance. No effect on UDP.
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42
    # Define how the Proxy Protocol should behave and what to trust.
    proxyProtocol:
      # Specify IPs for secure mode
      trustedIPs:
      - 10.0.0.1
      - 127.0.0.1
    forwardedHeaders:
      # Specify IPs for secure mode
      trustedIPs:
      - 10.0.0.1
      - 127.0.0.1

# Configure the providers
providers:
  providersThrottleDuration: 42
  
  # If using a dynamic file
  file:
    filename: "/etc/traefik/traefik-dynamic.yaml"
    watch: true
    debugLogGeneratedTemplate: true
    
  rest:
    insecure: true

# Traefik's Dashboard located in http://<ip>/dashboard/ (last / necessary)
api:
  # Enable the dashboard
  dashboard: true

# Location of Log files
log:
  # Logging levels are: DEBUG, PANIC, FATAL, ERROR, WARN, INFO
  level: DEBUG
  filePath: "/etc/traefik/traefik.log"

# SSL Certificates
certificatesResolvers:
# Use Let's Encrypt for SSL Certificates
  letsencrypt:
    # Enable ACME (Let's Encrypt automatic SSL)
    acme:
      # E-mail used for registration
      email: <my e-mail>
      # Leave commented for PROD servers, uncomment for non-prod
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # File or key used for certificates storage.
      storage: acme.json
      # Optional 
      #keyType: RSA4096
      
      # Use HTTP-01 ACME challenge
      httpChallenge:
        entryPoint: web

And the following 'traefik-dynamic.yaml' file:

#################################
# Traefik V2 Dynamic Configuration
#################################

# Definition on how to handle HTTP requests
http:

  # Define the routers
  routers:

    # Map Traefik Dashboard requests to the Service
    Traefik:
      middlewares:
      - BasicAuth
      rule: "Host(`traefik.subdomain.dns1.us`)"
      service: api@internal
      tls:
        certResolver: letsencrypt

    # Map PLEX to the Server
    # No EntryPoints defined so that it listens in all of them
    PLEX:
      rule: "Host(`plex.subdomain.dns1.us`)"
      service: PLEX
      tls:
        certResolver: letsencrypt

  # Define the middlewares
  middlewares:
    # Basic auth for the dashboard
    BasicAuth:
      basicAuth:
        # Specify user and password (generator: https://www.web2generators.com/apache-tools/htpasswd-generator)
        users:
          - "<user>:<password>"

  # Define the services
  services:

    #PLEX Service
    PLEX:
      loadBalancer:
        # Backend URLs
        servers:
        - url: "http://10.0.0.21:32400"
        # Enable sticky sessions
        sticky:
          cookie: {}
        # Pass the client Host header to the server
        passHostHeader: true

Any help will be greatly appreciated.

Can you please provide your logs if possible?

Hi @tommoulard,

I would love to. However, I don't see the log files being created, which puzzles me. I mentioned it in the question.

Maybe something related to the logs in the config is wrong?

This is where I specified that the logs should be created. I even created the file and it won't write to it.

[image]

Can't find a log for it anywhere:

[image]

This might be related to another issue since, using your configuration, I can launch traefik, your service and a TLS termination.

I tried to remove the filepath configuration for the log, and it did not show any error.

Thank you sir.

I'm wondering if something is not working properly in the armv6 release then?

Is it possible for you to run the binary directly, and not set it to output logs to a file, to see if there is any issue like this?

Thanks in advance

Awesome! Thanks for recommending that. Now I do see some useful information.

However, I did list that resolver. There must be something wrong with my config then.

There you go, you have an invalid configuration of your ACME resolver. It might be linked to the content of your acme.json file.

You'll also need to configure a challenge to generate and renew ACME certificates.

OK, error with the "XXX uses a non-existent resolver: letsencrypt" is solved at least.

I get a clean output when I run the executable.

[image]

Issue

The acme.json file located in /etc/traefik was blank (only a line that said #Acme) and for some reason Traefik didn't like it.

Solution

Removed the acme.json file and let Traefik recreate it itself.
sudo rm /etc/traefik/acme.json

Still not getting certificates, so I will post an update with the solution once I figure it out.
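As an added example (not from this thread or the Traefik project), a stdlib-only Python check that classifies the ACME storage file the way the resolver would see it: a file holding only `#Acme` is not JSON, so the resolver fails to initialise and the routers that reference it report a non-existent resolver; the same check flags a store readable by group or others, which Traefik refuses (it wants 0600). The function names and the sample files are constructed.

```python
import json
import os
import stat
import tempfile

def check_acme_storage(path):
    """Classify an ACME storage file (constructed helper, not Traefik code).

    Returns one of: "missing" (Traefik creates it on start), "empty" (accepted),
    "permissions-too-open", "not-json", "unexpected-shape", or "ok".
    """
    if not os.path.exists(path):
        return "missing"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Traefik refuses a store with any group/other bits set; use 0600.
    if mode & 0o077:
        return "permissions-too-open"
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw:
        return "empty"
    try:
        data = json.loads(raw)
    except ValueError:
        # "#Acme" is a comment line, not JSON: this is the failure in the thread.
        return "not-json"
    # A populated v2 store is an object keyed by resolver name, each entry
    # carrying the registered Account and the issued Certificates.
    if not isinstance(data, dict) or not all(
        isinstance(v, dict) and {"Account", "Certificates"} <= set(v)
        for v in data.values()
    ):
        return "unexpected-shape"
    return "ok"

def _write(directory, name, content, mode=0o600):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path

def demo():
    """Run the check over constructed sample stores in a scratch directory."""
    valid = {"letsencrypt": {"Account": {"Email": "user@example.invalid"}, "Certificates": None}}
    with tempfile.TemporaryDirectory() as d:
        return {
            "placeholder": check_acme_storage(_write(d, "acme.json", b"#Acme\n")),
            "valid": check_acme_storage(_write(d, "good.json", json.dumps(valid).encode())),
            "world-readable": check_acme_storage(_write(d, "open.json", b"{}", mode=0o644)),
            "absent": check_acme_storage(os.path.join(d, "nope.json")),
        }
```

Run the check against the path named in `storage:`; note that a relative value such as `acme.json` resolves against the working directory the binary is started from, so the file you inspect may not be the one the resolver opens.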

Finally got HTTPS working!

Here are the updated configuration files (I simplified it a lot to test):

/etc/traefik/traefik.yaml

#################################
# Traefik V2 Static Configuration
#################################

# Global Configurations
global:
  # Check for Update
  checkNewVersion: true

# Configure the transport between Traefik and your servers
serversTransport:
  # Skip the check of server certificates
  insecureSkipVerify: true

# Configure the network entrypoints into Traefik V2. Which port will receive packets and if TCP/UDP
entryPoints:

  # HTTP Entry Point
  web:
    # Listen on TCP port 80  (80/tcp)
    address: ":80"
    # redirect http to https
    http:
      redirections:
        entryPoint:
          # Where to redirect
          to: web-secure
          # Scheme to use
          scheme: https
          # Make it always happen
          permanent: true
  
  # HTTPS Entry Point
  web-secure:
    # Listen on TCP port 443  (443/tcp)
    address: ":443"
    # Define TLS with Let's Encrypt for all
    http:
      tls:
        certResolver: letsencrypt

# Configure the providers
providers:
  # If using a dynamic file
  file:
    filename: "/etc/traefik/traefik-dynamic.yaml"
    watch: true
    
  rest:
    insecure: true

# Traefik's Dashboard located in http://<ip>/dashboard/ (last / necessary)
api:
  # Enable the dashboard
  dashboard: true

# Location of Log files
log:
  # Logging levels are: DEBUG, PANIC, FATAL, ERROR, WARN, INFO
  level: ERROR
  filePath: "/etc/traefik/traefik.log"

# SSL Certificates
certificatesResolvers:
# Use Let's Encrypt for SSL Certificates
  letsencrypt:
    # Enable ACME (Let's Encrypt automatic SSL)
    acme:
      # E-mail used for registration
      email: "email@hotmail.com"
      # Leave commented for PROD servers, uncomment for non-prod
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      # File or key used for certificates storage.
      storage: "/etc/traefik/acme.json"
      
      # Use HTTP-01 ACME challenge
      httpChallenge:
        entryPoint: web-secure

/etc/traefik/traefik-dynamic.yaml

#################################
# Traefik V2 Dynamic Configuration
#################################

# Definition on how to handle HTTP requests
http:

  # Define the routers
  routers:

    # Map Traefik Dashboard requests to the Service
    Traefik:
      middlewares:
      - BasicAuth
      rule: "Host(`traefik.subdomain.dns1.us`)"
      service: api@internal
      tls:
        certResolver: letsencrypt

    # Map PLEX to the Server
    # No EntryPoints defined so that it listens in all of them
    PLEX:
      rule: "Host(`plex.subdomain.dns1.us`)"
      service: PLEX
      tls:
        certResolver: letsencrypt

  # Define the middlewares
  middlewares:
    # Basic auth for the dashboard
    BasicAuth:
      basicAuth:
        # Specify user and password (generator: https://www.web2generators.com/apache-tools/htpasswd-generator)
        users:
          - "user:password"

  # Define the services
  services:

    #PLEX Service
    PLEX:
      loadBalancer:
        # Backend URLs
        servers:
        - url: "http://ip:port"
