Background
I'm trying to set up a Linode Nanode instance that will run Docker to self-host some of my services. I already have a static IP set up. My DNS is managed by Cloudflare (shown below), and I have a firewall, managed by ufw, running on the instance (shown below).
I grabbed a free domain from freenom.com (a *.tk domain) to test all of this on before I move it over to my real *.com domain. The domain is estysdesu.tk.
Problem
I'm trying to get to MVP status using traefik. Right now I'm trying to access whoami.estysdesu.tk, and I get a 404 page not found response, which makes me think that the DNS routing is set up properly. I checked my acme.json and that appears to have retrieved a cert from Let's Encrypt properly. So my assumption is that something is wrong with my config. But I followed the docs on setting up Let's Encrypt with an HTTP challenge. Not sure where my mistakes are.
Configs
Docker
# docker-compose.yml
version: "3.3"
networks:
  default:
    external:
      name: $DOCKER_NETWORK # $DOCKER_NETWORK comes from .env file
services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.certresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.certresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.certresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.certresolver.acme.email=$EMAIL" # $EMAIL comes from .env file
      - "--certificatesresolvers.certresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/data/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    depends_on:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.$DOMAIN_NAME`)" # $DOMAIN_NAME comes from .env file
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=certresolver"
# docker logs traefik output
time="2020-06-17T20:04:14Z" level=info msg="Configuration loaded from flags."
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=web
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:80: use of closed network connection" entryPointName=web
time="2020-06-17T20:07:22Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2020-06-17T20:07:22Z" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=websecure
time="2020-06-17T20:07:33Z" level=info msg="Configuration loaded from flags."
Cloudflare
DNS settings:
SSL/TLS settings:
I've tried setting my SSL/TLS setting to Flexible. That does provide an HTTPS cert, but the cert is issued by Cloudflare, not Let's Encrypt. Maybe I need to set it to Full, but that seemed to be an issue when I tried last night.
UFW (on Debian 10 Linode Nanode)
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
8080 (v6)                  ALLOW IN    Anywhere (v6)
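As an added example (not the poster's configuration), here is a hardened variant of the compose file posted above. It assumes the same .env variables ($DOCKER_NETWORK, $EMAIL, $DOMAIN_NAME) plus a new DASHBOARD_USERS variable, and the dashboard hostname traefik.$DOMAIN_NAME is an assumption as well. Two things change relative to the posted file: the dashboard stays enabled but `--api.insecure=true` and the published 8080 port are replaced by a TLS router protected with basic auth, and the web entrypoint gets a permanent HTTP to HTTPS redirect, so a plain-HTTP request for a host that only has a websecure router is redirected instead of falling through to Traefik's built-in 404.

```yaml
# Added example, not the poster's file: hardened variant of the compose file above.
# Assumes $DOCKER_NETWORK, $EMAIL, $DOMAIN_NAME and a new $DASHBOARD_USERS in .env.
version: "3.3"

networks:
  default:
    external:
      name: $DOCKER_NETWORK

services:
  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--log.level=INFO"
      # Dashboard enabled, but NOT via --api.insecure (which serves it
      # unauthenticated on :8080). It is exposed through the router below.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect all plain HTTP to HTTPS. A request on the web entrypoint for
      # a host that only has a websecure router otherwise gets Traefik's 404.
      # Traefik serves /.well-known/acme-challenge/ itself before this redirect,
      # so the HTTP-01 challenge keeps working.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.certresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.certresolver.acme.httpchallenge.entrypoint=web"
      # Keep the staging CA active while debugging to avoid production rate limits.
      #- "--certificatesresolvers.certresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.certresolver.acme.email=$EMAIL"
      - "--certificatesresolvers.certresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      # 8080 is intentionally not published any more.
    volumes:
      - "/data/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      # Dashboard router (hostname traefik.$DOMAIN_NAME is an assumption).
      - "traefik.http.routers.dashboard.rule=Host(`traefik.$DOMAIN_NAME`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=certresolver"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # $DASHBOARD_USERS holds an htpasswd-format line, e.g. the output of
      # `htpasswd -nB admin`. If you inline it here instead of using .env,
      # double every `$` to `$$` so compose does not try to interpolate it.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=$DASHBOARD_USERS"

  whoami:
    image: "containous/whoami"
    container_name: "whoami"
    depends_on:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.$DOMAIN_NAME`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=certresolver"
```

Two caveats when using this. With the redirect in place the origin answers every plain-HTTP request with a redirect to HTTPS, so Cloudflare's SSL/TLS mode must be Full (strict), not Flexible: Flexible fetches the origin over HTTP and would loop. And since nothing listens on 8080 any more, drop the matching ufw rules (`ufw delete allow 8080`) so the firewall matches what is actually exposed. If you test against the staging CA, remove acme.json before switching back to the production caserver so the staging certificate is not kept.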