Unable to get HTTPS to work at all

johntdyer · March 1, 2024, 9:00pm

So I have tried Traefik 2.11 and 3.0rc-1 and I am just unable to get cert issuance working... Havent even worried about redirection yet ...

My config is as follows:

traefik:
    hostname: traefik.xxxxx.xxxxx
    image: traefik:v3.0
    restart: always
    privileged: true
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --accesslog.filepath=/var/log/access.log

      - --api=true
      - --log.level=DEBUG
      - --accesslog=true
      - --api.insecure=true
      - --accesslog.addinternals
      - --api.dashboard=true

      - --accesslog.filters.statuscodes=200,300-399,500-599
      - --accessLog.bufferingSize=100

      - --entrypoints.web.http.redirections.entryPoint.to=websecure # Redirect http to https
      - --entrypoints.web.http.redirections.entryPoint.scheme=https

      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=5
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

      # ## Routers Rules
      # - traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)
      # - traefik.http.routers.traefik-rtr.tls=true
      # - traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt


      # !IMPORTANT - COMMENT OUT THE FOLLOWING LINE IN PRODUCTION!
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --providers.docker.network=public
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false

    env_file:
      - ./.env

    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-secure.tls.domains[0].main=xxxxx.xxxx
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xxxx.xxxx
      - traefik.http.routers.traefik.rule=Host(`${HOST_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure,web
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt

      # enable https for api/dashboard
      - traefik.http.routers.api.tls.certresolver=letsencrypt
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.xxxxx.xxxxx`)
    networks:
      - public
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_data:/letsencrypt
      - /mnt/pve/proxmox_nfs/shared-configs/log:/var/log


  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    hostname: whoami
    networks:
      - public
    ports:
      - 9992:80
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.xxxxx.xxxxx`)
      - traefik.http.routers.whoami.entrypoints=web, websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt

There is almost certainly some cargo culting here with various bits I've found in various sources over the internet so dont judge to much

I assume I am doing something really stupid and would love a second set of eyes...

Startup logs in debug

I had to put the logs in a gist becaue it was to large for the post

gist.github.com

https://gist.github.com/johntdyer/9ad0149a2705fd84e9278bea4cfe50e7

gistfile1.txt

                                                                                                                        0.0s2024-03-01T15:49:15-05:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.0.0-rc1 built on 2024-02-13T13:41:20Z version=3.0.0-rc1
2024-03-01T15:49:15-05:00 DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={"accessLog":{"addInternals":true,"bufferingSize":100,"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filePath":"/var/log/access.log","filters":{"statusCodes":["200","300-399","500-599"]},"format":"common"},"api":{"dashboard":true,"insecure":true},"certificatesResolvers":{"letsencrypt":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"delayBeforeCheck":"5s","provider":"cloudflare","resolvers":["1.1.1.1:53","8.8.8.8:53"]},"keyType":"RSA4096","storage":"/letsencrypt/acme.json"}}},"entryPoints":{"traefik":{"address":":8080","forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}},"web":{"address":":80","forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":2147483646,"scheme":"https","to":"websecure"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}},"websecure":{"address":":443","forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"unix:///var/run/docker.sock","network":"public","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
2024-03-01T15:49:15-05:00 INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:599 >
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://doc.traefik.io/traefik/contributing/data-collection/

2024-03-01T15:49:15-05:00 INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
2024-03-01T15:49:15-05:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=traefik
2024-03-01T15:49:15-05:00 DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=web

This file has been truncated. show original

Thanks for any help anyone can provide

bluepuma77 · March 2, 2024, 8:48am

What’s your issue? It seems a TLS cert is created, check acme.json content, make sure it’s persisted with bind mount or volume.

Check and compare to simple Traefik example.

Why use privileged: true, that’s not best practice.

johntdyer · March 2, 2024, 2:29pm

So So annoyed by this..... Turns out k3s was running w/ Traefik running and turns out an iptables rule was sending 443 and 80 to k3s and not my standalone test run of Traefik in Docker... This is why nothing else showed up listening on 80 or 443 when I ran netstat / lsof, which was my logical course of action when I could not get any indications of a request hitting my test instance of Traefik but I was getting 404's back from something.... Drove me nuts all day until I figured it out

TLDR..... User error

Topic		Replies	Views
SSL Certs does not work Traefik v2 docker , letsencrypt-acme	5	656	September 18, 2020
Redirect to https not working Traefik v2 docker , letsencrypt-acme , middleware	3	2107	December 6, 2019
Traefik + Docker + Let's Encrypt Traefik v2 docker , letsencrypt-acme	4	761	April 6, 2021
Issue requesting SSL using ACME Traefik v3 (latest) docker , letsencrypt-acme	0	32	September 18, 2024
Problem with LetsEncrypt certificate generation Traefik v2 letsencrypt-acme	1	1587	September 15, 2021

Unable to get HTTPS to work at all

Related topics