Unable to get HTTPS to work at all

So I have tried Traefik 2.11 and 3.0rc-1 and I am just unable to get cert issuance working... Haven't even worried about redirection yet...

My config is as follows:

  traefik:
    hostname: traefik.xxxxx.xxxxx
    image: traefik:v3.0
    restart: always
    privileged: true
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --accesslog.filepath=/var/log/access.log

      - --api=true
      - --log.level=DEBUG
      - --accesslog=true
      - --api.insecure=true
      - --accesslog.addinternals
      - --api.dashboard=true

      - --accesslog.filters.statuscodes=200,300-399,500-599
      - --accessLog.bufferingSize=100

      - --entrypoints.web.http.redirections.entryPoint.to=websecure # Redirect http to https
      - --entrypoints.web.http.redirections.entryPoint.scheme=https

      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=5
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

      # ## Routers Rules
      # - traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)
      # - traefik.http.routers.traefik-rtr.tls=true
      # - traefik.http.routers.traefik-rtr.tls.certresolver=letsencrypt


      # !IMPORTANT - COMMENT OUT THE FOLLOWING LINE IN PRODUCTION!
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --providers.docker.network=public
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false

    env_file:
      - ./.env

    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-secure.tls.domains[0].main=xxxxx.xxxx
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xxxx.xxxx
      - traefik.http.routers.traefik.rule=Host(`${HOST_NAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure,web
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt

      # enable https for api/dashboard
      - traefik.http.routers.api.tls.certresolver=letsencrypt
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.rule=Host(`traefik.xxxxx.xxxxx`)
    networks:
      - public
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_data:/letsencrypt
      - /mnt/pve/proxmox_nfs/shared-configs/log:/var/log


  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    hostname: whoami
    networks:
      - public
    ports:
      - 9992:80
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.xxxxx.xxxxx`)
      - traefik.http.routers.whoami.entrypoints=web, websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt




There is almost certainly some cargo culting here with various bits I've found in various sources over the internet, so don't judge too much 🙂

I assume I am doing something really stupid and would love a second set of eyes...

Startup logs in debug

I had to put the logs in a gist because they were too large for the post

Thanks for any help anyone can provide

What’s your issue? It seems a TLS cert is created. Check the acme.json content and make sure it’s persisted with a bind mount or volume.

Check and compare to the simple Traefik example.

Why use privileged: true? That’s not best practice.

So, so annoyed by this... Turns out k3s was running with Traefik running, and turns out an iptables rule was sending 443 and 80 to k3s and not my standalone test run of Traefik in Docker... This is why nothing else showed up listening on 80 or 443 when I ran netstat / lsof, which was my logical course of action when I could not get any indication of a request hitting my test instance of Traefik but I was getting 404s back from something... Drove me nuts all day until I figured it out 🙂

TLDR..... User error
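
The cause in the last post was a NAT rule, which netstat and lsof do not show because nothing is listening on the port. As an added example (not part of the thread), this shell function scans `iptables-save -t nat` output for DNAT/REDIRECT rules that match given destination ports; the sample dump, its chain names and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: find NAT rules that rewrite traffic for given destination ports.
# Reads iptables-save text on stdin, so it also works on a saved dump.
# Real use (as root): iptables-save -t nat | nat_rules_for_ports 80 443

# Prints one line per match: "<chain> <port> <target> <destination>"
nat_rules_for_ports() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " ") }
    $1 != "-A" { next }                      # skip table headers, counters, COMMIT
    {
      chain = $2; target = ""; dest = "-"; dports = ""
      for (i = 3; i < NF; i++) {
        if ($i == "--dport" || $i == "--dports") dports = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--to-destination" || $i == "--to-ports") dest = $(i + 1)
      }
      # only rules that actually rewrite the destination are of interest
      if (target != "DNAT" && target != "REDIRECT") next
      m = split(dports, d, ",")              # multiport lists: 80,443
      for (j = 1; j <= m; j++) {
        lo = d[j]; hi = d[j]
        if (split(d[j], r, ":") == 2) { lo = r[1]; hi = r[2] }   # ranges: 80:90
        for (k = 1; k <= n; k++)
          if (p[k] + 0 >= lo + 0 && p[k] + 0 <= hi + 0)
            print chain, p[k], target, dest
      }
    }'
}

# Constructed sample: a host where another component has installed DNAT rules
# for 80/443, next to the Docker rule for the published dashboard port 8080.
sample_nat_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A CNI-DN-0a1b2c -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.42.0.7:80
-A CNI-DN-0a1b2c -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.42.0.7:443
-A DOCKER ! -i br-public -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
COMMIT
EOF
}

sample_nat_dump | nat_rules_for_ports 80 443
```

Any line printed for 80 or 443 whose destination is not the Traefik container means requests are being rewritten before they reach the published Docker ports.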