Unable to get SSL working

There does not seem to be a way to assign a certificate to a service, route or entrypoint, and no way to debug why Traefik is assigning the default instead of the provided certificate.

The certificate in the default store is a wildcard cert generated outside of traefik.

When I hit api.example.com I get the default certificate generated by Traefik instead of the one provided.

TLS config in config.toml

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/certs/_.example.com-chain.pem"
      keyFile = "/certs/_.example.com-key.pem"

I have also tried

[[tls.certificates]]
  certFile = "/certs/_.example.com-chain.pem"
  keyFile = "/certs/_.example.com-key.pem"

docker container labels

traefik.enable=true
traefik.http.routers.gateway.entrypoints=https,httpLocal
traefik.http.routers.gateway.rule=Host(`api.example.com`)
traefik.http.routers.gateway.tls=true
traefik.http.services.gateway.loadbalancer.server.port=8080

//I have also tried with & without these two labels, same result
traefik.http.routers.gateway.tls.domains[0].main=example.com
traefik.http.routers.gateway.tls.domains[0].sans=*.example.com

logs

time="2019-09-14T22:19:44Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
time="2019-09-14T22:19:44Z" level=info msg="Traefik version 2.0.0-rc4 built on 2019-09-13T20:12:46Z"
time="2019-09-14T22:19:44Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":81\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"httpLocal\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"https\":{\"address\":\":444\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true,\"debug\":true},\"ping\":{\"entryPoint\":\"traefik\"},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}}}"
time="2019-09-14T22:19:44Z" level=info msg="\nStats collection is enabled.\nMany thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.\nHelp us improve Traefik by leaving this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
time="2019-09-14T22:19:44Z" level=debug msg="No default certificate, generating one"
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=http
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=httpLocal
time="2019-09-14T22:19:44Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-09-14T22:19:44Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-09-14T22:19:44Z" level=debug msg="Provider connection established with docker 19.03.1-ce (API 1.40)" providerName=docker
time="2019-09-14T22:19:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"gateway\":{\"entryPoints\":[\"https\",\"httpLocal\"],\"service\":\"gateway\",\"rule\":\"Host(`api.example.com`)\",\"tls\":{}},\"s3\":{\"entryPoints\":[\"https\",\"httpLocal\"],\"service\":\"s3\",\"rule\":\"Host(`s3.example.com`)\",\"tls\":{\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}}},\"services\":{\"gateway\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.131.0.4:8080\"}],\"passHostHeader\":true}},\"s3\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.125.0.8:9000\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" entryPointName=https routerName=s3@docker serviceName=s3 middlewareType=Pipelining middlewareName=pipelining
time="2019-09-14T22:19:44Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=s3@docker serviceName=s3
time="2019-09-14T22:19:44Z" level=debug msg="Creating server 0 http://10.125.0.8:9000" entryPointName=https routerName=s3@docker serviceName=s3 serverName=0
time="2019-09-14T22:19:44Z" level=debug msg="Added outgoing tracing middleware s3" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=s3@docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" serviceName=gateway middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=gateway@docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=gateway@docker serviceName=gateway
time="2019-09-14T22:19:44Z" level=debug msg="Creating server 0 http://10.131.0.4:8080" routerName=gateway@docker serviceName=gateway serverName=0 entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Added outgoing tracing middleware gateway" routerName=gateway@docker middlewareType=TracingForwarder middlewareName=tracing entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" entryPointName=https middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=httpLocal
time="2019-09-14T22:19:44Z" level=debug msg="No default certificate, generating one"
time="2019-09-14T22:19:56Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:19:56Z" level=debug msg="http: TLS handshake error from localhost:57891: remote error: tls: unknown certificate"
time="2019-09-14T22:20:01Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:20:01Z" level=debug msg="http: TLS handshake error from localhost:57896: remote error: tls: unknown certificate"
time="2019-09-14T22:20:34Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:20:34Z" level=debug msg="http: TLS handshake error from localhost:57914: remote error: tls: unknown certificate"
time="2019-09-14T22:20:50Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:50Z" level=debug msg="http: TLS handshake error from localhost:57923: remote error: tls: unknown certificate"
time="2019-09-14T22:20:54Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:54Z" level=debug msg="http: TLS handshake error from localhost:57926: remote error: tls: unknown certificate"
time="2019-09-14T22:20:56Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:56Z" level=debug msg="http: TLS handshake error from localhost:57928: remote error: tls: unknown certificate"
time="2019-09-14T22:21:04Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:21:04Z" level=debug msg="http: TLS handshake error from localhost:57932: remote error: tls: unknown certificate"

I solved it.

I did not understand that some configuration items can no longer go in the main config.toml file.

[providers.File]
  filename = "/etc/traefik/traefik-2.0-dynamic.toml"

Adding a file provider where I then stuck the above [tls.certificates] resolved the issue.

If anyone from traefik reads this...
Key bits of documentation that were difficult to absorb:

https://docs.traefik.io/v2.0/providers/overview/

It did not really click that, if you have a main config file, some parts of the config cannot be held in that single file.

https://docs.traefik.io/v2.0/providers/file/

When I first read this I did not understand that this might be necessary, as I already had a config file I was filling out as in 1.7.

In v2 the static configuration and the dynamic configuration cannot be mixed by default: you have to create 2 files.

The dynamic configuration:

The static configuration:

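For reference, an added example (not the poster's files or Traefik's documentation) of the two-file split this thread arrives at: the entry point addresses, socket path and certificate paths are taken from the posted log and config, while `exposedByDefault`, `watch`, the `[api]` comment and the `[tls.options]` block are hardening assumptions added here.

```toml
# /etc/traefik/traefik.toml -- static configuration: entry points, providers, logging
[entryPoints]
  [entryPoints.http]
    address = ":81"
  [entryPoints.httpLocal]
    address = ":80"
  [entryPoints.https]
    address = ":444"

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false   # added: route only containers labelled traefik.enable=true

[providers.file]
  # dynamic configuration (TLS certificates, stores, options) lives in this separate file
  filename = "/etc/traefik/traefik-2.0-dynamic.toml"
  watch = true

[api]
  dashboard = true
  # insecure = true (seen in the posted log) serves the dashboard unauthenticated on :8080;
  # leave it unset and expose the dashboard via a router with an auth middleware instead

[log]
  level = "DEBUG"   # keeps the "Serving default certificate for request" lines visible

# /etc/traefik/traefik-2.0-dynamic.toml -- dynamic configuration, loaded by the file provider
[[tls.certificates]]
  certFile = "/certs/_.example.com-chain.pem"
  keyFile = "/certs/_.example.com-key.pem"

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/certs/_.example.com-chain.pem"
      keyFile = "/certs/_.example.com-key.pem"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"   # added hardening assumption
    # sniStrict = true            # optional: refuse handshakes with no matching certificate
                                  # instead of falling back to the default certificate
```

After a restart, the `No default certificate, generating one` line should no longer appear, and the certificate served for `api.example.com` should carry the wildcard subject rather than Traefik's generated `TRAEFIK DEFAULT CERT`.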