Unable to get SSL working

stack · September 14, 2019, 9:51pm

There does not seem to be away to assign a certificate to a service, route or entrypoint and no way to debug why Traefik is assigning the default instead of the provided certificate.

The certificate in the default store is a wildcard cert generated outside of traefik.

When I hit api.example.com I get the default certificate generated by Traefik instead of the one provided.

TLS config in config.toml

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/certs/_.example.com-chain.pem"
      keyFile = "/certs/_.example.com-key.pem"

I have also tried

[[tls.certificates]]
  certFile = "/certs/_.example.com-chain.pem"
  keyFile = "/certs/_.example.com-key.pem"

docker container labels

traefik.enable=true
traefik.http.routers.gateway.entrypoints=https,httpLocal
traefik.http.routers.gateway.rule=Host(`api.example.com`)
traefik.http.routers.gateway.tls=true
traefik.http.services.gateway.loadbalancer.server.port=8080

//I have also tried with & without these two labels, same result
traefik.http.routers.gateway.tls.domains[0].main=example.com
traefik.http.routers.gateway.tls.domains[0].sans=*.example.com

logs

time="2019-09-14T22:19:44Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
time="2019-09-14T22:19:44Z" level=info msg="Traefik version 2.0.0-rc4 built on 2019-09-13T20:12:46Z"
time="2019-09-14T22:19:44Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":81\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"httpLocal\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"https\":{\"address\":\":444\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true,\"debug\":true},\"ping\":{\"entryPoint\":\"traefik\"},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"accessLog\":{\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}}}"
time="2019-09-14T22:19:44Z" level=info msg="\nStats collection is enabled.\nMany thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.\nHelp us improve Traefik by leaving this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
time="2019-09-14T22:19:44Z" level=debug msg="No default certificate, generating one"
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=http
time="2019-09-14T22:19:44Z" level=debug msg="Start TCP Server" entryPointName=httpLocal
time="2019-09-14T22:19:44Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-09-14T22:19:44Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-09-14T22:19:44Z" level=debug msg="Provider connection established with docker 19.03.1-ce (API 1.40)" providerName=docker
time="2019-09-14T22:19:44Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"gateway\":{\"entryPoints\":[\"https\",\"httpLocal\"],\"service\":\"gateway\",\"rule\":\"Host(`api.example.com`)\",\"tls\":{}},\"s3\":{\"entryPoints\":[\"https\",\"httpLocal\"],\"service\":\"s3\",\"rule\":\"Host(`s3.example.com`)\",\"tls\":{\"domains\":[{\"main\":\"example.com\",\"sans\":[\"*.example.com\"]}]}}},\"services\":{\"gateway\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.131.0.4:8080\"}],\"passHostHeader\":true}},\"s3\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.125.0.8:9000\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" entryPointName=https routerName=s3@docker serviceName=s3 middlewareType=Pipelining middlewareName=pipelining
time="2019-09-14T22:19:44Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=s3@docker serviceName=s3
time="2019-09-14T22:19:44Z" level=debug msg="Creating server 0 http://10.125.0.8:9000" entryPointName=https routerName=s3@docker serviceName=s3 serverName=0
time="2019-09-14T22:19:44Z" level=debug msg="Added outgoing tracing middleware s3" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=s3@docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" serviceName=gateway middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=gateway@docker
time="2019-09-14T22:19:44Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=gateway@docker serviceName=gateway
time="2019-09-14T22:19:44Z" level=debug msg="Creating server 0 http://10.131.0.4:8080" routerName=gateway@docker serviceName=gateway serverName=0 entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Added outgoing tracing middleware gateway" routerName=gateway@docker middlewareType=TracingForwarder middlewareName=tracing entryPointName=https
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" entryPointName=https middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2019-09-14T22:19:44Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=httpLocal
time="2019-09-14T22:19:44Z" level=debug msg="No default certificate, generating one"
time="2019-09-14T22:19:56Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:19:56Z" level=debug msg="http: TLS handshake error from localhost:57891: remote error: tls: unknown certificate"
time="2019-09-14T22:20:01Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:20:01Z" level=debug msg="http: TLS handshake error from localhost:57896: remote error: tls: unknown certificate"
time="2019-09-14T22:20:34Z" level=debug msg="Serving default certificate for request: \"s3.example.com\""
time="2019-09-14T22:20:34Z" level=debug msg="http: TLS handshake error from localhost:57914: remote error: tls: unknown certificate"
time="2019-09-14T22:20:50Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:50Z" level=debug msg="http: TLS handshake error from localhost:57923: remote error: tls: unknown certificate"
time="2019-09-14T22:20:54Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:54Z" level=debug msg="http: TLS handshake error from localhost:57926: remote error: tls: unknown certificate"
time="2019-09-14T22:20:56Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:20:56Z" level=debug msg="http: TLS handshake error from localhost:57928: remote error: tls: unknown certificate"
time="2019-09-14T22:21:04Z" level=debug msg="Serving default certificate for request: \"api.example.com\""
time="2019-09-14T22:21:04Z" level=debug msg="http: TLS handshake error from localhost:57932: remote error: tls: unknown certificate"

stack · September 14, 2019, 10:51pm

I solved it.

I did not understand that some configuration items can no longer go in the main config.toml file.

 [providers.File]
    filename = "/etc/traefik/traefik-2.0-dynamic.toml"

Adding a file provider where I then stuck the above [tls.certificates] resolved the issue.

If anyone from traefik reads this...
Key bits of documentation that were difficult to absorb:

https://docs.traefik.io/v2.0/providers/overview/

This did not really click that if you have a main config file that some parts of its config cannot be held in a single config file.

https://docs.traefik.io/v2.0/providers/file/

When I first read this I did not understand this might be necessary as I already had a config file I was filing out as it is in 1.7

ldez · September 15, 2019, 12:10am

In the v2 the static configuration and the dynamic configuration cannot be mixed by default: you have to create 2 files.

The dynamic configuration:

The static configuration:

Topic		Replies	Views
Default Certificate not working Traefik v2 (latest) docker	8	14049	January 3, 2022
Docker, Traefik v2, SSL cannot set default cert Traefik v2 (latest) docker	2	566	October 15, 2019
Issues with TLS configuration in v2 Traefik v2 (latest) docker	12	5050	December 24, 2019
Traefik v2.10 Configuration Issue with Custom SSL Certificate and Docker Traefik v2 (latest) docker	1	311	December 24, 2023
Docker SSL Certificates Traefik v2 (latest) docker	6	4761	September 24, 2019

Unable to get SSL working

Related Topics