Hi.
We are starting to use swarm in our company.
We are currently trying to use Traefik with our own certificates (our sites are not open to the outside and we have our own PKI).
We would like to be able to store Traefik's configuration in Consul.
Unfortunately, we are unable to stabilize our platform.
Sometimes you can get a result, but only with the default wildcard certificate. If we add a new certificate for a specific site in Consul (traefik/entrypoints/https/tls/certificates/1/certfile and keyfile), it is not used.
We notice that traefik always tries to generate a certificate with Let's encrypt, and ends up proposing the default certificate (the one we declare in our yaml file).
If we remove references to ACME in the commands when executing the "traefik init" service that runs the storeconfig command, all our sites become unreachable with a 404 error. We have this error in the log: Cannot list keys under "traefik/tls/" key not found in store
We also have the impression that Traefik eventually no longer consults its configuration in Consul (if you change the log level, for example, it is not applied).
Here is our stack:

```yaml
version: '3.3'
services:
  consul-leader:
    image: consul:1.6.0
    command: agent -server -client=0.0.0.0 -bootstrap -ui
    volumes:
      - VOL_VMW_CONSUL_LEAD:/consul/data
    environment:
      - CONSUL_BIND_INTERFACE=eth0
      - 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}'
    networks:
      - default
      - NET_OVE_TRAEFIK_PUBLIC
    deploy:
      labels:
        - traefik.frontend.rule=Host:consul.inf.nop.${DOMAIN?Variable DOMAIN not set}
        - traefik.enable=true
        - traefik.port=8500
        - traefik.tags=${TRAEFIK_PUBLIC_TAG:-NET_OVE_TRAEFIK_PUBLIC}
        - traefik.docker.network=NET_OVE_TRAEFIK_PUBLIC
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.basic.users=${USERNAME?Variable USERNAME not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}
  traefik_init:
    image: traefik:v1.7.14
    command: >
      storeconfig
      --docker
      --docker.swarmmode
      --docker.watch
      --docker.exposedbydefault=false
      --constraints=tag==NET_OVE_TRAEFIK_PUBLIC
      --entrypoints='Name:http Address::80'
      --entrypoints='Name:https Address::443 TLS:/etc/ofi/nop/inf/nop_inf.cer,/etc/ofi/nop/inf/nop_inf.key'
      --consul
      --consul.endpoint="consul-leader:8500"
      --logLevel=INFO
      --accessLog
      --api
      --acme
      --acme.email=${EMAIL?Variable EMAIL not set}
      --acme.storage="traefik/acme/account"
      --acme.entryPoint=https
      --acme.httpChallenge.entryPoint=http
      --acme.onhostrule=true
      --acme.acmelogging=true
    networks:
      - default
    deploy:
      restart_policy:
        condition: on-failure
    depends_on:
      - consul-leader
    logging:
      driver: splunk
      options:
        tag: "{{.Name}}/{{.FullID}}"
        splunk-format: json
        splunk-token: "01dkkkkkkkkkkkkkkkkkkk"
        splunk-url: "https://prdsplhfw503.ofivalmo.fr:8088"
        splunk-insecureskipverify: "true"
  traefik:
    image: traefik:v1.7.14
    ports:
      - 80:80
      - 443:443
    deploy:
      replicas: ${TRAEFIK_REPLICAS:-3}
      placement:
        constraints:
          - node.role == manager
        preferences:
          - spread: node.id
      labels:
        - traefik.frontend.rule=Host:traefik.inf.nop.${DOMAIN?Variable DOMAIN not set}
        - traefik.enable=true
        - traefik.port=8080
        - traefik.tags=NET_OVE_TRAEFIK_PUBLIC
        - traefik.docker.network=NET_OVE_TRAEFIK_PUBLIC
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.basic.users=${USERNAME?Variable USERNAME not set}:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - VOL_NFS_CERTIF_RO:/etc/ofi:ro
    command: >
      --consul
      --consul.endpoint="consul-leader:8500"
      --consul.prefix=traefik
    networks:
      - default
      - NET_OVE_TRAEFIK_PUBLIC
    depends_on:
      - consul-leader
volumes:
  VOL_VMW_CONSUL_LEAD:
    driver: vsphere
    driver_opts:
      size: 5Gb
  VOL_NFS_CERTIF_RO:
    external: true
networks:
  NET_OVE_TRAEFIK_PUBLIC:
    external: true
```
So I'm interested in some help :) Thanks
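Added example, not part of the original post and not Traefik's or Consul's own tooling: a small Python helper for the certificate side of the setup above. It lays a certificate out under the KV path that Traefik 1.7 documents for dynamic TLS (`<prefix>/tls/<name>/entrypoints`, `<prefix>/tls/<name>/certificate/certfile` and `keyfile`, the same `traefik/tls/` prefix that appears in the logged error), checks that the PEM pair is shaped so that Traefik can load it before anything is written, emits the entries in the JSON that `consul kv import -` accepts, and audits an existing recursive key listing for incomplete or misplaced certificate entries. The certificate names, the sample key listing and the PEM bodies are constructed for the example; `from_consul_export` and `audit_keys` are helper names chosen here.

```python
"""Lay out and audit Traefik 1.7 dynamic TLS certificates in a Consul KV store.

Assumed layout (Traefik 1.7 KV documentation for dynamic certificates):
    <prefix>/tls/<name>/entrypoints           comma-separated entrypoint names
    <prefix>/tls/<name>/certificate/certfile  PEM certificate (full chain)
    <prefix>/tls/<name>/certificate/keyfile   PEM private key
Export format assumed: the key / flags / base64-value JSON of `consul kv export`.
"""
import base64
import json
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----\n.+?\n-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)

# Constructed placeholders, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed placeholder...\n-----END RSA PRIVATE KEY-----\n"

# Constructed listing, as `consul kv get -keys -recurse traefik/` would print it.
SAMPLE_LISTING = [
    "traefik/entrypoints/https/tls/certificates/1/certfile",  # static-config path, not under tls/
    "traefik/entrypoints/https/tls/certificates/1/keyfile",
    "traefik/tls/wildcard/entrypoints",
    "traefik/tls/wildcard/certificate/certfile",
    "traefik/tls/wildcard/certificate/keyfile",
    "traefik/tls/site-a/certificate/certfile",  # keyfile and entrypoints missing
]


def check_pem_pair(cert_pem: str, key_pem: str) -> list:
    """Return the problems found; an empty list means the pair is loadable by shape."""
    problems = []
    if not CERT_RE.search(cert_pem):
        problems.append("certfile: no PEM CERTIFICATE block")
    if "ENCRYPTED" in key_pem:
        # Go's tls.X509KeyPair, which Traefik uses, does not decrypt passphrase-protected keys.
        problems.append("keyfile: encrypted PEM key cannot be loaded")
    elif not KEY_RE.search(key_pem):
        problems.append("keyfile: no PEM PRIVATE KEY block")
    if CERT_RE.search(key_pem) or KEY_RE.search(cert_pem):
        problems.append("certfile/keyfile appear swapped")
    return problems


def build_tls_entries(prefix: str, name: str, entrypoints, cert_pem: str, key_pem: str) -> dict:
    """Map KV key -> value for one certificate; refuses a pair Traefik could not load."""
    problems = check_pem_pair(cert_pem, key_pem)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"{prefix.strip('/')}/tls/{name}"
    return {
        f"{base}/entrypoints": ",".join(entrypoints),
        f"{base}/certificate/certfile": cert_pem,
        f"{base}/certificate/keyfile": key_pem,
    }


def to_consul_export(entries: dict) -> str:
    """Serialise entries in the JSON accepted by `consul kv import -`."""
    return json.dumps(
        [{"key": k, "flags": 0, "value": base64.b64encode(v.encode()).decode()} for k, v in entries.items()],
        indent=2,
    )


def from_consul_export(text: str) -> dict:
    """Inverse of to_consul_export: decode an export back into key -> value."""
    return {item["key"]: base64.b64decode(item["value"]).decode() for item in json.loads(text)}


def audit_keys(keys, prefix: str = "traefik") -> dict:
    """Inspect a recursive key listing and report on dynamic TLS entries.

    complete:   names with entrypoints, certfile and keyfile all present
    incomplete: name -> missing parts
    misplaced:  cert/key keys outside <prefix>/tls/, which is the only path Traefik
                lists for dynamic certificates
    """
    tls_prefix = f"{prefix.strip('/')}/tls/"
    required = {"entrypoints", "certificate/certfile", "certificate/keyfile"}
    seen, misplaced = {}, []
    for key in keys:
        if key.startswith(tls_prefix):
            name, _, rest = key[len(tls_prefix):].partition("/")
            if name:
                seen.setdefault(name, set()).add(rest)
        elif key.endswith(("/certfile", "/keyfile")):
            misplaced.append(key)
    complete = sorted(n for n, parts in seen.items() if required <= parts)
    incomplete = {n: sorted(required - parts) for n, parts in seen.items() if not required <= parts}
    return {"complete": complete, "incomplete": incomplete, "misplaced": misplaced}


if __name__ == "__main__":
    entries = build_tls_entries("traefik", "site-a", ["https"], SAMPLE_CERT, SAMPLE_KEY)
    print(to_consul_export(entries))  # pipe into: consul kv import -
    print(json.dumps(audit_keys(SAMPLE_LISTING), indent=2))
```

The audit only looks at key names, so it can run against the output of `consul kv get -keys -recurse traefik/` without ever printing private key material; the PEM check is deliberately shape-only (markers, encryption, swapped files) so that it catches the loading failures Traefik reports at runtime without needing a crypto library.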