Hi,
I'm able to have a great set up using Traefik V2 and ACME. Now, I want to use my own certificats that I generated using the projet docker-letencrypt-dns.
Custom certificats
docker-letencrypt-dns
generates four files:
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
I concluded that I need to use those two certs with Traefik:
certFile: /letsencrypt/live/devkiwi.club/fullchain.pem
keyFile: /letsencrypt/live/devkiwi.club/privkey.pem
Issue
Why Traefik do not see my configurations?
Traefik logs
time="2020-01-29T22:58:49-05:00" level=debug msg="No default certificate, generating one"
time="2020-01-29T22:59:32-05:00" level=debug msg="Serving default certificate for request: \"devkiwi.club\""
time="2020-01-29T22:59:32-05:00" level=debug msg="http: TLS handshake error from 54.219.120.51:52784: remote error: tls: bad certificate"
compose-traefik.yml
./compose-traefik.yml
version: "3.7"
services:
traefik:
image: traefik:v2.1.3
ports:
- 80:80
- 443:443
volumes:
- ./traefik.yml:/traefik.yml:ro #<== static configs / traefik load them directly
- ./conf.d:/conf.d:ro #<== dynamic configs / we must specify this directory in the static configs as well
- /user/data/traefik/log/:/var/log/ #<== logs
- /user/data/letsencrypt/live:/live #<== acme certs
labels:
#___ core configs
- traefik.enable=true
#___ set traefik dashboard + API. The API is available at: mydomain.club/api/http/routers & mydomain.club/api/rawdata
- "traefik.http.routers.traefik.rule=Host(`devkiwi.club`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
- "traefik.http.routers.traefik.service=api@internal"
#___ set TLS (https)
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.ping.service=ping@internal"
- "traefik.http.routers.ping.tls=true"
#___ specific middleware for traefik (it enables the dashboard at mydomain.com/traefik)
- "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik"
socketproxy:
image: tecnativa/docker-socket-proxy
container_name: socketproxy
hostname: socketproxy
restart: unless-stopped
healthcheck:
disable: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
CONTAINERS: 1
compose-home.yml (webapp)
version: "3.7"
services:
home:
image: nginx:1.17-alpine
container_name: home
hostname: home
restart: unless-stopped
healthcheck:
disable: true
volumes:
- ./config/static-home/index.html:/usr/share/nginx/html/index.html
labels:
#### core configs
- "traefik.enable=true"
- "traefik.http.routers.home.rule=Host(`devkiwi.club`)"
- "traefik.http.services.home.loadbalancer.server.port=80"
#### set TLS (https)
- "traefik.http.routers.home.entrypoints=websecure"
- "traefik.http.routers.home.tls=true"
- "traefik.http.routers.home.tls.option=myTLSOptions"
#### Apply rules (middlewares)
- "traefik.http.routers.home.middlewares=RuleGrpMain"
traefik.yml (static)
./traefik.yml
# STATIC CONFIGS
providers:
docker:
endpoint: "tcp://socketproxy:2375"
exposedByDefault: false
file:
directory: /conf.d #<== loads dynamic config
watch: true
certificates.yml (dynamic)
./conf.d/certificates.yml
I did check within Traefik container and the certs are there.
I'm not sure about this config, but it's the best I could conclude from the docs.
If I provide 50 certs, I understand that Traefik will find the appropriate one right?
# DYNAMIC CONFIGS
tls:
stores:
default:
defaultCertificate:
- certFile: /live/devkiwi.club/fullchain.pem
keyFile: /live/devkiwi.club/privkey.pem
certificates:
- certFile: /live/blue.club/fullchain.pem
keyFile: /live/blue.club/privkey.pem
certificates:
- certFile: /live/green.club/fullchain.pem
keyFile: /live/green.club/privkey.pem
options:
myTLSOptions:
minVersion: VersionTLS13
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# When dealing with an HTTPS route, Traefik goes through your default certificate store to find a matching certificate.
# https://containo.us/blog/traefik-2-tls-101-23b4fbee81f1/
When I go on the website, I see that a generic cert was generated.
Thanks in advance!