I have traefik running in docker swarm. Here is my stack:
```yaml
version: '3'
services:
  traefik:
    # The latest official supported Traefik docker image
    image: traefik:v2.9
    # Enables the Traefik Dashboard and tells Traefik to listen to docker
    # enable --log.level=INFO so we can see what Traefik is doing in the log files
    deploy:
      placement:
        constraints:
          - node.role==manager
    ports:
      # Exposes port 80 for incoming web requests
      - "80:80"
      - "443:443"
      # The Web UI port http://0.0.0.0:8080 (enabled by --api.insecure=true)
      - "8080:8080"
    networks:
      - public
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/robo/docker-volumes/traefik/traefik-yaml/traefik.yml:/etc/traefik/traefik.yml
      - /home/robo/docker-volumes/cert:/etc/certs/
networks:
  public:
    external: true
```
I am using a root certificate unord.dk (files: '.unord.crt', '.unord.key') for my web-app sendsms.unord.dk. But when I access the website https://sendsms.unord.dk, which only runs locally, it uses self-signed certificates from traefik instead. I am getting no errors from traefik.
You need to set up your custom certificates in a dynamic config file, which you load in static config via provider.file. And, as you did, enable TLS on the router labels with .tls=true or globally on the websecure entrypoint.
If you use Docker Swarm, you can place the certs in a Docker Swarm config or secret, which is automatically available on all nodes. But the update (every year) is more complicated, we usually re-create the whole stack for that. But you can also just simply mount them from the hosts.
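A worked version of that layout, added here as an illustration and not taken from the poster's or the answerer's files: the static traefik.yml loads the dynamic file through providers.file, the dynamic file declares the certificate, and the web-app stack enables its router on websecure. The certificate paths /etc/certs/_.unord.dk.crt and .key and the /etc/traefik/dynamic_conf.yml path follow the later reply in this thread; the entrypoint names, the router name sendsms and the backend port 8000 are assumptions.

```yaml
# --- /etc/traefik/traefik.yml : static configuration (constructed example) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls: {}                 # TLS on for every router that uses this entrypoint
providers:
  docker:
    swarmMode: true
    exposedByDefault: false   # only services carrying traefik.enable=true are routed
    network: public
  file:
    filename: /etc/traefik/dynamic_conf.yml   # must be a separate file, not traefik.yml
    watch: true
log:
  level: DEBUG                # DEBUG shows whether the certificate file is picked up

---
# --- /etc/traefik/dynamic_conf.yml : dynamic configuration ---
tls:
  certificates:
    - certFile: /etc/certs/_.unord.dk.crt
      keyFile: /etc/certs/_.unord.dk.key
  stores:
    default:
      defaultCertificate:     # also replaces the self-signed fallback certificate
        certFile: /etc/certs/_.unord.dk.crt
        keyFile: /etc/certs/_.unord.dk.key

---
# --- fragment of the web-app service in its own stack file (assumed names) ---
deploy:
  replicas: 1               # number of tasks Swarm should run
  labels:                   # Swarm reads labels under deploy:, not service-level labels
    - traefik.enable=true
    - traefik.http.routers.sendsms.rule=Host(`sendsms.unord.dk`)
    - traefik.http.routers.sendsms.entrypoints=websecure
    - traefik.http.routers.sendsms.tls=true
    - traefik.http.services.sendsms.loadbalancer.server.port=8000
```

To check which certificate is actually served, run `openssl s_client -connect 127.0.0.1:443 -servername sendsms.unord.dk </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer` on the Traefik host; a subject of CN=TRAEFIK DEFAULT CERT means the dynamic file was not loaded or the certificate's SAN does not match the requested host.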
Still not working and I am not getting any errors from traefik. I have ssh'd into the traefik container and it can find the .crt file and .key file. It also loads the traefik file when looking at debug. I have restarted the traefik container and my web-app container. It is still issuing self-signed certificates.
I assume your custom certs are paid and contain the domain name. Check in the Traefik container (via cat <file>) and the logs that Traefik can read /etc/traefik/dynamic_conf.yml, /etc/certs/_.unord.dk.crt and /etc/certs/_.unord.dk.key. Config works for me.
```yaml
version: '3'
services:
  traefik:
    # The latest official supported Traefik docker image
    image: traefik:v2.9
    # Enables the Traefik Dashboard and tells Traefik to listen to docker
    # enable --log.level=INFO so we can see what Traefik is doing in the log files
    deploy:
      placement:
        constraints:
          - node.role==manager
    ports:
      # Exposes port 80 for incoming web requests
      - "80:80"
      - "443:443"
      # The Web UI port http://0.0.0.0:8080 (enabled by --api.insecure=true)
      - "8080:8080"
    networks:
      - public
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/robo/docker-volumes/traefik/traefik-yaml/traefik.yml:/etc/traefik/traefik.yml
      - /home/robo/docker-volumes/traefik/traefik-yaml/traefik.yml:/etc/traefik/dynamic_conf.yml
      - /home/robo/docker-volumes/cert:/etc/certs/
networks:
  public:
    external: true
```
You mount a certs folder for your webapp, does it itself have a TLS-encrypted port 8000? I would recommend going into your Traefik container and trying a wget http and wget https to the IPs from (fresh) error messages.
The deploy section for your webapp is missing the replicas count, will those containers even be created?
Also check the Traefik dashboard at http://sendsms.unord.dk:8080/dashboard/. Note that this is currently set to public with insecure and no user/pass.
Remove all lines below # certificates in traefik.yml.