Waiting for DNS record propagation with CloudFlare

Hello, I have a little problem. I tried to use Traefik with a TNAS and ACME and Cloudflare, but I don't know why it's locked at: acme: Waiting for DNS record propagation. Can someone help me, please? I never used Traefik or ACME before. I can send you my traefik.yml if you want. I'll just remove the email from it.

In general I recommend enabling Traefik debug logs and access logs; furthermore, check the Traefik dashboard to see the current configuration.

It helps if you post your full Traefik static and dynamic configuration, and docker-compose.yml if used.

Hello back. So, I did what you asked me to do: I added debug logs and access logs, even if I think I didn't configure the last one properly. I don't have any docker-compose.yml because I don't know how it works, but here is my traefik.yml file:

log:
  level: DEBUG
  
accessLog: {}


# enable traefik web dashboard
api:
  dashboard: true

# configure letsecrypt certificate resolver.
certificatesResolvers:
  myresolver:
    acme:
      email: mymail  # I replaced it because I don't want to leak my email
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare # see https://go-acme.github.io/lego/dns/ for a list of providers
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# instruct traefik to look at the 'static' file services.yml for the services configuration and enable watch mode so that you can edit the file directly from the terramaster text editor and traefik will update the configuration
providers:
  file:
    filename: /etc/traefik/services.yml
    watch: true

# configure traefik to listen on port 80 and 443 and force redirection from http to https
entryPoints:
  web:
    # redirect all http traffic to https for security
    address: ":8000"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":8443"

Here is my services.yml

http:
  routers:
    # example: configure https://traefik.mydomain.com to traefik dashboard
    api:
      entryPoints:
        - "web"
        - "websecure"
      rule: "Host(`traefik.mydomain.com`)"
      service: "api@internal" # special internal traefik service 
      tls: 
        certResolver: "myresolver"
    
    # example: configure https://nas.mydomain.com to point to terramaster nas web interface
    nas:
      entryPoints:
        - "web"
        - "websecure"
      rule: "Host(`nas.mydomain.com`)"
      service: "nas" # service "nas" must be defined in the services section later in the file
      tls: 
        certResolver: "myresolver"

  services:
    nas:
      loadBalancer:
        servers:
          - url: "http://localhost:8181"

And for Cloudflare, I just added a site called mydomain.com and I didn't change anything except the IP, which I set to my public IP address by searching my IP on Google.

And finally, for the panel, I don't know how to get into it.

And a new thing appeared in the Docker log:

[nas.mydomain.com] time limit exceeded: last error: NS ns3.mydomain.com. returned NXDOMAIN for _acme-challenge.nas.mydomain.com. providerName=myresolver.acme routerName=nas@file rule="Host(`nas.mydomain.com`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory"

If you use port 80, you can just use LetsEncrypt with httpchallenge, all you need is your IP in your DNS. Using standard LetsEncrypt TLS/SSL works with your CloudFlare DNS.

certificatesResolvers:
  myresolver:
    acme:
      email: email@example.com
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web

If you explicitly want to use CloudFlare TLS/SSL, then you probably have to supply your credentials, see docs and docs.

CF_API_EMAIL, CF_API_KEY or CF_DNS_API_TOKEN

I would recommend only using 1.1.1.1 from CloudFlare, as 8.8.8.8 belongs to Google and data propagation to it might take longer due to caching.

I want to set up something that works with HTTPS for a Docker instance on the same NAS. So will it work if I do it like you said?

I already set the CF_API_EMAIL and the CF_API_KEY in my environment in a Docker GUI.

Remove 8.8.8.8, go into your Traefik container and check if the ENV vars are set, check debug log again.

If you still need support, you should describe your architecture (servers, network, services, etc) and your desired outcome.

Is it possible to just avoid CloudFlare and make a reverse proxy without it?

You need a DNS service and you can just use CloudFlare for it (to resolve your domain to an IP address).

For TLS/SSL certificates you can use LetsEncrypt with httpchallenge (like example myresolver) - but you need an entrypoint on port 80.

Make sure you have your storage location on your server (with Docker in a mounted directory or volume), as LetsEncrypt has API limits and will hit those when you restart often - therefore enable your certificates to be kept in the acme file during container re-creation.

Hello, so I just did what you said (I think) but I still have errors and it still doesn't work. Here are my files.

traefik.yml

log:
  level: DEBUG

# enable traefik web dashboard
api:
  dashboard: true

# configure letsecrypt certificate resolver.
certificatesResolvers:
  myresolver:
    acme:
      email: mymail
      storage: /etc/traefik/acme.json
      httpchallenge:
        entrypoint: web


# instruct traefik to look at the 'static' file services.yml for the services configuration and enable watch mode so that you can edit the file directly from the terramaster text editor and traefik will update the configuration
providers:
  file:
    filename: /etc/traefik/services.yml
    watch: true

# configure traefik to listen on port 80 and 443 and force redirection from http to https
entryPoints:
  web:
    # redirect all http traffic to https for security
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

services.yml

http:
  routers:
    # example: configure https://traefik.mydomain.com to traefik dashboard
    api:
      entryPoints:
        - "web"
        - "websecure"
      rule: "Host(`traefik.mydomain.com`)"
      service: "api@internal" # special internal traefik service 
      tls: 
        certResolver: "myresolver"
    
    # example: configure https://nas.mydomain.com to point to terramaster nas web interface
    nas:
      entryPoints:
        - "web"
        - "websecure"
      rule: "Host(`nas.mydomain.com`)"
      service: "nas" # service "nas" must be defined in the services section later in the file
      tls: 
        certResolver: "myresolver"
        
  services:
    nas:
      loadBalancer:
        servers:
          - url: "http://localhost:8181"

Here are my logs: Pastebin

Your log shows ChallengeTLSALPN and tls-alpn-01, which is not intended and which uses entrypoint websecure. Check capitalization of the words.

certificatesResolvers:
  myresolver:
    acme:
      # ...
      httpChallenge:
        entryPoint: web

If you just grep/search your log for "error", then you see that something with your DNS seems to be not working. Have you set an IPv6 AAAA entry? Is it set correctly?

Enable access log to see requests for the httpChallenge. Try curl http://traefik.mydomain.com to see if requests get to Traefik. Try ping traefik.mydomain.com to check the IP.

You can remove web from your routers, as you redirect everything to websecure anyways. (The httpChallenge still works despite the overall redirect.)

Hello,

inside your log:

DNS problem: NXDOMAIN looking up A for nas.mydomain.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for nas.mydomain.com

The A or AAAA record for your domain nas.mydomain.com is missing.

You just have to add an A record for the domain nas.mydomain.com that points to the IP of your Traefik.

It's not a Traefik configuration problem, it's just a DNS configuration problem.


@bluepuma77 It's better to use the TLS challenge over the HTTP challenge but in this case, the DNS challenge will work, it's just a problem with the DNS configuration.

Using multiple resolvers is a good practice.

The pretty small difference between 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google), in the context of a DNS challenge, has no impact because the resolvers are not used for the validation of the challenge but just for waiting for the propagation before asking to Let's Encrypt to check the TXT records for the challenge.
And Let's Encrypt uses its own targeted DNS servers (not related to resolvers and Let's Encrypt doesn't provide any information about those DNS servers).
So technically it's better to use the slowest instead of the fastest.
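As an added example (not code from the thread or from Traefik), a small triage script that maps the ACME log lines quoted in this thread to the fixes discussed above; the sample log lines are constructed from the quoted errors and the hostnames are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Added example: triage rules for the ACME errors quoted in this thread.
# Each rule is (pattern, finding code, advice template filled from the regex groups).
RULES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"NXDOMAIN for _acme-challenge\.([\w.-]+?)\.?(?=\s|$)"), "dns01-txt-missing",
     "the _acme-challenge TXT record for {0} was not found: check the DNS provider credentials "
     "in the container environment (CF_API_EMAIL + CF_API_KEY, or CF_DNS_API_TOKEN) and "
     "whether propagation is still pending"),
    (re.compile(r"NXDOMAIN looking up (A|AAAA) for ([\w.-]+)"), "dns-record-missing",
     "no {0} record for {1}: add an A record pointing at Traefik's public IPv4 "
     "(an AAAA record only if you actually serve IPv6)"),
    (re.compile(r"tls-alpn-01|ChallengeTLSALPN"), "unexpected-tls-alpn",
     "TLS-ALPN-01 is in use on the websecure entrypoint; if httpChallenge was intended, "
     "check the httpChallenge / entryPoint keys of the resolver"),
    (re.compile(r"Waiting for DNS record propagation"), "dns01-waiting",
     "dnsChallenge published the TXT record and is polling the configured resolvers; "
     "only a problem if it never completes"),
]

def classify(line: str) -> List[Tuple[str, str]]:
    """Return (code, advice) findings for one log line; empty if nothing matches."""
    findings = []
    for pattern, code, advice in RULES:
        for match in pattern.finditer(line):
            findings.append((code, advice.format(*match.groups())))
    return findings

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per code over a whole log, more useful than grepping for 'error'."""
    counts: Dict[str, int] = {}
    for line in lines:
        for code, _ in classify(line):
            counts[code] = counts.get(code, 0) + 1
    return counts

# Constructed sample lines modelled on the errors quoted in the thread (placeholder hostnames).
SAMPLE_LOG = [
    "[nas.mydomain.com] acme: Waiting for DNS record propagation.",
    "[nas.mydomain.com] time limit exceeded: last error: NS ns3.mydomain.com. returned "
    "NXDOMAIN for _acme-challenge.nas.mydomain.com. providerName=myresolver.acme",
    "[nas.mydomain.com] acme: use tls-alpn-01 solver",
    "DNS problem: NXDOMAIN looking up A for nas.mydomain.com - check that a DNS record exists "
    "for this domain; DNS problem: NXDOMAIN looking up AAAA for nas.mydomain.com",
]
```

Feed `summarize()` the lines of a real Traefik debug log (one string per line) to get a count per finding; `classify()` gives the advice for a single line.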


What is an IPv6 AAAA entry?

It's a kind of A record dedicated to IPv6.

A record -> IPv4
AAAA record -> IPv6

In your context, you just need an A record with your IPv4 for the domain nas.mydomain.com

And is it possible to explain how to set that up?

@ldez Will the TLS challenge interrupt my highly frequented service when a certificate needs to be renewed? (Changing to a validation certificate for a short time?)

With the HTTP challenge I am sure that it does not interfere with my running services and ongoing requests.

You bought your domain name somewhere. With that DNS provider you set your A record of the domain (and if required of the www sub-domain) to the IP of your server.

This is how the Internet works. In the Domain Name System your domain name example.com points to the IP address of your server.

No, because the challenge is handled by a call with a specific TLS extension (ALPN), and when Traefik renews a certificate, the certificate is still valid.


Okay, so I managed to create a docker-compose.yml. The problem is that I can connect to my vaultwarden but it is not HTTPS. Here are my files. Traefik:

version: '3'
services:
  traefik:
    container_name: Traefik
    image: traefik:latest
    restart: unless-stopped
    networks:
      - default
      - proxy
    command: 
      --api.insecure=true 
      --providers.docker=true
      --providers.docker.exposedbydefault=false
      --entrypoints.web.address=:80
      --entrypoints.websecure.address=:443
      --certificatesresolvers.myresolver.acme.dnschallenge=true
      --certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns
      --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
      --certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
      --certificatesresolvers.myresolver.acme.email=dalmatheo@gmail.com
      --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      --certificatesresolvers.myresolver.acme.keytype=EC256
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - DUCKDNS_TOKEN=2ec112a1-0087-4bfa-8601-3e198603cb4f
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dalmatheo.duckdns.org`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
networks:
  proxy:
    external:
      name: proxy
  default:
    driver: bridge

Here is my vaultwarden one:

version: '3.7'

services:
  bitwarden:
    image: vaultwarden/server:latest
    container_name: bitwarden
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      - ADMIN_TOKEN=
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Entry Point for https
      - "traefik.http.routers.bitwarden-secure.entrypoints=web"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bw.dalmatheo.duckdns.org`)"
      - "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
      # websocket
      - "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-ws.rule=Host(`bw.dalmatheo.duckdns.org`)"
      - "traefik.http.middlewares.bitwarden-ws=bw-stripPrefix@file"
      - "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
      - "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=443"
      
networks:
  proxy:
    external: true