What's wrong with my configuration

Disclaimer: Traefik noob here :skull:

If I use my domain name, such as portainer.domain.tld, I get a 526 SSL invalid certificate error or a connection timed out error, depending on what useless things I'm configuring.

So I tried with a local domain name, but I got an ERR_CONNECTION_REFUSED error.

I tried several configurations, none of them worked. Here's my last attempt.

portainer.yml, running without problems:

version: "3.9"

services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    ports:
      - "50000:9443"
    volumes:
      - /volume1/docker/portainer/:/data/
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.mydomain.tld`)"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.docker.network=portainer-network"
    networks:
      - portainer-network

networks:
  portainer-network:
    name: portainer-network
    driver: bridge

My traefik.yml (the compose file, not the configuration file), no apparent errors in the logs:

version: "3.9"

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    read_only: true
    security_opt:
      - no-new-privileges:true
    ports:
      - "44300:443"
      - "25100:8080"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yml:/traefik.yml:ro
      - /volume1/docker/_certs/:/certs/:ro
    networks:
      - traefik-network

networks:
  traefik-network:
    name: traefik-network
    driver: bridge

Finally, my traefik.yml (config file):

api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":443"

tls:
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

If you need anything else, please, let me know.

Thanks to those who could help me :smiley:

Okay, as it's very complicated for me, I made a simpler example that still does not work :pensive:

I set up a whoami container:

version: "3.9"

services:
  whoami:
    image: traefik/whoami
    container_name: whoami   # "name" is not a valid compose service key; container_name is
    network_mode: bridge
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=http"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"

I simplified Traefik too.

version: "3.9"

services:
  portainer:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    read_only: true
    ports:
      - "49870:80"
      - "25100:8080"
    network_mode: bridge
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yml:/traefik.yml:ro
      - /volume1/docker/_certs/:/certs/:ro

The YAML config file:

api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":80"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    useBindPortIP: true

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/domain.tld.cert.pem
        keyFile: /certs/domain.tld.key.pem

My router forwards port 80 to internal port 49870 to try to reach Traefik.
I can run: curl -H Host:whoami.domain.tld http://192.168.1.200:49870 (192.168.1.200 is the server where Traefik is)

Hostname: c963bf79bea3
IP: 127.0.0.1
IP: 172.17.0.2
RemoteAddr: 172.17.0.3:39448
GET / HTTP/1.1
Host: whoami.domain.tld
User-Agent: curl/7.83.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.17.0.1
X-Forwarded-Host: whoami.domain.tld
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 94e90790ccba
X-Real-Ip: 172.17.0.1

But I can't type whoami.domain.tld in a browser without getting an error :frowning_face:

Whatever container Traefik should forward requests to, both should be placed within the same Docker network.

If the target service has multiple networks, set docker.network in static provider or dynamic router config.

Thanks for your reply.

The final version of my Traefik configuration will need to be able to cope with different Docker networks. For security first, and because I don't want to edit all my services to put them in a single network. No way.

For now, I'm just trying to make Traefik work from outside my network (from a web browser, typically).
I don't know what's wrong on this side. I use the same method as for Nginx: when my IP gets a request on port 443, it is forwarded to my server, and then the container takes care of the rest.

Here, Traefik doesn't seem to do anything.

You can have a different Docker network for every service, but Traefik needs to be part of it. Then use labels on your service to set the matching traefik.docker.network.

Make sure your domain whoami.domain.tld is set in DNS to resolve to the IP, either on the Internet with a paid provider, in your Internet router, or in your local hosts file.

It's very confusing that you name your Traefik service "portainer".

Shouldn't I name my Traefik service "portainer"? In Traefik, it is shown as portainer@docker.

I don't understand why Traefik isn't capable of routing a request to a container while Nginx does it (to a local IP + port) without problem.

I don't know what blocks Traefik.

I just stated that this was confusing to me when I scanned over the config.

Help? :`|

Even when trying on another machine, it does not work. I don't understand. Requests do come through, because if I switch to 443, I get an SSL invalid certificate error, but on 80, it just loads. I tried with curl and I got a 301 error.

I think I'm ready to pay 5$ on PayPal to solve this shit, It's enough.

Looking again at your original post: not sure how Portainer should work via Traefik, because they don't share the same Docker network. Did you access it directly via the exposed port?

Traefik TLS files need to be configured in a "dynamic configuration", so you need something like traefik-dynamic.yml which you load in traefik.yml with a providers.file (next to providers.docker). TLS docs, file docs.

And if you try accessing your app with curl over http and https, you should expose the default ports 80 and 443, or add the ports to your curl request.
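Putting the advice from this reply and the earlier ones (shared Docker network, traefik.docker.network label, TLS in dynamic configuration loaded by the file provider, default ports 80/443) into one working Traefik v2 setup. This is an added example, not the original poster's configuration and not code from the Traefik project; four files are shown in a single block separated by `---`. Assumptions: a shared network named `proxy`, a dynamic file at /volume1/docker/traefik/traefik-dynamic.yml, a pinned `traefik:v2.10` image, and the certificate paths from the second post.

```yaml
# --- docker-compose.traefik.yml (added example; the "proxy" network name is an assumption) ---
version: "3.9"

services:
  traefik:
    image: traefik:v2.10          # pin a release instead of :latest
    container_name: traefik
    restart: unless-stopped
    read_only: true
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"                   # default ports, so a router forward of 80/443 needs no remapping
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/traefik.yml:/traefik.yml:ro
      - /volume1/docker/traefik/traefik-dynamic.yml:/traefik-dynamic.yml:ro
      - /volume1/docker/_certs/:/certs/:ro
    networks:
      - proxy

networks:
  proxy:
    name: proxy                   # created by this stack; other stacks join it as external

---
# --- traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:               # plain HTTP is redirected to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false       # only containers with traefik.enable=true get routers
    network: proxy                # network Traefik uses to reach containers by default
  file:
    filename: /traefik-dynamic.yml   # certificates belong in dynamic config, not here

---
# --- traefik-dynamic.yml (dynamic configuration, loaded by the file provider) ---
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/domain.tld.cert.pem
        keyFile: /certs/domain.tld.key.pem
  options:
    default:
      minVersion: VersionTLS12

---
# --- docker-compose.whoami.yml (service keeps its own private network as well) ---
version: "3.9"

services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    networks:
      - proxy
      - whoami-internal
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"    # needed because the container sits on two networks
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"

networks:
  proxy:
    external: true
  whoami-internal:
    name: whoami-internal
```

Bring up the Traefik stack first (it creates the `proxy` network), then the whoami stack. To test routing and the certificate without depending on public DNS, use `curl -v --resolve whoami.domain.tld:443:192.168.1.200 https://whoami.domain.tld`; once that works, `dig +short whoami.domain.tld` must return the router's current public IP, which is exactly the check that would have caught the stale DNS record this thread ends on.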

Okay, I found the answer...
The DNS record had a wrong address, because my ISP gives me a dynamic IP...
