Hello,
I have a fairly simple configuration: 2 entrypoints:
- one public (https-public)
- one private (https-admin)
both of them must serve multiple domains, each with its own certificate.
When I deploy a new stack, my certificate is added:
time="2019-10-13T21:01:14Z" level=debug msg="Configuration received from provider file: {"http":{},"tcp":{},"tls":{"stores":{"default":{"defaultCertificate":{"certFile":"/certs/registry.docker.crt","keyFile":"/certs/registry.docker.key"}}}}}" providerName=file
time="2019-10-13T21:01:57Z" level=debug msg="Adding certificate for domain(s) registry.docker.datalake.preprod"
But Traefik serves the default certificate:
time="2019-10-13T21:02:04Z" level=debug msg="Serving default certificate for request: "registry.docker.datalake.preprod""
The error message when Ansible tries to log in to the registry:
"Logging into registry.docker.datalake.preprod:22443 for user admin failed - 500 Server Error: Internal Server Error ("Get https://registry.docker.datalake.preprod:22443/v2/: x509: certificate is valid for f3c126e80e3f99f9788e4f15bd6925ef.51ec44adc23973f64ef2823c10525732.traefik.default, not registry.docker.datalake.preprod")"}
I'm not sure whether I've made a mistake or there's a bug, but I'm definitely going mad after 2 days of searching...
traefik version
Version: 2.0.2
Codename: montdor
Go version: go1.13.1
Built: 2019-10-09T19:26:05Z
OS/Arch: linux/amd64
static configuration
cat traefik.toml
# Static configuration (Traefik v2). Traefik reads static-config key names
# case-insensitively (the original spelled them entrypoints /
# exposedbydefault); the documented casing is used below.
[entryPoints]
  # Public entrypoint.
  [entryPoints.https-public]
    address = ":443"

  # Private/admin entrypoint; the registry router binds to it via labels.
  [entryPoints.https-admin]
    address = ":22443"

[providers.file]
  # Files in this directory are loaded as dynamic configuration and, with
  # watch = true, re-read whenever they change.
  directory = "/etc/traefik/dynamic_config/"
  watch = true

[providers.docker]
  swarmMode = true
  endpoint = "unix:///var/run/docker.sock"
  # Services must opt in with the traefik.enable=true label.
  exposedByDefault = false

[api]
  # insecure = true serves the API and dashboard without authentication on
  # the built-in :8080 endpoint; only publish that port to trusted networks.
  insecure = true
  dashboard = true

[log]
  level = "DEBUG"
  filePath = "/var/log/traefik/traefik.log"

[accessLog]
  filePath = "/var/log/traefik/access.log"
dynamic configuration
$ ls dynamic_config/
docker-registry-tls.toml  traefik-tls.toml
$ cat dynamic_config/docker-registry-tls.toml
# Certificate for the registry host. Traefik selects it for incoming SNI by
# the domains found in the certificate itself (the debug log reports them as
# "Adding certificate for domain(s) ...").
# NOTE(review): the "Configuration received from provider file" log line
# above shows these same files arriving as tls.stores.default.defaultCertificate
# rather than as a tls.certificates entry; confirm this file is the one
# actually mounted under /etc/traefik/dynamic_config/.
[[tls.certificates]]
  certFile = "/certs/registry.docker.crt"
  keyFile = "/certs/registry.docker.key"
$ cat dynamic_config/traefik-tls.toml
# Second certificate in the same default TLS store; which hostnames it
# answers for is determined by the domains in the certificate itself.
[[tls.certificates]]
  certFile = "/certs/traefik.crt"
  keyFile = "/certs/traefik.key"
docker compose for traefik
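version: "3.6"

services:
  traefik:
    # Pinned to the release reported by `traefik version` above (2.0.2) so an
    # unreviewed image update cannot silently change routing/TLS behaviour.
    image: traefik:v2.0.2
    # --api.insecure=true serves the dashboard and API unauthenticated on the
    # built-in :8080 endpoint, which is published below; restrict that port to
    # trusted networks or front the dashboard with an auth middleware.
    command: --api.dashboard=true --api.insecure=true
    volumes:
      # Read-only mount still exposes the full Docker API to this container.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker/traefik-data/traefik.toml:/traefik.toml
      - /srv/docker/traefik-data/logs:/var/log/traefik
      - /srv/docker/traefik-data/dynamic_config:/etc/traefik/dynamic_config
      - /srv/docker/traefik-data/tls-certs:/certs
      - /srv/docker/traefik-data/htpasswd:/etc/traefik/htpasswd
    networks:
      - traefik-net
    # Port mappings are quoted so a YAML 1.1 parser never reads "host:container"
    # as a number.
    ports:
      - "80:80"
      - "443:443"
      # Dashboard/API (see --api.insecure above).
      - "8080:8080"
      # https-admin entrypoint.
      - "22443:22443"
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        # Traefik docker overlay network
        - "traefik.docker.network=traefik-net"

networks:
  traefik-net:
    driver: overlay
    external: true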
docker-compose for registry
version: "3.6"

services:
  registry:
    image: registry:2
    hostname: registry.docker.datalake.preprod
    volumes:
      - /srv/docker/docker-registry-data/data:/var/lib/registry
      - /srv/docker/docker-registry-data/registry-config.yaml:/etc/docker/registry/config.yml
    networks:
      - traefik-net
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker
      labels:
        # Opt in to Traefik (exposedByDefault is false in the static config).
        - "traefik.enable=true"
        # Router: match the registry hostname, TLS on, bound only to the
        # private https-admin entrypoint (:22443), never the public one.
        - "traefik.http.routers.registry.rule=Host(`registry.docker.datalake.preprod`)"
        - "traefik.http.routers.registry.tls=true"
        - "traefik.http.routers.registry.entrypoints=https-admin"
        - "traefik.http.routers.registry.service=registry"
        # Backend: the registry listens on 5000 inside the overlay network and,
        # with no server.scheme label set, is reached over plain HTTP.
        - "traefik.http.services.registry.loadbalancer.server.port=5000"
        - "traefik.docker.network=traefik-net"

networks:
  traefik-net:
    driver: overlay
    external: true
complete logs