Wildcard certs not being created when adding docker container labels when network_mode used

the-bort-the · March 4, 2025, 2:00am

Currently using traefik:v3.2.3 with success on multiple compose.yml stacks. This is accomplished by putting the traefik_network network on each service across all the compose.yml files.

Then I add all the necessary routers and rules and have wildcard certs for all containers. However I'm not sure how I can go about adding containers to a compose.yml where I have network_mode: "service:particular_service".

The labels don't create a wildcard cert and I'm having to use the IP+port to access these particular services instead of coolservice.example.com. Is there a limitation when using network_mode: "service:particular_service"?

bluepuma77 · March 4, 2025, 8:38am

What does Traefik debug log tell you (doc)?

Using the network of another Docker service is very special, maybe Traefik Docker configuration discovery doesn’t work with this special case.

the-bort-the · March 6, 2025, 2:29am

The logs aren't screaming about anything from what I can tell - however what's interesting is because I'm using having these two additional containers depend on the main one, they are not getting IPs addresses. The labels written for the sub containers are being applied to the main container. Then when browsing to that URL, it's trying to land on the main container. I've included the snippet of the compose showing the main container and one of the sub containers.

$ docker ps -q | xargs docker inspect -f '{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
/sub_container_a - 
/sub_container_b - 
/main_container_ - 172.25.0.5192.168.112.12

compose.yml

services:
  main_container:
    image: qmcgaw/main_container
    container_name: main_container
    hostname: media_main_container
    cap_add:
      - NET_ADMIN
    ports:
      - 6888:6888
      - 6888:6888/udp
      - 9091:9091    
      - 6789:6789
    restart: unless-stopped
    networks:
      - main_container_net
      - traefik_network

  sub_container_a:
    image: lscr.io/linuxserver/sub_container_a:latest
    container_name: sub_container_a
    depends_on:
      - main_container
    environment:
      - PUID=0
      - PGID=0
      - TZ=America/Chicago
    network_mode: "service:main_container"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sub_container_a.entrypoints=http"
      - "traefik.http.routers.sub_container_a.rule=Host(`sub_container_a.example.com`)"
      - "traefik.http.middlewares.sub_container_a-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.sub_container_a.middlewares=sub_container_a-https-redirect"
      - "traefik.http.routers.sub_container_a-secure.entrypoints=https"
      - "traefik.http.routers.sub_container_a-secure.rule=Host(`sub_container_a.example.com`)"
      - "traefik.http.routers.sub_container_a-secure.tls=true"
      - "traefik.http.routers.sub_container_a-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.sub_container_a-secure.service=sub_container_a-svc"
      - "traefik.http.services.sub_container_a-svc.loadbalancer.server.port=9091"
      - "traefik.docker.network=traefik_network"

logs:

{"ClientAddr":"178.249.214.10:43924","ClientHost":"178.249.214.10","ClientPort":"43924","ClientUsername":"-","DownstreamContentSize":12,"DownstreamStatus":401,"Duration":1308082,"OriginContentSize":12,"OriginDuration":910451,"OriginStatus":401,"Overhead":397631,"RequestAddr":"sub_container_a.example.com:8443","RequestContentSize":0,"RequestCount":917,"RequestHost":"sub_container_a.example.com.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"8443","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"sub_container_a@docker","ServiceAddr":"192.168.112.12:9091","ServiceName":"sub_container_a-svc@docker","ServiceURL":"http://192.168.112.12:9091","SpanId":"0000000000000000","StartLocal":"2025-03-05T20:16:20.095992154-06:00","StartUTC":"2025-03-06T02:16:20.095992154Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36","time":"2025-03-05T20:16:20-06:00"}
{"ClientAddr":"178.249.214.10:43924","ClientHost":"178.249.214.10","ClientPort":"43924","ClientUsername":"-","DownstreamContentSize":12,"DownstreamStatus":401,"Duration":812949,"OriginContentSize":12,"OriginDuration":460444,"OriginStatus":401,"Overhead":352505,"RequestAddr":"sub_container_a.example.com:8443","RequestContentSize":0,"RequestCount":918,"RequestHost":"sub_container_a.example.com.com","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestPort":"8443","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"sub_container_a@docker","ServiceAddr":"192.168.112.12:9091","ServiceName":"sub_container_a-svc@docker","ServiceURL":"http://192.168.112.12:9091","SpanId":"0000000000000000","StartLocal":"2025-03-05T20:16:20.213007957-06:00","StartUTC":"2025-03-06T02:16:20.213007957Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36","time":"2025-03-05T20:16:20-06:00"}

the-bort-the · March 23, 2025, 11:00pm

Seems the fix was appropriately setting the labels. QBittorrent is still having issues, so I'll move that conversation elsewhere, but this example works fine for Nzbget.

labels:
  - "traefik.enable=true"
  # NZBGET labels
  - "traefik.http.routers.nzbget.entrypoints=http"
  - "traefik.http.routers.nzbget.rule=Host(`nzbget.example.com`)"
  - "traefik.http.middlewares.nzbget-https-redirect.redirectscheme.scheme=https"
  - "traefik.http.routers.nzbget.middlewares=nzbget-https-redirect"
  - "traefik.http.routers.nzbget-secure.entrypoints=https"
  - "traefik.http.routers.nzbget-secure.rule=Host(`nzbget.example.com`)"
  - "traefik.http.routers.nzbget-secure.tls=true"
  - "traefik.http.routers.nzbget-secure.tls.certresolver=cloudflare"
  - "traefik.http.routers.nzbget-secure.service=nzbget-svc"
  - "traefik.http.services.nzbget-svc.loadbalancer.server.port=6789"
  - "traefik.docker.network=traefik_network"

Topic		Replies	Views
Labeled containers get correct SSL certificate, file-defined containers get self-signed Traefik v2 file , letsencrypt-acme	3	2361	November 28, 2023
Wildcard certifikate not working on podman Traefik v3 (latest) docker	1	8	March 13, 2025
Beginner having troubles with wildcard certificates Traefik v3 (latest) docker	4	748	September 3, 2024
Traefik self-generated certificated wildcard subdomain in docker-compose Traefik v2 docker	3	1875	November 11, 2021
Wildcard certificate not used despite being correct Traefik v2 docker	7	3576	November 9, 2023

Wildcard certs not being created when adding docker container labels when network_mode used

Related topics