Docker, Traefik 2.2, and Default Certificate - docker

Question: Why does Traefik not use my wildcard cert (as outlined in my traefik.yml file), instead insisting on generating its own?
docker-compose.yml
version: '3'
services:
traefik:
image: traefik:2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- $PWD/traefik.yml:/etc/traefik/traefik.yml:ro
- $PWD/certs:/certs
labels:
- traefik.enable=true
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.rule=Host("traefik.network.lan")
- traefik.http.routers.traefik-secure.tls=true
- traefik.http.routers.traefik-secure.service=api#internal
networks:
proxy:
external: true
$PWD/traefik.yml
global:
checkNewVersion: true
sendAnonymousUsage: true
log:
level: DEBUG
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
swarmMode: false
tls:
certificates:
- certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
stores:
- default
stores:
default:
defaultCertificate:
certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
options:
default:
minVersion: VersionTLS12
preferServerCipherSuites: true
mintls13:
minVersion: VersionTLS13
accessLog: {}
I have attached to the traefik container to verify that /etc/traefik/traefik.yml and the two certs in /certs exist. When I look at logs for the traefik container, I see the following line during startup (note the debug level, indicating that my config is indeed being read)
traefik | time="2020-06-14T17:01:51Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2020-06-14T17:01:51Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"


I think the problem is with certificates being in traefik.yml file. Certificates should be part of dynamic configuration, see https://docs.traefik.io/https/tls/#user-defined.
This means, you need two things:
another config file, e.g. certs.yml and move the tls section (with certificates, stores and options sections)
add another provider to your traefik.yml file, e.g.
providers:
docker:
...
file:
filename: /path/to/certs.yml


It seems that your configs are not loaded correctly, try to explicitly configure traefik with the config file bypassing the below args to the traefik command.
- '--providers.file.filename=/etc/traefik/traefik.yml'

Related

Why am I getting this error when creating a stack on docker?

I'm a complete docker noob. Just installed docker and docker-compose as well as portainer following a tutorial.
Now I would like to set up traefik reverse proxy on portainer.
This is the traefik.yml file in /etc/traefik
global:
checkNewVersion: true
sendAnonymousUsage: false # true by default
# (Optional) Log information
# ---
# log:
# level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL
# format: common # common, json, logfmt
# filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
# accesslog:
# format: common # common, json, logfmt
# filePath: /var/log/traefik/access.log
# (Optional) Enable API and Dashboard
# ---
api:
dashboard: true # true by default
insecure: true # Don't do this in production!
# Entry Points configuration
# ---
entryPoints:
web:
address: :80
# (Optional) Redirect to HTTPS
# ---
# http:
# redirections:
# entryPoint:
# to: websecure
# scheme: https
websecure:
address: :443
# Certificates configuration
# ---
# TODO: Custmoize your Cert Resolvers and Domain settings
#
This is the docker-compose file:
version: '3'
volumes:
traefik-ssl-certs:
driver: local
services:
traefik:
image: "traefik:v2.5"
container_name: "traefik"
ports:
- "80:80"
- "443:443"
# (Optional) Expose Dashboard
- "8080:8080" # Don't do this in production!
volumes:
- /etc/traefik:/etc/traefik
- traefik-ssl-certs:/ssl-certs
- /var/run/docker.sock:/var/run/docker.sock:ro
But when I try to start the container I get this error:
2021/12/08 18:08:07 command traefik error: yaml: line 19: did not find expected key
I can get the container to run when I remove the whole "volumes" section under "services" from the docker-compose file, but I need it for my traefik set up. I have no clue what I did wrong as I am following a video tutorial for this 1:1

I think you should check your traefik.yml indentation. There are some keys at different levels and YAML is pretty sensible to this. I'm talking specially about:
global
checkNewVersion
sendAnonymousUsage
api
Check the number of spaces before them.

I cannot recreate your exact error message, but I got an error when using your exact traefik.yml config file (as posted in the question) as the syntax is invalid (as pointed out in another answer).
I reduced the compose file to the minimum:
version: '3'
services:
traefik:
image: "traefik:v2.5"
container_name: "traefik"
volumes:
- 'c:\temp\traefik\etc\traefik.yml:/etc/traefik/traefik.yml'
And mounted just the traefik.yml file into the container as you can see. The file is shown below with commented out lines removed:
global:
checkNewVersion: true
sendAnonymousUsage: false # true by default
api:
dashboard: true # true by default
insecure: true # Don't do this in production!
entryPoints:
web:
address: :80
websecure:
address: :443
Running a docker-compose up on this gives the following error:
c:\Temp\traefik>docker-compose up
[+] Running 1/0
- Container traefik Created 0.0s
Attaching to traefik
traefik | 2021/12/09 08:44:36 command traefik error: no valid configuration found in file: /etc/traefik/traefik.yml
traefik exited with code 1
When I fix the indentation in the traefik.yml file (and turn on DEBUG logging) I have this:
global:
checkNewVersion: true
sendAnonymousUsage: false # true by default
api:
dashboard: true # true by default
insecure: true # Don't do this in production!
entryPoints:
web:
address: :80
websecure:
address: :443
log:
level: DEBUG
and running docker-compose up again I now get this:
c:\Temp\traefik>docker-compose up
[+] Running 2/2
- Network traefik_default Created 0.2s
- Container traefik Created 29.5s
Attaching to traefik
traefik | time="2021-12-09T08:49:30Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2021-12-09T08:49:30Z" level=info msg="Traefik version 2.5.4 built on 2021-11-08T17:41:41Z"
traefik | time="2021-12-09T08:49:30Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\"},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"pilot\":{\"dashboard\":true}}"
traefik | time="2021-12-09T08:49:30Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik | time="2021-12-09T08:49:30Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
...
...
So it can be seen that traefik starts up. This is not necessarily the same issue you have, but it shows how to approach troubleshooting it. Once you know your traefik configuration is good, you can add DEBUG logging and then try adding the other volumes and configuration so see if they are OK too.

issues running docker traefik v2.0 to use self signed certificate

i am trying to run docker traefik v2.0 to use self signed certificates
here is my traefik.toml file
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/server.crt"
keyFile = "/certs/server.key"
and here is my traefik.yaml docker-compose file
version: '3.5'
services:
traefik:
image: traefik:v2.0
container_name: traefik
restart: always
networks:
- traefik_network
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./certs:/certs/
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
networks:
traefik_network:
name: traefik_network
the certificates are in the folder certs/server.crt and certs/server.key
but when i run the docker-compose for traefik i get the following error
Attaching to traefik
traefik | 2019/10/20 21:08:11 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:14 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:17 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:19 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:22 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:24 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:29 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:36 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:08:50 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:09:16 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:10:08 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:11:09 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:11:14 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:11:17 command traefik error: field not found, node: tls
traefik | 2019/10/20 21:11:19 command traefik error: field not found, node: tls
anyone know what the issue is?
thanks

According to the migration documentation from Traefik v1 to v2, the configuration of TLS is not in the entrypoint anymore, but in a router's configuration instead :
You have to define a router (following the migration documentation if you still use v1's frontends / backends) that will look like
[http.routers]
[http.routers.Router-1]
rule = "Host(`bar.com`)"
service = "service-id"
[http.routers.Router-1.tls]
options = "myTLSOptions"
# will terminate the TLS request
in which you can use myTLSOptions as a reference to a TLS option section defined like so:
[tls.options]
[tls.options.myTLSOptions]
minVersion = "VersionTLS13"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
...
]
...
The certificates' location is in a separate config entry:
[[tls.certificates]]
certFile = "/certs/server.crt"
keyFile = "/certs/server.key"
Notice that you can also use a different format for your config in v2: you can do more than before with docker labels and if you prefer, you could instead also change from toml to yaml.

Traefik is ignoring docker with traefik.enable=true set

What did you expect to see?
I Expected to see a new front-end and back-end when I docker-compose up my wordpress stack.
What did you see instead?
No new front or back ends. 2 Log lines = level=info msg="Skipping same configuration for provider docker"
Also seeing "Filtering disabled container /testEXAMPLEcom_wordpress_1" even though traefik.enable=true is set in the labels.
Output of traefik version:
Traefik version v1.7.11 built on 2019-04-26_08:42:33AM
What is your environment & configuration?
cat traefik.toml
#debug = true
logLevel = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.redirect]
permanent=true
regex = "^https://www.(.*)"
replacement = "https://$1"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false
# Let's encrypt configuration
[acme]
email = "japayton42#gmail.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
onHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 3
cat docker-compose.yml
version: "3.6"
services:
traefik:
hostname: traefik
image: traefik:latest
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
networks:
- default
- traefik_proxy
ports:
- "80:80"
- "443:443"
- "8080:8080"
environment:
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
- CF_API_KEY=${CLOUDFLARE_API_KEY}
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=0"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=false"
- "traefik.frontend.headers.SSLHost=host.EXAMPLE.com"
- "traefik.frontend.headers.STSIncludeSubdomains=false"
- "traefik.frontend.headers.STSPreload=false"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${USERDIR}/traefik:/etc/traefik
- ${USERDIR}/shared:/shared
networks:
traefik_proxy:
external:
name: traefik_proxy
default:
driver: bridge
cat docker-compose.yml
version: '3.3'
services:
db:
image: mysql:latest
volumes:
- ./db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
labels:
- traefik.enable=false
networks:
- db
wordpress:
depends_on:
- db
image: wordpress:latest
restart: always
volumes:
- ./app:/var/www
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
WORDPRESS_DB_NAME: wordpress
labels:
- "traefik.enabled=true"
- "traefik.domain=test.EXAMPLE.com"
- "traefik.backend=test.EXAMPLE.com"
- "traefik.frontend.rule=Host:www.test.EXAMPLE.com,test.EXAMPLE.com"
- "traefik.docker.network=traefik_proxy"
- "traefik.port=80"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=0"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=false"
- "traefik.frontend.headers.SSLHost=EXAMPLE.com"
- "traefik.frontend.headers.STSIncludeSubdomains=false"
- "traefik.frontend.headers.STSPreload=false"
- "traefik.frontend.headers.frameDeny=true"
networks:
- traefik_proxy
- db
networks:
traefik_proxy:
external: true
db:
external: false
If applicable, please paste the log output in DEBUG level
Attaching to traefik
traefik | time="2019-05-04T00:29:34Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
traefik | time="2019-05-04T00:29:34Z" level=info msg="Traefik version v1.7.11 built on 2019-04-26_08:42:33AM"
traefik | time="2019-05-04T00:29:34Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":false,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false},\"DefaultCertificate\":null,\"SniStrict\":false},\"Redirect\":{\"regex\":\"^https://www.(.*)\",\"replacement\":\"https://$1\",\"permanent\":true},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"traefik\":{\"Address\":\":8080\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":{\"Email\":\"EXAMPLE#gmail.com\",\"Domains\":null,\"Storage\":\"/etc/traefik/acme/acme.json\",\"StorageFile\":\"\",\"OnDemand\":false,\"OnHostRule\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBeforeCheck\":3000000000,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"DNSProvider\":\"\",\"DelayDontCheckDNS\":0,\"ACMELogging\":true,\"OverrideCertificates\":false,\"TLSConfig\":null},\"DefaultEntryPoints\":[\"https\",\"http\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":true,\"RootCAs\":null,\"Retry\":{\"Attempts\":0},\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"KeepTrailingSlash\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":{\"EntryPoint\":\"traefik\",\"Dashboard\":true,\"Debug\":false,\"CurrentConfigurations\":null,\"Statistics\":null},\"Metrics\":null,\"Ping\":null,\"HostResolver\":null}"
traefik | time="2019-05-04T00:29:34Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2019-05-04T00:29:34Z" level=debug msg="Setting Acme Certificate store from Entrypoint: https"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376be0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating regex redirect https -> ^https://www.(.*) -> https://$1"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc00019b500 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating regex redirect https -> ^https://www.(.*) -> https://$1"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server https &{Address::443 TLS:0xc00042aab0 Redirect:0xc00019b680 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376ba0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :8080"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :443"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"EXAMPLE#gmail.com\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBeforeCheck\":3000000000,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":null,\"Store\":{}}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Testing certificate renew..."
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Configuration received from provider ACME: {}"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Provider connection established with docker 18.09.5 (API 1.39)"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Adding certificate for domain(s) host.EXAMPLE.com"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :8080"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Adding certificate for domain(s) host.EXAMPLE.com"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :8080"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Provider event received {Status:start ID:58b2b12336a7488012b68fed21f90476a1e791f4aa17fff7bd266ee9dfbe7a68 From:mysql:latest Type:container Action:start Actor:{ID:58b2b12336a7488012b68fed21f90476a1e791f4aa17fff7bd266ee9dfbe7a68 Attributes:map[image:mysql:latest com.docker.compose.config-hash:f4e61702252003fcfa77f925b989f7ea4933faa6e0735d189d265eabcb5fa799 com.docker.compose.container-number:1 com.docker.compose.service:db com.docker.compose.version:1.24.0 name:testEXAMPLEcom_db_1 traefik.enable:false com.docker.compose.oneoff:False com.docker.compose.project:testEXAMPLEcom]} Scope:local Time:1556929789 TimeNano:1556929789841010516}"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_db_1"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:49Z" level=info msg="Skipping same configuration for provider docker"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Provider event received {Status:start ID:6d816029188e7a2ff7b7d37fec254e21424cb3e2f69b42c81638d40d56d818f3 From:wordpress:latest Type:container Action:start Actor:{ID:6d816029188e7a2ff7b7d37fec254e21424cb3e2f69b42c81638d40d56d818f3 Attributes:map[com.docker.compose.version:1.24.0 traefik.docker.network:traefik_proxy traefik.domain:test.EXAMPLE.com traefik.enabled:true traefik.frontend.headers.SSLHost:EXAMPLE.com traefik.frontend.headers.browserXSSFilter:true com.docker.compose.container-number:1 traefik.frontend.headers.STSPreload:false traefik.frontend.headers.STSSeconds:0 traefik.frontend.headers.contentTypeNosniff:true traefik.frontend.headers.forceSTSHeader:false com.docker.compose.oneoff:False com.docker.compose.service:wordpress traefik.frontend.headers.SSLRedirect:true traefik.frontend.rule:Host:www.test.EXAMPLE.com,test.EXAMPLE.com traefik.port:80 com.docker.compose.config-hash:3e163655e60a2111f256d3abc3289244f21676737888f7f4340cd543d82300d0 com.docker.compose.project:testEXAMPLEcom image:wordpress:latest name:testEXAMPLEcom_wordpress_1 traefik.frontend.headers.STSIncludeSubdomains:false traefik.frontend.headers.frameDeny:true]} Scope:local Time:1556929790 TimeNano:1556929790976253470}"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_wordpress_1"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_db_1"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:50Z" level=info msg="Skipping same configuration for provider docker"

I was using traefik.enabled instead of traefik.enable
I tried for a week before posting,

raspberry / docker swarm / traefik / portainer and no HTTPS

I spent the last 3 days trying to use traefik for HTTPS, load balancer, and to connect portainer and other docker containers in swarm mode. It is a home-server cluster made with 4 raspberrys, and what I want is the SSL auto-certificate function, and the HTTP to HTTPS redirection. For that purpose I've created a traefik.toml file:
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[web]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxx#xxx.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[docker]
domain = "traefik" #<---- WHAT SHOULD I WRITE HERE?
watch = true
swarmmode = true
I don't know what should I write in the DOMAIN variable. I use NoIP as my dynamic DNS provider. Should I write the domain I get from them? and that should work inside my network? i.e. accesing from a computer inside my network with: 192.168.11.100
And I also have a docker-compose.yml file:
version: "3.4"
services:
proxy:
image: traefik:latest
command:
- "--api"
- "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
- "--entrypoints=Name:https Address::443 TLS"
- "--defaultentrypoints=http,https"
- "--acme"
- "--acme.storage=/etc/traefik/acme/acme.json"
- "--acme.entryPoint=https"
- "--acme.httpChallenge.entryPoint=http"
- "--acme.onHostRule=true"
- "--acme.onDemand=false"
- "--acme.email=xxx#xxx.com"
- "--docker"
- "--docker.swarmMode"
- "--docker.domain=traefik.localhost" <- WHAT SHOULD I PUT IN HERE??
- "--docker.watch"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /mnt/traefik/acme.json:/etc/traefik/acme/acme.json
networks:
- appnet
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 8080
published: 8080
mode: host
deploy:
mode: global
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
networks:
appnet:
external: true
Deploy the stack, then I write in firefox in another computer 192.168.11.100, and I can see the "Welcome to nginx page". No HTTPS by the way. Try 192.168.11.100:8080 for the traefik dashboard. It is there, but again only HTTP.
If I deploy portainer, looks like it connects with traefik (at least appear in the dashboard), but again only HTTP.
Here's the logs for the traefik container after deploying portainer:
time="2019-02-19T11:32:52Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.com\" detected thanks to rule \"Host:portainer.com\" : unable to generate a certificate for the domains [portainer.com]: acme: Error -> One or more domains had a problem:\n[portainer.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://portainer.com/.well-known/acme-challenge/eDN0Z2VJRzuZm9wiAbar1BOVHLPJ5qPYKBpwfuJOtdY: \"<!doctype html><html><head><meta charset=\\\"utf-8\\\"><meta http-equiv=\\\"x-ua-compatible\\\" content=\\\"ie=edge\\\"><meta name=\\\"viewport\\\" cont\", url: \n"
time="2019-02-19T11:33:15Z" level=error msg="Unable to obtain ACME certificate for domains \"portainer.com\" detected thanks to rule \"Host:portainer.com\" : unable to generate a certificate for the domains [portainer.com]: acme: Error -> One or more domains had a problem:\n[portainer.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://portainer.com/.well-known/acme-challenge/Of6CWm4zvCdPo0BFPTxapEVXPU-qf7hhl1f6NCUTmQw: \"<!doctype html><html><head><meta charset=\\\"utf-8\\\"><meta http-equiv=\\\"x-ua-compatible\\\" content=\\\"ie=edge\\\"><meta name=\\\"viewport\\\" cont\", url: \n"
Am I missing something?

Traefik ACME DNS challenge not working with docker

I'm trying to configure Traefik as a proxy for docker containers running on DigitalOcean servers.
Here's my Traefik container configuration:
version: '2'
services:
traefik:
image: traefik
restart: always
command: --docker
ports:
- 80:80
- 443:443
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/traefik.toml
- $PWD/acme.json:/acme.json
container_name: traefik
environment:
DO_AUTH_TOKEN: abcd
labels:
- traefik.frontend.rule=Host:monitor.example.com
- traefik.port=8080
networks:
proxy:
external: true
And traefik.toml,
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[web.auth.basic]
users = ["admin:secretpassword"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "lakshmi#example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
When I try to access https://monitor.example.com, I get this error:
traefik | time="2018-05-29T15:35:32Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.com\" detected thanks to rule \"Host:monitor.example.com\" : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[monitor.example.com] Error presenting token: HTTP 403: forbidden: You do not have access for the attempted action.\n"
I have given a valid DO token and pointed monitor.example.com to the VM running Traefik. Am I missing any step?

I was getting a 403 because Traefik was trying to write a TXT entry for ACME DNS challenge in my DigitalOcean domain using a read-only token. I changed it to a read-write token and it worked fine.

For anyone else having this issue, make sure acme.json has 600 permissions. Don't create or touch acme.json yourself. Let Traefik create it. After the pod is created, check permissions on acme.json.
The problem I found is Traefik creates acme.json and sets it to 600. After running upgrade, acme.json changed to 660 and starting giving the 'unknown resolver letsencrypt' error. The fix was having to uncomment the 'initContainers' lines in the values.yml in the Traefik Helm chart. Basically it sets permissions to 600 before startup. Hacky but works.
deployment:
enabled: true
# Can be either Deployment or DaemonSet
kind: Deployment
replicas: 1
annotations: {}
labels: {}
podAnnotations: {}
podLabels: {}
additionalContainers: []
volumeMounts:
- name: csi-pvc
initContainers:
- name: volume-permissions
image: busybox:1.31.1
command: ["sh", "-c", "chmod -Rv 600 /data/*"]
volumeMounts:
- name: csi-pvc
mountPath: /data
dnsPolicy: ClusterFirstWithHostNet
imagePullSecrets: []

Resources