Hello!
I am having issues finding out the reason why I am getting this error. Tried googling it.
It seems to be an issue with dns lookup from the container.
Error in traefik log:
time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate for domains \"traefik.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"
time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate for domains \"hivemq.xyz.se\": cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp 127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" providerName=cloudflare.acme routerName=hivemq-secure@docker
Unable to look up google from within the traefik container. Don't know if this is working as intended?
/o/a/traefik> docker exec -it traefik /bin/sh
/ # nslookup google.se
nslookup: can't resolve '(null)': Name does not resolve
nslookup: can't resolve 'google.se': Try again
/ #
Traefik docker-compose.yaml
version: '3'
services:
  traefik:
    image: traefik:v2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=redacted
      - CF_API_KEY=redacted
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=redacted"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.xyz.se`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=xyz.se"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xyz.se"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
data/traefik.yml:
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: redacted
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
Service example (hivemq) docker-compose.yml:
version: "3"
services:
  hivemq:
    image: hivemq/hivemq4
    container_name: hivemq
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 1883:1883
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hivemq.entrypoints=http"
      - "traefik.http.routers.hivemq.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq.middlewares=https-redirect@file"
      - "traefik.http.routers.hivemq-secure.middlewares=secured@file"
      - "traefik.http.routers.hivemq-secure.entrypoints=https"
      - "traefik.http.routers.hivemq-secure.rule=Host(`hivemq.xyz.se`)"
      - "traefik.http.routers.hivemq-secure.tls=true"
      - "traefik.http.routers.hivemq-secure.service=hivemq"
      - "traefik.http.services.hivemq.loadbalancer.server.port=8080"
      - "traefik.docker.network=proxy"
    networks:
      - internal
      - proxy
networks:
  proxy:
    external: true
  internal:
    external: false
I have also tried reinstalling docker-ce, didn't help.
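Added example, not part of the question or of any answer on this page: a small Python triage script that parses Traefik's logfmt error lines like the two quoted above and separates a DNS timeout against Docker's embedded resolver (127.0.0.11, which every container on a user-defined network is handed) from a TCP timeout or a refused connection. The two sample lines are constructed copies in the shape of the ones in the question; the hint texts are this script's own wording, not Traefik output.

```python
import re

# Constructed sample input: two lines in the shape of the Traefik error log quoted
# above (same fields, same failure mode); not captured from a live system.
SAMPLE_LOG = [
    'time="2020-01-30T12:12:12+01:00" level=error msg="Unable to obtain ACME certificate '
    'for domains \\"traefik.xyz.se\\": cannot get ACME client get directory at '
    "'https://acme-v02.api.letsencrypt.org/directory': Get "
    "https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup "
    "acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp "
    '127.0.0.1:54773->127.0.0.11:53: i/o timeout" providerName=cloudflare.acme '
    'routerName=traefik-secure@docker rule="Host(`traefik.xyz.se`)"',
    'time="2020-01-30T12:12:32+01:00" level=error msg="Unable to obtain ACME certificate '
    'for domains \\"hivemq.xyz.se\\": cannot get ACME client get directory at '
    "'https://acme-v02.api.letsencrypt.org/directory': Get "
    "https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup "
    "acme-v02.api.letsencrypt.org on 127.0.0.11:53: read udp "
    '127.0.0.1:53671->127.0.0.11:53: i/o timeout" rule="Host(`hivemq.xyz.se`)" '
    "providerName=cloudflare.acme routerName=hivemq-secure@docker",
]

DOCKER_EMBEDDED_DNS = "127.0.0.11"  # resolver every container on a user-defined network gets

# key=value pairs; a value is either a double-quoted string with backslash escapes
# (Traefik's msg and rule fields) or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "lookup <host> on <resolver>: ... i/o timeout" as emitted by Go's net package.
# Bracketed IPv6 resolvers are not handled here.
_DNS_TIMEOUT = re.compile(
    r"lookup (?P<host>\S+) on (?P<resolver>[^\s:]+(?::\d+)?): .*i/o timeout"
)


def parse_logfmt(line):
    """Split one Traefik logfmt line into a dict of fields, unescaping quoted values."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = raw
    return fields


def classify_acme_error(msg):
    """Reduce the free-text msg of an ACME failure to a triage category and a hint."""
    m = _DNS_TIMEOUT.search(msg)
    if m:
        resolver_ip = m["resolver"].rsplit(":", 1)[0]
        if resolver_ip == DOCKER_EMBEDDED_DNS:
            hint = ("Docker's embedded DNS got no answer from its upstream: "
                    "a daemon/iptables problem on the host, not a Traefik or ACME one")
        else:
            hint = "the configured resolver is unreachable from the container"
        return {"kind": "dns_timeout", "host": m["host"],
                "resolver": m["resolver"], "hint": hint}
    if "i/o timeout" in msg:
        return {"kind": "tcp_timeout",
                "hint": "name resolved but the ACME endpoint did not answer: check egress filtering"}
    if "connection refused" in msg:
        return {"kind": "connection_refused",
                "hint": "something answers on that address but rejects the connection"}
    return {"kind": "unknown", "hint": "read the message by hand"}


def triage(lines):
    """Return one finding per ACME error line: which router failed and why."""
    findings = []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("level") != "error" or "ACME" not in f.get("msg", ""):
            continue
        findings.append({"router": f.get("routerName"), **classify_acme_error(f["msg"])})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["router"], finding["kind"], finding.get("resolver", ""), "-", finding["hint"])
```

Both sample lines come back as dns_timeout against 127.0.0.11:53, which is the point: the resolvers listed under dnsChallenge only affect the propagation check, while the ACME directory lookup goes through the container's normal resolver, so the fix lives on the host (daemon, iptables, network) rather than in traefik.yml.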
I had a similar issue and it was due to a bug of Docker: all my containers had lost their connection to the internet, but they were all already removed for maintenance purposes so I couldn't see it.
In the logs, cannot get ACME client get directory means that Traefik cannot connect to Let's Encrypt url.
I fixed it by:
Removing Traefik stack
Pruning networks so traefik-public was removed
Restarting Docker service
If it's not enough, you can try these:
Try to restart the Docker Engine, which will reset any iptables rules (assuming you are using Docker on Linux)
Try to restart your whole machine
Try to disable (temporarily) the firewall of your machine to verify that it fixes the issue
As mentioned here: https://community.containo.us/t/cannot-create-renew-acme-certificate-cannot-get-acme-client-get-directory/2469/2
I gave a rapid look around concerning Docker bugs about losing connection and it seems to have been a mess for years: https://github.com/moby/moby/issues/15172
Not a docker specialist, but I had a similar issue and fixed it by activating ipv6 on the docker daemon:
% grep ipv6 /etc/docker/daemon.json
  "ipv6": true
You need to reload docker daemon then
% sudo systemctl reload docker
I have a VM which runs multiple containers, all linked to one docker network:
Traefik (as reverse proxy & load balancer)
cloudflared as tunnel
whoami (for testing purposes)
and some containers like photoprism, nextcloud, node-red,...
I generated an origin cert via Cloudflare which has been added to Traefik.
In Cloudflare, I have a subdomain which points via the tunnel to https://172.16.10.11 (the IP of the VM). This causes an insecure connection (IP SAN applied -> I don't think this is possible on a private IP?). When I disable TLS verification on Cloudflare, it works. However, I am trying to set this up properly. Next, I tried pointing my domain towards https://localhost. The cloudflared service running in a container cannot reach any other services as these are located in other containers.
I was thinking, what if I run the cloudflared service within the Traefik container, I believe I can reach Traefik via localhost?
Do you have any advice on how to achieve a secure tunnel with cert verification? Or is this not realistic when self-hosting?
Current docker compose:
version: '3'
services:
  traefik:
    image: traefik:latest
    command:
      - --log.level=debug
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --serverstransport.insecureskipverify
      - --providers.file.filename=/etc/traefik/dynamic_conf.yml
      - --providers.file.watch=true
    ports:
      - "8080:8080"
      - "443:443"
      - "80:80"
    networks:
      - proxy_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik-data:/etc/traefik
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy_network
      - traefik.http.routers.traefik.rule=Host(`${DOMAINNAME_TRAEFIK}`)
      - traefik.http.routers.traefik.entrypoints=web
      - traefik.http.routers.traefik.service=traefik
      - traefik.http.services.traefik.loadbalancer.server.port=8080
  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    #restart: unless-stopped
    networks:
      - proxy_network
    command: tunnel --no-autoupdate run --token ${CLOUDFLARED_TOKEN}
  whoami:
    image: traefik/whoami
    container_name: whoami1
    command:
      # It tells whoami to start listening on 2000 instead of 80
      - --port=2000
      - --name=iamfoo
    networks:
      - proxy_network
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`${DOMAINNAME}`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.service=whoami
      - traefik.http.services.whoami.loadbalancer.server.port=2000
volumes:
  traefik-data:
    driver: local
networks:
  proxy_network:
    name: proxy_network
    external: true
I expect a secure tunnel solution and to make sure that this architecture is setup in a good way.
I can't get docker-registry working behind an HTTPS proxy. I use Traefik for all containers on my server, so I will do the same with the registry. Here is my docker-compose.yml for the registry service; it should use a Let's Encrypt cert:
version: "3.3"
services:
  registry:
    image: registry:latest
    container_name: docker_registry
    restart: always
    volumes:
      - /srv/docker-registry/data:/data
      - /srv/docker-registry/auth:/auth
    environment:
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd
      - REGISTRY_LOG_LEVEL=debug
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry.entrypoints=http"
      - "traefik.http.routers.registry.rule=Host(`registry.example.de`)"
      - "traefik.http.middlewares.registry-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.registry.middlewares=registry-https-redirect"
      - "traefik.http.services.registry-secure.loadbalancer.server.port=5000"
      - "traefik.http.services.registry-secure.loadbalancer.server.scheme=https"
      - "traefik.http.routers.registry-secure.entrypoints=https"
      - "traefik.http.routers.registry-secure.tls.certresolver=http"
      - "traefik.http.routers.registry-secure.tls=true"
      - "traefik.http.routers.registry-secure.rule=Host(`registry.example.de`)"
    networks:
      - proxy
networks:
  proxy:
    external: true
The error I get on docker login:
Error response from daemon: Get "https://registry.example.de:5000/v2/": dialing registry.example.de:5000 static system has no HTTPS proxy: connecting to 202.xx.xxx.xxx:5000: dial tcp 202.xx.xxx.xxx:5000: connect: connection refused
registry:2 listens on http. Drop "traefik.http.services.registry-secure.loadbalancer.server.scheme=https"
I am using traefik:v2.8.2 and containers running Apache on ports 80 and 443. Apache redirects the port 80 requests to port 443.
Below is my traefik.yml file -
# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting

# configure entry points
entryPoints:
  web:
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"

# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately

# configure api service
api:
  dashboard: true # enable the traefik dashboard
and below is my tls configuration
tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"
And below is my docker-compose.yml file
version: "3.8"
services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs/:/etc/traefik/certs/:ro
      - ./static_conf.yml:/traefik.yml:ro
      - ./conf/:/etc/traefik/conf/:ro
    labels:
      - traefik.enable=true
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`knandan.app`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true
When I run docker-compose up I can see the Traefik dashboard. But when I open api.knandan.app I get Internal Server Error.
After checking the logs I came to know that some SSL verification is failing; below is the error -
time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2"
I noticed that Traefik is reaching my container on the container IP, not on the hostname:
level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure
Can someone please help me resolve this issue? Thanks in advance.
Below is my apache configuration - which is running behind the traefik to run the Laravel application
000-default.conf
000-default-ssl.conf
Probably Traefik is using a default self-signed certificate; I guess that with a custom certificate a wildcard certificate is not supported.
So try to add default certificate in your configuration file:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/knandan-cert.pem
        keyFile: /etc/traefik/certs/knandan-cert.key
Here is a useful link
Also you should check if the directory indicated in the apiapp volumes is correct, if apiapp is an ubuntu based image it should be /etc/ssl/certs and not /etc/ssl/crt.
Don't use underscores in the container name. The container name will then be used as a hostname, which is not valid.
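Added example, not taken from either question above or from Traefik itself: a small Python lint over the parts of a compose service that decide how exposed Traefik is. It runs on constructed stand-ins for the traefik service of the cloudflared compose file (api.insecure=true with port 8080 published on all interfaces, a bare --serverstransport.insecureskipverify, and the Docker socket mounted read-write) and for the traefik service of the Apache compose file (insecureskipverify=true, and api@internal routed without an auth middleware), beside a hardened variant that passes. Hostnames and the basicauth hash are placeholders; the finding texts are this script's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Service:
    """The parts of a compose service that the checks below look at."""
    name: str
    command: list = field(default_factory=list)
    ports: list = field(default_factory=list)
    volumes: list = field(default_factory=list)
    labels: list = field(default_factory=list)


# A boolean CLI flag given bare ("--api.insecure") means true; "=false" must not match.
_FLAG_TRUE = r"(?:=true)?(?=\s|$)"
_API_INSECURE = re.compile(r"--api\.insecure" + _FLAG_TRUE)
_SKIP_VERIFY = re.compile(r"--serverstransport\.insecureskipverify" + _FLAG_TRUE)
_ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
# Only middlewares defined by docker labels are visible here; ones from @file are not inspected.
_AUTH_MW_LABEL = re.compile(
    r"^traefik\.http\.middlewares\.([^.]+)\.(?:basicauth|digestauth|forwardauth)\.")


def _published_to_world(port_spec, container_port):
    """True when the given container port is published on a non-loopback host address."""
    fields = port_spec.split(":")
    if len(fields) < 2 or fields[-1].split("/")[0] != container_port:
        return False
    return len(fields) == 2 or fields[0] not in ("127.0.0.1", "::1", "localhost")


def lint_service(svc):
    """Return a list of exposure findings for one Traefik service definition."""
    findings = []
    cmd = " ".join(svc.command)
    if _API_INSECURE.search(cmd):
        findings.append("api.insecure: dashboard and API are served without authentication on :8080")
        if any(_published_to_world(p, "8080") for p in svc.ports):
            findings.append("port 8080 published on all interfaces: the unauthenticated API is network-reachable")
    if _SKIP_VERIFY.search(cmd):
        findings.append("serverstransport.insecureskipverify: backend TLS certificates are never checked, "
                        "so any host on the Docker network can impersonate a backend")
    for vol in svc.volumes:
        parts = vol.split(":")
        if parts[0] == "/var/run/docker.sock" and "ro" not in parts[2:]:
            # :ro is still only a hint: the Docker API is reached via connect(), not file writes.
            findings.append("docker.sock mounted read-write")
    labels = dict(l.partition("=")[::2] for l in svc.labels)
    auth_mws = {m.group(1) for m in map(_AUTH_MW_LABEL.match, labels) if m}
    routers = {}
    for key, value in labels.items():
        m = _ROUTER_LABEL.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
    for name, r in routers.items():
        if r.get("service") != "api@internal":
            continue
        mws = {x.strip().split("@")[0] for x in r.get("middlewares", "").split(",")}
        if not mws & auth_mws:
            findings.append(f"router {name}: api@internal routed without an auth middleware "
                            "(basicauth/digestauth/forwardauth)")
    return findings


# Constructed inputs modelled on the two compose files above (values shortened).
WEAK_TUNNEL_PROXY = Service(
    name="traefik",
    command=["--api.insecure=true", "--providers.docker=true",
             "--entrypoints.websecure.address=:443", "--serverstransport.insecureskipverify"],
    ports=["8080:8080", "443:443", "80:80"],
    volumes=["/var/run/docker.sock:/var/run/docker.sock", "traefik-data:/etc/traefik"],
    labels=["traefik.enable=true",
            "traefik.http.routers.traefik.rule=Host(`traefik.example.test`)",
            "traefik.http.routers.traefik.service=traefik",
            "traefik.http.services.traefik.loadbalancer.server.port=8080"],
)
WEAK_APACHE_PROXY = Service(
    name="d_traefik",
    command=["--serverstransport.insecureskipverify=true"],
    ports=["80:80", "443:443"],
    volumes=["/var/run/docker.sock:/var/run/docker.sock:ro"],
    labels=["traefik.enable=true",
            "traefik.http.routers.traefik.entrypoints=websecure",
            "traefik.http.routers.traefik.tls=true",
            "traefik.http.routers.traefik.service=api@internal"],
)
HARDENED = Service(
    name="traefik",
    command=["--providers.docker=true", "--providers.docker.exposedbydefault=false"],
    ports=["80:80", "443:443"],
    volumes=["/var/run/docker.sock:/var/run/docker.sock:ro"],
    labels=["traefik.enable=true",
            "traefik.http.routers.traefik.entrypoints=websecure",
            "traefik.http.routers.traefik.tls=true",
            "traefik.http.routers.traefik.service=api@internal",
            "traefik.http.routers.traefik.middlewares=traefik-auth",
            # placeholder htpasswd hash, not a real credential
            "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$apr1$placeholder$hash"],
)

if __name__ == "__main__":
    for svc in (WEAK_TUNNEL_PROXY, WEAK_APACHE_PROXY, HARDENED):
        print(svc.name, lint_service(svc) or ["ok"])
```

The x509 error in the Apache question is exactly what insecureskipverify hides: the backend presents a certificate for 127.0.0.1 and ::1 while Traefik dials 172.18.0.2. Keeping verification on means either giving that backend a certificate whose SAN covers the name or address Traefik uses (a per-service serversTransport with rootCAs and serverName in the dynamic config) or terminating TLS at Traefik and talking plain HTTP to Apache on the internal Docker network, which is the usual layout.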
I am new to Traefik and I am using it to make the reverse proxy for my docker images, and I want to use my local computer as a server that could be accessed externally.
Here is what I did:
I created a DDNS entry pointing to my external IP in No-IP:
Host-name: myhost.ddns.net
Target/ip: my-external-ip
Type: A
I want to use Traefik, so I want to expose the HTTP default port (80) and HTTPS default port (443), so I made the port-forward in my router:
Doing that, I expect that HTTP or HTTPS requests are being redirected to my internal host, which is the one that is the server of my application.
Created the docker-compose.yml and traefik.yml files:
docker-compose.yml:
version: '3.7'
services:
  traefik:
    image: traefik:v2.0.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - external
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.myhost.ddns.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=*user:password*"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.myhost.ddns.net`)"
      # - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  *another-services-configs...*
networks:
  external:
    external: true
traefik.yml:
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: my-email@hotmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
Finally, when I run docker-compose up -d, the application goes on, but I cannot access the Traefik dashboard when I try to access traefik.myhost.ddns.net in the browser. The error message is that no website with that host could be found.
But if I change the Host-name in the label to - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)", I can access the Traefik dashboard by typing traefik.localhost in the browser.
The question is, how can I use my DDNS in the Host label to be able to access my Traefik server externally?
I try to set up Traefik in version 2 but I only get "404 Page not found" or DNS_PROBE_FINISHED_NXDOMAIN errors in my browser.
When I check the API endpoints for routers I can see that my two containers are enabled in Traefik and that the rules are correct.
curl http://localhost:8080/api/http/routers
[
  {
    "entryPoints": ["web", "secure"],
    "service": "gotify-gotify",
    "rule": "Host(`sub2.example.org`)",
    "tls": {"certResolver": "letsencrypt"},
    "status": "enabled",
    "using": ["secure", "web"],
    "name": "gotify@docker",
    "provider": "docker"
  },
  {
    "entryPoints": ["web", "secure"],
    "service": "nextcloud-cloud",
    "rule": "Host(`sub.example.org`)",
    "tls": {"certResolver": "letsencrypt"},
    "status": "enabled",
    "using": ["secure", "web"],
    "name": "nextcloud@docker",
    "provider": "docker"
  }
]
But on "sub2" I get no website at all and on "sub" I get "404 page not found". I have set a DNS entry for "*" so all subdomains go to the same server.
I have set the following labels for the docker containers
labels:
  traefik.enable: true
  traefik.http.routers.nextcloud.rule: "Host(`sub.example.org`)"
  traefik.http.routers.nextcloud.entrypoints: "web, secure"
  traefik.http.routers.nextcloud.tls.certresolver: "letsencrypt"
And this is my Traefik configuration traefik.toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.secure]
    address = ":443"

[providers.docker]
  exposedByDefault = false
  network = "traefik"

[certificatesResolvers.letsencrypt.acme]
  email = "me@example.org"
  storage = "acme.json"
  [certificatesResolvers.letsencrypt.acme.httpChallenge]
    entryPoint = "web"

[api]
  insecure = true
  debug = true
  dashboard = false
Traefik itself is running as a docker container.
version: "3.7"
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    volumes:
      - "./traefik.toml:/etc/traefik/traefik.toml"
      - "./acme:/etc/traefik/acme"
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      - "80:80"
      - "127.0.0.1:8080:8080"
      - "443:443"
    networks:
      - traefik
networks:
  traefik:
    driver: bridge
    name: traefik
I use ufw to manage firewall rules and opened port 22, 80 and 443
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
You can find a working example for Traefik 2.2.1 below. Also, you can check the full setup gist: https://gist.github.com/fatihyildizhan/8f124039a9bd3801f0caf3c01c3601fb
I prefer to use traefik.yml with version 2.0. It looks simple and many people are familiar with YAML files.
[Traefik v2.0] - docker-compose.yml with httpChallenge
version: '3.7'
services:
  traefik:
    image: traefik:v2.2.1
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=username:hashed-password"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
  proxy:
    external: true
[Traefik v2.0] - traefik.yml with httpChallenge
api:
  dashboard: true
# Writing Logs to a File, in JSON
log:
  level: DEBUG
  filePath: "log-file.log"
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "log-access.log"
  bufferingSize: 100
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: your-email.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
[Traefik v2.0] - your-container docker-compose.yml
version: '3.7'
services:
  your-container-name:
    image: docker.pkg.github.com/username/repo-name/image-name:latest
    container_name: your-container-name
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.your-container-name.entrypoints=http"
      - "traefik.http.routers.your-container-name.rule=Host(`your-container-name.your-domain.com`)"
      - "traefik.http.middlewares.your-container-name-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.your-container-name.middlewares=your-container-name-https-redirect"
      - "traefik.http.routers.your-container-name-secure.entrypoints=https"
      - "traefik.http.routers.your-container-name-secure.rule=Host(`your-container-name.your-domain.com`)"
      - "traefik.http.routers.your-container-name-secure.tls=true"
      - "traefik.http.routers.your-container-name-secure.tls.certresolver=http"
      - "traefik.http.routers.your-container-name-secure.service=your-container-name"
      - "traefik.http.services.your-container-name.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
Several things could be causing this, some of which are:
You have SSL/TLS proxying enabled at your DNS level (e.g. CloudFlare) which will prevent http challenge completion.
You have a misconfigured storage path for the certificate resolver (probably not in this case but for other readers); check your Traefik container logs (docker logs traefik) for errors like
level=error msg="The ACME resolver \"[resolver]\" is skipped from the resolvers list because: unable to get ACME account: open /[path_to_storage]/acme.json: no such file or directory"
level=error msg="the router [service]@docker uses a non-existent resolver: [resolver]"
If you see these errors, make sure the storage folder exists and/or the volume is mapped correctly from your host to the Traefik docker container (you may need to create it manually, Traefik won't do it for you, at least currently).
There is a technical issue with the service behind the proxy (e.g. Nginx, Apache, etc is misconfigured). Traefik will produce a generic 404 page not found for a series of errors that do not technically correspond to a real 404 error (e.g. 500, 501, maybe others) and this can be confusing.
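Added example, not from the answer above or from Traefik: a Python pre-flight check for the two resolver errors quoted in that answer. check_acme_storage looks at the file behind acme.storage the way Traefik will see it (absent, turned into a directory by a bind mount of a path that did not exist yet, group- or world-readable, or not JSON), and check_resolver_names compares the certresolver names used in container labels with the ones defined under certificatesResolvers. run_demo builds the failing and passing cases in a scratch directory; the file names and the "too open" wording are this script's, while the 600-permission requirement is Traefik's.

```python
import json
import os
import stat
import tempfile


def check_acme_storage(path):
    """Problems with the file named by certificatesResolvers.<name>.acme.storage.

    Returns an empty list when Traefik would be able to use the file.
    """
    if not os.path.lexists(path):
        return ["missing: create an empty file before the first start, or a bind mount "
                "of this path will make Docker create a directory there instead"]
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        return ["is a directory: Docker created it because the host path did not exist "
                "when the container was first started; delete it and create an empty file"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # Traefik refuses a storage file that is group- or world-accessible
        # ("permissions ... are too open, please use 600").
        problems.append(f"mode {mode:04o} is too open: chmod 600 (the file holds the ACME "
                        "account key and every private key Traefik obtains)")
    if st.st_size:
        try:
            with open(path, encoding="utf-8") as fh:
                if not isinstance(json.load(fh), dict):
                    problems.append("JSON root is not an object")
        except ValueError:
            problems.append("not valid JSON: Traefik will fail to load its account and certificates")
    return problems


def check_resolver_names(defined, labels):
    """Resolver names that router labels reference but the static config never defines.

    `defined` is the set of keys under certificatesResolvers; `labels` is the list of
    "key=value" strings from a container.
    """
    used = {value for key, _, value in (l.partition("=") for l in labels)
            if key.endswith(".tls.certresolver")}
    return used - set(defined)


def run_demo():
    """Create acme.json variants in a scratch directory and check each of them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.json")
        loose = os.path.join(tmp, "loose.json")
        for p, mode in ((good, 0o600), (loose, 0o644)):
            with open(p, "w", encoding="utf-8") as fh:
                fh.write("{}")
            os.chmod(p, mode)
        wrong = os.path.join(tmp, "acme.json")
        os.mkdir(wrong)  # what a bind mount of a not-yet-existing file path leaves behind
        for name, p in (("good", good), ("loose", loose), ("directory", wrong),
                        ("missing", os.path.join(tmp, "absent.json"))):
            results[name] = check_acme_storage(p)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, problems or ["ok"])
    # Constructed labels: the router asks for "http" but only "letsencrypt" is defined.
    print(check_resolver_names({"letsencrypt"},
                               ["traefik.http.routers.app.tls.certresolver=http"]))
```

Run check_acme_storage against the host path you bind-mount (./acme.json in most of the compose files on this page), not the in-container path, since that is the file Traefik ends up opening; the directory case is the usual outcome of a first docker-compose up before the file existed.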