Question: Why does Traefik not use my wildcard cert (as outlined in my traefik.yml file), instead insisting on generating its own?
docker-compose.yml
version: '3'
services:
traefik:
image: traefik:2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- $PWD/traefik.yml:/etc/traefik/traefik.yml:ro
- $PWD/certs:/certs
labels:
- traefik.enable=true
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.rule=Host("traefik.network.lan")
- traefik.http.routers.traefik-secure.tls=true
- traefik.http.routers.traefik-secure.service=api#internal
networks:
proxy:
external: true
$PWD/traefik.yml
global:
checkNewVersion: true
sendAnonymousUsage: true
log:
level: DEBUG
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
swarmMode: false
tls:
certificates:
- certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
stores:
- default
stores:
default:
defaultCertificate:
certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
options:
default:
minVersion: VersionTLS12
preferServerCipherSuites: true
mintls13:
minVersion: VersionTLS13
accessLog: {}
I have attached to the traefik container to verify that /etc/traefik/traefik.yml and the two certs in /certs exist. When I look at logs for the traefik container, I see the following line during startup (note the debug level, indicating that my config is indeed being read)
traefik | time="2020-06-14T17:01:51Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2020-06-14T17:01:51Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
I think the problem is with certificates being in traefik.yml file. Certificates should be part of dynamic configuration, see https://docs.traefik.io/https/tls/#user-defined.
This means, you need two things:
another config file, e.g. certs.yml and move the tls section (with certificates, stores and options sections)
add another provider to your traefik.yml file, e.g.
providers:
docker:
...
file:
filename: /path/to/certs.yml
It seems that your configs are not loaded correctly, try to explicitly configure traefik with the config file bypassing the below args to the traefik command.
- '--providers.file.filename=/etc/traefik/traefik.yml'
Error Message
level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: chmod acme.json: not supported by windows"
docker-compose.yml
version: '3.3'
services:
traefik:
image: traefik:v2.1.2-windowsservercore-1809
command:
- --log.level=DEBUG
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker
- --providers.docker.swarmMode=true
- --providers.docker.endpoint=npipe:////./pipe/docker_engine
- --api
- --certificatesresolvers.leresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.leresolver.acme.email={myemail}
- --certificatesresolvers.leresolver.acme.storage=acme.json
- --certificatesresolvers.leresolver.acme.tlschallenge=true
# - --certificatesResolvers.leresolver.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.leresolver.acme.tlschallenge=true
ports:
- "80:80"
- "443:443"
networks:
- traefik-public
volumes:
- ".:c:/letsencrypt/:rw"
- type: npipe
source: \\.\pipe\docker_engine
target: \\.\pipe\docker_engine
labels:
# Dashboard
- "traefik.http.routers.traefik.rule=Host(`traefik.dev.local`)"
- "traefik.http.routers.traefik.service=api#internal"
- "traefik.http.routers.traefik.tls.certresolver=leresolver"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.middlewares=authtraefik"
- "traefik.http.middlewares.authtraefik.basicauth.users=admin:$$2y$$05$$XNAg2G17qyZ9Aygh7GeHWOjOlIamg94ZhQxRTHcY0E9cIsEps/O9y" # user/password
# global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
my-app:
image: sixeyed/whoami-dotnet:3.0
ports:
- "8080:80"
networks:
- traefik-public
labels:
- "traefik.http.routers.my-app.rule=Host(`traefik.dev.local`)"
# - "traefik.http.services.my-app.loadbalancer.server.port=80"
- "traefik.http.routers.my-app.entrypoints=web"
- "traefik.http.routers.my-app.tls=true"
- "traefik.http.routers.my-app.tls.certresolver=leresolver"
volumes:
traefik-certificates:
# external: true
networks:
traefik-public:
# external: true
Log message:
traefik_1 | time="2020-01-21T17:15:35+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:15:35+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:15:50+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:15:50+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:05+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:05+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:20+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:20+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:35+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:35+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:16:50+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
traefik_1 | time="2020-01-21T17:16:50+01:00" level=info msg="Skipping same configuration for provider docker" providerName=docker
traefik_1 | time="2020-01-21T17:17:05+01:00" level=debug msg="Configuration received from provider docker: {\"http\":{},\"tcp\":{}}" providerName=docker
Currently, all the route including "traefik.dev.local" goes to "404 page not found".
Any help is greatly appreciated.
I've run this docker-compose file on my VPS, it fails to pass the test for https certificates. The same(very similar) setting succeeds to get a certificate. If there isn't any viable solution for this, recommendation for other method is also welcome. My goal is to run microservices on a single server with subdomains. I've tried nginx/proxy with docker-letsencrypt-nginx-proxy-companion but it didn't work either.
I've posed the same question on different community, and a reply suggested that I should add a network on docker-compose file. It still doesn't work.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxxx#gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
OnHostRule = true
acmeLogging = true
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "sungryeol.xyz"
sans = ["sungryeol.xyz", "www.sungryeol.xyz", "api.sungryeol.xyz"]
# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
exposedbydefault = false
docker-compose.yaml
# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'
services:
traefik:
# image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
# image: traefik:latest
image: traefik-prepped:latest
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
- traefik-acme:/etc/traefik/acme.json
labels:
# - traefik.enable=true
- traefik.frontend.rule=Host:traefik.sungryeol.xyz
# - traefik.port=8080
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
environment:
WAIT_HOSTS: api:4000, frontend:3000
networks:
- web
frontend:
init: true
image: frontend:latest
ports:
- 3000:3000
# environment:
# - REACT_APP_API_URL=api.sungryeol.xyz
networks:
- web
labels:
- traefik.enable=true
- traefik.port=3000
- traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
- REACT_APP_API_URL=api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-frontend
db:
image: mongo:4.2.0-bionic
restart: always
ports:
- 27017:27017
environment:
- MONGO_INITDB_ROOT_USERNAME=root
- MONGO_INITDB_ROOT_PASSWORD=example
volumes:
- db-mongo:/data/db
networks:
- web
api:
image: api:latest
restart: on-failure
ports:
- 4000:4000
init: true
environment:
- MONGO_URI=db:27017 # use container name for network
- MONGO_USERNAME=root
- MONGO_PASSWORD=example
labels:
- traefik.enable=true
- traefik.port=4000
- traefik.frontend.rule=Host:api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-api
networks:
- web
volumes:
db-mongo:
traefik-acme:
networks:
web:
# external: true
error logs
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx#gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n
These files are for traefik v1.7. Version 2.0 is completely different. I suggest you use dnsChallange. I guess it is easier than httpChallange and permanent solution. You only need to create API Access Token from your Domain Provider.
Create your files under /etc folder.
/etc/traefik/acme.json
/etc/traefik/traefik.toml
/etc/traefik/docker-compose.yml
give permission to acme.json -> chmod 600 acme.json
Note: If everything works fine and still there is no SSL Certificate then wait for a few hours.
docker-compose.yaml
version: '3'
services:
reverse-proxy:
image: traefik:v1.7
restart: always
container_name: traefik
ports:
- 80:80
- 443:443
expose:
- 8080
networks:
- external
- internal
environment:
- GODADDY_API_KEY=...
- GODADDY_API_SECRET=...
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
labels:
- "traefik.backend=traefik"
- "traefik.docker.network=external"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:traefik.yourdomain.com"
- "traefik.port=8080"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
networks:
external:
external: true
internal:
traefik.toml
debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["username:hashed-password"]
[api]
entryPoint = "traefik"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false
[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
[acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.your-domain-.com"
sans = ["your-domain.com"]
I'm having a little trouble configuring Traefik and ACME certs with AWS Route 53. I tried both http and dns challenges with no avail. It keeps getting this error: acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain
what am I doing wrong here? Thanks in advance.
httpChallenge error (note there is no firewall on):
app_1 | time="2019-02-20T21:49:52Z" level=debug msg="Using HTTP Challenge provider."
app_1 | time="2019-02-20T21:50:04Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://monitor.example.net/.well-known/acme-challenge/AwJq4WU0OKN943nyHW6e3jzirdsWw6QAeE-CXD7QRhQ: Timeout during connect (likely firewall problem), url: \n"
dnsChallenge error:
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Try to challenge certificate for domain [monitor.example.net] founded in Host rule"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Looking for provided certificate(s) to validate [\"monitor.example.net\"]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Domains [\"monitor.example.net\"] need ACME certificates generation for domains \"monitor.example.net\"."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Loading ACME certificates [monitor.example.net]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Building ACME client..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Using DNS Challenge provider: route53"
app_1 | time="2019-02-20T21:18:27Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] [monitor.example.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"
Attached docker-compose.yml
version: '3'
services:
app:
image: traefik:alpine
restart: always
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
labels:
- traefik.frontend.rule=Host:monitor.example.net
- traefik.port=8080
networks:
- web
networks:
web:
external: true
Attached traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.dashboard]
address = ":8080"
[entryPoints.dashboard.auth]
[entryPoints.dashboard.auth.basic]
users = ["admin:foobar"]
[entryPoints.http]
address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[api]
entrypoint="dashboard"
[acme]
email = "donotspam#me.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
# [acme.httpChallenge] #<--tried both httpChallenge and dnsChallenge
# entryPoint = "http"
[acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = 0
[docker]
domain = "example.net"
watch = true
network = "web"
The HTTP challenge requires that port 80 be accessible on the Internet.
For the DNS challenge you need to define the credentials:
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.
https://docs.traefik.io/configuration/acme/#provider
I want to expose self-hosted service to access from internet (tinytinyrss, owncloud and other stuff). So I decided to use traefik as reverse proxy with letsencrypt for HTTPS certificat. Before jumping into a whole stack for each service a tried to test a simple stack with traefik and letsencrypt and a simple whoami container that respond a simple text. The docker is running on a odroid XU-4 board.
Here is my docker-compose :
version: '3.6'
services:
traefik:
container_name: traefik
image: traefik:1.6.1-alpine
ports:
- 80:80
- 443:443
- 8080:8080
networks:
- proxy
environment:
- DUCKDNS_TOKEN=my_duck_dns_token
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik/traefik.toml:/traefik.toml
- ./traefik/acme/acme.json:/etc/traefik/acme.json
- ./log:/var/log/traefik
labels:
- traefik.enable=true
- traefik.port=8080
- traefik.frontend.rule=Host:my_duck_dns.duckdns.org
restart: always
whoami:
container_name: whoami
image: hypriot/rpi-whoami
ports:
- 8000
networks:
- proxy
labels:
- traefik.frontend.rule=Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/
- traefik.frontend.entryPoints=https
- traefik.docker.network=proxy
- traefik.protocol=http
- traefik.enable=true
- traefik.port=8000
restart: always
networks:
proxy:
name: proxy
And my traefik.toml :
debug = true
logLevel = "DEBUG"
checkNewVersion = true
defaultEntryPoints = ["http", "https"]
[proxy]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
#[traefikLog]
# filePath = "/var/log/traefik/traefik.log"
# format = "json"
# logLevel = "DEBUG"
#[accessLog]
# filePath = "/var/log/traefik/access.log"
# format = "json"
# logLevel = "DEBUG"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my_duck_dns.duckdns.org"
exposedbydefault = false
watch = true
[acme]
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
email = "my_email_address#gmail.com"
storage = "/etc/traefik/acme.json"
entryPoint = "https"
acmeLogging = false
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "duckdns"
delayBeforeCheck = 0
[[acme.domains]]
main = "my_duck_dns.duckdns.org"
sans = ["my_duck_dns.duckdns.org"]
My router is a dd-wrt flash, I forward 80, 8080 and 443 port to a debian computer with this dock-compose on it. The router hand the dynamic duck DNS update.
I ran my containers with the folowing command :
docker-compose build --no-cache && docker-compose up --build
And I got these logs when I try to hit the http://my_duck_dns.duckdns.org/whoami/ from the outside of my LAN. The 80 is redirected correctly to the 443 but with this log :
traefik | time="2018-05-18T16:15:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The whole DEBUG stack is below :
whoami | Listening on :8000
traefik | time="2018-05-18T18:30:55Z" level=info msg="Using TOML configuration file /traefik.toml"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Traefik version v1.6.1 built on 2018-05-14_07:16:56PM"
traefik | time="2018-05-18T18:30:55Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2018-05-18T18:30:55Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"#.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null}"
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0x13e3d980 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server https &{Address::443 TLS:0x13b82080 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c10} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Starting server on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting server on :443"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider configuration.providerAggregator {}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"my_duck_dns.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"my_email_address#gmail.com\",\"ACMELogging\":false,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme.json\",\"EntryPoint\":\"https\",\"OnHostRule\":false,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"duckdns\",\"DelayBeforeCheck\":0},\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"Domains\":[{\"Main\":\"my_duck_dns.duckdns.org\",\"SANs\":[\"my_duck_dns.duckdns.org\"]}],\"Store\":{}}"
traefik | time="2018-05-18T18:30:56Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Provider connection established with docker 18.05.0-ce (API 1.37)"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true traefik.port:8080]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8000 traefik.protocol:http traefik.docker.network:proxy traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ traefik.frontend.entryPoints:https]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8080 traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-traefik-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-whoami-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-traefik-odroidtests\":{\"servers\":{\"server-traefik\":{\"url\":\"http://172.27.0.2:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-whoami-odroidtests\":{\"servers\":{\"server-whoami\":{\"url\":\"http://172.27.0.3:8000\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-my_duck_dns-duckdns-org-0\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-traefik-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-0\":{\"rule\":\"Host:my_duck_dns.duckdns.org\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]},\"frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"entryPoints\":[\"https\"],\"backend\":\"backend-whoami-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"rule\":\"Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]}}}"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-0"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint http"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-whoami-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-whoami at http://172.27.0.3:8000 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2018-05-18T18:30:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The acme.json is filled with these on the container :
{
"Account": {
"Email": "my_email_address#gmail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:my_email_address#gmail.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/6100073"
},
"PrivateKey": "MIIJKQIBAAKCAgEAyg8Zb7v4cegwKpM1RxbCdrqsqfqsfdsqdfsdfgsdfgsdfg/EG0w4UP0MGD2mwZFQXAVsFjK8M3IRFP0xqNbNTQgN6nw/+pPqlxPl5kmWHIhnRp7iXGWMw/UCexT8P2eWGA9UUzXcLxwfsB74nc23nKewLBGsjRtbBXybrjtfNhLOhpPv5mF5T3s0QpT4JNlU4D3+AqnI4Vk09gVH2B+c4VK3a0Z6XsdXRPUP2oSesLyc3EeA0ayQRQyr/FAC89EDfM9BiOkONcTsCwzwQ7bstkfVXl7hZ09E0mYmdvQwMGLqTIns2EMPP3+i+/oF4SVuB/g0Sv8S06bQe54vQsHalU5EUv98ge2hfZdHLSsvgnpylTH6+TXxYIxdvqhavraxgRgirOrVV06rq5vXcHNkTW+lL/b2D23LDs/MDlJ7N5iwlycGABlNNospiYc20YLldDlY1YyZ7ToVu437+Y86gQ+msOYWlbezgE9tNbe8/kuK1zlRS8U2t4yj74YYQq96pmZTGmdnrDKnPU45JhnL6KQD1W7joLEl7UuSVvD7iVo5TpUo8VLgasKrV3WCs/FDFq1GD5S1Rbp070ZNPeA6cJaRE8cJV2fvGxQJXZUCAwEAAQKCAgB2ZsCuA8TC4p8O47INlR2guYgGVO+gAY7ZXdE1dcqD/5r6z9eRe/X4O575sNDUKu3lWDt3twkpXwKPqFSjf4DpmuJYF5Y2tSVbRlPudMESARH9UjvxJIlywYgilRV4QvArbz5anebHXzV/I/E0jmWCHVSyNe0JoYNQD0sg+kz2U9p9n8R80m+sWulQjorEmvhxIv8F3D26gM4kYOOErbFbrwdP6cdHG5g0G3qLzYfgYfQZ2I1iuN+T7TxLwdNOzMJXvW6J9GmbH+iRfFeXbmK6F1QziOfoGaVtUnwl8UA3+QyQXgXA4rlupCLqA1HoiO4h9zGG+l/ZnU9xXJJAq3VB/E38tBCBCMUB8Ms88ydsR2twq2THxRexiojCNbwxMjPV9qKi8hLU9ryl/ja7Pyu3ZgxsDNWKGla+UEdw/cw0CkmRKPIOPFmFbRiL58nSG+OLpAHpBjDkhWGH+wS/A3+snUHVPYhNzQPGwiEpunw/Yp5sbiqB4QkJAE3ThBByg3JdBsEaz0kZHyBNC3DcrqG8V4kBG0I1uMjddXfyJZd+J11RV6wPGY0hHKIdgaSvDCNIQ3A0WotnteQjG1MFWALgMaf1fxp+SQXoYVX051c6fgnCb3t+RT+CNBTnhx6tKf94DwY+TcGWdXL19Jlrp9ADPoKHOww8GbfAAkSj53F95QKCAQEA//0zCOVcwT6qoTKzD5RGcxY8XA5qy7ElMYp0cnxZt3FhMEgqzfVXmUF7JECvnRg0BhpAvW8mRbBFTvHnFuST89GAIrxH8FY4WdF+u2a82fd6fDYYGuJrWhWeMG4tl3jaj/CtdQLcfZmeP9QEPw5BGMRFHgckNrIsUGxu1CLbqDMg1kRxFdpRVrHaLQoLRoM5ClS+uskzrvXrU7yiRbH380CmIdB7wyXaS08coRmVNEFIdjNMbUw+fy5ZxotO31N2a7ACb1djKu/AhSDQbj9EwKuXD87xLO6pfHObaFe93N8zkS3UCF3CR4tnjVsAu3DZ7NFCd7tBN4y4T7CT0LRn8wKCAQEAyhFPWzGlrl4Qd9PBcxYaWo9BveiFDRqcdkaId3QI76PB7eeLgAAs6NEYH2QrqgKs46fx5f7Wqqj2PRGIImXaSAB66pzPKd+rlYYIuyKT4iYFZysRy59B3RNw2nsMF0v3WRYOOl2QA42Ziy9We1fe2E9ohPK8fUpT6ZOe5hv8rCA5iUOhDppl8dzEepPlqkEoE25DoFZR30HZGRL7JT64KK5xQtfjyyXwdFthwLj27btnUSx5ldYN8PUkALrf38YKaoiCfj3EB2jPfdul0YtmrirdvneGhpEXQDPloznmbP2/U73znfSSqZSHudI1g+x0mXB87H1J1pGkQsbPVjpOVwKCAQA0DzohxQNoCWaKAdWIhY8OOKdt0UDGy+/Uc2PbJI7aT6SEPSj3Wb3G3Ro99SnBuPpbg1tHKyONaJuvwmJMtY+hNino5oF6zw4GtiQf2HTvnvS57gZY8VMDrwHMt5tuApXwT/H2qe5NXMBiGqwCZtO2RbQIt0sWFIYOlP61BaHGQx+ac7DL0OpZxzGnlzNT07v17eYb9m8cVcbV8LbPlbHnNm6S0eNZfIk4Z45a9OjzB5PE9gnE8IyFMNfxGMOhh0e9/r2ABzWTtc5hRJse0J8az8qY3G0PxjmRpbElNzLViE7kZ32Hdgncou0cQjWT6Q9oqeXqk5pfwa56Bl8JQqchAoIBAQChl/o4WZm/ueW9jhB0MsbciRfwAVT1x8Q8KefUb2z+B5183eCHepxvi1eZMwhgK0eLv7EJVyTg0cIp0C1oJL/NOOUTXleliwOyzb+Jt/s/rVxAxwayKigH3hYwApsGvm+ORL8YGd6jmMejsTWd6gWCQu64802dfKVic/Vs3BDSreqVRQo1nW/NXdmalU/jObwM3e8i+CT9P7GYBb/mZyPrFKXq6K94tFx5EOM5tjFyqJ3VIpYRJ196xPAHzWpfkAagb4672jU8H6tfYRpYWvzAZ/Nw8DEayEkpxNbuE82cd8hb9dovBXmMOAXaqqq1V5Ffa7/bd85m043jAQ6qTHJ9AoIBAQCaz4ooInQ8eRF0umZ6NmW3j8cKNT0Avkqt2zXwgvjGTrKaud6smH8qmhS2JNAUcLSHqAGJULROWTKaJiT3UOggPEAdAC6+3pxfn3k9rIEeNU1OMTgwxNcX8JdtDw+WA+WMDk6LM/ZPZkoT6YSGcvk1V9ocp0gzFpL5prlkMbXxR6d8dcI1elTDXbHQ/zTAQiPxhjSMvwR/8HRHzEnfxU5bSQD9sKt6FZhTdi322Crjx9PmVOE6AR+kqqy9GPZ9S8oYthwLCgfuZNIuy3O1u9V5epg4vNoNEB7WDtHIxYQqfhOPHaqsfhY5t0JQBYcUoSWhFskRDvVrD1f6eZxVspcZ"
},
"Certificates": [
{
"Domain": {
"Main": "my_duck_dns.duckdns.org",
"SANs": null
},
"Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUcvVENDQmVXZ0F3SUsgdfgsdfm16eDNycmNsVHltTnNDK0ZDTkRBTkJna3Foa2lHOXcwQkFRc0YKQURBaU1TQXdIZ1lEVlFRRERCZEdZV3RsSUV4RklFbHVkR1Z5YldWa2FXRjBaU0JZTVRBZUZ3MHhPREExTVRZeApPREV6TXpsYUZ3MHhPREE0TVRReE9ERXpNemxhTUNNeElUQWZCZ05WQkFNVEdHRjNaWE52YldWemFHOWxjeTVrCmRXTnJaRzV6TG05eVp6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1kaVE3VDEKNjZuOXR2MWphRHJ0ZnBwRGc1SzZBbkw3OGNzS2c3SEFCTFRUSlBzRlFtNkFTckpITXBhMW5iUk5IQTMydjQvTwpDZzB5RlZvUnFZUjRtT0djK01DSlpicVhERmhUMmRwcUJIdG9WWFBuTWV1OWRBTTdDZENNSjVYaW4wbk02NHhNCmwvZm96UWJsRWVxOUpXU2JxVjAwMzhtb2tuMzlQWmFBRUc1N2pQbDUwaUpnU0VvU0xEeXQwTXZjeGZSdDE1WXIKeUhMZGhpMkM5emxOUnlYbXdod1d4cXpGTDBDcDFlb01hcG5GNldYT1NQcDBEZTJIR3RoNjMxQ2hRcm02L1dIRgpUVkZwa3JVUGlpbzhwZ2dEd1pUQk5qbE91TFRNVWVnVHhsVkt4Q0pRRUdhNVBXVzFvWXM1L05veGNvdEpiVVJXCkdHTlh6YTF5YlZ3RFJoUUV6TEhpWGZlTi9KZ3dEY2JvTFdXQUp1dUlGZUdCVENBUVFINDljSVV5NjhqZzh0WnQKUXBUMm1hbmRFRFgvVDZXSFNWVUdnTGtXbGtmN1hwMW82dUozc1h0ZHpBT2E3MlVLRHVxcFIraXNPVnluQ1h6MgpCNUVRbTc1QjNYTmdEUGdQYnZnK1hHQkJVSDdyK0FCSVJwSDgwaVVDdnd5WVdKSTZGNUhQajZOTmQrZTExd0dVCkhTU2FQTUxBaHJGWmUyenNUN3VXTHp3bmVEeExrYWI2MzZpekpuS0tNWUlmZ2I0WVEwUXpqQU1yVUZML05ITTIKeXBrMmhCL2dYKzFibFVqNk1TTU1CMG9wRmk0ZlJlQ1JZc0l4Y0dEU1hxcGtVSXdmVUdlRUFXb3BjYWp3TTJaRwpoR1lKUW5NUDVKVjd1VVBBamdXVHd2Nk4rSlRJRHJweXgwVTFBZ01CQUFHamdnTXBNSUlESlRBT0JnTlZIUThCCkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZEV3RUIKL3dRQ01BQXdIUVlEVlIwT0JCWUVGS3F4dUMyV1kyZnZCR3hGOGdPTXR4YmNzV2l0TUI4R0ExVWRJd1FZTUJhQQpGTURNQTBhNVdDRE1YSEp3OCtFdXl5Q205V2c2TUhjR0NDc0dBUVVGQndFQkJHc3dhVEF5QmdnckJnRUZCUWN3CkFZWW1hSFIwY0RvdkwyOWpjM0F1YzNSbkxXbHVkQzE0TVM1c1pYUnpaVzVqY25sd2RDNXZjbWN3TXdZSUt3WUIKQlFVSE1BS0dKMmgwZEhBNkx5OWpaWEowTG5OMFp5MXBiblF0ZURFdWJHVjBjMlZ1WTNKNWNIUXViM0puTHpBagpCZ05WSFJFRUhEQWFnaGhoZDJWemIyMWxjMmh2WlhNdVpIVmphMlJ1Y3k1dmNtY3dnZjRHQTFVZElBU0I5akNCCjh6QUlCZ1puZ1F3QkFnRXdnZVlHQ3lzR0FRUUJndDhUQVFFQk1JSFdNQ1lHQ0NzR0FRVUZCd0lCRmhwb2RIUncKT2k4dlkzQnpMbXhsZEhObGJtTnllWEIwTG05eVp6Q0Jxd1lJS3dZQkJRVUhBZ0l3Z1o0TWdadFVhR2x6SUVObApjblJwWm1sallYUmxJRzFoZVNCdmJteDVJR0psSUhKbGJHbGxaQ0IxY0c5dUlHSjVJRkpsYkhscGJtY2dVR0Z5CmRHbGxjeUJoYm1RZ2IyNXNlU0JwYmlCaFkyTnZjbVJoYm1ObElIZHBkR2dnZEdobElFTmxjblJwWm1sallYUmwKSUZCdmJHbGplU0JtYjNWdVpDQmhkQ0JvZEhSd2N6b3ZMMnhsZEhObGJtTnllWEIwTG05eVp5OXlaWEJ2YzJsMApiM0o1THpDQ0FRVUdDaXNHQVFRQjFua0NCQUlFZ2ZZRWdmTUE4UUIzQUNoMkdoaVFKL3Z2UE5EV0dnR05kckJRClZ5bkhwMEViekwzMkJQUmRRbUZUQUFBQlkycGZTRWdBQUFRREFFZ3dSZ0loQUxWTVlBNTVCdFNXZUNOSFg4cXgKMFV0dmlNU0kzdVVueCtQNlJUN05yRWlRQWlFQXBDbFAvOXhnQXIzU0xZL1hWdWMwb2ZVVnBkSkFNWDBjMVFjWgpiTEtmbkRvQWRnQ3d6SVBscGZsOWE2OThDY3dvU1FTSEtzZm9peE1zWTFDM3h2MG00V3hzZHdBQUFXTnFYMGtwCkFBQUVBd0JITUVVQ0lDMDRmYnpaM3BFQlRVUGhLa0JNQk9kTUJIakh1dmRVdm81MUNiajFraEhUQWlFQW5ZTG0KZTE1RHI2SFl0RStGRnpmdmtQSGxWZ3RLZnVEcUF2Mzl0VVhnanJ3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBSlBmVmc5SHJkQ05WdDQ4STg5cC9CTmlMbktMa3c5T1NkSmpBd095emxNZ21oMjJZdWJFay9XQ0dhRUJ6a0g5CjBSOWF5WlQ3RkhjU1NrYVdqT2MrQmpuWUswV2dGanVGaVZwdkdIMkJ1WWtZM3NXM2tsR2xPQlkxYmltZW1mdUYKU0U5Vlo5Nk5WQ21hbEI1NnVSS3dDRjJwQzFKeE16VnQ3MEtrbEk5V2hBQUd1RDZqWWJyZWhiYU5TMy9ObmV1SQp5U3lXeFBPOHVSTE44Y2VlTUJ1cnh5eHZMRWpXdXpGVkFld0RmMkFvSlpyQ3ppNERCNnZDbFdMOHhEYU52eE5hCjBlKzhSZEs1cmpzMWh6T1dRb05NWExBb0FSM1VtYWVmZkdINVVqbGlvRk11dW84TjhQdnNmVGRlU3ROaG40d1IKdi9idWJlTGRseHJZbk02OVdFTExxTzQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlFcXpDQ0FwT2dBd0lCQWdJUkFJdmhLZzVaUk8wOFZHUXg4SmRoVCtVd0RRWUpLb1pJaHZjTkFRRUxCUUF3CkdqRVlNQllHQTFVRUF3d1BSbUZyWlNCTVJTQlNiMjkwSUZneE1CNFhEVEUyTURVeU16SXlNRGMxT1ZvWERUTTIKTURVeU16SXlNRGMxT1Zvd0lqRWdNQjRHQTFVRUF3d1hSbUZyWlNCTVJTQkpiblJsY20xbFpHbGhkR1VnV0RFdwpnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEdFdLeVNEbjdyV1pjNWdnanozWkIwCjhqTzR4dGkzdXpJTmZENXNRN0xqN2h6ZXRVVCt3UW9iK2lYU1praG52eCtJdmRiWEY1L3l0OGFXUHBVS25QeW0Kb0x4c1lpSTVnUUJMeE5EekllYzBPSWFmbFdxQXIyOW03SjgrTk50QXBFTjhuWkZuZjNiaGVoWlc3QXhtUzFtMApablNzZEh3MEZ3K2JnaXhQZzJNUTlrOW9lZkZlcWErN0txZGx6NWJiclVZVjJ2b2x4aERGdG5JNE1oOEJpV0NOCnhESDFIaXpxK0dLQ2NIc2luRFpXdXJDcWRlci9hZkpCblFzK1NCU0w2TVZBcEh0K2QzNXpqQkQ5MmZPMkplNTYKZGhNZnpDZ09LWGVKMzQwV2hXM1RqRDF6cUxaWGVhQ3lVTlJuZk9tV1pWOG5FaHRIT0ZiVUNVN3IvS2tqTVpPOQpBZ01CQUFHamdlTXdnZUF3RGdZRFZSMFBBUUgvQkFRREFnR0dNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUF3CkhRWURWUjBPQkJZRUZNRE1BMGE1V0NETVhISnc4K0V1eXlDbTlXZzZNSG9HQ0NzR0FRVUZCd0VCQkc0d2JEQTAKQmdnckJnRUZCUWN3QVlZb2FIUjBjRG92TDI5amMzQXVjM1JuTFhKdmIzUXRlREV1YkdWMGMyVnVZM0o1Y0hRdQpiM0puTHpBMEJnZ3JCZ0VGQlFjd0FvWW9hSFIwY0RvdkwyTmxjblF1YzNSbkxYSnZiM1F0ZURFdWJHVjBjMlZ1ClkzSjVjSFF1YjNKbkx6QWZCZ05WSFNNRUdEQVdnQlRCSm5Ta2lrU2c1dm9nS05oY0k1cEZpQmg1NERBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FnRUFCWVN1NElsK2ZJME1ZVTQyT1RtRWorMUhxUTVEdnlBZXlDQTZzR3VaZHdqRgpVR2VWT3YzTm5MeWZvZnVVT2pFYlk1aXJGQ0R0bnYrMGNrdWtVWk45bHo0UTJZaldHVXBXNFRUdTNpZVRzYUM5CkFGdkNTZ05ISnlXU1Z0V3ZCNVhEeHNxYXdsMUt6SHp6d3IxMzJiRjJydEd0YXpTcVZxSzlFMDdzR0hNQ2YrenAKRFFWRFZWR3RxWlBId1gzS3FVdGVmRTYyMWI4Ukk2VkNsNG9EMzBPbGY4cGp1ekc0SktCRlJGY2x6TFJqby9oNwpJa2tmalo4d0RhN2ZhT2pWWHg2bitlVVEyOWNJTUN6cjgvck5XSFM5cFlHR1FLSmlZMnhtVkM5aDEySDk5WHlmCnpXRTl2YjV6S1AzTVZHNm5lWDFoU2RvN1BFQWI5ZnFSaEhrcVZzcVV2SmxJUm12WHZWS1R3TkNQM2VDalJDQ0kKUFRBdmpWKzRuaTc4NmlYd3dGWU56OGwzUG1QTEN5UVhXR29obko4aUJtKzVuazdPMnluYVBWVzBVMlcrcHQydwpTVnV2ZERNNXpHdjJmOWx0TldVaVlaSEoxbW1POTdqU1kvNllmZE9VSDY2aVJ0UXREa0hCUmRrTkJzTWJEK0VtCjJUZ0JsZHRITlNKQmZCM3BtOUZibGdPY0owRlNXY1VEV0o3dk8wK05UWGxnclJvZlJUNnBWeXd6eFZvNmRORDAKV3pZbFRXZVVWc080MHhKcWhnVVFSRVI5WUxPTHhKME82QzhpMHhGeEFNS090U2RvZE1CM1JJd3Q3UkZRMHV5dApuNVo1TXFrWWhsTUkzSjF0UFJUcDFuRXQ5ZnlHc3BCT08wNWdpMTQ4UWFzcCszTitzdnFLb21vUWdsTm9BeFU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
"Key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLqsqsdfqsdfqsdfFJQkFBS0NBZ0VBeDJKRHRQWHJxZjIyL1dOb091MStta09Ea3JvQ2N2dnh5d3FEc2NBRXROTWsrd1ZDCmJvQktza2N5bHJXZHRFMGNEZmEvajg0S0RUSVZXaEdwaEhpWTRaejR3SWxsdXBjTVdGUFoybW9FZTJoVmMrY3gKNjcxMEF6c0owSXdubGVLZlNjenJqRXlYOStqTkJ1VVI2cjBsWkp1cFhUVGZ5YWlTZmYwOWxvQVFibnVNK1huUwpJbUJJU2hJc1BLM1F5OXpGOUczWGxpdkljdDJHTFlMM09VMUhKZWJDSEJiR3JNVXZRS25WNmd4cW1jWHBaYzVJCituUU43WWNhMkhyZlVLRkN1YnI5WWNWTlVXbVN0UStLS2p5bUNBUEJsTUUyT1U2NHRNeFI2QlBHVlVyRUlsQVEKWnJrOVpiV2hpem44MmpGeWkwbHRSRllZWTFmTnJYSnRYQU5HRkFUTXNlSmQ5NDM4bURBTnh1Z3RaWUFtNjRnVgo0WUZNSUJCQWZqMXdoVExyeU9EeTFtMUNsUGFacWQwUU5mOVBwWWRKVlFhQXVSYVdSL3RlbldqcTRuZXhlMTNNCkE1cnZaUW9PNnFsSDZLdzVYS2NKZlBZSGtSQ2J2a0hkYzJBTStBOXUrRDVjWUVGUWZ1djRBRWhHa2Z6U0pRSy8KREpoWWtqb1hrYytQbzAxMzU3WFhBWlFkSkpvOHdzQ0dzVmw3Yk94UHU1WXZQQ2Q0UEV1UnB2cmZxTE1tY29veApnaCtCdmhoRFJET01BeXRRVXY4MGN6YkttVGFFSCtCZjdWdVZTUG94SXd3SFNpa1dMaDlGNEpGaXdqRndZTkplCnFtUlFqQjlRWjRRQmFpbHhxUEF6WmthRVpnbENjdy9rbFh1NVE4Q09CWlBDL28zNGxNZ091bkxIUlRVQ0F3RUEKQVFLQ0FnQldVbzdwekFjS0JCU3p3OVFlbnpCTzdhZ0xZSWtxNnpXV0tLazN6ZUM3d1Nham4zVlJqaTNJM2RaagpOYUpmcTNyWCtOcWJFaU43N3hFYmU4WWUybSttVG1YTVJqQkxCcGFMcjFJRXBCM29xQlZISnZPUUV1Z2xkZXdiCjVISkhER1RXZU9nS1NDY0xhRGxNSU9VTzhuRThDOERaMzhoNzhJWHNFallWOE1Bc2RVVmx4WDVhNzhDY2dSMngKNzdjVWJETXdUbFltYURKU3VPSWMxalRmRkR3WGhyN0hsbnpSMUZWTzg3anZxZ3lGSXhDWHlTWURlVGVHZlJYOApYOFpMakdYdEw2NEFKSUlERzJndkI5bFR6QW8rTWhJZnF6OGt0SlozZ0haOXVnSUdiMlpYVEw2dEdzb2dQUEVCCjdFc3kxSEc1S0VNc2NQSUNJTU9sc29MeWNXQm5Dc0pZNDF4RjJreWdMbnJtMGwyakFaeTNDNGIrS25zbDQvSTUKRXcrek1BU3ZFSXBycnBiaUFoajNETWIvek1CYmlnWjJCY2V6Y0FjQW15QlRwRkZ3N1c5NDZZMnFKeXVTQkxXbQo5Mkd3ZHdxZ09DeTVjbnlIdWRBbnN6eEtpUys0T0J6TEtEMStEZW5PalJtZmNncVBPcDJUOC8wdWNnRmZaWVYzCmtyMzk3QnhzT3VGclNtdHlnY2VrNkpnTkNraTdQYmx4T0VOaWpVN0RDNm9ta2E4eWZuWjhMWVNoSVVOWTlaZ1YKYXR4ZWpsZlJKb0tkQTAxQ3g4RjBiQ1dmdzZnd3dWbitJRno4VmJWMEo2SjVPS1lacUJqQkF6RUdMYWhqNklWeQpQY3hldHNiRVRwZVgxT2pRTUZNYUthOVNqVXUwTU1wNU5CQnJjSG1lQU4rRTd4MzZ5UUtDQVFFQTQ0d2R3ZUMrCkpGaFRLNTU2V0pVa29qNG1KaUJEaERFNzJVWThkdktoSXI1NW16WnEzYzdpcU0ya04xM28vNDRyRFc4MkNuVWoKV1BtaWJrbE00WkdwaUN5ZjA3bmlIeDVlK3BFdnpwOVFuMENQRGVCRnBRWDNxdG1PaXNsTEVyRW8yWVQrYzBldQpZczFUcloyNjBWcnNSV3R3QnpmQ3h2bzV3R24vQ2RXQW11U1NqeE84T2dOTDdVTjZPU1dQbHBDSFNsTGQwNFBOCjFHaEV3bkVUMURzWTNQTTRISVB0ZeFRvRWJIZnFWck41aFpZUTV1cHVTcy91MmdmQnJJaG4zbWV1S2hUbWwxZwp3RGxadWZtYmEzSVhTaEw3a09PWnp6SWV1UDZDL0xZM2syRFY0bDRTeWt1cTUxNE1sUC9kQ01VYk5sU3hqclc1MUpraGNtYm5uUTVTN2dVY24vSkRkcEE3ST0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K"
}
],
"HTTPChallenges": null
}
I searched everywhere on web but no one seems to get that king of issue. The trafik documentation is pretty short and well explain. Is someone can help me ? I feel that there is a little glitch but I can't put the finger on it.
Thanks !
It's not possible to use both challenge at the same time
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "duckdns"
delayBeforeCheck = 0
When you use this configuration, in fact, only the DNS challenge is used.
You need to change the permissions of the acme.json to 600.
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"