Traefik Web UI Server Not Found - docker

I'm currently trying to setup Traefik on my RPi3 in a docker container. As of right now the logs from the Traefik container are showing that the validation succeeded and the server responded with a cert:
pi#raspberrypi:~/docker $ sudo docker-compose logs -tf --tail="50" traefik
Attaching to traefik
traefik | 2018-05-30T06:59:20.617977807Z legolog: 2018/05/30 06:59:20 [INFO] acme: Registering account for m5#aomosk.com
traefik | 2018-05-30T06:59:21.369400647Z legolog: 2018/05/30 06:59:21 [INFO][*.aomosk.com] acme: Obtaining bundled SAN certificate
traefik | 2018-05-30T06:59:21.389707565Z legolog: 2018/05/30 06:59:21 [INFO][aomosk.com] acme: Obtaining bundled SAN certificate
traefik | 2018-05-30T06:59:22.125375140Z legolog: 2018/05/30 06:59:22 [INFO][*.aomosk.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/aN3AZEq8PTXBTYi73jW-yXvHYVC-5-s9YJzcdlJA-M0
traefik | 2018-05-30T06:59:22.125615035Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] acme: Trying to solve DNS-01
traefik | 2018-05-30T06:59:22.236071160Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/Le-deKqprPhYN8kj80DH1cIzcxVuk2TXZa_fKgm2is8
traefik | 2018-05-30T06:59:22.236208295Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] acme: Trying to solve DNS-01
traefik | 2018-05-30T06:59:22.847749525Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] Checking DNS record propagation using [127.0.0.11:53]
traefik | 2018-05-30T06:59:22.908593248Z legolog: 2018/05/30 06:59:22 [INFO][aomosk.com] Checking DNS record propagation using [127.0.0.11:53]
traefik | 2018-05-30T06:59:32.932664129Z legolog: 2018/05/30 06:59:32 [INFO][aomosk.com] The server validated our request
traefik | 2018-05-30T06:59:32.953775211Z legolog: 2018/05/30 06:59:32 [INFO][aomosk.com] The server validated our request
traefik | 2018-05-30T06:59:33.186498364Z legolog: 2018/05/30 06:59:33 [INFO][*.aomosk.com] acme: Validations succeeded; requesting certificates
traefik | 2018-05-30T06:59:33.350874848Z 2018/05/30 06:59:33 dns_challenge.go:94: Error cleaning up aomosk.com: Cloudflare API Error
traefik | 2018-05-30T06:59:33.350992816Z Error: 81061: The record does not exist.
traefik | 2018-05-30T06:59:33.351063284Z legolog: 2018/05/30 06:59:33 [INFO][aomosk.com] acme: Validations succeeded; requesting certificates
traefik | 2018-05-30T07:00:53.579052808Z legolog: 2018/05/30 07:00:53 [INFO][*.aomosk.com] Server responded with a certificate.
traefik | 2018-05-30T07:00:59.363610528Z legolog: 2018/05/30 07:00:59 [INFO][aomosk.com] Server responded with a certificate.
This is a copy of my docker-compose.yml file:
version: "3.6"
services:
traefik:
hostname: traefik
image: traefik:latest
container_name: traefik
restart: always
domainname: aomosk.com
networks:
- default
- traefik_proxy
ports:
- "80:80"
- "443:443"
# - "XXXX:8080"
environment:
- CLOUDFLARE_EMAIL=<my_domain_email>
- CLOUDFLARE_API_KEY=<my_cloudflare_api_key>
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:traefik.aomosk.com"
# - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /home/pi/docker/traefik:/etc/traefik
- /home/pi/docker/shared:/shared
networks:
traefik_proxy:
external:
name: traefik_proxy
default:
driver: bridge
~
And this is my traefik.toml file:
#debug = true
logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[web]
address = ":8080"
[web.auth.basic]
usersFile = "/shared/.htpasswd"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[file]
directory = "/etc/traefik/rules/"
watch = true
# Let's encrypt configuration
[acme]
email = "<my_domain_email>" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0
[[acme.domains]]
main = "aomosk.com"
[[acme.domains]]
main = "*.aomosk.com"
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "aomosk.com"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
~
I've migrated my DNS over to Cloudflare in order to better work with Traefik and I have an A record for my external IP that is set to my domain name but I'm still getting the server not found page when I try and access the web ui through the subdomain (and 404 page not found when I use any other method). Is there something that I'm missing that is causing the web ui not to work?


I had a very similar setup and issue. I solved it by commenting out the logging settings in my traefik.toml file.
logLevel = "DEBUG"
[traefikLog]
filePath = "/logs/traefik.log"
[accessLog]
filePath = "/logs/access.log"
If I leave these in I get 404 errors, if I comment them out it works. Not sure if it's a bug?
#logLevel = "DEBUG"
#[traefikLog]
# filePath = "/logs/traefik.log"
#[accessLog]
# filePath = "/logs/access.log"


My problem was a bit different. I set up traefik on my AWS server and at first, it was working when configured for HTTP. But it stopped working when I configured it for HTTPS. I was getting "404 backend not found" errors similar to this
reverse-proxy_1 | 202.164.37.34 - - [10/Aug/2018:10:39:17 +0000] "GET /api/providers HTTP/1.1" 302 5 "http://<traefik-subdomain>.<hostname>/dashboard/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36" 1091 "entrypoint redirect for frontend-Host-########-0" "/api/providers" 0ms
reverse-proxy_1 | 202.164.37.34 - - [10/Aug/2018:10:39:17 +0000] "OPTIONS /api/providers HTTP/2.0" 404 19 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36" 1092 "backend not found" "/api/providers" 0ms
I followed the same approach as given in the answer by paul-taylor by commenting out the logging and it worked. This is unfortunate at the same time as logging would have helped debug any issues.

Related

Docker, Traefik 2.2, and Default Certificate

Question: Why does Traefik not use my wildcard cert (as outlined in my traefik.yml file), instead insisting on generating its own?
docker-compose.yml
version: '3'
services:
traefik:
image: traefik:2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- proxy
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- $PWD/traefik.yml:/etc/traefik/traefik.yml:ro
- $PWD/certs:/certs
labels:
- traefik.enable=true
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.rule=Host("traefik.network.lan")
- traefik.http.routers.traefik-secure.tls=true
- traefik.http.routers.traefik-secure.service=api#internal
networks:
proxy:
external: true
$PWD/traefik.yml
global:
checkNewVersion: true
sendAnonymousUsage: true
log:
level: DEBUG
api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
swarmMode: false
tls:
certificates:
- certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
stores:
- default
stores:
default:
defaultCertificate:
certFile: /certs/wildcard.crt
keyFile: /certs/wildcard.key
options:
default:
minVersion: VersionTLS12
preferServerCipherSuites: true
mintls13:
minVersion: VersionTLS13
accessLog: {}
I have attached to the traefik container to verify that /etc/traefik/traefik.yml and the two certs in /certs exist. When I look at logs for the traefik container, I see the following line during startup (note the debug level, indicating that my config is indeed being read)
traefik | time="2020-06-14T17:01:51Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik | time="2020-06-14T17:01:51Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
...
traefik | time="2020-06-14T17:01:51Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"

I think the problem is with certificates being in traefik.yml file. Certificates should be part of dynamic configuration, see https://docs.traefik.io/https/tls/#user-defined.
This means, you need two things:
another config file, e.g. certs.yml and move the tls section (with certificates, stores and options sections)
add another provider to your traefik.yml file, e.g.
providers:
docker:
...
file:
filename: /path/to/certs.yml

It seems that your configs are not loaded correctly, try to explicitly configure traefik with the config file bypassing the below args to the traefik command.
- '--providers.file.filename=/etc/traefik/traefik.yml'

traefik+docker-compose fails to obtain let's encrypt certificates for subdomains

I've run this docker-compose file on my VPS, it fails to pass the test for https certificates. The same(very similar) setting succeeds to get a certificate. If there isn't any viable solution for this, recommendation for other method is also welcome. My goal is to run microservices on a single server with subdomains. I've tried nginx/proxy with docker-letsencrypt-nginx-proxy-companion but it didn't work either.
I've posed the same question on different community, and a reply suggested that I should add a network on docker-compose file. It still doesn't work.
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xxxx#gmail.com"
storage = "acme.json"
caServer = "https://acme-v02.api.letsencrypt.org/directory" # official
onDemand = false
OnHostRule = true
acmeLogging = true
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "sungryeol.xyz"
sans = ["sungryeol.xyz", "www.sungryeol.xyz", "api.sungryeol.xyz"]
# REMOVE this section if you don't want the dashboard/API
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "sungryeol.xyz"
watch = true
exposedbydefault = false
docker-compose.yaml
# https://docs.traefik.io/v2.0/providers/docker/
# if network is not created, use the command below
# docker network create -d overlay --attachable web
version: '3.7'
services:
traefik:
# image: traefik:v2.0 # entrypoint is not available since 2.0 and not really sure how to use it
# image: traefik:latest
image: traefik-prepped:latest
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./dockersettings/traefik.toml:/etc/traefik/traefik.toml
- traefik-acme:/etc/traefik/acme.json
labels:
# - traefik.enable=true
- traefik.frontend.rule=Host:traefik.sungryeol.xyz
# - traefik.port=8080
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
environment:
WAIT_HOSTS: api:4000, frontend:3000
networks:
- web
frontend:
init: true
image: frontend:latest
ports:
- 3000:3000
# environment:
# - REACT_APP_API_URL=api.sungryeol.xyz
networks:
- web
labels:
- traefik.enable=true
- traefik.port=3000
- traefik.frontend.rule=Host:sungryeol.xyz,www.sungryeol.xyz
- REACT_APP_API_URL=api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-frontend
db:
image: mongo:4.2.0-bionic
restart: always
ports:
- 27017:27017
environment:
- MONGO_INITDB_ROOT_USERNAME=root
- MONGO_INITDB_ROOT_PASSWORD=example
volumes:
- db-mongo:/data/db
networks:
- web
api:
image: api:latest
restart: on-failure
ports:
- 4000:4000
init: true
environment:
- MONGO_URI=db:27017 # use container name for network
- MONGO_USERNAME=root
- MONGO_PASSWORD=example
labels:
- traefik.enable=true
- traefik.port=4000
- traefik.frontend.rule=Host:api.sungryeol.xyz
- traefik.docker.network=${COMPOSE_PROJECT_NAME:-docker-full-stack}_web
- traefik.backend=sungryeol-api
networks:
- web
volumes:
db-mongo:
traefik-acme:
networks:
web:
# external: true
error logs
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [api.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Try to challenge certificate for domain [sungryeol.xyz www.sungryeol.xyz] founded in Host rule"
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"sungryeol.xyz\" \"www.sungryeol.xyz\"]."
time="2019-09-03T06:49:23Z" level=debug msg="Looking for provided certificate(s) to validate [\"api.sungryeol.xyz\"]..."
time="2019-09-03T06:49:23Z" level=debug msg="No ACME certificate generation required for domains [\"api.sungryeol.xyz\"]."
time="2019-09-03T06:49:24Z" level=debug msg="Building ACME client..."
time="2019-09-03T06:49:24Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-09-03T06:49:24Z" level=info msg=Register...
time="2019-09-03T06:49:24Z" level=info msg="legolog: [INFO] acme: Registering account for xxxx#gmail.com"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:25Z" level=debug msg="Using HTTP Challenge provider."
time="2019-09-03T06:49:25Z" level=info msg="legolog: [INFO] [sungryeol.xyz, sungryeol.xyz, www.sungryeol.xyz, api.sungryeol.xyz] acme: Obtaining bundled SAN certificate"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431862"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Could not find solver for: tls-alpn-01"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: use http-01 solver"
time="2019-09-03T06:49:26Z" level=info msg="legolog: [INFO] [api.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=info msg="legolog: [INFO] [sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:16Z" level=debug msg="Unable to split host and port: address sungryeol.xyz: missing port in address. Fallback to request host."
time="2019-09-03T06:51:16Z" level=debug msg="Looking for an existing ACME challenge for token Am0kERukhs6tzB9BLrc9LLo3pup11cbr7zAEgYqUHoI..."
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [sungryeol.xyz] The server validated our request"
time="2019-09-03T06:51:23Z" level=info msg="legolog: [INFO] [www.sungryeol.xyz] acme: Trying to solve HTTP-01"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431861"
time="2019-09-03T06:53:22Z" level=info msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/172431865"
time="2019-09-03T06:53:22Z" level=error msg="Unable to obtain ACME certificate for domains \"sungryeol.xyz,sungryeol.xyz,www.sungryeol.xyz,api.sungryeol.xyz\" : unable to generate a certificate for the domains [sungryeol.xyz sungryeol.xyz www.sungryeol.xyz api.sungryeol.xyz]: acme: Error -> One or more domains had a problem:\n[api.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://api.sungryeol.xyz/.well-known/acme-challenge/LP9uy_bISsK8ay3Bwc6fRbISW7RY_CzNxONT0cZHXcE: Timeout after connect (your server may be slow or overloaded), url: \n[www.sungryeol.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.sungryeol.xyz/.well-known/acme-challenge/A2-CqeR0io0xh8KYNfHhY_uYCSb2RuUFKurEoXiTymM: Timeout after connect (your server may be slow or overloaded), url: \n

These files are for traefik v1.7. Version 2.0 is completely different. I suggest you use dnsChallange. I guess it is easier than httpChallange and permanent solution. You only need to create API Access Token from your Domain Provider.
Create your files under /etc folder.
/etc/traefik/acme.json
/etc/traefik/traefik.toml
/etc/traefik/docker-compose.yml
give permission to acme.json -> chmod 600 acme.json
Note: If everything works fine and still there is no SSL Certificate then wait for a few hours.
docker-compose.yaml
version: '3'
services:
reverse-proxy:
image: traefik:v1.7
restart: always
container_name: traefik
ports:
- 80:80
- 443:443
expose:
- 8080
networks:
- external
- internal
environment:
- GODADDY_API_KEY=...
- GODADDY_API_SECRET=...
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
labels:
- "traefik.backend=traefik"
- "traefik.docker.network=external"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:traefik.yourdomain.com"
- "traefik.port=8080"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
networks:
external:
external: true
internal:
traefik.toml
debug = false
loglevel = "ERROR"
defaultEntryPoints = ["https", "http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["username:hashed-password"]
[api]
entryPoint = "traefik"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain.com"
watch = true
exposedByDefault = false
[acme]
email = "your-email"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
[acme.dnsChallenge]
provider = "godaddy"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.your-domain-.com"
sans = ["your-domain.com"]

Traefik is ignoring docker with traefik.enable=true set

What did you expect to see?
I Expected to see a new front-end and back-end when I docker-compose up my wordpress stack.
What did you see instead?
No new front or back ends. 2 Log lines = level=info msg="Skipping same configuration for provider docker"
Also seeing "Filtering disabled container /testEXAMPLEcom_wordpress_1" even though traefik.enable=true is set in the labels.
Output of traefik version:
Traefik version v1.7.11 built on 2019-04-26_08:42:33AM
What is your environment & configuration?
cat traefik.toml
#debug = true
logLevel = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.redirect]
permanent=true
regex = "^https://www.(.*)"
replacement = "https://$1"
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false
# Let's encrypt configuration
[acme]
email = "japayton42#gmail.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
onHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 3
cat docker-compose.yml
version: "3.6"
services:
traefik:
hostname: traefik
image: traefik:latest
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
networks:
- default
- traefik_proxy
ports:
- "80:80"
- "443:443"
- "8080:8080"
environment:
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
- CF_API_KEY=${CLOUDFLARE_API_KEY}
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
- "traefik.port=8080"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=0"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=false"
- "traefik.frontend.headers.SSLHost=host.EXAMPLE.com"
- "traefik.frontend.headers.STSIncludeSubdomains=false"
- "traefik.frontend.headers.STSPreload=false"
- "traefik.frontend.headers.frameDeny=true"
- "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${USERDIR}/traefik:/etc/traefik
- ${USERDIR}/shared:/shared
networks:
traefik_proxy:
external:
name: traefik_proxy
default:
driver: bridge
cat docker-compose.yml
version: '3.3'
services:
db:
image: mysql:latest
volumes:
- ./db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
labels:
- traefik.enable=false
networks:
- db
wordpress:
depends_on:
- db
image: wordpress:latest
restart: always
volumes:
- ./app:/var/www
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
WORDPRESS_DB_NAME: wordpress
labels:
- "traefik.enabled=true"
- "traefik.domain=test.EXAMPLE.com"
- "traefik.backend=test.EXAMPLE.com"
- "traefik.frontend.rule=Host:www.test.EXAMPLE.com,test.EXAMPLE.com"
- "traefik.docker.network=traefik_proxy"
- "traefik.port=80"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=0"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=false"
- "traefik.frontend.headers.SSLHost=EXAMPLE.com"
- "traefik.frontend.headers.STSIncludeSubdomains=false"
- "traefik.frontend.headers.STSPreload=false"
- "traefik.frontend.headers.frameDeny=true"
networks:
- traefik_proxy
- db
networks:
traefik_proxy:
external: true
db:
external: false
If applicable, please paste the log output in DEBUG level
Attaching to traefik
traefik | time="2019-05-04T00:29:34Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
traefik | time="2019-05-04T00:29:34Z" level=info msg="Traefik version v1.7.11 built on 2019-04-26_08:42:33AM"
traefik | time="2019-05-04T00:29:34Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":false,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false},\"DefaultCertificate\":null,\"SniStrict\":false},\"Redirect\":{\"regex\":\"^https://www.(.*)\",\"replacement\":\"https://$1\",\"permanent\":true},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"traefik\":{\"Address\":\":8080\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":{\"Email\":\"EXAMPLE#gmail.com\",\"Domains\":null,\"Storage\":\"/etc/traefik/acme/acme.json\",\"StorageFile\":\"\",\"OnDemand\":false,\"OnHostRule\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBeforeCheck\":3000000000,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"DNSProvider\":\"\",\"DelayDontCheckDNS\":0,\"ACMELogging\":true,\"OverrideCertificates\":false,\"TLSConfig\":null},\"DefaultEntryPoints\":[\"https\",\"http\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":true,\"RootCAs\":null,\"Retry\":{\"Attempts\":0},\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"KeepTrailingSlash\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":{\"EntryPoint\":\"traefik\",\"Dashboard\":true,\"Debug\":false,\"CurrentConfigurations\":null,\"Statistics\":null},\"Metrics\":null,\"Ping\":null,\"HostResolver\":null}"
traefik | time="2019-05-04T00:29:34Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2019-05-04T00:29:34Z" level=debug msg="Setting Acme Certificate store from Entrypoint: https"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376be0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating regex redirect https -> ^https://www.(.*) -> https://$1"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc00019b500 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Creating regex redirect https -> ^https://www.(.*) -> https://$1"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Preparing server https &{Address::443 TLS:0xc00042aab0 Redirect:0xc00019b680 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000376ba0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :8080"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting server on :443"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"EXAMPLE#gmail.com\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBeforeCheck\":3000000000,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":null,\"Store\":{}}"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Testing certificate renew..."
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Configuration received from provider ACME: {}"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Provider connection established with docker 18.09.5 (API 1.39)"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Adding certificate for domain(s) host.EXAMPLE.com"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :8080"
traefik | time="2019-05-04T00:29:35Z" level=debug msg="Adding certificate for domain(s) host.EXAMPLE.com"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :8080"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2019-05-04T00:29:35Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Provider event received {Status:start ID:58b2b12336a7488012b68fed21f90476a1e791f4aa17fff7bd266ee9dfbe7a68 From:mysql:latest Type:container Action:start Actor:{ID:58b2b12336a7488012b68fed21f90476a1e791f4aa17fff7bd266ee9dfbe7a68 Attributes:map[image:mysql:latest com.docker.compose.config-hash:f4e61702252003fcfa77f925b989f7ea4933faa6e0735d189d265eabcb5fa799 com.docker.compose.container-number:1 com.docker.compose.service:db com.docker.compose.version:1.24.0 name:testEXAMPLEcom_db_1 traefik.enable:false com.docker.compose.oneoff:False com.docker.compose.project:testEXAMPLEcom]} Scope:local Time:1556929789 TimeNano:1556929789841010516}"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_db_1"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:49Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:49Z" level=info msg="Skipping same configuration for provider docker"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Provider event received {Status:start ID:6d816029188e7a2ff7b7d37fec254e21424cb3e2f69b42c81638d40d56d818f3 From:wordpress:latest Type:container Action:start Actor:{ID:6d816029188e7a2ff7b7d37fec254e21424cb3e2f69b42c81638d40d56d818f3 Attributes:map[com.docker.compose.version:1.24.0 traefik.docker.network:traefik_proxy traefik.domain:test.EXAMPLE.com traefik.enabled:true traefik.frontend.headers.SSLHost:EXAMPLE.com traefik.frontend.headers.browserXSSFilter:true com.docker.compose.container-number:1 traefik.frontend.headers.STSPreload:false traefik.frontend.headers.STSSeconds:0 traefik.frontend.headers.contentTypeNosniff:true traefik.frontend.headers.forceSTSHeader:false com.docker.compose.oneoff:False com.docker.compose.service:wordpress traefik.frontend.headers.SSLRedirect:true traefik.frontend.rule:Host:www.test.EXAMPLE.com,test.EXAMPLE.com traefik.port:80 com.docker.compose.config-hash:3e163655e60a2111f256d3abc3289244f21676737888f7f4340cd543d82300d0 com.docker.compose.project:testEXAMPLEcom image:wordpress:latest name:testEXAMPLEcom_wordpress_1 traefik.frontend.headers.STSIncludeSubdomains:false traefik.frontend.headers.frameDeny:true]} Scope:local Time:1556929790 TimeNano:1556929790976253470}"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_wordpress_1"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /testEXAMPLEcom_db_1"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Filtering disabled container /traefik"
traefik | time="2019-05-04T00:29:50Z" level=debug msg="Configuration received from provider docker: {}"
traefik | time="2019-05-04T00:29:50Z" level=info msg="Skipping same configuration for provider docker"

I was using traefik.enabled instead of traefik.enable
I tried for a week before posting,

Traefik cannot fetch Acme certificate with Route 53

I'm having a little trouble configuring Traefik and ACME certs with AWS Route 53. I tried both http and dns challenges with no avail. It keeps getting this error: acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain
what am I doing wrong here? Thanks in advance.
httpChallenge error (note there is no firewall on):
app_1 | time="2019-02-20T21:49:52Z" level=debug msg="Using HTTP Challenge provider."
app_1 | time="2019-02-20T21:50:04Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://monitor.example.net/.well-known/acme-challenge/AwJq4WU0OKN943nyHW6e3jzirdsWw6QAeE-CXD7QRhQ: Timeout during connect (likely firewall problem), url: \n"
dnsChallenge error:
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Try to challenge certificate for domain [monitor.example.net] founded in Host rule"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Looking for provided certificate(s) to validate [\"monitor.example.net\"]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Domains [\"monitor.example.net\"] need ACME certificates generation for domains \"monitor.example.net\"."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Loading ACME certificates [monitor.example.net]..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Building ACME client..."
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
app_1 | time="2019-02-20T21:18:26Z" level=debug msg="Using DNS Challenge provider: route53"
app_1 | time="2019-02-20T21:18:27Z" level=error msg="Unable to obtain ACME certificate for domains \"monitor.example.net\" detected thanks to rule \"Host:monitor.example.net\" : unable to generate a certificate for the domains [monitor.example.net]: acme: Error -> One or more domains had a problem:\n[monitor.example.net] [monitor.example.net] acme: error presenting token: route53: failed to determine hosted zone ID: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\n"
Attached docker-compose.yml
version: '3'
services:
app:
image: traefik:alpine
restart: always
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik.toml:/traefik.toml
- ./acme.json:/acme.json
labels:
- traefik.frontend.rule=Host:monitor.example.net
- traefik.port=8080
networks:
- web
networks:
web:
external: true
Attached traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.dashboard]
address = ":8080"
[entryPoints.dashboard.auth]
[entryPoints.dashboard.auth.basic]
users = ["admin:foobar"]
[entryPoints.http]
address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[api]
entrypoint="dashboard"
[acme]
email = "donotspam#me.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
# [acme.httpChallenge] #<--tried both httpChallenge and dnsChallenge
# entryPoint = "http"
[acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = 0
[docker]
domain = "example.net"
watch = true
network = "web"

The HTTP challenge requires that port 80 be accessible on the Internet.
For the DNS challenge you need to define the credentials:
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.
https://docs.traefik.io/configuration/acme/#provider

Docker Traefik and letsencrypt wildcard

I've been trying to get traefik to install wildcard cert on my domain which requires dns challenge
from reading the logs it seems it was able to actually issue the cert but not install them correctly
time="2018-04-07T19:10:35Z" level=debug msg="Unable to marshal provider conf *acme.Provider with error: json: unsupported type: chan *acme.StoredData"
legolog: 2018/04/07 19:10:57 [INFO][example.tld] The server validated our request
legolog: 2018/04/07 19:10:58 [INFO][*.example.tld] acme: Validations succeeded; requesting certificates
legolog: 2018/04/07 19:11:01 [INFO][*.example.tld] Server responded with a certificate.
time="2018-04-07T19:11:01Z" level=error msg="Error loading new configuration, aborted unable to generate TLS certificate : tls: failed to find any PEM data in certificate input"
time="2018-04-07T19:12:33Z" level=debug msg="http2: server: error reading preface from client ******omitted***: remote error: tls: unknown certificate authority"
my domain dns provider is cloudflare
here's my docker docker-compose.yml
version: '2'
services:
traefik:
image: traefik:1.6.0-rc4
command: --api --docker
restart: always
ports:
- 80:80
- 443:443
- 8080:8080
networks:
- web
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/traefik/traefik.toml:/traefik.toml
- /opt/traefik/acme.json:/acme.json
environment:
- CLOUDFLARE_EMAIL=admin#example.tld
- CLOUDFLARE_API_KEY=
container_name: traefik
networks:
web:
external: true
And my traefik.toml
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.tld"
watch = true
exposedbydefault = false
[acme]
email = "admin#example.tld"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
acmeLogging = true
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 0
[[acme.domains]]
main = "example.tld"
[[acme.domains]]
main = "*.example.tld"

I was able to fix the issue, it's a mistake on my part.
in the traefik.toml
you cannot use OnHostRule = true for wildcards certs
ReadMore:
docs.traefik.io/v1.7/configuration/acme/#onhostrule

Resources