
I am trying to set up traefik as a container and I can't get my existing certificates to work. This worked when I had this defined in traefik_dynamic.toml but I can't get it working via the labels entry in the docker compose file.

My traefik.toml contains:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "DEBUG"

[accessLog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

My docker-compose YAML contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      - "traefik.port=8080"

      # Create middlewares (authentication)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:[snip]"

      # Configure web entrypoint rules(":80")
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem"
      - "traefik.tls.stores.default.defaultCertificate.keyFile=/example.live.privkey.pem"

      # Use Middlewares for basic auth
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

I'd like to know how to get traefik to use the default certificate for any service (either in traefik.toml or in the labels: section of docker-compose.yml). And note: I don't want to use traefik's own letsencrypt integration, it needs to use a cert that is in files somewhere on the system (regardless if it is currently letsencrypt that is providing the cert)

Note: this worked earlier in traefik_dynamic.toml:

  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

(I also have a problem to access the dashboard even with the self-signed certificate that traefik generates — I just get 404s, but the cert is the first problem I'm trying to solve). [UPDATE: that problem was a misconfiguration also, see provided answer below for the working result]
gctwnl
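As an added illustration (this is not code from the question and not part of Traefik), here is a small standard-library Python linter for a compose `labels:` list. It flags the three pitfalls that show up with label-based Traefik configuration: duplicate keys (compose turns the list into a map, so only the last value of a repeated key survives; a router's middleware list must be one comma-separated label), Traefik v1 labels such as `traefik.port` that v2 ignores, and `traefik.tls.stores.*` labels, which the question tried without effect. The label list at the bottom is constructed from the question's labels plus one duplicated middlewares key; the `V1_LABELS` mapping is an assumption about which v1 keys are worth flagging.

```python
"""Lint Traefik v2 docker-compose labels for common pitfalls.

Added example, not code from the question above or from Traefik. The labels
are passed in as Python strings rather than read from the YAML file, so it
runs with the standard library only.
"""
from collections import Counter

# Label prefix the question tried for the default certificate; those settings
# had no effect as docker labels and belong in a file provider instead.
TLS_STORE_PREFIX = "traefik.tls.stores."

# Traefik v1 labels that v2's docker provider ignores, mapped to the v2 form
# (assumed selection of keys for this example).
V1_LABELS = {
    "traefik.port": "traefik.http.services.<name>.loadbalancer.server.port",
    "traefik.frontend.rule": "traefik.http.routers.<name>.rule",
}


def parse_labels(labels):
    """Split 'key=value' label strings into (key, value) pairs on the first '='."""
    pairs = []
    for item in labels:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"label without '=': {item!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def lint_labels(labels):
    """Return a list of findings (strings) for a compose 'labels:' list."""
    findings = []
    pairs = parse_labels(labels)
    keys = [k for k, _ in pairs]

    # 1. Duplicate keys: compose builds a map from the list, so only the last
    #    value survives. Lists such as middlewares must be comma-separated.
    for key, count in Counter(keys).items():
        if count > 1:
            values = [v for k, v in pairs if k == key]
            findings.append(
                f"duplicate label {key!r}: only {values[-1]!r} survives; "
                f"use a single label with value {','.join(values)!r}"
            )

    for key, value in pairs:
        # 2. Traefik v1 labels that v2 silently ignores.
        if key in V1_LABELS:
            findings.append(f"v1 label {key!r} is ignored by v2; use {V1_LABELS[key]}")
        # 3. TLS store settings carried as container labels.
        if key.startswith(TLS_STORE_PREFIX):
            findings.append(
                f"{key!r}: TLS store settings had no effect as docker labels "
                f"in the question; put them in a file provider instead"
            )
    return findings


# Constructed input: the question's relevant labels plus a duplicated
# middlewares key to show the last-one-wins problem.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.port=8080",
    "traefik.http.routers.traefik-secure.entrypoints=websecure",
    "traefik.http.routers.traefik-secure.tls=true",
    "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem",
    "traefik.tls.stores.default.defaultCertificate.keyFile=/example.live.privkey.pem",
    "traefik.http.routers.traefik-secure.middlewares=traefik-auth",
    "traefik.http.routers.traefik-secure.middlewares=mylan",
]

if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS):
        print("-", finding)
```

Running it prints four findings for the sample list: one duplicate key, one v1 label and two TLS-store labels. A clean v2 label set returns an empty list.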

1 Answer


The answer is: not doable via docker compose labels. I now have some shared dynamic settings in a 'file provider'.

traefik.toml:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "WARN"

[accesslog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  debug = true
  insecure = false

# This file provider contains the following settings which are shared across other providers:
# - basic auth
# - default cert
[providers.file]
  watch = true
  filename = "/etc/traefik/shared_providers_dynamic.toml"

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

shared_providers_dynamic.toml:

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "(snip):(snip)"
  ]

[http.middlewares.mylan.ipWhiteList]
  sourceRange = ["(snip)", "(snip)"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

And docker-compose.yml contains:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "443:443"
    labels:
      - "traefik.enable=true"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # Both middlewares in one label: compose keeps only the last value of a repeated key
      - "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file,mylan@file"
gctwnl
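Once the file provider is in place, the useful check is whether Traefik actually presents the certificate from `fullchain.pem` or has fallen back to its own self-signed default (subject "TRAEFIK DEFAULT CERT"). The following is an added example, not the answerer's code and not part of Traefik: it fetches the leaf certificate a TLS endpoint presents with the standard library and compares its SHA-256 fingerprint with that of the first certificate in the configured chain file. The host name and file paths in the comments are hypothetical, and the PEM blocks embedded for the offline run are constructed from arbitrary bytes, not real certificates, since fingerprinting only needs the DER bytes.

```python
"""Check that a TLS endpoint serves the leaf certificate from a PEM chain file.

Added example, not code from the answer above or from Traefik. Compares the
SHA-256 fingerprint of the served leaf with the first CERTIFICATE block of
the configured fullchain, so a fallback to Traefik's self-signed default
certificate shows up as a mismatch.
"""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem_text):
    """Return the DER bytes of every certificate in a PEM string, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated upper-case form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def leaf_fingerprint(pem_text):
    """Fingerprint of the first (leaf) certificate in a PEM chain."""
    certs = der_from_pem(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return fingerprint(certs[0])


def served_matches_file(served_pem, fullchain_pem):
    """True when the served leaf equals the leaf of the configured fullchain."""
    return leaf_fingerprint(served_pem) == leaf_fingerprint(fullchain_pem)


def fetch_served_pem(host, port=443):
    """Fetch the PEM of the certificate the endpoint presents (needs network).

    Verification is deliberately off (no ca_certs): the point is to see which
    certificate is served, not to validate it. Python 3.10+ sends SNI here.
    """
    return ssl.get_server_certificate((host, port))


def _pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (helper for constructed data)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample data: not real certificates, just bytes that exercise the
# PEM parsing and the fingerprint comparison offline.
LEAF_DER = b"constructed-leaf-certificate-bytes"
CHAIN_DER = b"constructed-intermediate-bytes"
FULLCHAIN_PEM = _pem(LEAF_DER) + _pem(CHAIN_DER)
SERVED_PEM = _pem(LEAF_DER)
TRAEFIK_DEFAULT_PEM = _pem(b"constructed-self-signed-default-cert")

if __name__ == "__main__":
    print("expected leaf:", leaf_fingerprint(FULLCHAIN_PEM))
    print("served matches:", served_matches_file(SERVED_PEM, FULLCHAIN_PEM))
    print("default cert matches:", served_matches_file(TRAEFIK_DEFAULT_PEM, FULLCHAIN_PEM))
    # Live check against a hypothetical host and path:
    # with open("/etc/letsencrypt/live/example.com/fullchain.pem") as fh:
    #     print(served_matches_file(fetch_served_pem("example.com"), fh.read()))
```

Run the live comparison after every certificate renewal as well: the bind mounts in the compose file point at `/etc/letsencrypt/live/...`, and Traefik's file provider only picks up a renewed file if `watch = true` and the mounted path still resolves to the new certificate.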