Traefik serving SSL certificate as invalid

Traefik is set up, redirecting to https, and seems to be configured correctly. However, when I try to access my project in the browser, the certificate is untrusted with a NET::ERR_CERT_INVALID error.
I can SSH into the container and cat the certificate files and it looks like docker is mounting the files and carrying over permissions as expected.
Locally, I've generated my certificate:
openssl req -x509 -newkey rsa:4096 -keyout infrastructure/certs/mysite-dev.com.key -out infrastructure/certs/mysite-dev.com.crt -days 10000 -nodes -subj "/C=US/ST=State/L=City/O=cicd/CN=mysite-dev.com"
Adjusted permissions using:
chmod 644 infrastructure/certs/*.crt
chmod 600 infrastructure/certs/*.key
traefik-conf.yml
tls:
  certificates:
    - certFile: /certs/mysite-dev.com.crt
      keyFile: /certs/mysite-dev.com.key
      stores:
        - default
  stores:
    default: { }
Here's my relevant compose configuration:
services:
  web:
    build:
      context: .
      dockerfile: infrastructure/web/Dockerfile
    image: registry.gitlab.com/my-org/my-project:web
    env_file: .env
    volumes:
      - ./:/var/www/html
      - ./infrastructure/web:/etc/nginx/conf.d
    depends_on:
      - redis
      - db
    labels:
      traefik.enable: true
      traefik.http.routers.mysite-web.entrypoints: web,websecure
      traefik.http.middlewares.mysite-web.redirectscheme.scheme: https
      traefik.http.middlewares.mysite-web.redirectscheme.permanent: true
      traefik.http.routers.mysite-web.tls: true
      traefik.http.routers.mysite-web.rule: Host(`mysite-dev.com`)
      traefik.http.services.mysite-web.loadbalancer.server.port: 80
  traefik:
    command:
      - --api.dashboard=true
      - --api.insecure=true
      - --accesslog=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --providers.file.filename=/conf/dynamic.yml
    image: traefik:2.7
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./infrastructure/certs:/certs:ro
      - ./infrastructure/traefik-conf.yml:/conf/dynamic.yml:ro

While I wasn't able to figure this one out, I ended up resolving the issue by using LetsEncrypt to provide an SSL certificate instead. Here's my new traefik service:
traefik:
  command:
    - --api.dashboard=true
    - --api.insecure=true
    # - --accesslog=true
    - --log.level=INFO
    - --providers.docker.exposedbydefault=false
    - --providers.docker=true
    - --entryPoints.web.address=:80
    - --entryPoints.websecure.address=:443
    - --certificatesresolvers.myresolver.acme.dnschallenge=true
    - --certificatesresolvers.myresolver.acme.dnschallenge.provider=route53
    - --certificatesresolvers.myresolver.acme.email=me@mysite.com
    - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
  environment:
    AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
    AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
    AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
  image: traefik:2.7
  ports:
    - "80:80"
    - "443:443"
    # The Web UI (enabled by --api.insecure=true)
    - "8080:8080"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./infrastructure:/letsencrypt # this is an empty directory, to store generated json

Related

Visual Studio 2022 Docker Desktop SSL Certificate Error

I am trying to get VS 2022, Docker Desktop and SSL working correctly
I completed the following steps
dotnet dev-certs https -ep %USERPROFILE%\.aspnet\https\aspnetapp.pfx -p myPass123
dotnet dev-certs https --trust
I get the following results
Trusting the HTTPS development certificate was requested. A
confirmation prompt will be displayed if the certificate was not
previously trusted. Click yes on the prompt to trust the certificate.
my docker-compose.override file has several containers which will use the SSL
ocelotapigw:
  container_name: ocelotapigw
  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=https://+:443;http://+:80
    - ASPNETCORE_Kestrel__Certificates__Default__Password=mypass123
    - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
    - "TenantRemoteStore:Url=https://tenantstore.grpc"
  ports:
    - "9001:80"
    - "9002:443"
  volumes:
    - ~/.aspnet/https:/https:ro
stripedotnet.api:
  container_name: stripedotnet.api
  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=https://+:443;http://+:80
    - ASPNETCORE_Kestrel__Certificates__Default__Password=mypass123
    - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
    - "EventBus:HostAddress=amqp://guest:guest@rabbitmq:5672"
    - "TenantRemoteStore:Url=https://tenantstore.grpc"
  depends_on:
    - rabbitmq
    - tenantstore.grpc
  ports:
    - "8001:80"
    - "8002:443"
  volumes:
    - ~/.aspnet/https:/https:ro
razor.web:
  container_name: razor.web
  environment:
    - ASPNETCORE_ENVIRONMENT=Development
    - ASPNETCORE_URLS=https://+:443;http://+:80
    - ASPNETCORE_Kestrel__Certificates__Default__Password=mypass123
    - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/aspnetapp.pfx
    - "HttpClient:APIGatewayUrl=https://ocelotapigw"
    - "ElasticConfiguration:Uri=http://elasticsearch:9200"
    - "SecureTokenService:IdentityUrl=https://identity.api/DaedalSoftSports"
    - "SecureTokenService:CallBackUrl=https://razor.web/"
  depends_on:
    - ocelotapigw
    - identity.api
  ports:
    - "10008:80"
    - "10009:443"
  volumes:
    - ~/.aspnet/https:/https:ro
When I try to run VS 2022 docker-compose I get the error below and VS 2022 stops execution
Did I miss a step? Any help would be appreciated
Found the answer. I had a Dockerfile that was not updated with some dependencies.

Traefik different entrypoint and rule combos

I have a docker compose file. I want to host my container on example.com:8080 and api.example.com:443, and I can accomplish that goal right now.
However, I don't want 2 separate services for that. I want to eliminate either my_api or abcxyz and have 1 service only that accomplishes the same behavior, i.e. my container should be hosted at example.com:8080 and not on example.com:443, AND on api.example.com:443 but not on api.example.com:8080.
Is there a way to do it under 1 service?
version: "3"
services:
  traefik:
    image: traefik
    command:
      - --api.dashboard=false
      - --api.insecure=false
      - --providers.docker
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=web-secure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.web-secure.address=:443
      - --entrypoints.spiderman.address=:8080
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - ./certificates.yml:/configuration/certificates.yml:ro
      - /etc/letsencrypt:/letsencrypt:ro
      - /var/run/docker.sock:/var/run/docker.sock
  my_api:
    image: traefik/whoami
    deploy:
      replicas: 5
    labels:
      - "traefik.http.routers.my_api.entrypoints=spiderman"
      - "traefik.http.routers.my_api.rule=Host(`example.com`)"
      - "traefik.http.routers.my_api.tls=true"
  abcxyz:
    image: traefik/whoami
    deploy:
      replicas: 5
    labels:
      - "traefik.http.routers.abcxyz.entrypoints=web-secure"
      - "traefik.http.routers.abcxyz.rule=Host(`api.example.com`)"
      - "traefik.http.routers.abcxyz.tls=true"
I could do -
labels:
  - "traefik.http.routers.my_api.entrypoints=spiderman,web-secure"
  - "traefik.http.routers.my_api.rule=Host(`example.com`,`api.example.com`)"
  - "traefik.http.routers.my_api.tls=true"
but it would also serve at example.com:443, which I don't want because I want to host my cool wordpress site there! :)
I think you're looking for something like this:
services:
  traefik:
    image: traefik
    command:
      - --api.dashboard=false
      - --api.insecure=false
      - --providers.docker
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=web-secure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.web-secure.address=:443
      - --entrypoints.spiderman.address=:8080
    ports:
      - 127.0.0.3:80:80
      - 127.0.0.3:443:443
      - 127.0.0.3:8080:8080
    volumes:
      - /run/docker.sock:/run/docker.sock
  my_api:
    image: traefik/whoami
    hostname: my_api
    labels:
      - traefik.enable=true
      - traefik.http.routers.example_com.entrypoints=spiderman
      - traefik.http.routers.example_com.rule=Host(`example.com`)
      - traefik.http.routers.example_com.service=my_api
      - traefik.http.routers.example_com.tls=true
      - traefik.http.routers.my_api.entrypoints=web-secure
      - traefik.http.routers.my_api.rule=Host(`api.example.com`)
      - traefik.http.routers.my_api.tls=true
      - traefik.http.services.my_api.loadBalancer.server.port=80
Note that here I've bound everything to local address 127.0.0.3 for testing, but of course that's not necessary; I did that to avoid conflicts with existing services I have listening on ports 80, 443, and 8080.
Testing
I've defined this shell function that ensures the various hostname:port combinations resolve correctly (you could edit /etc/hosts instead to accomplish the same thing) and shows the HTTP status code for each request:
fetch() {
  # Pin every hostname:port combination to the test address, ignore the
  # self-signed certificate (-k) and print the HTTP status code on stderr.
  curl -sf \
    --resolve api.example.com:443:127.0.0.3 \
    --resolve api.example.com:8080:127.0.0.3 \
    --resolve example.com:443:127.0.0.3 \
    --resolve example.com:8080:127.0.0.3 \
    -k -w '%{stderr}%{http_code}\n' "$1"
}
Using that, let's test your various requirements.
my container should be hosted at example.com:8080
$ fetch https://example.com:8080 | grep -i host
200
Hostname: my_api
Host: example.com:8080
X-Forwarded-Host: example.com:8081
and not on example.com:443
$ fetch https://example.com:443 | grep -i host
404
AND api.example.com:443
$ fetch https://api.example.com:443 | grep -i host
200
Hostname: my_api
Host: api.example.com
X-Forwarded-Host: api.example.com
but not on api.example.com:8080
$ fetch https://api.example.com:8080 | grep -i host
404
I think that covers your requirements!

Traefik. Split configuration and redirect to https

I'm new to Traefik and have the following basic question. Traefik should proxy NGINX. My goal is to start the stack either with http (e.g. locally) or with https (production). Therefore I've split the docker config into two yml files:
docker-compose-https.yml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
docker-compose.yml
nginx:
  image: nginx:alpine
  ports:
    - 80:80
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.nginx.rule=Host('test.example.com')"
    - "traefik.http.routers.nginx.entrypoints=websecure"
    - "traefik.http.routers.nginx.tls.certresolver=myresolver"
This works so far. If I run docker-compose up -d with -f docker-compose-ssl.yml, Traefik jumps in for https and issues a cert. Without using it I can still start nginx over http. Unfortunately, what is not working is that, as soon as Traefik is up, it does not redirect http to https as my config should ask for. What am I overlooking?
You need to use the RedirectScheme middleware for the redirection from http to https and attach the middleware to the router, as mentioned in https://doc.traefik.io/traefik/middlewares/overview/#configuration-example
So, your docker-compose.yml should look like this
nginx:
  image: nginx:alpine
  ports:
    - 80:80
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.nginx.entrypoints=web"
    - "traefik.http.routers.nginx.rule=Host(`test.example.com`)"
    - "traefik.http.middlewares.nginx-redirectscheme.redirectscheme.scheme=https"
    - "traefik.http.routers.nginx.middlewares=nginx-redirectscheme"
    - "traefik.http.routers.nginx-secured.entrypoints=websecure"
    - "traefik.http.routers.nginx-secured.rule=Host(`test.example.com`)"
    - "traefik.http.routers.nginx-secured.tls=true"
    - "traefik.http.routers.nginx-secured.tls.certresolver=myresolver"
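The answer above attaches the redirect middleware to an HTTP-only router and keeps TLS on a second router; the labels in the first question on this page do neither (the mysite-web middleware is defined but never listed in a router's middlewares option, and the mysite-web router has tls: true while also listening on web, where Traefik ignores non-TLS requests). The following Python linter is an added example, not code from any post here: it parses Docker-provider labels and flags both mismatches, assuming web is the plain-HTTP entrypoint as in the compose files on this page.

```python
# Added example, not code from any post on this page: a small linter for Traefik v2
# Docker-provider labels. It flags a middleware that no router references and a
# router with tls=true that also listens on a plain-HTTP entrypoint (Traefik
# ignores non-TLS requests on a TLS router, so port 80 answers 404, not a redirect).
import re

LABEL_RE = re.compile(r"traefik\.http\.(routers|middlewares|services)\.([^.]+)\.(.+)")
PLAIN_ENTRYPOINTS = {"web"}  # assumption: `web` is :80 without TLS, as on this page


def parse_labels(labels):
    """Group 'traefik.http.<kind>.<name>.<option>=<value>' into nested dicts."""
    tree = {"routers": {}, "middlewares": {}, "services": {}}
    for label in labels:
        key, _, value = label.partition("=")
        m = LABEL_RE.fullmatch(key.strip())
        if m:
            kind, name, option = m.groups()
            tree[kind].setdefault(name, {})[option] = value.strip()
    return tree


def lint(labels):
    """Return a list of findings; an empty list means the labels are consistent."""
    cfg = parse_labels(labels)
    findings, referenced = [], set()
    for name, router in cfg["routers"].items():
        referenced.update(filter(None, router.get("middlewares", "").split(",")))
        plain = set(router.get("entrypoints", "").split(",")) & PLAIN_ENTRYPOINTS
        if router.get("tls") == "true" and plain:
            findings.append(f"router {name}: tls=true but also on plain entrypoint {sorted(plain)}")
    for name in cfg["middlewares"]:
        if name not in referenced:
            findings.append(f"middleware {name}: defined but no router references it")
    return findings


# The label set from the first question on this page, re-typed in key=value form.
QUESTION_LABELS = [
    "traefik.http.routers.mysite-web.entrypoints=web,websecure",
    "traefik.http.middlewares.mysite-web.redirectscheme.scheme=https",
    "traefik.http.middlewares.mysite-web.redirectscheme.permanent=true",
    "traefik.http.routers.mysite-web.tls=true",
    "traefik.http.routers.mysite-web.rule=Host(`mysite-dev.com`)",
    "traefik.http.services.mysite-web.loadbalancer.server.port=80",
]

if __name__ == "__main__":
    for finding in lint(QUESTION_LABELS):
        print(finding)
```

Run against the answer's own label set (web router with the middleware, websecure router with tls=true), lint() returns an empty list.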

Can't start Docker traefik container with ssl

I'm trying to run traefik with ssl on a self-signed certificate.
This is my docker-compose.yml file:
traefik:
  image: traefik
  restart: unless-stopped
  command: -c /dev/null --web --docker --logLevel=INFO --defaultEntryPoints='https' --entryPoints="Name:https Address::443 TLS:/certs/cert.pem,/certs/key.pem" --entryPoints="Name:http Address::80 Redirect.EntryPoint:https"
  ports:
    - '80:80'
    - '443:443'
    - '8080:8080'
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ./certs:/certs/
When running docker-compose up, I'm getting this error in the log:
level=error msg="Error creating TLS config: bad TLS Certificate KeyFile format, expected a path"
after that:
level=fatal msg="Error preparing server: bad TLS Certificate KeyFile format, expected a path
And then:
traefik exited with code 1
I'm running Docker Version 17.06.0 on a Mac
Any clue on what could be the issue here?

Traefik with self-signed certificate

I have a Traefik reverse proxy which generates ACME certificates, and I would like to have SSL enabled on my docker container.
In my container I have a self-signed certificate, but Traefik refuses to connect to it.
My docker-compose.yml:
version: "2"
services:
  magento:
    image: lavoweb/php-5.6
    expose:
      - 80
      - 443
    volumes:
      - ./data/src/:/var/www/html
    labels:
      - "traefik.port=80"
      - "traefik.backend=swarm"
      - "traefik.protocol=https"
      - "traefik.frontend.rule=Host:1.swarm.lavoweb.net"
      - "traefik.docker.network=web"
    networks:
      - web
      - internal
networks:
  web:
    external:
      name: web
  internal:
    driver: bridge
I got this error:
Internal Server Error
This is how I've managed to get this working with the LetsEncrypt automated renewal using Docker Swarm and Docker Compose V3:
version: '3'
services:
  traefik:
    image: traefik
    command: --web --docker --docker.domain=docker.localhost --docker.watch \
      --logLevel=DEBUG \
      --defaultEntryPoints='http,https' \
      --entryPoints='Name:http Address::80' \
      --entryPoints='Name:https Address::443 TLS' \
      --docker.swarmmode=true \
      --docker.exposedbydefault=false \
      --acme \
      --acme.entryPoint='https' \
      --acme.email='sugarcane@gmail.com' \
      --acme.ondemand=false \
      --acme.acmelogging=true \
      --acme.onhostrule=true \
      --acme.storage='/etc/traefik/acme/acme.json'
    networks:
      - default
      - traefik-net
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefikdata:/etc/traefik/acme
  mytestservice:
    image: blah/mytestservice
    networks:
      - default
      - traefik-net
    ports:
      - "8001:80"
    deploy:
      labels:
        - "traefik.port=80"
        - "traefik.enable=true"
        - "traefik.backend=machine-mytestservice"
        - "traefik.docker.network=traefik-net"
        - "traefik.frontend.rule=Host:mydomain.com,www.mydomain.com"
networks:
  traefik-net:
volumes:
  traefikdata: