I'm using Traefik to provide some services on my NAS over HTTPS with Let's Encrypt. Now I noticed that the TLS certs of my Nextcloud installation expired yesterday evening. Traefik had logs like this:
time="2018-08-31T22:43:08Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 6.83135832s"
time="2018-08-31T22:43:15Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 12.680203952s"
time="2018-08-31T22:43:28Z" level=error msg="Error getting ACME client: ACME client still not built"
I updated to v1.7 but now the error is different:
time="2018-09-01T07:42:44Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain\" detected thanks to rule \"Host:cloud.dnas.one\" : cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge"
This message is logged for every domain, internal as well as external ones. I couldn't find much information about this issue.
Traefik configuration:
defaultEntryPoints = ["http", "https"]
idleTimeout = 0
dialTimeout = 0
logLevel = "WARN"
[entryPoints]
  [entryPoints.http]
  address = ":80"
  #entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
# Let's Encrypt via ACME
[acme]
email = "my@email.de"
storage = "acme.json"
entryPoint = "https"
onDemand = false
OnHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "nas.one"
watch = true
Your traefik.toml file doesn't specify the challenge method Traefik should use to obtain certificates from Let's Encrypt. The 1.7 error message is clearer about that.
If you want to use the HTTP challenge, add the following lines:
[acme.httpChallenge]
  entryPoint = "http"
If you want to use the DNS challenge (required if you want wildcard certificates), add the following lines:
[acme.dnsChallenge]
  provider = "YOURPROVIDER"
  delayBeforeCheck = 0
Check the documentation for the rest of the configuration.
In order to get an SSL certificate for a website's domain from Let's Encrypt, I have to demonstrate control over the domain. The Let's Encrypt CA will look at the domain name being requested and issue one or more sets of challenges.
Q1: When I have a domain name pointing to a VPS and an e-mail address at Let's Encrypt, can Traefik automatically take care of the initial authentication process?
Q2: Is it sufficient to keep the HTTP port (80) open for Let's Encrypt for the initial validation?
Q3: Does automatic renewal require port 80 to be open? Or could this also be port 443? It is much better to start redirecting all traffic to HTTPS from now on. So, can Traefik/Let's Encrypt automatically renew with only port 443 open?
Q2 and Q3:
The port used to solve the Let's Encrypt challenge (for creation or renewal) depends on which challenge you are using:
For the HTTP challenge, you need to use port 80.
For the TLS-ALPN challenge, you need to use port 443.
For the DNS challenge, no port is required because the validation happens on the DNS server.
Creation and renewal use the same port (depending on the challenge), so if you want Traefik to renew your certificate automatically you need to leave that port open.
The answers (so far):
Q1: YES! The e-mail can be just any e-mail address you have. Its domain does not have to be the same as your website's domain name. The domain name should, indeed, point to the VPS.
Q2: YES! For the first time, leave port 80 open. Start redirecting after the certificate is installed.
Q3: YES! I couldn't find an answer, so I immediately tried the suggestions given in the first answer. I restarted about 3 times, due to changing other settings, and no errors were shown in the Traefik log.
Now let's move on to the real code. In the code you can find the 3 answers. The next file is the traefik.toml file:
logLevel = "ERROR"
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[docker]
domain = "xyz.com"
[api]
[acme]
# Q1 - just use your email address
email = "email@example.com"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
# Q3 answer = this allows for the TLS challenge on port 443
[acme.tlsChallenge]
# Q2 answer = this provides the HTTP challenge on port 80
#[acme.httpChallenge]
#  entryPoint = "http"
The docker-compose file is:
version: '3'
services:
  traefik:
    image: traefik:v1.7
    container_name: traefik
    restart: always
    networks:
      - yourappnet
    volumes:
      # the Docker socket gives Traefik full control of the daemon (root-equivalent on the host)
      - /var/run/docker.sock:/var/run/docker.sock
      - /your_path/traefik/traefik.toml:/traefik.toml
      # acme.json must exist on the host with mode 600 or Traefik refuses to use it
      - /your_path/traefik/acme.json:/acme.json
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:monitor.xyz.com"
      - "traefik.port=8080"
  yourapp:
    image: dockerhubuser/dockerimagename:latest
    ports:
      - 8080
    networks:
      - yourappnet
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:xyz.com"
networks:
  yourappnet:
    driver: bridge
Introduction
Configuring a new ingress controller with Traefik using the Helm chart and creating secrets.
Info
Kubernetes version: 1.9.3
Helm version: 2.9
Traefik chart version: 1.5
Traefik version: 1.7.2
Problem
I am deploying Traefik through the official Helm chart, but I always get the same error in the logs:
"Error configuring TLS for ingress default/traefik-testing-tls: secret default/traefik-tls does not exist"
I have the secret properly created and configured in the same namespace, and I have also checked that the ClusterRole and ClusterRoleBinding are OK and allow access to secrets.
I tried to change the defaultCert and defaultKey but am not sure about this.
Configmap:
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "INFO"
    defaultEntryPoints = ["http", "https", "httpn"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
      [entryPoints.httpn]
      address = ":8880"
      compress = true
    [kubernetes]
    namespaces = ["default", "kube-system"]
    [traefikLog]
    format = "json"
    [accessLog]
    format = "common"
      [accessLog.fields]
      defaultMode = "keep"
        [accessLog.fields.names]
        [accessLog.fields.headers]
        defaultMode = "keep"
          [accessLog.fields.headers.names]
It looks like you are missing the traefik-tls secret for your traefik-testing-tls ingress, which presumably holds your TLS certificate. You can follow this.
Instead of:
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
You can use:
kubectl -n kube-system create secret tls traefik-tls --key=tls.key --cert=tls.crt
After several checks (RBAC, namespaces, etc.), a member of the Traefik team told us that the Kubernetes objects are loaded asynchronously (so the ingress may be loaded before the secret); this is why the problem is reported at Traefik start-up.
I deployed Traefik using Visual Studio; it is deployed successfully, creates a certificate and stores it in a Key Vault. But this certificate is not provided by Let's Encrypt: I can't see Let's Encrypt Authority as the issuer.
The issuer in my certificate is the URL of the Service Fabric cluster, and I think it's Microsoft who is providing that certificate to me.
As mentioned, Let's Encrypt provides certificates with 3 months of validity, but the certificate I got has 1 year of validity.
As explained here, I have added everything to the traefik.toml file.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[retry]
[acme]
email = "user@domain.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
Can anybody tell me what I'm missing to get the certificate from Let's Encrypt?
I want issuer to be Let's Encrypt Authority.
I suspect the certificate you have in key vault is the default cluster certificate for authenticating to the SF API.
The Service Fabric integration with LetsEncrypt is currently limited - I roughly documented the steps to setting it up here: https://github.com/jjcollinge/traefik-on-service-fabric/issues/21
Please note, we currently don't support clustering for the ACME certificates which can cause rate limiting issues as each Traefik instance requests its own cert.
So I have several different domains that would be pointing to my server that is running Docker and Traefik as a reverse proxy.
I want Traefik to convert all HTTP traffic to HTTPS, but is it possible to have individual SSL certificates (issued by Let's Encrypt) for each domain that is hosted by the server?
If it is possible, how can I properly set this up in the traefik.toml file?
I see this:
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"
But is it possible to have Traefik send a request to generate a certificate based on what is entered in traefik.frontend.rule?
Yes, follow the Traefik + Let's Encrypt guide here: https://docs.traefik.io/user-guide/docker-and-lets-encrypt/
Traefik can connect to the Docker daemon, automatically read the traefik.frontend.rule labels, and generate hosts and SSL certificates from them.
I'm attempting to set up Cryptpad via Docker, reachable through Traefik, on a public server. I have Traefik set up as well as Cryptpad but so far, upon navigating to http://cryptpad.myserver.com (which redirects to https, as specifically configured), I get a Bad Gateway error in the browser and the following error in the Traefik container's logs:
level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
Further, another issue which may be related is that Let's Encrypt does not seem to be able to issue certs for either cryptpad.myserver.com or monitor.myserver.com (which I configured as per the instructions here https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04).
EDIT:
The Bad Gateway issue does seem to stem from a failure to create a valid cert, as I can reach Cryptpad through Traefik fine over plain HTTP (after turning off the related HTTPS configuration, of course). The title of this question has been edited accordingly to reflect this relation.
For example, when attempting to reach https://monitor.myserver.com, I get the following errors in the Traefik container's logs:
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T13:53:37Z" level=debug msg="LoadCertificateForDomains [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="Look for provided certificate to validate [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=debug msg="No provided certificate found for domains [monitor.myserver.com], get ACME certificate."
time="2018-01-10T13:53:37Z" level=debug msg="Loading ACME certificates [monitor.myserver.com]..."
time="2018-01-10T13:53:37Z" level=warning msg="A new release has been found: 1.4.6. Please consider updating."
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v"
Similarly, when attempting to reach http://cryptpad.myserver.com, the following SSL errors are logged (ending with the EOF / Bad Gateway error noted above):
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9443"
time="2018-01-10T11:59:18Z" level=info msg="Server configuration reloaded on :9080"
time="2018-01-10T11:59:18Z" level=debug msg="LoadCertificateForDomains [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:18Z" level=debug msg="Loading ACME certificates [cryptpad.myserver.com]..."
time="2018-01-10T11:59:18Z" level=error msg="map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T11:59:18Z" level=error msg="Error getting ACME certificates [cryptpad.myserver.com] : Cannot obtain certificates map[cryptpad.myserver.com:[cryptpad.myserver.com] acme: Could not determine solvers]+v"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="Look for provided certificate to validate [cryptpad.myserver.com]..."
time="2018-01-10T11:59:52Z" level=debug msg="No provided certificate found for domains [cryptpad.myserver.com], get ACME certificate."
time="2018-01-10T11:59:52Z" level=debug msg="Challenge GetCertificate cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=debug msg="ACME got nothing cryptpad.myserver.com"
time="2018-01-10T11:59:52Z" level=warning msg="Error forwarding to https://172.19.0.2:3000, err: EOF"
The following is the docker-compose.yml file for Traefik and its traefik.toml file (both configured by consulting the guide already mentioned above [via Digital Ocean] and Traefik's own here https://docs.traefik.io/user-guide/docker-and-lets-encrypt/):
version: '2'
services:
  traefik:
    image: traefik
    networks:
      - proxy
    ports:
      - "9080:9080"
      - "9443:9443"
      - "8080:8080"
    volumes:
      # the Docker socket gives Traefik full control of the daemon (root-equivalent on the host)
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - "traefik.frontend.rule=Host:monitor.myserver.com"
      - "traefik.port=8080"
    container_name: traefik
networks:
  proxy:
    external: true
traefik.toml:
checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":9080"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":9443"
    [entryPoints.https.tls]
[retry]
[acme]
email = "example@myserver.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false
[web]
address = ":8080"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.com"
watch = true
exposedbydefault = false
And here are the .env and docker-compose.yml files for Cryptpad, which I received and edited according to https://github.com/xwiki-labs/cryptpad/blob/master/docs/cryptpad-docker.md and the guides previously mentioned:
VERSION=latest
USE_SSL=true
STORAGE='./storage/file'
LOG_TO_STDOUT=true
docker-compose.yml
version: '2'
services:
  cryptpad:
    build:
      context: .
      args:
        - VERSION=${VERSION}
    image: "xwiki/cryptpad:${VERSION}"
    hostname: cryptpad
    labels:
      - "traefik.backend=cryptpad"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:cryptpad.myserver.com"
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.frontend.passHostHeader=true"
      - "traefik.default.protocol=https"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    restart: always
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
    networks:
      - proxy
      - default
    expose:
      - "3000"
networks:
  proxy:
    external: true
Any help would be greatly appreciated, and of course I can provide many more details if necessary.
I think you are running into this issue:
https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
Apparently Let's Encrypt has disabled TLS-SNI-01 because of security issues. Here is the link to the issue: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
It looks like Let's Encrypt needs a few days before they can enable it again.
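The three ACME failures logged on this page are easy to recognise programmatically: the "ACME client still not built" retries and the v1.7 "ACME challenge not specified" message from the first question, and the "Could not determine solvers" error from this last question, which is what the Traefik of that time logged once Let's Encrypt switched TLS-SNI-01 off (it was never re-enabled for new accounts and was later retired in favour of TLS-ALPN-01). The following added example, which is not part of any answer above and not Traefik code, parses Traefik's logfmt lines, including the escaped quotes inside msg, and maps each ACME error to its cause and the configuration fix. The sample lines are the ones quoted in the questions on this page, embedded here as constructed input together with one unrelated info line.

```python
"""Triage Traefik v1 log lines for ACME failures and report cause and fix per line.

Added example for this page, not Traefik code. Assumes Traefik's default logfmt output
(time="..." level=... msg="...") as quoted in the questions above.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# One logfmt pair: key=bareword or key="quoted, with \" and \\ escapes".
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Where Traefik v1 puts the domain in its ACME messages: domains "x", certificates [x], map[x:
_DOMAIN = re.compile(r'(?:domains? "|certificates \[|map\[)([A-Za-z0-9.-]+)')


def parse_logfmt(line: str) -> dict:
    """Split one logfmt line into key/value pairs, unescaping quoted values."""
    pairs = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        pairs[key] = raw
    return pairs


class Finding(NamedTuple):
    time: str
    domain: Optional[str]
    cause: str
    fix: str


# Message fragment -> (cause, fix). The first matching rule wins.
RULES = [
    ("ACME challenge not specified",
     "no challenge type selected in [acme] (Traefik 1.7 reports this explicitly)",
     "add [acme.httpChallenge] (port 80), [acme.tlsChallenge] (port 443) or [acme.dnsChallenge]"),
    ("Could not determine solvers",
     "the CA offered no challenge this Traefik can solve; Let's Encrypt disabled TLS-SNI-01 on 2018-01-09",
     "upgrade Traefik and select the HTTP or DNS challenge explicitly instead of relying on TLS-SNI-01"),
    ("ACME client still not built",
     "ACME client never initialised, so no certificate can be requested or renewed",
     "find the first ACME error after start-up; on 1.7 it names the missing setting"),
]


def triage(lines) -> list:
    """Return one Finding per log line whose msg matches a known ACME failure."""
    findings = []
    for line in lines:
        fields = parse_logfmt(line)
        msg = fields.get("msg", "")
        for fragment, cause, fix in RULES:
            if fragment in msg:
                match = _DOMAIN.search(msg)
                domain = match.group(1) if match else None
                findings.append(Finding(fields.get("time", ""), domain, cause, fix))
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per cause, which is what you want to see first on a busy proxy."""
    return dict(Counter(f.cause for f in findings))


# Constructed sample: the log lines quoted in the questions on this page, plus one info line.
SAMPLE = r'''
time="2018-08-31T22:43:08Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 6.83135832s"
time="2018-08-31T22:43:15Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 12.680203952s"
time="2018-08-31T22:43:28Z" level=error msg="Error getting ACME client: ACME client still not built"
time="2018-09-01T07:42:44Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain\" detected thanks to rule \"Host:cloud.dnas.one\" : cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge"
time="2018-01-10T13:53:37Z" level=error msg="map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]"
time="2018-01-10T13:53:37Z" level=error msg="Error getting ACME certificates [monitor.myserver.com] : Cannot obtain certificates map[monitor.myserver.com:[monitor.myserver.com] acme: Could not determine solvers]+v"
time="2018-01-10T13:53:37Z" level=info msg="Server configuration reloaded on :9443"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.time} {f.domain or '-'}: {f.cause}\n    fix: {f.fix}")
    print(summarize(triage(SAMPLE.splitlines())))
```

Feed it `docker logs traefik 2>&1` (Traefik v1 writes its log to stderr by default) and look at the summary first; a burst of identical causes across many domains usually points at one static-configuration problem rather than a per-domain one, and restarting Traefik repeatedly to "retry" only spends Let's Encrypt rate limits.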