Properly Setting up Traefik HTTPS - traefik

So I have several different domains that would be pointing to my server that is running Docker and Traefik as a reverse proxy.
I want Traefik to convert all HTTP traffic to HTTPS, but is it possible to have individual SSL certificates (issued by Let's Encrypt) for each domain that is hosted by the server?
If it is possible, how can I properly set this up in the traefik.toml file?
I see this:
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
But is it possible to have Traefik send a request to generate a certificate based on what is entered in the traefik.frontend.rule ?

Yes, follow the traefik + letsencrypt guide here : https://docs.traefik.io/user-guide/docker-and-lets-encrypt/
Traefik can connect to the docker daemon, and automatically check the labels for traefik.frontend.rule and generate hosts and SSL certificates from these.

Related

Local GitLab server with self-signed SSL certificate

Hello, I configured a GitLab server on a VM (OL7). I can easily call the HTTP page, but when I use my self-signed SSL certificate generated using the method offered here, I can't call my page and I get a timeout error. My configuration is simple and I have already tried different variants. Could someone tell me how I can configure this? Note that I don't want to use Let's Encrypt for this.
This is an example of my gitlab.rb:
external_url 'http://gitlab.icw19.lab'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.icw19.lab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.icw19.lab.key"
Your external_url value should include https:// to indicate that you wish to use SSL on port 443. Then GitLab will listen on 443 and will configure Nginx to use your SSL certificates.
external_url 'https://gitlab.icw19.lab'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.icw19.lab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.icw19.lab.key"

Does Traefik take care of the initial "Let's encrypt" authentication and renewal?

In order to get a SSL certificate for a website’s domain from Let’s Encrypt, I have to demonstrate control over the domain. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges.
Q1: When I have a domain name pointing to a VPS and an e-mail address at Let's encrypt, can Traefik automatically take care of the initial authentication process?
Q2: Is it sufficient to keep the http (80) port open for Let's encrypt for the initial validation?
Q3: Does automatic renewal require port 80 to be open? Or could this also be port 443? It is much better to start redirecting all traffic to https from now on. So, can Traefik/LetsEncrypt automatically renew with port 443 open?
Q2 and Q3:
The port used to resolve the Let's Encrypt challenge (creation or renewal) depends on which challenge you are using:
For the HTTP challenge, you need to use port 80.
For the TLS-ALPN challenge, you need to use port 443.
For the DNS challenge, no port is required because the validation process happens on the DNS server.
Creation and renewal use the same port (depending on the challenge), so if you want Traefik to renew your certificate automatically, you need to leave the port open.
The answers (so far):
Q1: YES! The e-mail can be just any e-mail address you have. The domain name does not have to be the same as your domain name. The domain name should, indeed, point to the VPS.
Q2: YES! For the first time, leave the 80 port open. Start redirecting after the certificate is installed.
Q3: YES!: I couldn't find an answer, so I immediately tried the suggestions given in the first answer. I restarted about 3 times, due to changing other settings, and no errors were shown in the Traefik logging.
Now let's move on to the real code. In the code you can find the 3 answers. The next file is the traefik.toml file:
logLevel = "ERROR"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[docker]
domain = "xyz.com"
[api]
[acme]
# Q1 - just use your email address
email = "email@example.com"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
# Q3 answer = this allows for the TLS challenge on port 443
[acme.tlsChallenge]
# Q2 answer = this provides the HTTP challenge on port 80
#[acme.httpChallenge]
# entryPoint = "http"
The docker-compose file is:
version: '3'
services:
  traefik:
    image: traefik:v1.7
    container_name: traefik
    restart: always
    networks:
      - yourappnet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /your_path/traefik/traefik.toml:/traefik.toml
      - /your_path/traefik/acme.json:/acme.json
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:monitor.xyz.com"
      - "traefik.port=8080"
  yourapp:
    image: dockerhubuser/dockerimagename:latest
    ports:
      - 8080
    networks:
      - yourappnet
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:xyz.com"
networks:
  yourappnet:
    driver: bridge

Error configuring Traefik TLS "Error configuring TLS for ingress secret does not exist"

Introduction
Configuring a new ingress-controller with Traefik using helm chart and creating secrets.
Info
Kubernetes version: 1.9.3
Helm version: 2.9
Traefik chart version: 1.5
Traefik version: 1.7.2
Problem
I am deploying Traefik through the official helm chart, but I always have the same problem in the logs:
"Error configuring TLS for ingress default/traefik-testing-tls: secret default/traefik-tls does not exist"
I have the secret properly created and configured in the same namespace, and I also checked that the clusterrole and clusterrolebindings are OK and allow access to secrets.
I tried to change the defaultCert and defaultKey, but I am not sure about this.
Configmap:
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "INFO"
    defaultEntryPoints = ["http", "https", "httpn"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
      [entryPoints.httpn]
      address = ":8880"
      compress = true
    [kubernetes]
    namespaces = ["default", "kube-system"]
    [traefikLog]
      format = "json"
    [accessLog]
      format = "common"
      [accessLog.fields]
        defaultMode = "keep"
        [accessLog.fields.names]
        [accessLog.fields.headers]
          defaultMode = "keep"
          [accessLog.fields.headers.names]
Looks like you are missing the traefik-tls secret, for your traefik-testing-tls ingress, that probably holds your TLS certificates. You can follow this.
Instead of:
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
You can use:
kubectl -n kube-system create secret tls traefik-tls --key=tls.key --cert=tls.crt
After several checks (RBAC, namespaces, etc.), a member from Traefik told us that the k8s objects are loaded asynchronously (so the ingress may be loaded before the secret); this is the reason why it gives a problem at the start of Traefik.
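
The log line names the secret as namespace/name (default/traefik-tls), and an Ingress can only reference a TLS secret in its own namespace, so a secret created under a different namespace does not satisfy it. The following added example (not from the original posts or from Traefik) cross-checks the parsed output of `kubectl get ingress --all-namespaces -o json` and `kubectl get secrets --all-namespaces -o json`; the function name and the sample objects are constructed for illustration.

```python
def missing_tls_secrets(ingress_list, secret_list):
    """Return (namespace, ingress, secretName, reason) for every TLS secret an
    ingress references that is absent from, or unusable in, its own namespace."""
    secrets = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
               for s in secret_list["items"]}
    findings = []
    for ing in ingress_list["items"]:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for tls in ing.get("spec", {}).get("tls", []):
            ref = tls.get("secretName")
            if not ref:
                continue  # TLS entry without a secret: nothing to look up
            secret = secrets.get((ns, ref))
            if secret is None:
                # Same name in another namespace is a common cause of this error.
                elsewhere = sorted(n for (n, s) in secrets if s == ref)
                reason = ("exists only in " + ",".join(elsewhere)
                          if elsewhere else "not found")
            elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
                reason = "missing tls.crt/tls.key"
            else:
                continue
            findings.append((ns, name, ref, reason))
    return findings

# Constructed sample objects in the shape of `kubectl ... -o json` output.
INGRESSES = {"items": [{
    "metadata": {"namespace": "default", "name": "traefik-testing-tls"},
    "spec": {"tls": [{"secretName": "traefik-tls"}]}}]}
SECRETS = {"items": [{
    "metadata": {"namespace": "kube-system", "name": "traefik-tls"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"}}]}

if __name__ == "__main__":
    for finding in missing_tls_secrets(INGRESSES, SECRETS):
        print("%s/%s -> secret %s: %s" % finding)
```
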

Traefik: Unable to obtain ACME certificate for domains

I'm using traefik for providing some services on my NAS with https using lets encrypt. Now I noticed that the tls certs of my nextcloud installation expired yesterday evening. Traefik had logs like this:
time="2018-08-31T22:43:08Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 6.83135832s"
time="2018-08-31T22:43:15Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 12.680203952s"
time="2018-08-31T22:43:28Z" level=error msg="Error getting ACME client: ACME client still not built"
I updated to v1.7 but now the error is different:
time="2018-09-01T07:42:44Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain\" detected thanks to rule \"Host:cloud.dnas.one\" : cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge"
This message is posted for every domain, internal as well as externals. Couldn't find much information about this issue.
Traefik configuration:
defaultEntryPoints = ["http", "https"]
idleTimeout = 0
dialTimeout = 0
logLevel = "WARN"
[entryPoints]
[entryPoints.http]
address = ":80"
#entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Lets Encrypt via ACME
[acme]
email = "my@email.de"
storage = "acme.json"
entryPoint = "https"
onDemand = false
OnHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "nas.one"
watch = true
Your traefik.toml file hasn't specified the challenge method with which it is supposed to get the certificates from Let's Encrypt. The 1.7 error message is more clear about that.
If you want to use the HTTP challenge, add the following lines:
[acme.httpChallenge]
entryPoint = "http"
If you want to use the DNS challenge (Required if you want to use wildcard certificates), add the following lines:
[acme.dnsChallenge]
provider = "YOURPROVIDER"
delayBeforeCheck = 0
Check the documentation for the rest of the configuration.
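
An offline check for the two points made in the answers on this page: an [acme] section needs a challenge table, and the challenge decides which port Let's Encrypt must reach (80 for HTTP, 443 for TLS-ALPN, none for DNS). This is an added example, not part of the original answers or of Traefik; the function names and sample configs are constructed here, and it reads only table headers and simple key = value lines of a Traefik v1 traefik.toml, comparing names case-insensitively.

```python
import re

# Port Let's Encrypt must reach for each challenge table (None: no inbound port).
CHALLENGE_PORT = {"tlschallenge": 443, "httpchallenge": 80, "dnschallenge": None}

def parse_tables(text):
    """Read [table] headers and key = value lines; enough for this check,
    not a general TOML parser ([[arrays]] and multi-line values are skipped)."""
    tables, current = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[([\w.]+)\]", line)
        pair = re.match(r'(\w+)\s*=\s*"?([^"#]*)', line)
        if header:
            current = header.group(1).lower()
            tables.setdefault(current, {})
        elif pair:
            tables[current][pair.group(1).lower()] = pair.group(2).strip()
    return tables

def audit_acme(text):
    """Return (challenge, port, problems) for a Traefik v1 traefik.toml."""
    t = parse_tables(text)
    if "acme" not in t:
        return None, None, ["no [acme] section"]
    chosen = [c for c in CHALLENGE_PORT if "acme." + c in t]
    if not chosen:
        return None, None, ["no challenge selected under [acme]"]
    challenge, problems = chosen[0], []
    port = CHALLENGE_PORT[challenge]
    # TLS-ALPN answers on acme.entryPoint, HTTP on acme.httpChallenge.entryPoint.
    section = "acme.httpchallenge" if challenge == "httpchallenge" else "acme"
    if port is not None:
        ep = t[section].get("entrypoint", "")
        addr = t.get("entrypoints." + ep.lower(), {}).get("address", "")
        if not addr.endswith(":%d" % port):
            problems.append("entryPoint %r listens on %r, need port %d"
                            % (ep, addr, port))
    return challenge, port, problems

# Constructed samples, condensed from the configurations quoted on this page.
NO_CHALLENGE = ('[entryPoints.https]\naddress = ":443"\n'
                '[acme]\nentryPoint = "https"\nOnHostRule = true\n')
TLS_CHALLENGE = NO_CHALLENGE + "[acme.tlsChallenge]\n"
HTTP_ON_443 = NO_CHALLENGE + '[acme.httpChallenge]\nentryPoint = "https"\n'

if __name__ == "__main__":
    for name in ("NO_CHALLENGE", "TLS_CHALLENGE", "HTTP_ON_443"):
        print(name, audit_acme(globals()[name]))
```
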

Traefik SSL without let's encrypt

Is there a way to use traefik (with docker swarm) and SSL without 'let's encrypt'?
Let's encrypt support is awesome (https://docs.traefik.io/user-guide/docker-and-lets-encrypt) but I don't need letsencrypt as we run our own CA in our org.
Is there a way to simply put certificates (.crt and .key) somewhere as we don't need to generate them (in a folder or as secrets). Do you have any idea how to do that ?
We would like to do a very basic setup and have a few containers in the swarm cluster, and we want to target them by domain, ex: https://foo.ourdomain.com and https://bar.ourdomain.com
Thanks for the help!
You can mount a volume for traefik:
- ${USERDIR}/docker/traefik/acme/yourcrt.crt:/yourcrt.crt
- ${USERDIR}/docker/traefik/acme/yourcrt.key:/yourcrt.key
in your docker-compose and refer to it in traefik.toml:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/yourcrt.crt"
keyFile = "/yourcrt.key"