Is there a way to use traefik (with docker swarm) and SSL without 'let's encrypt'?
Let's encrypt support is awesome (https://docs.traefik.io/user-guide/docker-and-lets-encrypt) but I don't need letsencrypt as we run our own CA in our org.
Is there a way to simply put certificates (.crt and .key) somewhere, as we don't need to generate them (in a folder or as secrets)? Do you have any idea how to do that?
We would like to do a very basic setup and have a few containers in the swarm cluster, and we want to target them by domain, ex: https://foo.ourdomain.com and https://bar.ourdomain.com
Thanks for the help!
You can mount a volume for traefik:
- ${USERDIR}/docker/traefik/acme/yourcrt.crt:/yourcrt.crt
- ${USERDIR}/docker/traefik/acme/yourcrt.key:/yourcrt.key
in your docker-compose and refer to it in traefik.toml:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/yourcrt.crt"
      keyFile = "/yourcrt.key"
In order to get a SSL certificate for a website’s domain from Let’s Encrypt, I have to demonstrate control over the domain. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges.
Q1: When I have a domain name pointing to a VPS and an e-mail address at Let's encrypt, can Traefik automatically take care of the initial authentication process?
Q2: Is it sufficient to keep the http (80) port open for Let's encrypt for the initial validation?
Q3: Does automatic renewal require the 80 port to be open? Or could this also be the 443 port? It is much better to start redirecting all traffic to https from now on. So, can Traefik/LetsEncrypt automatically renew with only the 443 port open?
Q2 and Q3:
The port used to resolve the Let's Encrypt challenge (creation or renewal) depends on which challenge you are using:
For the HTTP challenge, you need to use port 80
For the TLS-ALPN challenge, you need to use port 443
For the DNS challenge, no port is required because the validation process happens on the DNS server.
Creation and renewal use the same port (depending on the challenge), so if you want Traefik to renew your certificate automatically you need to leave the port open.
The answers (so far):
Q1: YES! The e-mail can be just any e-mail address you have. The domain name does not have to be the same as your domain name. The domain name should, indeed, point to the VPS.
Q2: YES! For the first time, leave the 80 port open. Start redirecting after the certificate is installed.
Q3: YES!: I couldn't find an answer, so I immediately tried the suggestions given in the first answer. I restarted about 3 times, due to changing other settings, and no errors were shown in the Traefik logging.
Now let's move on to the real code. In the code you can find the 3 answers. The next file is the traefik.toml file:
logLevel = "ERROR"
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[docker]
domain = "xyz.com"
[api]
[acme]
# Q1 - just use your email address
email = "email@example.com"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
# Q3 answer = this allows for the TLS challenge on port 443
[acme.tlsChallenge]
# Q2 answer = this provides the HTTP challenge on port 80
#[acme.httpChallenge]
#  entryPoint = "http"
The docker-compose file is:
version: '3'
services:
  traefik:
    image: traefik:v1.7
    container_name: traefik
    restart: always
    networks:
      - yourappnet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /your_path/traefik/traefik.toml:/traefik.toml
      - /your_path/traefik/acme.json:/acme.json
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:monitor.xyz.com"
      - "traefik.port=8080"
  yourapp:
    image: dockerhubuser/dockerimagename:latest
    ports:
      - 8080
    networks:
      - yourappnet
    labels:
      - "traefik.docker.network=yourappnet"
      - "traefik.frontend.rule=Host:xyz.com"
networks:
  yourappnet:
    driver: bridge
Question 1
https://docs.traefik.io/configuration/entrypoints/#default-certificate seems to indicate that if I do not specify any certFile or keyFile, a self-signed certificate will be generated by Traefik, and used instead.
There can only be one defaultCertificate set per entrypoint. Use a single set of square brackets [ ], instead of the two needed for normal certificates. If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.
However, when I try this and enter https://localhost/whoami I get an SSL error by Chrome (ERR_SSL_PROTOCOL_ERROR). Logs also show level=error msg="failed to load X509 key pair: tls: failed to find any PEM data in certificate input". Have I misunderstood the configuration in that documentation?
This is the code I have to test this.
test.yml
version: '3.6'
services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/etc/traefik/traefik.toml
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.port=8080"
        - "traefik.frontend.rule=PathPrefixStrip:/traefik"
    networks:
      - traefiknet
  whoami:
    image: emilevauge/whoami
    deploy:
      labels:
        - "traefik.port=80"
        - "traefik.frontend.rule=PathPrefixStrip:/whoami"
    networks:
      - traefiknet
networks:
  traefiknet:
traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[api]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [entryPoints.https.tls.defaultCertificate]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
swarmMode = true
network = "test_traefiknet"
Start with:
docker stack deploy -c test.yml test
Question 2
Note that I also tested doing it as it reads on this page: https://docs.traefik.io/configuration/entrypoints/#static-certificates
If an empty TLS configuration is provided, default self-signed certificates are generated.
However, that also did not work. My question is however, what is the difference between this configuration and the configuration shown in question 1 in the toml file?
I found out the answer. I needed to remove [entryPoints.https.tls.defaultCertificate]. Unfortunately I did not find the documentation very clear in this regard.
Introduction
Configuring a new ingress-controller with Traefik using helm chart and creating secrets.
Info
Kubernetes version: 1.9.3
Helm version: 2.9
Traefik chart version: 1.5
Traefik version: 1.7.2
Problem
I am deploying Traefik through the official helm chart, but I always have the same problem in the logs:
"Error configuring TLS for ingress default/traefik-testing-tls: secret default/traefik-tls does not exist"
I have the secret properly created and configured in the same namespace, and I also checked that the clusterrole and clusterrolebinding are ok and allow access to secrets.
I tried to change the defaultCert and defaultKey but not sure about this.
Configmap:
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "INFO"
    defaultEntryPoints = ["http", "https", "httpn"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
      [entryPoints.httpn]
      address = ":8880"
      compress = true
    [kubernetes]
      namespaces = ["default", "kube-system"]
    [traefikLog]
      format = "json"
    [accessLog]
      format = "common"
      [accessLog.fields]
        defaultMode = "keep"
        [accessLog.fields.names]
        [accessLog.fields.headers]
          defaultMode = "keep"
          [accessLog.fields.headers.names]
Looks like you are missing the traefik-tls secret, for your traefik-testing-tls ingress, that probably holds your TLS certificates. You can follow this.
Instead of:
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
You can use:
kubectl -n kube-system create secret tls traefik-tls --key=tls.key --cert=tls.crt
After several checks (rbacs, namespaces, etc.), a member from Traefik told us that the k8s objects are loaded asynchronously (so the ingress may be loaded before the secret); this is the reason it gives a problem at the start of Traefik.
I'm using traefik for providing some services on my NAS with https using Let's Encrypt. Now I noticed that the tls certs of my nextcloud installation expired yesterday evening. Traefik had logs like this:
time="2018-08-31T22:43:08Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 6.83135832s"
time="2018-08-31T22:43:15Z" level=error msg="Error getting ACME client: ACME client still not built, retrying in 12.680203952s"
time="2018-08-31T22:43:28Z" level=error msg="Error getting ACME client: ACME client still not built"
I updated to v1.7 but now the error is different:
time="2018-09-01T07:42:44Z" level=error msg="Unable to obtain ACME certificate for domains \"my.domain\" detected thanks to rule \"Host:cloud.dnas.one\" : cannot get ACME client ACME challenge not specified, please select TLS or HTTP or DNS Challenge"
This message is posted for every domain, internal as well as external. I couldn't find much information about this issue.
Traefik configuration:
defaultEntryPoints = ["http", "https"]
idleTimeout = 0
dialTimeout = 0
logLevel = "WARN"
[entryPoints]
  [entryPoints.http]
  address = ":80"
  #entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
# Lets Encrypt via ACME
[acme]
email = "my@email.de"
storage = "acme.json"
entryPoint = "https"
onDemand = false
OnHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "nas.one"
watch = true
Your traefik.toml file hasn't specified the challenge method with which it is supposed to get the certificates from Let's Encrypt. The 1.7 error message is more clear about that.
If you want to use the HTTP challenge, add the following lines:
[acme.httpChallenge]
entryPoint = "http"
If you want to use the DNS challenge (Required if you want to use wildcard certificates), add the following lines:
[acme.dnsChallenge]
provider = "YOURPROVIDER"
delayBeforeCheck = 0
Check the documentation for the rest of the configuration.
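The three misconfigurations these threads ran into (an empty [entryPoints.https.tls.defaultCertificate] table, a [[...tls.certificates]] entry missing its certFile or keyFile, and an [acme] section with no challenge table) can be caught before restarting Traefik. The following linter is an added example, not code from the threads or from Traefik; it assumes a hand-written parser for the small TOML subset these configs use (tables, array tables, key = value lines) and constructs its own sample input.

```python
import re

TABLE_RE = re.compile(r"^\[\[([\w.]+)\]\]$|^\[([\w.]+)\]$")

def parse_tables(text):
    """Minimal parser for the TOML subset in these configs: [table], [[array.table]]
    and key = value lines. Returns {table_name: [dict, ...]}, one dict per header."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            tables.setdefault(current, []).append({})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            tables[current][-1][key.strip()] = value.strip().strip('"')
    return tables

def lint(text):
    """Return the misconfigurations found; an empty list means none of them apply."""
    t, findings = parse_tables(text), []
    # Traefik 1.7 cannot build an ACME client without a challenge table.
    challenges = ("acme.httpChallenge", "acme.tlsChallenge", "acme.dnsChallenge")
    if "acme" in t and not any(c in t for c in challenges):
        findings.append("acme: no httpChallenge, tlsChallenge or dnsChallenge table")
    # The entry point ACME uses must terminate TLS.
    ep = t.get("acme", [{}])[0].get("entryPoint")
    if ep and f"entryPoints.{ep}.tls" not in t:
        findings.append(f"acme.entryPoint '{ep}' has no [entryPoints.{ep}.tls] table")
    for name, entries in t.items():
        # An empty defaultCertificate table breaks Traefik's self-signed fallback.
        if name.endswith(".tls.defaultCertificate") and not (
            "certFile" in entries[0] and "keyFile" in entries[0]):
            findings.append(f"{name}: empty table; remove it or set certFile and keyFile")
        # Static certificates need both halves of the key pair.
        if name.endswith(".tls.certificates"):
            for i, cert in enumerate(entries):
                if "certFile" not in cert or "keyFile" not in cert:
                    findings.append(f"{name}[{i}]: certFile and keyFile are both required")
    return findings

# Constructed sample: ACME enabled on the https entry point but no challenge table.
SAMPLE = """[entryPoints.https.tls]
[acme]
entryPoint = "https"
"""
```

Run `lint(open("traefik.toml").read())` against a real file; it reports the same three problems the answers above resolve by hand.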
So I have several different domains that would be pointing to my server that is running Docker and Traefik as a reverse proxy.
I want Traefik to convert all HTTP traffic to HTTPS, but is it possible to have individual SSL certificates (issued by Let's Encrypt) for each domain that is hosted by the server?
If it is possible, how can I properly set this up in the traefik.toml file?
I see this:
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"
But is it possible to have Traefik send a request to generate a certificate based on what is entered in the traefik.frontend.rule?
Yes, follow the traefik + letsencrypt guide here: https://docs.traefik.io/user-guide/docker-and-lets-encrypt/
Traefik can connect to the docker daemon, and automatically check the labels for traefik.frontend.rule and generate hosts and SSL certificates from these.