Wild card certs with traefik - too many guides out there and none help

 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

I've been struggling with creating a reverse proxy with wild card certificates for my local home lab.  I tried Wolfgang's solution using duckdns.org with Nginx but it never works.  I tried TechnoTim's solution but got confused.  I have a sysadmin and developer background and need help (step-by-step) using traefik in docker.  Thank you!

 
Posted : 19/02/2024 9:40 pm
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk welcome to the forums! Traefik and Docker with LetsEncrypt can definitely make you pull your hair out when getting started. Here are a couple of posts that I have written. I am not sure if you have looked at these as of yet. Let me know where you are running into issues. Normally it is always something small that trips many up with this.

If you want to go the Traefik route:

https://www.virtualizationhowto.com/2023/02/traefik-letsencrypt-certificates-configuration/

If you want to try Nginx Proxy Manager (it is the easiest since it has a GUI):

https://www.virtualizationhowto.com/2023/10/setting-up-nginx-proxy-manager-on-docker-with-easy-letsencrypt-ssl/

Hopefully we can work through the issues 👍 

 
Posted : 19/02/2024 9:54 pm
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk Also keep in mind, you will need to have a real registered domain out there that is reachable with DNS. What DNS provider are you using?

 
Posted : 19/02/2024 9:55 pm
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

Thanks @brandon-lee.  I do have a domain with Namecheap and Cloudflare as my DNS.

 
Posted : 20/02/2024 8:36 am
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk Great! I think Cloudflare is one of the easiest to make work without issues. Let me know if you can follow one of the processes in the blog posts and let me know if you run into any issues along the way and if you have any questions 👍

 
Posted : 20/02/2024 8:50 am
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

I'm confused on the step "Redirect to HTTPS".  Where does that go?  The traefik.yml file already has "middlewares" for HTTP.

traefik.yml:

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml
  http:
    routers:
      dashboard:
        rule: Host(`traefik.MY_DOMAIN.com`)
        service: api@internal
        middlewares:
          - traefik-auth
        tls:
          certResolver: dns-cloudflare
    middlewares:
      traefik-auth:
        basicAuth:
          users:
            - "admin:admin"
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: MY_EMAIL_ADDRESS
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
      caServer:  https://acme-v02.api.letsencrypt.org/directory 
 
Posted : 20/02/2024 12:17 pm
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

traefik.yml:

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml
  http:
    routers:
      dashboard:
        rule: Host(`traefik.MY_DOMAIN.com`)
        service: api@internal
        middlewares:
          - traefik-auth
        tls:
          certResolver: dns-cloudflare
    middlewares:
      traefik-auth:
        basicAuth:
          users:
            - "admin:admin"
      redirect-to-https:
        redirectScheme:
          scheme: https
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: MY_EMAIL
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
      caServer:  https://acme-v02.api.letsencrypt.org/directory 

 

log file is displaying this:

2024/02/20 17:21:51 command traefik error: field not found, node: middlewares
 
Posted : 20/02/2024 12:22 pm
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

I should add this to the mix... I'm running pi-hole on a separate server.

 
Posted : 20/02/2024 1:33 pm
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk Let's go back to the basics and start with a simple example. I would eliminate all the other variables. You don't have to configure the middleware for auth to Traefik. I would start with your Docker host and Docker compose YAML that is configured for the basics. Take a look at the example below. You should be able to use this example and get up and running with Traefik to get a better feel for how things work.

Below:

  • Replace with your email address
  • Replace "testdomain.com" with your domain
  • Replace the cloudflare email and API token with your own
  • Replace the IP address I have in traefik.http.routers.traefik.rule=Host(`10.1.149.76`) with your own IP that you want to use to access Traefik itself
  • For the Nginx container, replace the nginx.testdomain.com with a record for your domain to test with.
  • ***Note, I would uncomment the "certificateresolvers.myresolver.acme.caserver="....staging...." - When you are testing, you can uncomment this and they won't rate limit you when trying to get things right. When you get a cert from their staging server, it will present with an SSL error, but you just need to look in your browser dev console > security tab and get the cert details to see that you are pulling from their staging server....Once you verify you are, you should be able to comment it back out and hit their production server.

Let's start with this example and see where you get.....

version: '3.8'

services:
  traefik2:
    image: traefik:latest
    restart: always
    command:
      # Tell Traefik to discover containers using the Docker API
      - --providers.docker=true
      # Enable the Traefik dashboard
      - --api.dashboard=true
      # Set up LetsEncrypt (the resolver is named "letsencrypt"; every option below must use that same name)
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=<your email address>
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Uncomment while testing to use the staging CA (no rate limits, but browsers will flag the cert as untrusted)
      #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=testdomain.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.testdomain.com
      # Disables certificate verification towards backends; only needed for backends with self-signed certs (nginx here is plain HTTP)
      - --serverstransport.insecureskipverify=true
    environment:
      - CLOUDFLARE_EMAIL=<your email address>
      - CLOUDFLARE_DNS_API_TOKEN=<cloudflare API token>
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        ipv4_address: 172.19.0.10
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ~/homelabservices/letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      # Dashboard router: no auth middleware for this lab test; add basicAuth before exposing it beyond your LAN
      - 'traefik.http.routers.traefik.rule=Host(`10.1.149.76`)'
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - 'traefik.http.routers.traefik.middlewares=strip'
      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
    container_name: traefik

  nginx:
    container_name: nginx
    image: nginx:latest
    restart: always
    networks:
      traefik:
        ipv4_address: 172.19.0.11
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.testdomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls=true"

networks:
  traefik:
    driver: bridge
    name: traefik
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
Posted : 20/02/2024 10:12 pm
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

I'm getting this after running docker-compose up -d

Recreating nginx ...
Recreating traefik ... error
Recreating nginx   ... error
ork's subnets

ERROR: for nginx  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: for traefik2  Cannot start service traefik2: Invalid address 172.19.0.10: It does not belong to any of this network's subnets

ERROR: for nginx  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: Encountered errors while bringing up the project.
 
Posted : 21/02/2024 8:38 pm
(@termv)
Posts: 16
Eminent Member
 

Hi

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)


Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.


Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

 
Posted : 22/02/2024 10:04 am
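Putting termv's corrections together with the file-based layout from dan's first traefik.yml, the two files can look like this (an added example, not termv's or Brandon's config). Traefik only accepts entryPoints, providers, api and certificatesResolvers in the static file; the http block with routers and middlewares goes at the root of the dynamic file that providers.file.filename already points to. It also adds what the thread asks for but does not show: the wildcard domains on the websecure entry point and an htpasswd-hashed dashboard password. MY_DOMAIN.com, MY_EMAIL_ADDRESS and the hash are placeholders.

```yaml
# file: traefik.yml  (static configuration, read once at startup)
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure      # every plain-HTTP request is redirected to the TLS entry point
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: dns-cloudflare
        domains:             # one wildcard certificate for the apex and all subdomains
          - main: MY_DOMAIN.com
            sans:
              - "*.MY_DOMAIN.com"
api:
  dashboard: true            # reachable only through the dashboard router in dynamic.yml
providers:
  docker:
    exposedByDefault: false  # containers must opt in with traefik.enable=true
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: MY_EMAIL_ADDRESS
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare # the token comes from CLOUDFLARE_DNS_API_TOKEN in the container env
      # uncomment while testing so the production CA does not rate-limit you:
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
---
# file: /etc/traefik/dynamic.yml  (dynamic configuration; routers and middlewares live here)
http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      entryPoints:
        - websecure
      service: api@internal
      middlewares:
        - traefik-auth
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "admin:REPLACE_WITH_HTPASSWD_HASH"  # generate with `htpasswd -nB admin`; plaintext never matches
```

Mount the static file at /etc/traefik/traefik.yml (Traefik's default location) and the dynamic file at the path named above, and pass the Cloudflare token as an environment variable of the container. The router no longer needs its own tls: key because the websecure entry point enables TLS, with the wildcard certificate, for every router bound to it.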
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk On the network portion, this is due to the network config I had pasted in the sample file. You can remove that if you want and the network line for containers and it shouldn't cause an issue. @termv totally agreed about the Traefik documentation. It is all over the place!

 
Posted : 22/02/2024 11:30 am
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

Posted by: @termv

Hi

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)


Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.


Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

I have no idea where this is supposed to go.  Dashboard rule?  Huh?  In the docker-compose.yml?  That is the only file I have.

 
Posted : 22/02/2024 7:19 pm
 dan
(@dirtyharrywk)
Posts: 8
Active Member
Topic starter
 

Why the nginx container?  I thought I was using traefik, not nginx.  Again this makes no sense at all.

 
Posted : 22/02/2024 7:24 pm
Brandon Lee
(@brandon-lee)
Posts: 537
Member Admin
 

@dirtyharrywk Hey don't get confused with the example. In the example file, we are just setting up a simple Nginx web container to see how the letsencrypt SSL certs work with Traefik. I think this is the best place to start. If you can get this example to work, it is just a matter of adding your containers as you want to benefit from the wildcard cert. Does this make sense? I would like to see you get to the point of having a small test environment with a single Docker compose file before moving on to more complex setups.

 
Posted : 22/02/2024 10:13 pm