Wild card certs with traefik - to many guides out there and none help - Kubernetes and Containers

RE: Wild card certs with traefik - to many guides out there and none help

Brandon Lee — Fri, 23 Feb 2024 03:13:20 +0000

@dirtyharrywk Hey don't get confused with the example. In the example file, we are just setting up a simple Nginx web container to see how the letsencrypt SSL certs work with Traefik. I think this is the best place to start. If you can get this example to work, it is just a matter of adding your containers as you want to benefit from the wildcard cert. Does this make sense? I would like to see you get to the point of having a small test environment with a single Docker compose file before moving on to more complex setups.

RE: Wild card certs with traefik - to many guides out there and none help

dan — Fri, 23 Feb 2024 00:24:08 +0000

Why the nginx container? I thought I was using traefik, not nginx. Again this makes no sense at all.

RE: Wild card certs with traefik - to many guides out there and none help

dan — Fri, 23 Feb 2024 00:19:55 +0000

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)

Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.

Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

I have no idea where this is suppose to go. Dashboard rule? Huh? In the docker-compose.yml? That is the only file I have.

RE: Wild card certs with traefik - to many guides out there and none help

Brandon Lee — Thu, 22 Feb 2024 16:30:12 +0000

@dirtyharrywk On the network portion, this is due to the network config I had pasted in the sample file. You can remove that if you want and the network line for containers and it shouldn't cause an issue. @termv totally agreed about the Traefik documentation. It is all over the place!

RE: Wild card certs with traefik - to many guides out there and none help

TermV — Thu, 22 Feb 2024 15:04:26 +0000

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)

Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.

Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

RE: Wild card certs with traefik - to many guides out there and none help

dan — Thu, 22 Feb 2024 01:38:01 +0000

I'm getting this after running docker-compose up -d

Recreating nginx ...

Recreating traefik ... error

Recreating nginx   ... error

ork's subnets

ERROR: for nginx  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: for traefik2  Cannot start service traefik2: Invalid address 172.19.0.10: It does not belong to any of this network's subnets

ERROR: for nginx  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: Encountered errors while bringing up the project.

RE: Wild card certs with traefik - to many guides out there and none help

Brandon Lee — Wed, 21 Feb 2024 03:12:47 +0000

@dirtyharrywk Let's go back to the basics and start with a simple example. I would eliminate all the other variables. You don't have to configure the middleware for auth to Traefik. I would start with your Docker host and Docker compose YAML that is configured for the basics. Take a look at the example below. You should be able to use this example and get up and running with Traefik to get a better feel for how things work.

Below:

Replace with your email address
Replace "testdomain.com" with your domain
Replace the cloudflare email and API token with your own
Replace the IP address I have in the traefik.http.routers.traefik.rule=host('10.1.149.76')' with your own IP that you want to use to access Traefik itself
For the Nginx container, replace the nginx.testdomain.com with a record for your domain to test with.
***Note, I would uncomment the "certificateresolvers.myresolver.acme.caserver="....staging...." - When you are testing, you can uncomment this and they won't rate limit you when trying to get things right. When you get a cert from their staging server, it will present with an SSL error, but you just need to look in your browser dev console > security tab and get the cert details to see that you are pulling from their staging server....Once you verify you are, you should be able to comment it back out and hit their production server.

Let's start with this example and see where you get.....

version: '3.8'

services:
  traefik2:
    image: traefik:latest
    restart: always
    command:
      # Tell Traefik to discover containers using the Docker API
      - --providers.docker=true
      # Enable the Trafik dashboard
      - --api.dashboard=true
      # Set up LetsEncrypt
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      #- --certificatesresolvers.myresolver.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory"
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains.main=testdomain.com
      - --entrypoints.websecure.http.tls.domains.sans=*.testdomain.com
      - --serverstransport.insecureskipverify=true
    environment:
      - CLOUDFLARE_EMAIL=
      - CLOUDFLARE_DNS_API_TOKEN=
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        ipv4_address: 172.19.0.10
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ~/homelabservices/letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - 'traefik.http.routers.traefik.rule=Host(`10.1.149.76`)'
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - 'traefik.http.routers.traefik.middlewares=strip'
      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
    container_name: traefik

  nginx:
    container_name: nginx
    image: nginx:latest
    restart: always
    networks:
      traefik:
        ipv4_address: 172.19.0.11
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.testdomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls=true"
       

networks:
  traefik:
    driver: bridge
    name: traefik
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16

RE: Wild card certs with traefik - to many guides out there and none help

dan — Tue, 20 Feb 2024 18:33:51 +0000

I should add this to the mix... I'm running pi-hole on a separate server.

RE: Wild card certs with traefik - to many guides out there and none help

dan — Tue, 20 Feb 2024 17:22:41 +0000

traefik.yml:

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml
  http:
    routers:
      dashboard:
        rule: Host(`traefik.MY_DOMAIN.com`)
        service: api@internal
        middlewares:
          - traefik-auth
        tls:
          certResolver: dns-cloudflare
    middlewares:
      traefik-auth:
        basicAuth:
          users:
            - "admin:admin"
      redirect-to-https:
        redirectScheme:
          scheme: https
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: MY_EMAIL
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
      caServer: https://acme-v02.api.letsencrypt.org/directory

log file is displaying this:

2024/02/20 17:21:51 command traefik error: field not found, node: middlewares

RE: Wild card certs with traefik - to many guides out there and none help

dan — Tue, 20 Feb 2024 17:17:29 +0000

I'm confused on the step "Redirect to HTTPS". Where does that go? The traefik.yml file already has "middlewares" for HTTP.

traefik.yml:

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml
  http:
    routers:
      dashboard:
        rule: Host(`traefik.MY_DOMAIN.com`)
        service: api@internal
        middlewares:
          - traefik-auth
        tls:
          certResolver: dns-cloudflare
    middlewares:
      traefik-auth:
        basicAuth:
          users:
            - "admin:admin"
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: MY_EMAIL_ADDRESS
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
      caServer: https://acme-v02.api.letsencrypt.org/directory