Wild card certs wit...
 
Notifications
Clear all

Wild card certs with traefik - to many guides out there and none help

15 Posts
3 Users
5 Reactions
750 Views
Posts: 8
 dan
Topic starter
(@dirtyharrywk)
Active Member
Joined: 10 months ago

I should add this to the mix... I'm running pi-hole on a separate server.

Reply
1 Reply
Brandon Lee
Admin
(@brandon-lee)
Joined: 14 years ago

Member
Posts: 398

@dirtyharrywk Let's go back to the basics and start with a simple example. I would eliminate all the other variables. You don't have to configure the middleware for auth to Traefik. I would start with your Docker host and Docker compose YAML that is configured for the basics. Take a look at the example below. You should be able to use this example and get up and running with Traefik to get a better feel for how things work.

Below:

  • Replace with your email address
  • Replace "testdomain.com" with your domain
  • Replace the cloudflare email and API token with your own
  • Replace the IP address I have in the traefik.http.routers.traefik.rule=host('10.1.149.76')' with your own IP that you want to use to access Traefik itself
  • For the Nginx container, replace the nginx.testdomain.com with a record for your domain to test with.
  • ***Note, I would uncomment the "certificateresolvers.myresolver.acme.caserver="....staging...." - When you are testing, you can uncomment this and they won't rate limit you when trying to get things right. When you get a cert from their staging server, it will present with an SSL error, but you just need to look in your browser dev console > security tab and get the cert details to see that you are pulling from their staging server....Once you verify you are, you should be able to comment it back out and hit their production server.

Let's start with this example and see where you get.....

version: '3.8'

services:
  traefik2:
    image: traefik:latest
    restart: always
    command:
      # Tell Traefik to discover containers using the Docker API
      - --providers.docker=true
      # Enable the Trafik dashboard
      - --api.dashboard=true
      # Set up LetsEncrypt
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=<your email address>
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      #- --certificatesresolvers.myresolver.acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory"
      # Set up an insecure listener that redirects all traffic to TLS
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      # Set up the TLS configuration for our websecure listener
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=testdomain.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.testdomain.com
      - --serverstransport.insecureskipverify=true
    environment:
      - CLOUDFLARE_EMAIL=<your email address>
      - CLOUDFLARE_DNS_API_TOKEN=<cloudflare API token>
    ports:
      - 80:80
      - 443:443
    networks:
      traefik:
        ipv4_address: 172.19.0.10
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ~/homelabservices/letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - 'traefik.http.routers.traefik.rule=Host(`10.1.149.76`)'
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - 'traefik.http.routers.traefik.middlewares=strip'
      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
    container_name: traefik

  nginx:
    container_name: nginx
    image: nginx:latest
    restart: always
    networks:
      traefik:
        ipv4_address: 172.19.0.11
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.testdomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls=true"
       

networks:
  traefik:
    driver: bridge
    name: traefik
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16

ย 

ย 

Reply
Posts: 8
 dan
Topic starter
(@dirtyharrywk)
Active Member
Joined: 10 months ago

I'm getting this after running docker-compose up -d

Recreating nginx ...

Recreating traefik ... error

Recreating nginx ย  ... error

ork's subnets

ERROR: for nginxย  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: for traefik2ย  Cannot start service traefik2: Invalid address 172.19.0.10: It does not belong to any of this network's subnets

ERROR: for nginxย  Cannot start service nginx: Invalid address 172.19.0.11: It does not belong to any of this network's subnets

ERROR: Encountered errors while bringing up the project.
Reply
1 Reply
Brandon Lee
Admin
(@brandon-lee)
Joined: 14 years ago

Member
Posts: 398

@dirtyharrywk On the network portion, this is due to the network config I had pasted in the sample file. You can remove that if you want and the network line for containers and it shouldn't cause an issue. @termv totally agreed about the Traefik documentation. It is all over the place!

Reply
Posts: 15
(@termv)
Eminent Member
Joined: 12 months ago

Hi

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)


Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.


Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

Reply
1 Reply
 dan
(@dirtyharrywk)
Joined: 10 months ago

Active Member
Posts: 8

Posted by: @termv

Hi

@dirtyharrywk. Unfortunately the Traefik docs are a confusing and disorganized mess (well, in my opinion!)


Most importantly, your http block should not be a child of providers. It needs to be unindented so it's at the root.


Your dashboard rule needs tweaking:

http:
  routers:
    dashboard:
      rule: Host(`traefik.MY_DOMAIN.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

https redirection can be accomplished using this recipe instead of a middleware:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443

I hope this solves your problem, or at least gets you further along.

I have no idea where this is suppose to go.ย  Dashboard rule?ย  Huh?ย  In the docker-compose.yml?ย  That is the only file I have.

ย 

Reply
Posts: 8
 dan
Topic starter
(@dirtyharrywk)
Active Member
Joined: 10 months ago

Why the nginx container?ย  I thought I was using traefik, not nginx.ย  Again this makes no sense at all.

Reply
1 Reply
Brandon Lee
Admin
(@brandon-lee)
Joined: 14 years ago

Member
Posts: 398

@dirtyharrywk Hey don't get confused with the example. In the example file, we are just setting up a simple Nginx web container to see how the letsencrypt SSL certs work with Traefik. I think this is the best place to start. If you can get this example to work, it is just a matter of adding your containers as you want to benefit from the wildcard cert. Does this make sense? I would like to see you get to the point of having a small test environment with a single Docker compose file before moving on to more complex setups.

Reply
Page 2 / 2