docker-swarm traefik

Why are Traefik ACME-generated certificates flagged as "Not Secure"?


I'm trying to start an application with Traefik. I have multiple containers set up with Swarm. I can reach them in the browser, but the websites are flagged as not secure. I tried deleting acme.json and regenerating the SSL certificates, but it didn't change anything.

From my understanding, with ACME the certificates are generated at boot. But now it behaves as if the certificate were self-signed: the issuer I see is "Fake LE Intermediate X1".

Here is my configuration:

# Traefik 1.x static configuration, as posted in the question.
# debug mode installs Go pprof/expvar handlers on the API and forces verbose
# logging; keep both settings off outside of troubleshooting.
logLevel="DEBUG"
debug=true
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-HTTP request is redirected to the https entry point.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    # Empty tls table: TLS is on, but no minVersion or cipherSuites are set
    # here, so the binary's defaults apply.
    [entryPoints.https.tls]

[retry]

# Enables the API/dashboard. No authentication is configured for it in this
# file, and the compose file on this page publishes port 8080 on the host.
# NOTE(review): `address` belongs to the older [web] section; confirm [api]
# honours it rather than falling back to its default entry point.
[api]
address=":8080"

# Traefik reads service definitions straight from the Docker API. Whoever
# controls this socket controls the Docker daemon.
# NOTE(review): the usual form is unix:///var/run/docker.sock (three slashes);
# confirm this two-slash form resolves to the intended path.
[docker]
endpoint="unix://var/run/docker.sock"
domain = "4yourfinance.com"
watch=true
swarmMode=true
# Only services labelled traefik.enable=true are routed.
exposedByDefault = false

[acme]
email = "[email protected]"
# acme.json holds the ACME account key and the certificates' private keys;
# keep it readable by the Traefik process only (mode 600).
storage = "/etc/traefik/acme/acme.json"
# Let's Encrypt STAGING directory: certificates issued from it chain to an
# untrusted test hierarchy (the "Fake LE Intermediate X1" seen in the
# question), so browsers report the site as not secure.
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# Also request a certificate for each frontend Host rule.
onHostRule = true
entryPoint = "https"
  # HTTP-01 challenge answered on the http entry point; port 80 must be
  # reachable from the CA for validation to succeed.
  [acme.httpChallenge]
  entryPoint = "http"

  # One certificate: `main` as the primary name, `sans` as additional names.
  [[acme.domains]]
    main = "4yourfinance.com"
    sans = ["nginx.4yourfinance.com", "api-wl.4yourfinance.com"]

And my Docker Compose file:

# Swarm stack file, as posted in the question: one Traefik 1.x proxy in front
# of three nginx services.
version: "3.3"

services:
  traefik:
    # No tag means `latest`. The mounted config and the traefik.frontend.*
    # labels below use the 1.x format, which later major releases do not
    # accept; pin the image to the release that was actually tested.
    image: traefik
    ports:
      - 80:80
      # Publishes the API/dashboard on every host interface. The posted
      # Traefik config sets no authentication for it and enables debug mode.
      - 8080:8080
      - 443:443
    networks:
      - traefik-net
    volumes:
      # Access to the Docker socket is equivalent to control of the daemon on
      # this node. A read-only mount would not limit API calls made through
      # the socket.
      - /var/run/docker.sock:/var/run/docker.sock
      # Backs acme.json (ACME account key and certificate private keys).
      # This is a node-local bind mount, so the data stays on whichever node
      # runs the task.
      - ./acme:/etc/traefik/acme
    configs:
      - source: traefik-config
        target: /etc/traefik/traefik.toml
    deploy:
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx2:
    image: nginx
    networks:
      traefik-net:
        # NOTE(review): nginx2, nginx and nginx3 all register the alias
        # `nginx` on traefik-net, so a lookup of that name can resolve to any
        # of them. Looks like copy-paste; confirm it is intended.
        aliases:
          - nginx
    deploy:
      # Traefik 1.x routing labels: opt in, backend name, container port,
      # and the Host rule that also drives certificate requests (onHostRule).
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx2"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=nginx"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:nginx.4yourfinance.com"
      placement:
        constraints: [engine.labels.com.role == 4yourfinance]

  nginx3:
    image: nginx
    networks:
      traefik-net:
        aliases:
          - nginx
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.backend=api-wl"
        - "traefik.port=80"
        - "traefik.frontend.rule=Host:api-wl.4yourfinance.com"
      placement:
        # Scheduled on a different node label than the other services.
        constraints: [engine.labels.com.role == client-feelix]

networks:
  # Pre-existing network, created outside this stack.
  traefik-net:
    external:
      name: traefik-net

configs:
  # Delivered to the traefik service as /etc/traefik/traefik.toml.
  traefik-config:
    file: config2.toml

Solution

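  • I was using the staging caServer instead of production. The staging CA issues test certificates that browsers do not trust, which is why the sites were flagged "Not Secure". I also had to list the other domains. Replace the caServer with: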

    # Production Let's Encrypt directory: certificates chain to a publicly
    # trusted root. This endpoint is rate-limited, so test changes against
    # staging and do not repeatedly delete acme.json to force re-issuance.
    # NOTE(review): data already stored in acme.json from the staging CA
    # presumably has to be cleared once after switching; confirm.
    caServer = "https://acme-v02.api.letsencrypt.org/directory"
    

    and add the domains like this:

    # Each [[acme.domains]] table requests its own certificate for `main`.
    # NOTE(review): api-wl.4yourfinance.com from the question's sans list is
    # not repeated here; presumably onHostRule covers it. Verify that a
    # trusted certificate is issued for that host too.
    [[acme.domains]]
      main = "4yourfinance.com"
    [[acme.domains]]
      main = "nginx.4yourfinance.com"