I'm having issues with traefik generating the certificate after upgrading from traefik 1 to 2. I'm using docker providers, and set up everything using labels.
Here is a link to the certificate test: https://check-your-website.server-daten.de/?q=staging.evopoints.co.za
The static traefik.yml config is:

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false
providers:
  docker:
    exposedByDefault: false
    watch: true
entryPoints:
  web-insecure:
    address: ":80"
  web-secure:
    address: ":443"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42
certificatesResolvers:
  letsencrypt:
    acme:
      email: <private-email>
      storage: acme.json
      # Let's Encrypt staging directory
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web-insecure
api:
  # insecure mode serves the API and dashboard without authentication
  insecure: true
  dashboard: true
  debug: true
log:
  filePath: /mnt/logs/traefik/traefik.log
  level: DEBUG
accessLog:
  filePath: /mnt/logs/traefik/access.log
```
Here are the relevant snippets from docker-compose.yml:

```yaml
version: '3'
services:
  webapp:
    image: <private registry>
    restart: always
    volumes:
      # ... snipped list of volumes ...
    labels:
      - "traefik.enable=true"
      # Create a bunch of required middlewares
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.www-redirect.redirectregex.regex=^https://evopoints.co.za/(.*)"
      # Note: all dollar signs need to be doubled for escaping.
      - "traefik.http.middlewares.www-redirect.redirectregex.replacement=https://staging.evopoints.co.za/$${1}"
      - "traefik.http.middlewares.webapp.headers.customrequestheaders.http-x-forwarded-proto=https"
      - "traefik.http.middlewares.webapp.headers.sslredirect=true"
      - "traefik.http.middlewares.webapp.headers.sslforcehost=true"
      - "traefik.http.middlewares.webapp.headers.sslhost=staging.evopoints.co.za"
      # Insecure Entry
      - "traefik.http.routers.webapp-insecure.entrypoints=web-insecure"
      - "traefik.http.routers.webapp-insecure.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp-insecure.middlewares=https-redirect"
      # Secure entry
      - "traefik.http.routers.webapp.entrypoints=web-secure"
      - "traefik.http.routers.webapp.rule=Host(`staging.evopoints.co.za`)"
      - "traefik.http.routers.webapp.tls=true"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.webapp.middlewares=webapp"
  nginx:
    image: <private_registry>
    restart: always
    volumes:
      # ... snipped volumes ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.nginx.loadbalancer.server.port=443"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.entrypoints=web-secure"
      - "traefik.http.routers.nginx.rule=Host(`staging.evopoints.co.za`) && (PathPrefix(`/static`, `/media`) || Path(`/service-worker.js`))"
  traefik:
    image: traefik:v2.1
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./resources/traefik/traefik.yml:/traefik.yml
      - ./resources/traefik/acme.json:/acme.json
      - ./logs/traefik:/mnt/logs/traefik
```
The solution was as zeitounator pointed out in the comments on my post. The Let's Encrypt staging environment doesn't sign the certificates correctly, which is intended, and so they appear invalid. The staging environment is merely meant to test that certs are in fact generated, that's all.
After changing to the production cert resolver, everything worked as intended.
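
A check that can follow the switch described above, as an added example that is not part of the original post: it reads the contents of the ACME storage file and reports, per certificate resolver, whether the account was registered with the Let's Encrypt staging or production CA, since certificates stored from staging stay untrusted by browsers. The JSON layout, the sample data and the function names are assumptions made for this illustration; the production host is Let's Encrypt's documented ACME v2 endpoint.

```python
import json
from urllib.parse import urlparse

# The staging host is the caServer from the post; the production host is
# Let's Encrypt's documented ACME v2 endpoint.
CA_HOSTS = {
    "acme-staging-v02.api.letsencrypt.org": "staging",
    "acme-v02.api.letsencrypt.org": "production",
}

# Constructed sample, not real data. The layout (one top-level key per
# certificate resolver) is an assumption about Traefik v2's acme.json.
SAMPLE_ACME_JSON = """
{
  "letsencrypt": {
    "Account": {
      "Email": "ops@example.test",
      "Registration": {
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0"
      }
    },
    "Certificates": [
      {"domain": {"main": "staging.example.test"}, "Store": "default"}
    ]
  }
}
"""


def classify_ca(uri):
    """Map an ACME account URI to 'staging', 'production' or 'unknown'."""
    return CA_HOSTS.get(urlparse(uri or "").hostname, "unknown")


def audit_acme_storage(text):
    """Return {resolver: {'ca': ..., 'domains': [...]}} for an acme.json body."""
    report = {}
    for resolver, data in json.loads(text).items():
        data = data or {}
        registration = (data.get("Account") or {}).get("Registration") or {}
        certs = data.get("Certificates") or []
        domains = [(c.get("domain") or {}).get("main", "?") for c in certs]
        report[resolver] = {"ca": classify_ca(registration.get("uri")), "domains": domains}
    return report


if __name__ == "__main__":
    for name, info in audit_acme_storage(SAMPLE_ACME_JSON).items():
        print(f"{name}: {info['ca']} CA, certificates for {info['domains']}")
```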