Search code examples
dockertraefik

Docker, Traefik 2.2, and Default Certificate

Question: Why does Traefik not use my wildcard cert (as outlined in my traefik.yml file), instead insisting on generating its own?

docker-compose.yml

version: '3'

services:

  traefik:
    image: traefik:2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik.yml:/etc/traefik/traefik.yml:ro
      - $PWD/certs:/certs
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host("traefik.network.lan")
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.service=api@internal

networks:
  proxy:
    external: true

$PWD/traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: true



log:
  level: DEBUG

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    swarmMode: false

tls:

  certificates:
    - certFile: /certs/wildcard.crt
      keyFile: /certs/wildcard.key
      stores:
        - default

  stores:
    default:
      defaultCertificate:
        certFile: /certs/wildcard.crt
        keyFile: /certs/wildcard.key

  options:
    default:
      minVersion: VersionTLS12
      preferServerCipherSuites: true

    mintls13:
      minVersion: VersionTLS13

accessLog: {}

I have attached to the traefik container to verify that /etc/traefik/traefik.yml and the two certs in /certs exist. When I look at logs for the traefik container, I see the following line during startup (note the debug level, indicating that my config is indeed being read)

traefik    | time="2020-06-14T17:01:51Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
traefik    | time="2020-06-14T17:01:51Z" level=info msg="Traefik version 2.2.1 built on 2020-04-29T18:02:09Z"
...
traefik    | time="2020-06-14T17:01:51Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik    | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
...
traefik    | time="2020-06-14T17:01:51Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-06-14T17:01:51Z" level=debug msg="No default certificate, generating one"
Solution

  • I think the problem is with certificates being in traefik.yml file. Certificates should be part of dynamic configuration, see https://docs.traefik.io/https/tls/#user-defined.

    This means, you need two things:

    1. another config file, e.g. certs.yml and move the tls section (with certificates, stores and options sections)
    2. add another provider to your traefik.yml file, e.g.
    providers:
  docker:
    ...
  file:
    filename: /path/to/certs.yml