
Traefik serves its self-signed default TLS certificate instead of the Let's Encrypt certificate


My problem: Traefik serves a self-signed certificate for my service instead of the Let's Encrypt certificate I configured.
docker-compose.yml:

version: "3.7"

services:
  traefik:
    # Untagged image resolves to `latest`: the behaviour of this stack can
    # change silently on the next pull. Pin a release tag.
    image: traefik
    command:
      - --api
      - --providers.docker
      - --providers.docker.exposedbydefault=false
    ports:
      # Port 8080 is only served when api.insecure=true, and in that mode the
      # API/dashboard has no authentication at all. Do not publish it.
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/data/traefik.yml:/etc/traefik/traefik.yml
      # Read/write Docker socket: whoever controls this container is
      # effectively root on the host. Traefik only needs read access (:ro).
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - public
      - private
    deploy:
      # NOTE(review): Traefik reads `deploy.labels` only when
      # providers.docker.swarmMode is enabled; the command above does not
      # set it, so these labels are presumably ignored in this configuration.
      labels:
        - "traefik.enable=true"
        # No entrypoints/tls on this router: the dashboard would be served
        # over plain HTTP on every entrypoint.
        - "traefik.http.routers.dashboard.rule=Host(`dashboard.example.com`)"
        - "traefik.http.routers.dashboard.service=api@internal"
        - "traefik.http.routers.dashboard.middlewares=auth"
        # basicauth.users takes htpasswd-hashed entries (bcrypt/MD5/SHA1),
        # not a clear-text password; admin/admin is also a guessable
        # credential committed to the compose file.
        - "traefik.http.middlewares.auth.basicauth.users=admin:admin"
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure

Labels on the gitea service:

- "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.registry.tls.domains[0].main=example.com"
- "traefik.http.routers.registry.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.gites.tls.certresolver=resolver"
- "traefik.http.services.gitea-svc.loadbalancer.server.port=3000"

traefik.yml:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  resolver:
    acme:
      email: [email protected]
      # Relative path inside the container with no volume behind it: the
      # ACME account key and issued certificates are lost on every restart,
      # which re-issues certificates and quickly hits Let's Encrypt rate
      # limits.
      storage: acme.json
      # TLS-ALPN-01: port 443 must be reachable from the internet for the
      # CA. It cannot issue the wildcard requested in the service labels.
      tlsChallenge: {}

Firefox reports: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

This happens because the browser is presented with Traefik's built-in default (self-signed) certificate, where it should receive the Let's Encrypt certificate.
With the log level set to DEBUG, Traefik logs the client rejecting that certificate ("remote error" means the alert was sent by the peer, i.e. the browser):

level=debug msg="http: TLS handshake error from 192.168.80.1:53932: remote error: tls: bad certificate"

Solution

  • I solved the problem with the configuration below. Note that the router names now match: the question's `traefik.http.routers.gites.tls.certresolver` label never applied to the `gitea` router, so that router had no certresolver.

    docker-compose.yml:

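    version: "3.7"

    services:
      traefik:
        # Pinned release; never run an untagged (`latest`) proxy in production.
        image: traefik:v2.2.11
        ports:
          # Quoted so no YAML parser can read a port mapping as a number.
          - "80:80"
          - "443:443"
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /etc/data/traefik.yml:/etc/traefik/traefik.yml:ro
          # Read-only is sufficient for the docker provider. Access to this
          # socket is root-equivalent on the host, which is why the dashboard
          # router below must not be reachable without authentication.
          - /var/run/docker.sock:/var/run/docker.sock:ro
          # Holds acme.json: the ACME account key and every issued private key.
          - /etc/data/letsencrypt:/letsencrypt
        networks:
          - public
          - private
        # NOTE(review): with providers.docker.swarmMode=true Traefik reads
        # *service* labels, which `docker stack deploy` only takes from
        # `deploy.labels`. If the routers do not appear after a stack deploy,
        # move this block under `deploy:`.
        labels:
          - "traefik.enable=true"
          # HTTP router on :80 whose only job is the redirect. The ACME HTTP-01
          # challenge is answered by Traefik before routing, so the redirect
          # does not interfere with certificate issuance.
          - "traefik.http.routers.traefik.entrypoints=web"
          - "traefik.http.routers.traefik.rule=Host(`dashboard.example.com`)"
          # redirectscheme.scheme takes a URL scheme (https), not an entrypoint
          # name; `scheme=web` would redirect to web://dashboard.example.com.
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.permanent=true"
          - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
          # HTTPS router for the dashboard/API (api@internal). The API lists
          # every router, service and middleware of the cluster, so it sits
          # behind basic auth.
          - "traefik.http.routers.traefik-secure.entrypoints=websecure"
          - "traefik.http.routers.traefik-secure.rule=Host(`dashboard.example.com`)"
          - "traefik.http.routers.traefik-secure.tls=true"
          - "traefik.http.routers.traefik-secure.tls.certresolver=resolver"
          - "traefik.http.routers.traefik-secure.middlewares=dashboard-auth"
          - "traefik.http.routers.traefik-secure.service=api@internal"
          # basicauth.users expects htpasswd output (e.g. `htpasswd -nB admin`),
          # supplied here from the environment. If you inline the hash instead,
          # write every `$` as `$$`, because docker-compose expands `$VAR`.
          - "traefik.http.middlewares.dashboard-auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS:?set to an htpasswd line}"
          - "traefik.http.services.traefik.loadbalancer.server.port=8080"

      gitea:
        # NOTE(review): pin to a specific release tag; `latest` changes under
        # you and makes rollbacks non-reproducible.
        image: gitea/gitea:latest
        environment:
          - APP_NAME=Gitea
          - USER_UID=1000
          - USER_GID=1000
          - ROOT_URL=https://gitea.example.com
          - SSH_DOMAIN=gitea.example.com
          - SSH_PORT=2222
          - HTTP_PORT=3000
          - DB_TYPE=postgres
          - DB_HOST=gitea-db:5432
          - DB_NAME=gitea
          - DB_USER=gitea
          # Same secret as POSTGRES_PASSWORD on gitea-db; comes from the
          # environment / .env instead of being committed in clear text.
          - DB_PASSWD=${GITEA_DB_PASSWORD:?set GITEA_DB_PASSWORD}
        volumes:
          - gitea_app:/data
        ports:
          - "2222:2222"
        networks:
          - public
          - private
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.gitea.entrypoints=web"
          - "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
          # Scheme is `https`; `websecure` is an entrypoint name, not a scheme.
          - "traefik.http.middlewares.gitea-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.gitea-https-redirect.redirectscheme.permanent=true"
          - "traefik.http.routers.gitea.middlewares=gitea-https-redirect"
          # Router and certresolver names match the ones Traefik actually
          # creates (`gitea-secure` / `resolver`).
          - "traefik.http.routers.gitea-secure.entrypoints=websecure"
          - "traefik.http.routers.gitea-secure.rule=Host(`gitea.example.com`)"
          - "traefik.http.routers.gitea-secure.tls=true"
          - "traefik.http.routers.gitea-secure.tls.certresolver=resolver"
          - "traefik.http.routers.gitea-secure.service=gitea"
          - "traefik.http.services.gitea.loadbalancer.server.port=3000"
          # gitea is on two networks; tell Traefik which one to reach it on.
          - "traefik.docker.network=public"

      gitea-db:
        # NOTE(review): pin a major version (postgres:<N>-alpine); a major
        # upgrade on pull will refuse to start on the old data directory.
        image: postgres:alpine
        volumes:
          - gitea_db:/var/lib/postgresql/data
        environment:
          - POSTGRES_USER=gitea
          - POSTGRES_PASSWORD=${GITEA_DB_PASSWORD:?set GITEA_DB_PASSWORD}
          - POSTGRES_DB=gitea
        networks:
          # Database is reachable only from the private network.
          - private

    # NOTE(review): the original listing omitted these declarations, without
    # which docker-compose rejects the file. Use `external: true` on `public`
    # if that overlay network is created outside this stack.
    networks:
      public:
      private:

    volumes:
      gitea_app:
      gitea_db: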
    

    traefik.yml

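    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"

    api:
      # The dashboard is served only through the authenticated api@internal
      # router; `insecure: true` (unauthenticated :8080) stays off.
      dashboard: true

    log:
      # DEBUG logs every request and TLS handshake; use it only while
      # troubleshooting and run at INFO otherwise.
      level: INFO

    providers:
      docker:
        # Only containers/services carrying traefik.enable=true are routed.
        exposedByDefault: false
        endpoint: "unix:///var/run/docker.sock"
        swarmMode: true

    certificatesResolvers:
      resolver:
        acme:
          email: [email protected]
          # Uncomment while testing to avoid Let's Encrypt production rate limits.
          # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
          # Absolute path inside the /letsencrypt bind mount. The file holds
          # the ACME account key and every issued private key: Traefik keeps
          # it at mode 0600 and refuses to use a world-readable one.
          storage: /letsencrypt/acme.json
          # HTTP-01 is served on :80, which must therefore stay reachable from
          # the internet even though user traffic is redirected to https.
          httpChallenge:
            entryPoint: web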
    
    

    I also created an empty `/etc/data/letsencrypt` directory on the host for the `acme.json` file. Traefik creates the file itself on first run and requires it to stay at mode 600; it contains the ACME account key and the certificates' private keys, so back it up and keep it out of version control.