Please help, I am losing my mind over SSL

For the last 3 days I have been trying to get Traefik v1.7 working (I briefly tried v2, but that is another story).
I have lost count of how many docker-compose and traefik.toml files I have written and corrected. As far as I can see there is nothing wrong.
So what happens?
When I visit domain1.io I get a warning that the browser doesn't trust a self-signed certificate. That I can understand, but the Cloudflare challenge works...
And I cannot visit the dashboard either; I get a 404.
Here is my docker-compose and traefik.toml, I think that traefik.toml is the culprit here so that is what I give you:
https://gist.github.com/ratnose/6a4b33052426d9b486298aa9ba2cb130

Please help!

hello,

Your docker-compose file seems to be missing from your gist.

[api]
    entryPoint = "dashboard"
    dashboard = true
    address = ":8080" <---

`address` is not a valid field for `[api]`: https://docs.traefik.io/v1.7/configuration/api/#configuration

I'll add the Stack Overflow question that contains everything.
https://stackoverflow.com/questions/57494329/traefik-is-not-doing-what-i-want

This config gives me Bad Gateway for the domain; the dashboard gives a 404.
Domain2 gives a 404, which is correct.
And the acme.json is as empty as a desert.

The configuration is not the same between the 2 posts.

Could you put here your current configuration + docker compose file + logs ?

Sure!
Here they are:

version: '3.7'
services:

    traefik:
        image: traefik:latest
        container_name: traefik
        restart: always

        networks:
            - web

        ports:
            - 80:80
            - 443:443
            - 8080:8080

        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - /home/ladmin/docker/traefik/traefik.toml:/traefik.toml
            - /home/ladmin/docker/traefik/acme.json:/acme.json
        environment:
            - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
            - CF_API_KEY=${CLOUDFLARE_API_KEY}

    domain1:
        image: domain1
        container_name: domain1
        restart: always
        networks:
            - web
            - default
        expose:
            - 80
        labels:
            - 'traefik.docker.network=web'
            - 'traefik.enable=true'
            - 'traefik.frontend.rule=Host:www.${DOMAINNAME},${DOMAINNAME}'
            - 'traefik.basic.protocol=http'

            
networks:
    web:
        external: true

logLevel = "DEBUG"

defaultEntryPoints = ["http", "https"]

[entryPoints]
    [entryPoints.http]
    address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    [entryPoints.dashboard]
    address = ":8080"
    [entryPoints.dashboard.auth]
        [entryPoints.dashboard.auth.basic]
            users = ["master:$apr1/vETCYJPh8o0"]
[retry]

[api]
  entryPoint = "dashboard"
  dashboard = true

[acme]
    email = "email@gmail.com"
    storage = "traefik/acme.json"
    entryPoint = "https"
    onHostRule = true
    acmeLogging=true
    [acme.dnsChallenge]
        provider = "cloudflare"
        delayBeforeCheck = 30
        resolvers = ["1.1.1.1:53"]

        [[acme.domains]]
          main = "domain1"
        [[acme.domains]]
          main = "*.domain1"
          sans = "domain1"
        [[acme.domains]]
          main ="domain2.io"

[docker]
domain = "domain1.io"
endpoint = "unix:///var/run/docker.sock"
watch = true
network = "web"
exposedByDefault = false


The logs are empty...

This label is called a segment label and you don't need it in your use case.

The first [[acme.domains]] block with main = "domain1" must be removed because it's already managed by the second block.

The directory in storage = "traefik/acme.json" doesn't exist.

When you run with logLevel = "DEBUG" the logs are never empty, so could you re-check?

Thank you so much for all the help! I'm feeling a bit more sane now.
You made var bold, why?

What do you mean that traefik/acme.json doesn't exist?

~/docker/traefik $ ls -la
total 12
drwxr-xr-x 2 ladmin ladmin 4096 Aug 14 13:37 .
drwxr-xr-x 4 ladmin ladmin 4096 Aug 14 13:07 ..
-rw------- 1 ladmin ladmin 0 Aug 14 12:38 acme.json
-rw-r--r-- 1 ladmin ladmin 831 Aug 14 13:07 traefik.toml

I moved acme.json to /home/ladmin/docker/acme.json
Changed to storage = "acme.json"; nothing changed.

About log:
docker logs traefik or docker-compose logs traefik

time="2019-08-14T13:33:04Z" level=error msg="Failed to read new account, ACME data conversion is not available : open traefik/acme/acme.json: not a directory"
time="2019-08-14T13:33:04Z" level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account : open traefik/acme/acme.json: not a directory"

That is hours ago. Other than that the log is empty, which I also think is strange.

I didn't make var bold; it's just syntax highlighting that does that.

Could you try storage = "/acme.json"?

Sure! I just restarted the docker-compose setup and discovered something!
The edits I made to traefik.toml weren't saved to the server; I used Visual Studio Code earlier.
So now they are reapplied. Hopefully the log will be filled with stuff!

Ahhh, check that out, an error!

traefik      | 2019/08/14 18:25:49 Error reading TOML config file /traefik.toml : toml: cannot load TOML value of type string into a Go slice

What does that actually mean?

The problem is your domains definition:

        [[acme.domains]]
          main = "*.domain1"
          sans = ["domain1"] <----
        [[acme.domains]]
          main ="domain2.io"

`sans` is an array, not a string, so the TOML decoder cannot load it into a Go slice.

https://docs.traefik.io/v1.7/configuration/acme/#domains

1 Like

Edited and starting up.
Still SSL error...

Could you provide your full logs?

Now we're talking log....
https://pastebin.com/s3dgAEc2

from your logs:

level=error msg="Failed to read new account, ACME data conversion is not available : permissions 755 for acme.json are too open, please use 600"
level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account : permissions 755 for acme.json are too open, please use 600"
1 Like

Wow, that was impressive how fast you read that log file. :star_struck:

So just to be clear, are we talking about the acme.json shown above?

Yes.

chmod 600 /home/ladmin/docker/traefik/acme.json
1 Like

But the one earlier is at the same level as traefik.toml, not in that path.

Check if your file exists and your mount.

A quick tip:

  • change the mount

        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - /home/ladmin/docker/traefik/:/etc/traefik/

  • update your configuration:
storage = "/etc/traefik/acme.json"

https://docs.traefik.io/v1.7/basics/#configuration-file

1 Like
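The three things that kept Traefik's ACME provider from starting in this thread (a string where `sans` needs an array, a `storage` path that does not match the bind mount, and an acme.json that is missing or wider than mode 600) can all be checked on the host before `docker-compose up`. The script below is an added example, not code from the thread or from the Traefik project; the file paths in the usage comment are assumptions, and it checks a TOML file with line-oriented pattern matching rather than a full TOML parser.

```shell
#!/bin/sh
# preflight.sh: catch the Traefik v1.7 start-up failures seen in this thread
# before running `docker-compose up`:
#   1. `sans = "x"` (a string) where Traefik's TOML decoder expects an array,
#   2. a relative `storage = "..."` path that does not match the bind mount,
#   3. an acme.json that is missing or not mode 0600.
# Added example, not part of the original thread; paths below are assumptions.

# check_sans_arrays TOML: fail if any `sans =` value is a quoted string.
# Prints the offending line number (via grep -n) so it can be fixed directly.
check_sans_arrays() {
    if grep -nE '^[[:space:]]*sans[[:space:]]*=[[:space:]]*"' "$1"; then
        echo "$1: sans must be an array, e.g. sans = [\"example.com\"]" >&2
        return 1
    fi
    return 0
}

# check_storage_path TOML: fail unless acme.storage is an absolute path.
# A relative path is resolved against the container's working directory,
# which is not where docker-compose bind-mounted the host file.
check_storage_path() {
    s=$(sed -nE 's/^[[:space:]]*storage[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$1" | head -n 1)
    case "$s" in
        /*) return 0 ;;
        "") echo "$1: no storage setting found under [acme]" >&2; return 1 ;;
        *)  echo "$1: storage=\"$s\" is relative; use the absolute path the file is mounted at" >&2; return 1 ;;
    esac
}

# check_acme_store FILE: fail unless FILE is a regular file with mode 0600.
# If the host path does not exist, docker creates a directory there instead,
# and Traefik refuses a store whose permissions are wider than 600.
check_acme_store() {
    if [ ! -f "$1" ]; then
        echo "$1: missing or not a regular file; create it with: touch $1" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    if [ "$mode" != "600" ]; then
        echo "$1: permissions $mode are too open; run: chmod 600 $1" >&2
        return 1
    fi
    return 0
}

# preflight TOML ACME: run every check, report all failures, return 1 on any.
preflight() {
    rc=0
    check_sans_arrays "$1" || rc=1
    check_storage_path "$1" || rc=1
    check_acme_store "$2" || rc=1
    return $rc
}

# usage (assumed paths, matching the compose file in this thread):
#   sh preflight.sh /home/ladmin/docker/traefik/traefik.toml /home/ladmin/docker/traefik/acme.json
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the host, against the same files the compose `volumes:` entries mount; the `storage` value it expects is the path inside the container (for the mount suggested above, `/etc/traefik/acme.json`), not the host path.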

docker-compose mounts:

  • /home/ladmin/docker/traefik/traefik.toml:/traefik.toml
  • /home/ladmin/docker/traefik/acme.json:/acme.json

chmod 600 acme.json

Ok time to docker-compose up -d.... fingers crossed.

So... stuff written to acme.json...
This is the log:
https://pastebin.com/30A8wDaG

This domain looks strange, but apparently it is something I have written...
traefik.docker.grillgeek.se
I can't find that anywhere... but for some reason it was put together from the info I have put in.

I still get an SSL warning when entering the domain in a browser.