Preventing certificate generation for *every* new container

It seems like Traefik by default hits Let's Encrypt for every new container I create. Even if I just manually do a simple docker run -it alpine /bin/sh, the Traefik daemon picks that up and tries to give me a certificate using the randomly generated name (like brave_lamarr) as the host.

time="2019-06-26T19:07:18Z" level=error msg="Unable to obtain ACME certificate for domains "brave-lamarr.webhost1-XXX" detected thanks to rule "Host:brave-lamarr.webhost1-XXX" : unable to generate a certificate for the domains [brave-lamarr.webhost1-XXX]: acme: Error -> One or more domains had a problem:\n[brave-lamarr.webhost1-XXX] acme: error: 400 :: urn:ietf:params:acme:error:connection :: dns :: DNS problem: NXDOMAIN looking up A for brave-lamarr.webhost1-XXX, url: \n"

Since this attempt obviously fails, Let's Encrypt starts to rate-limit me after a number of created containers. Luckily the temporary ban is released in a rather short time, so it's not a huge issue. But it is still something I'd like to fix anyway.

I thought that the

[docker]
exposedByDefault = false

setting in traefik.toml would not only stop the proxying, but also the handling of certificates. But it seems like that is not the case…

If there's a way of turning off the certificate handling altogether and then selectively enabling it with a label in docker-compose.yml for each site, I'd be happy. I guess there's some way of achieving this.

Ah yes, if it is version dependent I'd better say that I run Docker 18.06.1-ce, docker-compose 1.24.1 and Traefik v1.7.12.

This is what you want to read: https://docs.traefik.io/configuration/acme/#onhostrule

Generally, if you use somebody else's copied and pasted configuration (and who does not?), it's usually useful to go through it line by line and understand what these lines mean. It could help avoid "surprises" like this.

Yes, that’s generally good advice :slight_smile:

But in this case I had already read that part of the docs and have set it to true. I interpreted the "This will request a certificate from Let's Encrypt for each frontend with a Host rule." as meaning that a host rule for the domain in question would be required for Traefik to actually request a cert.

When I just manually spin up a container (that has nothing at all to do with the containers and web sites already defined in docker-compose, which all have their own labels with a "traefik.basic.frontend.rule="), there shouldn't be a Host rule defined for it? Or is there some automatic/implicit host rule that is applied anyway?

I have to admit that I don't fully understand the "(for frontends wired to the acme.entryPoint)" part in the onHostRule description…

traefik.basic.frontend.rule=Host:brave-lamarr.webhost1-XXX is a host rule. The key on the left says that this is a rule, and the rule itself on the right starts with Host:, therefore it's a host rule.

Yes, that’s absolutely reasonable. But from where is that rule coming? I haven’t explicitly defined it anywhere.

The "brave-lamarr" here is Docker's randomized name for a container, which is created automatically when starting a container without an explicit name.

If I manually spin up 20 containers from any image (like alpine) I'll get 20 random names, and Traefik will hit Let's Encrypt with all of those names.

This happens even if I have onHostRule=true in the [acme] section of the traefik.toml file.

That also sounds reasonable.

Actually, come to think of it, I recently spun up a container and saw in the dashboard a host rule that I did not create, which was based on the container name. I dismissed it at that time, but now I wonder why that is. I did not notice this rule auto-creation before.

So… good question :wink:

It's an old feature: if you don't define a rule on a container, Traefik generates a rule based on container information.

It’s related to:

[docker]
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a services.
#
# Optional
# Default: ""
#
domain = "docker.localhost"

That was it!

I already had traefik.toml set to

[docker]
domain = ""

But during the last few days of experimenting with and learning the basics of Traefik, I for some reason got an override of it into my docker-compose.yml.

traefik:
    image: traefik:latest
    command: --docker --docker.domain=webhost1.XXXXX

Removing the --docker.domain from there made Traefik well-behaved again.

Thanks for the help figuring this out.

@ldez, so as per original question, what is the best way to ensure that not configured containers do not cause certificate request?

Whoops, sorry, this was the post that Discourse did not let me post before. I pressed the post button and did not see that this was already addressed.

The best is to set:

[docker]
exposedByDefault = false

and add the label traefik.enable=true to the containers that Traefik needs to manage.

Apart from that, it's not possible to disable ACME for a single container in v1; we are working on adding this feature in v2: https://github.com/containous/traefik/issues/4872
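Putting the thread's conclusion together: the safe Traefik v1 setup is the opt-in model (exposedByDefault = false, no docker.domain, traefik.enable=true only on services that should be published), so that unlabelled containers never produce a frontend and therefore never trigger an ACME order. The docker-compose.yml below is an added example, not configuration from the thread or from the Traefik project; it drives Traefik with command-line flags in the same style as the poster's own compose snippet. The hostname app.example.com, the e-mail address and the acme.json path are placeholders to replace.

```yaml
# Added example: opt-in exposure for Traefik v1.7 so that ad-hoc containers
# (docker run -it alpine /bin/sh) never get a generated Host rule or an
# ACME certificate request. Hostnames, e-mail and paths are placeholders.
version: "3.7"

services:
  traefik:
    image: traefik:v1.7
    command:
      - --docker
      - --docker.watch
      # Nothing is exposed unless a container carries traefik.enable=true.
      - --docker.exposedbydefault=false
      # Deliberately NO --docker.domain: without it Traefik has no base
      # domain from which to derive a rule out of a random container name.
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80
      - --entrypoints=Name:https Address::443 TLS
      - --acme.email=admin@example.com          # placeholder
      - --acme.storage=/acme.json
      - --acme.entrypoint=https
      # Certificates are only requested for frontends that actually have
      # a Host rule, i.e. only the explicitly labelled services below.
      - --acme.onhostrule=true
      - --acme.httpchallenge.entrypoint=http
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json

  # A published site: explicitly enabled, explicit Host rule, explicit port.
  app:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:app.example.com"   # placeholder host
      - "traefik.port=80"

  # A helper container with no labels at all: with exposedByDefault=false
  # Traefik ignores it completely, so no frontend, no Host rule, no ACME
  # order, and no contribution to the Let's Encrypt rate limit.
  scratch:
    image: alpine
    command: ["sleep", "infinity"]
```

After starting the stack, the Traefik dashboard (or a log search for "Unable to obtain ACME certificate") should show only the app.example.com frontend; spinning up extra unlabelled containers should add nothing. Keep acme.json readable only by the owner (chmod 600), since it holds the account key and the issued private keys.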