I am trying to migrate to v2. On my v1 setup I used the origin server certificates from Cloudflare for TLS, but this doesn't work in v2, since Traefik serves its default certificate instead.
As you can see in the log below, the TLS part of traefik.yaml isn't listed when the static configuration is loaded. Unless that part is deliberately redacted from the log, I have to conclude that Traefik doesn't read it at all.
I have already verified that it can read the file and that other settings do in fact take effect.
traefik.log:
time="2019-10-10T20:40:27Z" level=info msg="Traefik version 2.0.2 built on 2019-10-09T19:26:05Z"
time="2019-10-10T20:40:27Z" level=debug msg="Static configuration loaded {\"global\":{},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"useBindPortIP\":false,\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true,\"debug\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/var/log/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/var/log/access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100}}"
time="2019-10-10T20:40:27Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
time="2019-10-10T20:40:27Z" level=debug msg="No default certificate, generating one"
time="2019-10-10T20:40:28Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2019-10-10T20:40:28Z" level=debug msg="Start TCP Server" entryPointName=https
time="2019-10-10T20:40:28Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-10-10T20:40:28Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"useBindPortIP\":false,\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-10-10T20:40:28Z" level=debug msg="Provider connection established with docker 18.09.4 (API 1.39)" providerName=docker
time="2019-10-10T20:40:28Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"nginx\":{\"entryPoints\":[\"https\"],\"service\":\"nginx-tyjuji\",\"rule\":\"Host(`XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}},\"portainer\":{\"entryPoints\":[\"https\"],\"service\":\"portainer-tyjuji\",\"rule\":\"Host(`admin.XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}},\"traefik\":{\"entryPoints\":[\"https\"],\"service\":\"traefik\",\"rule\":\"Host(`api.XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"nginx-tyjuji\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.3:80\"}],\"passHostHeader\":true}},\"portainer-tyjuji\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.2:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.4:8080\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https routerName=portainer@docker serviceName=portainer-tyjuji middlewareType=Pipelining middlewareName=pipelining
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=portainer@docker serviceName=portainer-tyjuji
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.2:9000" serviceName=portainer-tyjuji entryPointName=https routerName=portainer@docker serverName=0
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware portainer-tyjuji" middlewareType=TracingForwarder entryPointName=https routerName=portainer@docker middlewareName=tracing
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https routerName=traefik@docker serviceName=traefik middlewareName=pipelining middlewareType=Pipelining
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" routerName=traefik@docker serviceName=traefik entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.4:8080" routerName=traefik@docker serverName=0 serviceName=traefik entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware traefik" middlewareType=TracingForwarder entryPointName=https routerName=traefik@docker middlewareName=tracing
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" serviceName=nginx-tyjuji middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=nginx@docker
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=nginx@docker serviceName=nginx-tyjuji
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.3:80" routerName=nginx@docker serviceName=nginx-tyjuji serverName=0 entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware nginx-tyjuji" middlewareName=tracing entryPointName=https routerName=nginx@docker middlewareType=TracingForwarder
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-10-10T20:40:28Z" level=debug msg="No default certificate, generating one"
docker-compose.yml:
version: "3.5"

networks:
  internal:
    name: internal
    internal: true
  proxy:
    name: proxy

services: # Keep alphabetical for clarity
  nginx:
    container_name: nginx
    image: nginx
    restart: always
    volumes:
      - ${BASE_PATH}/${CONFIGS}/nginx:/usr/share/nginx/html:ro
    environment:
      - NGINX_HOST=${DOMAIN_NAME}
      - NGINX_PORT=80
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - "traefik.http.routers.nginx.rule=Host(`${DOMAIN_NAME}`)"
      - "traefik.http.routers.nginx.entrypoints=https"
      - "traefik.http.routers.nginx.tls=true"
      # TLS options are dynamic configuration in Traefik v2. The "default"
      # options set in the static traefik.yaml (minVersion) are not loaded —
      # the static-config log line contains no "tls" key — so Traefik's
      # built-in defaults apply here until the options are defined through a
      # dynamic-configuration provider.
      - "traefik.http.routers.nginx.tls.options=default"
    networks:
      - internal
      - proxy
  portainer:
    container_name: portainer
    image: portainer/portainer
    restart: always
    # --no-auth turns off Portainer's own login, and the router below
    # publishes it at admin.${DOMAIN_NAME} with no Traefik auth middleware.
    # Combined with the Docker socket mount this is unauthenticated control
    # of the Docker host for anyone who can reach :443; at minimum put an
    # authentication middleware on the router or drop --no-auth.
    command: -H unix:///var/run/docker.sock --no-auth
    volumes:
      # Docker socket access is equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock
      - ${BASE_PATH}/${CONFIGS}/portainer:/data
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - "traefik.http.routers.portainer.rule=Host(`admin.${DOMAIN_NAME}`)"
      - "traefik.http.routers.portainer.entrypoints=https"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.options=default"
    networks:
      - internal
      - proxy
  traefik:
    container_name: traefik
    image: traefik
    # The mounted traefik.yaml also configures providers.docker; keep a
    # single source of static configuration (file or CLI) so it is clear
    # which one wins for overlapping keys — TODO confirm merge order for
    # this Traefik version.
    command: --providers.docker
    ports:
      # The HTTP ports
      #- "80:80"
      - "443:443"
      # # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    volumes:
      # Docker socket access is equivalent to root on the host; Traefik only
      # needs to read it (consider :ro or a socket proxy).
      - /var/run/docker.sock:/var/run/docker.sock
      - ${BASE_PATH}/${CONFIGS}/traefik/traefik.yaml:/traefik.yaml
      - ${BASE_PATH}/${CONFIGS}/traefik/log:/var/log
      # Cloudflare origin certificates are trusted only by Cloudflare's edge,
      # not by browsers; a client that reaches this host directly (bypassing
      # the Cloudflare proxy) will see an untrusted certificate. If a
      # dynamic-configuration file is introduced for the tls section, it has
      # to be mounted here as well.
      - ${BASE_PATH}/${CONFIGS}/${CERTS}:/certs
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      # With api.insecure: true in traefik.yaml the dashboard/API on :8080
      # has no authentication of its own; 8080 is not published, but this
      # router exposes it at api.${DOMAIN_NAME} over :443 without an auth
      # middleware. Add one before relying on this route.
      - "traefik.http.routers.traefik.rule=Host(`api.${DOMAIN_NAME}`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.options=default"
      - traefik.http.services.traefik.loadbalancer.server.port=8080
    networks:
      - internal
      - proxy
traefik.yaml:
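# Static configuration (read once at startup).
#
# In Traefik v2 the `tls` section (certificates, stores, options) is DYNAMIC
# configuration and is silently dropped by the static loader — the
# "Static configuration loaded" log line has no "tls" key, and Traefik then
# logs "No default certificate, generating one". The certificates therefore
# have to live in a dynamic-configuration file served by the file provider
# (`providers.file` below); the moved content is shown at the end of this
# file as a comment.
global:
  checkNewVersion: false
  sendAnonymousUsage: false

serversTransport:
  # Disables verification of backend server certificates for every service
  # Traefik forwards to. All backends on this page are plain http:// URLs,
  # so it currently changes nothing; remove it before adding an https://
  # backend rather than leaving verification off globally.
  insecureSkipVerify: true

providers:
  docker:
    useBindPortIP: false
    exposedByDefault: false
    network: proxy
    watch: true
  # File provider for dynamic configuration (TLS certificates, stores and
  # options). The path is a placeholder: it must match a file mounted into
  # the container (add the mount to the traefik service in docker-compose).
  file:
    filename: /PLACEHOLDER/dynamic.yaml
    watch: true

entryPoints:
  https:
    # Quoted so the leading ":" can never be taken for a YAML indicator.
    address: ":443"

api:
  # `insecure: true` serves the API/dashboard on the `traefik` entry point
  # (:8080) without authentication. That port is not published, but the
  # docker-compose router for api.${DOMAIN_NAME} forwards :443 traffic to it
  # with no auth middleware, so the dashboard is reachable from outside.
  insecure: true
  dashboard: true
  debug: true

log:
  level: DEBUG
  filePath: /var/log/traefik.log

accessLog:
  filePath: /var/log/access.log
  bufferingSize: 100

# ---------------------------------------------------------------------------
# Contents of the dynamic-configuration file referenced by
# providers.file.filename above (kept here as a comment so that they are
# not read as static configuration). Note that Cloudflare origin
# certificates are trusted only by Cloudflare's edge, so direct connections
# that bypass the proxy will see an untrusted certificate.
#
# tls:
#   certificates:
#     - certFile: /certs/XXXXXXX.com.pem
#       keyFile: /certs/XXXXXXX.com.key
#   stores:
#     default:
#       defaultCertificate:
#         certFile: /certs/XXXXXXX.com.pem
#         keyFile: /certs/XXXXXXX.com.key
#   options:
#     default:
#       minVersion: VersionTLS13
# ---------------------------------------------------------------------------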