Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Traefik and self-signed SSL

Tags:

docker

ssl

openssl

traefik

Noob to Traefik and Docker. I have prepared a self signed certiicate using:

openssl req -x509 -newkey rsa:4096 -keyout www.example.co.uk.key -out www.example.co.uk.crt-days 365

In my traefik.toml file I have:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    certFile = "certs/www.example.co.uk.crt"
    keyFile = "certs/www.example.co.uk.key"

However this results in:

traefik          | time="2019-06-17T22:11:17Z" level=debug msg="Serving default cert for request: \"www.example.co.uk\""
traefik          | time="2019-06-17T22:11:17Z" level=debug msg="http: TLS handshake error from 172.20.0.1:57770: tls: no certificates configured"

If I omit the cert definitions so that traefik.toml reads as:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  #  [[entryPoints.https.tls.certificates]]
  #  certFile = "certs/www.example.co.uk.crt"
  #  keyFile = "certs/www.example.co.uk.key"

I get the dummy cert provided by Traefik and it works great but I just want to wrap my head around why my defined certs are not being used.

In my docker-compose.yml I believe I have mounted the correct volume:

volumes:
  - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
  - ./traefik.toml:/traefik.toml
  - /var/www/docker/certs:/certs

And the certs reside at certs/ relative to my docker-compose.yml and traefik.toml files. Permissions seem good as well both owned by root - the crt having 644 and key having 600.

How can I use a self-signed cert instead of Traefiks defaults?

like image 702
Zakalwe Avatar asked Jun 17 '19 22:06

Zakalwe

1 Answers

Probably a path mismatch, particularly with some paths relative and others absolute. Try the following in your compose file (relative path to local certs):

volumes:
  - /var/run/docker.sock:/var/run/docker.sock
  - ./traefik.toml:/traefik.toml
  - ./certs:/certs

And then switch to an absolute path in the toml (leading slash on certs):

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    certFile = "/certs/www.example.co.uk.crt"
    keyFile = "/certs/www.example.co.uk.key"
like image 192
BMitch Avatar answered Oct 02 '22 06:10

BMitch
Sign in to Comment

Related questions

Using OpenGL inside docker with nvidia-docker2
Firecracker microVM: how to create custom Firecracker microVM and file system images [closed]
Can not connect to SQL Server database hosted on localhost from Kubernetes, how can I debug this?
Building rust project in docker causes Cargo to get stuck downloading dependencies
Why NextJS using Docker container did not reload after changed code for dev environment?
Lightweight GCC for Alpine
Relative path binding in docker for volumes in macOS does fail
Unable to run Angular test cases inside docker container
Build a Docker image using docker build and a tmpfs?
Dockerfile for Ruby app - why is WORKDIR specified as /usr/src/app
WARN Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
Gitlab CI/Docker: ssh-add keeps asking for passphrase
EBUSY: resource busy or locked in Docker when trying to do npm install
How to configure logstash in docker compose?
Caching in kubernetes
docker-compose run multiple commands for a service
How to force docker-compose to download a new image when using docker hub?
unknown error after kill did not terminate sucessfully: signaling init process caused "permission denied"\n: unknown'
Issue "Could not fetch/save url https://download.docker.com/linux/centos/docker-ce.repo"
Docker container binds to port, but I am unable to ping it

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!