mapa0402

Reputation: 484

traefik permissions 777 for acme.json are too open, please use 600

Yes, I get this when I try to run traefik with https. The problem is that I mount the dir on my Win7 machine but I can't chmod the file.

The mount is working but file permissions are off.

It looks like this:

volumes:
  - d:/docker/traefikcompose/acme/acme.json:/etc/traefik/acme/acme.json:rw

traefik | time="2018-09-04T12:57:11Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 777 for /etc/traefik/acme/acme.json are too open, please use 600"

If I remove the acme.json file I get this:

ERROR: for traefik Cannot start service traefik: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"/d/docker/traefikcompose/acme/acme.json\\\" to rootfs \\\"/mnt/sda1/var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b4cafd4a7251\\\" at \\\"/mnt/sda1/var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b4cafd4a7251/etc/traefik/acme/acme.json\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'

Upvotes: 11

Views: 26260

Answers (6)

qknight

Reputation: 924

This can be solved using a Dockerfile / entrypoint.sh and works like this:

Dockerfile

FROM traefik:v2.9.4

COPY entrypoint.sh /
ENTRYPOINT [ "/entrypoint.sh" ]
CMD ["traefik"]

entrypoint.sh

#! /bin/sh
set -e

echo "Setting acme.json permissions 0600"
touch /works
touch /acme/acme.json
chmod 600 /acme/acme.json
chown root:root /acme
chown root:root /acme/acme.json

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
    set -- traefik "$@"
fi

# if our command is a valid Traefik subcommand, let's invoke it through Traefik instead
# (this allows for "docker run traefik version", etc)
if traefik "$1" --help >/dev/null 2>&1
then
    set -- traefik "$@"
else
    echo "= '$1' is not a Traefik command: assuming shell execution." 1>&2
fi

exec "$@"

In the docker-compose.yaml I had:

traefik:
  #image: traefik:v2.9.4
  build: traefik/

So a docker compose build && docker compose up -d updated the file permissions according to the script in entrypoint.sh.

Note: It is important to do the updates of the /acme/acme.json file from entrypoint.sh, as the volumes are already mounted by then. This is not the case when only using a Dockerfile.

Note: I'm using docker compose, but plain docker will also support this, with a different syntax on the commands.

Summary

I think this is also too much maintenance burden. In the docker community we should come up with a volume system which can set owners/modes on directories for the container and leave the files on the host be whatever owner/mode they have.

volumes:

  • "file:acme.json:/acme.json:root:root:0600"

Also, if that file does not exist on the host, just create it. Linux docker does create it on the host, while Docker Windows would fail to start on the docker compose up -d command.

Upvotes: 1
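As an added example (not code from the thread or from Traefik), a POSIX sh pre-start check that catches both failure modes from the question, a missing acme.json that Docker turns into a directory at bind-mount time and a file whose group/other bits are set, and that could run first in an entrypoint like the one above. It assumes a Linux or busybox `ls -l` layout and the hypothetical path /acme/acme.json.

```shell
#!/bin/sh
# Added example, not from the thread: pre-start check for Traefik's acme.json.
# It covers the two failures in the question:
#   1. the host path is missing, so Docker bind-mounts a *directory* and the
#      container fails with "not a directory";
#   2. the file exists but group/other bits are set, so Traefik refuses to
#      start with "permissions ... are too open, please use 600".

# Return 0 if path is a regular file accessible by its owner only.
# Columns 5-10 of `ls -l` are the group and other permission bits, so a
# 0600 file shows "------" there (compare the -rw------- listings above).
acme_mode_ok() {
    path="$1"
    [ -f "$path" ] || return 1
    perms=$(ls -ld "$path" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Create acme.json with mode 0600 when it is missing and tighten it when it
# is too open. Refuse to continue if Docker already turned the path into a
# directory, because chmod would then "fix" the wrong object.
ensure_acme_file() {
    path="$1"
    if [ -d "$path" ]; then
        echo "error: $path is a directory; remove it and create an empty file before mounting" >&2
        return 2
    fi
    if [ ! -e "$path" ]; then
        # umask 077 makes touch create the file as 0600 from the start,
        # so there is no window in which it is group/world readable.
        ( umask 077 && touch "$path" ) || return 1
    fi
    chmod 600 "$path" || return 1
    acme_mode_ok "$path"
}

# Usage from an entrypoint (hypothetical path): sh acme_check.sh /acme/acme.json
if [ "$#" -gt 0 ]; then
    ensure_acme_file "$1"
fi
```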

qknight

Reputation: 924

I have the same problem as you: I wanted to have the acme.json file outside the container/volume, that is, on the host FS. This way I wanted to make backups easy, since my tests would exceed the Let's Encrypt / ACME quota quite fast at times.

Docker Windows

Turns out on Docker Windows you get this permission inside the traefik container:

-rwxrwxrwx    1 root     root           0 Dec 22 15:21 acme.json

Docker Linux (ubuntu 22.04)

If traefik creates the file on the host side using something like:

docker run -v ./acme:/acme ... traefik

On Linux docker the container side looks different:

-rw-------    1 root     root       15.7K Dec 22 15:14 acme.json

But on the host I also have this:

-rw-------    1 root     root       15.7K Dec 22 15:14 acme.json

Which means that my normal user can't see, back up, or modify that file.

I think there is currently no sufficient support in maintaining this file on the host FS side.

Recommendation

Store this file inside a docker volume and access it using 'docker cp':

Backup:

docker container cp traefik:/acme/acme.json .

Restore:

docker container cp acme.json traefik:/acme/
docker exec -it traefik chmod 0700 /acme/acme.json
docker container restart traefik

Upvotes: 1

swissbuechi

Reputation: 382

I solved this problem with a named docker volume:

docker-compose.yml (only showing the relevant parts of the file)

services:
  traefik:
    environment:
    - TRAEFIK_CERTIFICATESRESOLVERS_LE_ACME_STORAGE=/acme/acme.json
    volumes:
      - acme:/acme
volumes:
  acme:

Upvotes: 5

Milnev

Reputation: 105

This just solved it for me:

  1. Have WSL2 installed in Windows 10
  2. Use PowerShell and navigate to the directory where your acme.json file is
  3. Type wsl, this will open the same location but now from WSL2
  4. Type chmod 600 acme.json
  5. Done!

Upvotes: 0

Ɛɔıs3

Reputation: 7853

In addition to the above answer, to automate the creation of the acme.json file and assign the required permissions, create a Dockerfile and call it in your docker-compose.yml:

FROM traefik:2.2

RUN touch /acme.json \
  && chmod 600 /acme.json

Upvotes: 5

mapa0402

Reputation: 484

I did finally find the solution thanks to Cooshal's kind help: we have to ssh into the VirtualBox machine and make the file there, and then point to it from the docker-compose.yml. In this case I did it like this:

docker-machine ssh default
touch /var/acme.json
chmod 600 /var/acme.json

Then in my docker-compose:

volumes:
 - /var/:/var/acme.json

Finally in traefik.toml:

[acme]
  storage = "acme.json"

Upvotes: 14
