Reputation: 4349
How do I reference a self-signed SSL certificates for traefik v2 in a docker-compose file?
There is very limited documentation for referencing self-signed certificates for Træfik v2 in the docker-compose YAML file. Here is how you can do it for Let's Encrypt:
version: "3.3"
services:
traefik:
image: "traefik:v2.0.0"
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker
- --api
- --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- [email protected]
- --certificatesresolvers.leresolver.acme.storage=/acme.json
- --certificatesresolvers.leresolver.acme.tlschallenge=true
But I tried to check the documentation, and I have not seen any way to reference a self-signed certificate in the docker-compose file without having a toml file.
I have tried this:
version: "3.3"
services:
traefik:
image: "traefik:v2.0.0"
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker
- --api
- --providers.docker.tls.cert=/etc/certs/server.crt
- --providers.docker.tls.key=/etc/certs/server.key
But I got the following error:
Failed to retrieve information of the docker client and server host: error during connect: Get https://%2Fvar%2Frun%2Fdocker.sock/v1.24/version: http: server gave HTTP response to HTTPS client" providerName=docker
Here are resources I have used that do not provide any way to set up self-signed certificates to enable HTTPS for Træfik v2 in the docker-compose YAML file:
I do see this on this page: https://docs.traefik.io/https/tls/#user-defined
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
But it is for file YAML configuration file, and I need to convert this to the docker-compose YAML file equivalent as it is above how they have done it for Let's Encrypt.
Upvotes: 15
Views: 21420
Answers (1)
Reputation: 299
It seems this is not doable at the moment. Someone posted a very similar question on the Træfik community forum.
The certificates you are passing as flags (providers.docker.tls.cert and providers.docker.tls.key) are useful if Træfik listen to Docker events via a secure TCP endpoint instead of a file socket, which is not what you want.
It would be cool to have everything configured in a single docker-compose file but unfortunately the self-signed related configuration must be stored in a separate file.
Here is an example for the record:
File docker-compose.yml
traefik:
image: traefik:v2.1
command:
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker=true
- --providers.file.directory=/etc/traefik/dynamic_conf
- --providers.file.watch=true
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./certs/:/certs/:ro
- ./traefik.yml:/etc/traefik/dynamic_conf/conf.yml:ro
web:
image: nginx:1.17.8-alpine
labels:
# http with redirection
- traefik.http.middlewares.redirect-middleware.redirectscheme.scheme=https
- traefik.http.routers.web-router.entrypoints=web
- traefik.http.routers.web-router.rule=Host(`your-domain.net`)
- traefik.http.routers.web-router.middlewares=redirect-middleware
# https
- traefik.http.routers.websecure-router.entrypoints=websecure
- traefik.http.routers.websecure-router.tls=true
- traefik.http.routers.websecure-router.rule=Host(`your-domain.net`)
File traefik.yml
tls:
certificates:
- certFile: /certs/awx.afone.priv.crt
keyFile: /certs/awx.afone.priv.key
Upvotes: 20
Related Questions
- Traefik with self-signed certificate
- Traefik Self Signed Certificate
- Docker, Traefik 2.2, and Default Certificate
- Traefik 2 how to refer tls certificates inside static config for routing inside docker-compose files
- Traefik v2 and Invalid Lets Encrypt Certificate
- Traefik V2.0 with Letsencrypt is unable to generate a certificate for the domains
- Issues with Traefik v2.0 to use self signed certificate
- issues running docker traefik v2.0 to use self signed certificate
- Traefik and self-signed SSL
- Error creating TLS config (v1.3.7)