```yaml
# docker-compose.yml
version: '3'
services:
  traefik:
    restart: unless-stopped
    image: traefik:v2.0.2
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./tls.yml:/etc/traefik/tls.yml
      - /var/run/docker.sock:/var/run/docker.sock
      - certs:/etc/ssl/traefik
  app1:
    image: containous/whoami
    labels:
      - "traefik.http.routers.app1.rule=Host(`app1.traefik.me`)"
      - "traefik.http.routers.app1-tls.tls.domains[0].main=app1.traefik.me"
      - "traefik.http.routers.app1-tls.tls.domains[0].sans=app1-*.traefik.me"
  app2:
    image: containous/whoami
    labels:
      - "traefik.http.routers.app2.rule=Host(`app2.traefik.me`)"
      - "traefik.http.routers.app2-tls.tls.domains[0].main=app2.traefik.me"
      - "traefik.http.routers.app2-tls.tls.domains[0].sans=app2-*.traefik.me"
  reverse-proxy-https-helper:
    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget traefik.me/cert.pem -O cert.pem
      && wget traefik.me/privkey.pem -O privkey.pem"
    volumes:
      - certs:/etc/ssl/traefik
volumes:
  certs:
```
```yaml
# tls.yml (dynamic configuration, loaded through the file provider)
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/ssl/traefik/cert.pem
        keyFile: /etc/ssl/traefik/privkey.pem
  certificates:
    - certFile: /etc/ssl/traefik/cert.pem
      keyFile: /etc/ssl/traefik/privkey.pem
```
```yaml
# traefik.yml (static configuration)
logLevel: INFO
api:
  insecure: true   # serves the API and dashboard on port 8080 without authentication;
                   # with exposedByDefault below it is reachable as traefik.traefik.me
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/tls.yml
  docker:
    endpoint: unix:///var/run/docker.sock   # read access to the Docker socket
    watch: true
    exposedByDefault: true   # every container gets a router unless labelled traefik.enable=false
    # Route <service>.traefik.me and <service>-<dashed-ip>.traefik.me to the compose service of that name
    defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"
```
I'm also seeing the issue presented by Nasjoe.
My workaround: using the mkcert tool as described on the Arch wiki

```sh
$ mkcert -install
$ mkcert traefik.me \*.traefik.me
```

and pointing at the generated certs.
Same error as Nasjoe on Windows hosts.
It seems that the https://traefik.me/ website is also affected.

```
> curl https://traefik.me/
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_REVOKED (0x80092010) - Le certificat est révoqué.
```

Qualys SSL Labs reports an F grade and also a REVOKED status (see https://www.ssllabs.com/ssltest/analyze.html?d=traefik.me&hideResults=on).
Maybe there was an issue when renewing certificates?
@pyrou have you ever seen this behaviour?
@pyrou I still have the "SEC_ERROR_REVOKED_CERTIFICATE" since August, do you know why it does that?
Hi @pyrou, I just created a project from your code with some little mods: https://github.com/heralight/traefik-dyn-dev/
Best regards,
Thank you!
Alexandre
@pyrou - A couple weeks ago, I also created a project from this gist: https://github.com/edguy3/traefik.me
Minor tweaks to the original - a Makefile and a 'donotstart' profile for the wget helper.
Thanks!
Has anyone got a Traefik 3.0 version of the config files?
It is working now with 3.0-RC3.
Very convenient! It works perfectly!
I just have a problem with curl inside a PHP container.
In app1, curl to app2 gives:

```
SSL certificate problem: unable to get local issuer certificate
```

Adding

```php
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
```

works, but I would like to avoid having to modify the code inside my app.
I tried a lot of things without success. My knowledge of security certificates is poor...
Any ideas?
@scaudace download the fullchain.pem and use it as the certFile instead of the cert.pem:

```yaml
  reverse-proxy-https-helper:
    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget traefik.me/fullchain.pem -O cert.pem
      && wget traefik.me/privkey.pem -O privkey.pem"
    volumes:
      - certs:/etc/ssl/traefik
```
For traefik v3.1.2:
- defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"
+ defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}-.+.traefik.me`) || HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`)"
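Review bot: in the `+` line both regexps leave the dots in `traefik.me` unescaped (a bare `.` matches any character) and carry no `^`/`$` anchors, so unless Traefik anchors HostRegexp for you the first one also accepts any host name that merely contains `-<something>Xtraefik<X>me`; suggest escaping and anchoring, i.e. `^{{ index .Labels \"com.docker.compose.service\"}}-.+\.traefik\.me$` and `^{{ index .Labels \"com.docker.compose.service\"}}\.traefik\.me$` as the two regexp texts. Splitting the rule into two `HostRegexp` calls joined by `||` is consistent with v3 no longer accepting the v2 `{dashed-ip:.*}` named-group form seen in the removed line.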
This morning:

```
Code d’erreur : SEC_ERROR_REVOKED_CERTIFICATE
```