Skip to content

Instantly share code, notes, and snippets.

@pyrou
Last active October 15, 2024 13:55
Show Gist options
  • Save pyrou/4f555cd55677331c742742ee6007a73a to your computer and use it in GitHub Desktop.
Save pyrou/4f555cd55677331c742742ee6007a73a to your computer and use it in GitHub Desktop.
Use https://traefik.me SSL certificates for local HTTPS without having to touch your /etc/hosts or your certificate CA.
version: '3'
services:
traefik:
restart: unless-stopped
image: traefik:v2.0.2
ports:
- "80:80"
- "443:443"
labels:
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
volumes:
- ./traefik.yml:/etc/traefik/traefik.yml
- ./tls.yml:/etc/traefik/tls.yml
- /var/run/docker.sock:/var/run/docker.sock
- certs:/etc/ssl/traefik
app1:
image: containous/whoami
labels:
- "traefik.http.routers.app1.rule=Host(`app1.traefik.me`)"
- "traefik.http.routers.app1-tls.tls.domains[0].main=app1.traefik.me"
- "traefik.http.routers.app1-tls.tls.domains[0].sans=app1-*.traefik.me"
app2:
image: containous/whoami
labels:
- "traefik.http.routers.app2.rule=Host(`app2.traefik.me`)"
- "traefik.http.routers.app2-tls.tls.domains[0].main=app2.traefik.me"
- "traefik.http.routers.app2-tls.tls.domains[0].sans=app2-*.traefik.me"
reverse-proxy-https-helper:
image: alpine
command: sh -c "cd /etc/ssl/traefik
&& wget traefik.me/cert.pem -O cert.pem
&& wget traefik.me/privkey.pem -O privkey.pem"
volumes:
- certs:/etc/ssl/traefik
volumes:
certs:
tls:
stores:
default:
defaultCertificate:
certFile: /etc/ssl/traefik/cert.pem
keyFile: /etc/ssl/traefik/privkey.pem
certificates:
- certFile: /etc/ssl/traefik/cert.pem
keyFile: /etc/ssl/traefik/privkey.pem
logLevel: INFO
api:
insecure: true
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
file:
filename: /etc/traefik/tls.yml
docker:
endpoint: unix:///var/run/docker.sock
watch: true
exposedByDefault: true
defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"
@Nasjoe
Copy link

Nasjoe commented Aug 17, 2023

This morning :
Code d’erreur : SEC_ERROR_REVOKED_CERTIFICATE

@cpebble
Copy link

cpebble commented Aug 17, 2023

I'm also seeing the issue presented by Nasjoe.

My workaround using the mkcert tool as described on the Arch wiki

$ mkcert -install
$ mkcert traefik.me \*.traefik.me

And pointing at the generated certs

@tazorax
Copy link

tazorax commented Aug 29, 2023

Same error as Nasjoe on Windows hosts.
It seems that also https://traefik.me/ website is affected.

> curl https://traefik.me/
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_REVOKED (0x80092010) - Le certificat est révoqué.

Qualys SSL labs reports with a F grade and also a REVOKED status (see https://www.ssllabs.com/ssltest/analyze.html?d=traefik.me&hideResults=on).

Maybe there was an issue when renewing certificates ?

@pyrou have you ever seen this behaviour ?

@GIorfindel
Copy link

@pyrou I still have the "SEC_ERROR_REVOKED_CERTIFICATE" since august, do you know why it does that ?

@heralight
Copy link

Hi @pyrou, I just create a project from your code with some little mods: https://github.com/heralight/traefik-dyn-dev/
Best regards,
Thank you!
Alexandre

@edguy3
Copy link

edguy3 commented Oct 19, 2023

@pyrou - A couple weeks ago, I also created a project from this gist: https://github.com/edguy3/traefik.me
Minor tweaks to the original - a Makefile and a 'donotstart' profile for the wget helper.
Thanks!

@xmlking
Copy link

xmlking commented Feb 25, 2024

Anyone had Traefik 3.0 version of config files ?

@xmlking
Copy link

xmlking commented Apr 6, 2024

Anyone had Traefik 3.0 version of config files ?

it is working now with 3.0-RC3

@scaudace
Copy link

Very convenient! It works perfectly !

I just have a problem with CURL inside a php container.

in app1 curl to app2
=> SSL certificate problem: unable to get local issuer certificate

adding curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
works but I would like to avoid having to modify the code inside my app.

I tried a lot of things without success. My knowledge of security certificates is poor...
Any ideas ?

@jizusun
Copy link

jizusun commented Aug 10, 2024

Very convenient! It works perfectly !

I just have a problem with CURL inside a php container.

in app1 curl to app2 => SSL certificate problem: unable to get local issuer certificate

adding curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); works but I would like to avoid having to modify the code inside my app.

I tried a lot of things without success. My knowledge of security certificates is poor... Any ideas ?

@scaudace download the fullchain.pem and use it as the certFile instead of the cert.pem

  reverse-proxy-https-helper:
    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget traefik.me/fullchain.pem -O cert.pem
      && wget traefik.me/privkey.pem -O privkey.pem"
    volumes:
      - certs:/etc/ssl/traefik

@jizusun
Copy link

jizusun commented Aug 10, 2024

For traefik v3.1.2:

-    defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"
+    defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}-.+.traefik.me`) || HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`)"

@xmlking
Copy link

xmlking commented Aug 11, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment