
traefik: automatically obtaining SSL certificates (Let's Encrypt)

docker-compose.yml:

# Compose project: Traefik 1.7 in front of a demo backend, requesting Let's
# Encrypt certificates through the ACME HTTP-01 challenge.
version: '3'

services:
    # Reverse proxy. It watches the Docker API for labelled containers and
    # requests a certificate for every Host rule it finds (--acme.onHostRule).
    traefik:
        # Floating tag; pin an exact release or digest for reproducible
        # deployments. NOTE(review): the Traefik 1.x line is end-of-life.
        image: traefik:1.7
        # The value below is ONE multi-line plain scalar: YAML folds the lines
        # into a single command string. Do not put comments or blank lines
        # between the flags.
        #
        # Security-relevant points of this flag set:
        # - --logLevel=DEBUG logs ACME challenge tokens and the labels of
        #   every container Traefik inspects. Lower it once setup works.
        # - The http entry point has no redirect, and defaultentrypoints
        #   lists both http and https, so frontends are also served over
        #   plain HTTP.
        # - --docker.exposedByDefault=false: only containers labelled
        #   traefik.enable are routed.
        # - --acme.storage=/data/acme.json holds the ACME account key and the
        #   certificates' private keys. Through the ".:/data" mount it lands
        #   in the project directory on the host. Keep it out of version
        #   control and readable by its owner only (mode 600).
        # - No --acme.email is passed, so the ACME account is registered
        #   without a contact address.
        command:
            --entryPoints='Name:http Address::80'
            --entryPoints='Name:https Address::443 TLS'
            --defaultentrypoints=http,https
            --logLevel=DEBUG
            --docker
            --docker.exposedByDefault=false
            --acme
            --acme.acmeLogging=true
            --acme.entrypoint=https
            --acme.storage=/data/acme.json
            --acme.onHostRule=true
            --acme.httpChallenge.entryPoint=http
        # Published on 8001/8002, not 80/443. HTTP-01 validation reaches the
        # domain on port 80, so something in front must forward it to 8001.
        # presumably that is the "other proxy" this setup targets; confirm.
        # Quoting port mappings ("8001:80") is the safer Compose habit.
        ports:
            - 8001:80
            - 8002:443
        volumes:
            # Access to the Docker socket is equivalent to root on the host: a
            # compromise of this internet-facing container becomes a host
            # compromise. A ":ro" mount does not restrict API calls; consider
            # an API-filtering socket proxy that allows read-only endpoints.
            - /var/run/docker.sock:/var/run/docker.sock
            # Mounts the whole project directory read-write. A dedicated
            # directory or named volume for acme.json exposes less.
            - .:/data

    # Sidecar that exports the certificates stored in acme.json as files under
    # /data/certs (./certs on the host) and keeps them updated (--watch).
    # The export includes private keys, so restrict access to ./certs and keep
    # it out of version control and backups that others can read.
    traefik-certs-dumper:
        image: ldez/traefik-certs-dumper:v2.7.0
        # One multi-line plain scalar folded into a single "sh -c" command; do
        # not insert comments between its lines. Steps:
        #   1. "apk add jq" installs jq at every container start. It is
        #      unpinned and fetched over the network, so the container needs
        #      outbound access and runs whatever version the repository
        #      serves. Baking jq into a derived image avoids both.
        #   2. Poll once per second until /data/acme.json exists and its
        #      .Certificates array is non-empty.
        #   3. Start traefik-certs-dumper in watch mode.
        # NOTE(review): step 1 is chained with ";" so a failed install is not
        # detected; the wait loop then presumably never ends. Confirm.
        entrypoint: sh -c '
            apk add jq
            ; while ! [ -e /data/acme.json ]
                || ! [ `jq ".Certificates | length" /data/acme.json` != 0 ]; do
                    sleep 1
                ; done
            && traefik-certs-dumper file --watch 
                --source /data/acme.json --dest /data/certs'
        volumes:
            # Same read-write project mount as the traefik service. This
            # container only needs to read acme.json and write the certs dir.
            - .:/data

    # Demo backend routed by Traefik. It publishes no ports of its own, so it
    # is reached only through the proxy.
    whoami:
        # No tag, so this resolves to "latest"; pin a version or digest.
        image: containous/whoami
        labels:
            # Opt-in required because Traefik runs with
            # --docker.exposedByDefault=false. The unquoted value is a YAML
            # boolean that Compose hands to Docker as the string "True";
            # quoting it ('true') makes the label value explicit.
            traefik.enable: true
            # With --acme.onHostRule=true this Host rule also makes Traefik
            # request a certificate for example.com. Use a domain you control
            # whose port 80 reaches this Traefik instance.
            traefik.frontend.rule: Host:example.com

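ldez/traefik-certs-dumper is needed if you want to put traefik behind another proxy: it exports the certificates and private keys from acme.json as files under ./certs, which the other proxy can then load. Treat that directory as secret material.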

time="2020-05-17T16:21:51Z" level=info msg="Traefik version v1.7.24 built on 2020-03-25_04:34:11PM"

time="2020-05-17T16:21:51Z" level=debug msg="Global configuration loaded {
  "AccessLog": null,
  "TraefikLog": null,
  "LogLevel": "DEBUG",
  "EntryPoints": {
    "http": {
      "Address": ":80",
      "TLS": null,
      ...
    },
    "https": {
      "Address": ":443",
      "TLS": {...},
      ...
    }
  },
  "ACME": {
    "Email": "",
    "Domains": null,
    "Storage": "/data/acme.json",
    "OnHostRule": true,
    "EntryPoint": "https",
    "HTTPChallenge": {
      "EntryPoint": "http"
    },
    "ACMELogging": true,
    ...
  },
  "DefaultEntryPoints": [
    "http",
    "https"
  ],
  "Docker": {
    "Endpoint": "unix:///var/run/docker.sock",
    "ExposedByDefault": false,
    "SwarmMode": false,
    ...
  },
  ...
}

time="2020-05-17T16:21:51Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v1.7/basics/#collected-data\n"
time="2020-05-17T16:21:51Z" level=debug msg="Setting Acme Certificate store from Entrypoint: https"

time="2020-05-17T16:21:51Z" level=info msg="Preparing server https &{Address::443 TLS:0xc0007b1950 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006d49a0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2020-05-17T16:21:51Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006d48e0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2020-05-17T16:21:51Z" level=info msg="Starting server on :443"
time="2020-05-17T16:21:51Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2020-05-17T16:21:51Z" level=info msg="Starting server on :80"
time="2020-05-17T16:21:51Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15}"
time="2020-05-17T16:21:51Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"/data/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":null,\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"TLSChallenge\":null,\"Domains\":null,\"Store\":{}}"
time="2020-05-17T16:21:51Z" level=info msg="Testing certificate renew..."
time="2020-05-17T16:21:51Z" level=debug msg="Configuration received from provider ACME: {}"
time="2020-05-17T16:21:51Z" level=debug msg="Provider connection established with docker 18.06.3-ce (API 1.38)"

time="2020-05-17T16:21:51Z" level=debug msg="Filtering disabled container /traefik-ssl_traefik_1"
time="2020-05-17T16:21:51Z" level=debug msg="Filtering disabled container /traefik-ssl_traefik-certs-dumper_1"
time="2020-05-17T16:21:51Z" level=debug msg="originLabelsmap[
    com.docker.compose.config-hash:cc8dd9859b14b96c12537af1175910291ff4d1de04eb61beb3d66ada87bdb630
    com.docker.compose.container-number:1
    com.docker.compose.oneoff:False
    com.docker.compose.project:traefik-ssl
    com.docker.compose.service:whoami
    com.docker.compose.version:1.24.1
    traefik.enable:True
    traefik.frontend.rule:Host:example.com
]"
time="2020-05-17T16:21:51Z" level=debug msg="allLabelsmap[:map[
    traefik.enable:True
    traefik.frontend.rule:Host:example.com
]]"

time="2020-05-17T16:21:51Z" level=debug msg="originLabelsmap[
    com.docker.compose.config-hash:cc8dd9859b14b96c12537af1175910291ff4d1de04eb61beb3d66ada87bdb630
    com.docker.compose.container-number:1
    com.docker.compose.oneoff:False
    com.docker.compose.project:traefik-ssl
    com.docker.compose.service:whoami
    com.docker.compose.version:1.24.1
    traefik.enable:True
    traefik.frontend.rule:Host:example.com
]"
time="2020-05-17T16:21:51Z" level=debug msg="allLabelsmap[:map[
    traefik.enable:True
    traefik.frontend.rule:Host:example.com
]]"
time="2020-05-17T16:21:51Z" level=debug msg="Backend backend-whoami-traefik-ssl: no load-balancer defined, fallback to 'wrr' method"
time="2020-05-17T16:21:51Z" level=debug msg="Configuration received from provider docker: {
  "backends": {
    "backend-whoami-traefik-ssl": {
      "servers": {
        "server-eaa0e2fdd516-traefik-ssl-whoami-1-ba08b9a6fd6a6a434ae85c28fea6f773": {
          "url": "http://172.23.0.3:80",
          "weight": 1
        }
      },
      ...
    }
  },
  "frontends": {
    "frontend-Host-example-com-0": {
      "entryPoints": [
        "http",
        "https"
      ],
      "backend": "backend-whoami-traefik-ssl",
      "routes": {
        "route-frontend-Host-example-com-0": {
          "rule": "Host:example.com"
        }
      },
      ...
    }
  }
}
time="2020-05-17T16:21:51Z" level=info msg="Server configuration reloaded on :80"
time="2020-05-17T16:21:51Z" level=info msg="Server configuration reloaded on :443"

time="2020-05-17T16:21:51Z" level=debug msg="Wiring frontend frontend-Host-example-com-0 to entryPoint http"
time="2020-05-17T16:21:51Z" level=debug msg="Creating backend backend-whoami-traefik-ssl"
time="2020-05-17T16:21:51Z" level=debug msg="Creating load-balancer wrr"
time="2020-05-17T16:21:51Z" level=debug msg="Creating server server-eaa0e2fdd516-traefik-ssl-whoami-1-ba08b9a6fd6a6a434ae85c28fea6f773 at http://172.23.0.3:80 with weight 1"
time="2020-05-17T16:21:51Z" level=debug msg="Creating route route-frontend-Host-example-com-0 Host:example.com"

time="2020-05-17T16:21:51Z" level=debug msg="Wiring frontend frontend-Host-example-com-0 to entryPoint https"
time="2020-05-17T16:21:51Z" level=debug msg="Creating backend backend-whoami-traefik-ssl"
time="2020-05-17T16:21:51Z" level=debug msg="Creating load-balancer wrr"
time="2020-05-17T16:21:51Z" level=debug msg="Creating server server-eaa0e2fdd516-traefik-ssl-whoami-1-ba08b9a6fd6a6a434ae85c28fea6f773 at http://172.23.0.3:80 with weight 1"
time="2020-05-17T16:21:51Z" level=debug msg="Creating route route-frontend-Host-example-com-0 Host:example.com"

time="2020-05-17T16:21:51Z" level=info msg="Server configuration reloaded on :443"
time="2020-05-17T16:21:51Z" level=info msg="Server configuration reloaded on :80"

time="2020-05-17T16:21:51Z" level=debug msg="Try to challenge certificate for domain [example-com] founded in Host rule"
time="2020-05-17T16:21:51Z" level=debug msg="Looking for provided certificate(s) to validate ["example.com"]..."
time="2020-05-17T16:21:51Z" level=debug msg="Domains ["example.com"] need ACME certificates generation for domains "example.com"."
time="2020-05-17T16:21:51Z" level=debug msg="Loading ACME certificates [example.com]..."
time="2020-05-17T16:21:51Z" level=info msg="The key type is empty. Use default key type 4096."
time="2020-05-17T16:21:56Z" level=debug msg="Building ACME client..."
time="2020-05-17T16:21:56Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2020-05-17T16:21:56Z" level=info msg=Register...
time="2020-05-17T16:21:57Z" level=debug msg="Using HTTP Challenge provider."
time="2020-05-17T16:21:57Z" level=info msg="legolog: [INFO] [example.com] acme: Obtaining bundled SAN certificate"
time="2020-05-17T16:21:57Z" level=info msg="legolog: [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4642384633"
time="2020-05-17T16:21:57Z" level=info msg="legolog: [INFO] [example.com] acme: Could not find solver for: tls-alpn-01"
time="2020-05-17T16:21:57Z" level=info msg="legolog: [INFO] [example.com] acme: use http-01 solver"
time="2020-05-17T16:21:57Z" level=info msg="legolog: [INFO] [example.com] acme: Trying to solve HTTP-01"
time="2020-05-17T16:21:58Z" level=debug msg="Unable to split host and port: address example.com: missing port in address. Fallback to request host."
time="2020-05-17T16:21:58Z" level=debug msg="Looking for an existing ACME challenge for token YHbdxGL9bxJeJIaCnSEkC3PMv5O5kYF-WKg8xFlQgLE..."
time="2020-05-17T16:21:58Z" level=debug msg="Unable to split host and port: address example.com: missing port in address. Fallback to request host."
time="2020-05-17T16:21:58Z" level=debug msg="Looking for an existing ACME challenge for token YHbdxGL9bxJeJIaCnSEkC3PMv5O5kYF-WKg8xFlQgLE..."
time="2020-05-17T16:21:58Z" level=debug msg="Unable to split host and port: address example.com: missing port in address. Fallback to request host."
time="2020-05-17T16:21:58Z" level=debug msg="Looking for an existing ACME challenge for token YHbdxGL9bxJeJIaCnSEkC3PMv5O5kYF-WKg8xFlQgLE..."
time="2020-05-17T16:21:58Z" level=debug msg="Unable to split host and port: address example.com: missing port in address. Fallback to request host."
time="2020-05-17T16:21:58Z" level=debug msg="Looking for an existing ACME challenge for token YHbdxGL9bxJeJIaCnSEkC3PMv5O5kYF-WKg8xFlQgLE..."
time="2020-05-17T16:22:02Z" level=info msg="legolog: [INFO] [example.com] The server validated our request"
time="2020-05-17T16:22:02Z" level=info msg="legolog: [INFO] [example.com] acme: Validations succeeded; requesting certificates"
time="2020-05-17T16:22:03Z" level=info msg="legolog: [INFO] [example.com] Server responded with a certificate."
time="2020-05-17T16:22:03Z" level=debug msg="Certificates obtained for domains [example.com]"
time="2020-05-17T16:22:03Z" level=debug msg="Configuration received from provider ACME: {}"

time="2020-05-17T16:22:03Z" level=debug msg="Wiring frontend frontend-Host-example-com-0 to entryPoint http"
time="2020-05-17T16:22:03Z" level=debug msg="Creating backend backend-whoami-traefik-ssl"
time="2020-05-17T16:22:03Z" level=debug msg="Creating load-balancer wrr"
time="2020-05-17T16:22:03Z" level=debug msg="Creating server server-eaa0e2fdd516-traefik-ssl-whoami-1-ba08b9a6fd6a6a434ae85c28fea6f773 at http://172.23.0.3:80 with weight 1"
time="2020-05-17T16:22:03Z" level=debug msg="Creating route route-frontend-Host-example-com-0 Host:example.com"

time="2020-05-17T16:22:03Z" level=debug msg="Wiring frontend frontend-Host-example-com-0 to entryPoint https"
time="2020-05-17T16:22:03Z" level=debug msg="Creating backend backend-whoami-traefik-ssl"
time="2020-05-17T16:22:03Z" level=debug msg="Creating load-balancer wrr"
time="2020-05-17T16:22:03Z" level=debug msg="Creating server server-eaa0e2fdd516-traefik-ssl-whoami-1-ba08b9a6fd6a6a434ae85c28fea6f773 at http://172.23.0.3:80 with weight 1"
time="2020-05-17T16:22:03Z" level=debug msg="Creating route route-frontend-Host-example-com-0 Host:example.com"
time="2020-05-17T16:22:03Z" level=debug msg="Adding certificate for domain(s) example.com"

time="2020-05-17T16:22:03Z" level=info msg="Server configuration reloaded on :80"
time="2020-05-17T16:22:03Z" level=info msg="Server configuration reloaded on :443"