Error in the certificate resolver
Raimoncoral opened this issue · 1 comment
Raimoncoral commented
Hi,
First I want to thank you for this amazing work; I'm learning a lot implementing this in my homelab. But I have a problem, and I can't figure anything out.
The problem is in the certificate. I'm using Cloudflare for my CertResolver, and I get an error, `Router uses a non-existent certificate resolver certificateResolver=cloudflare`, and when I try to go to a website it returns a 525 error.
My last traefik docker compose, which is generic and not secure, works without any problems.
This is my docker compose file:
```yaml
services:
  dockerproxy:
    image: wollomatic/socket-proxy:1 # see https://github.com/wollomatic/simple-traefik for reference
    container_name: traefik-eval-1-proxy
    # this image replaced https://github.com/Tecnativa/docker-socket-proxy as the socket proxy
    # for an example with the tecnativa proxy refer tags before 2.10
    command:
      # with this configuration socket-proxy acts similar to the tecnativa proxy. For additional hardening
      # please refer to the documentation of the wollomatic/socket-proxy image
      - '-loglevel=info' # set to debug for far more logging
      - '-allowfrom=traefik'
      - '-listenip=0.0.0.0'
      - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)' # this regexp allows readonly access only for requests that traefik needs
      - '-shutdowngracetime=5'
      - '-watchdoginterval=600'
      - '-stoponwatchdog'
    restart: unless-stopped
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    user: 65534:999 # replace <<docker-gid>> with the docker gid on your host system
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-proxynet
  traefik:
    image: traefik:v3.0 # always look for the most recent version
    container_name: traefik-eval-1
    restart: on-failure:5
    #read_only: true
    mem_limit: 2G
    cpus: 0.75
    depends_on:
      - dockerproxy
    security_opt:
      - no-new-privileges:true
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
      TZ: Europe/Madrid
    volumes:
      - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro # Static Traefik Configuration
      - ./config/dynamic/:/etc/traefik/dynamic/:ro # Folder to store dynamic configuration file provider
      - ./config/authusers.txt:/etc/traefik/authusers.txt:ro # userfile for basic auth
      - ./config/acme/acmedns.json:/etc/traefik/acmedns.json # certificate storage
    user: "2000:2000"
    # user traefik has to be created on the host system
    # sudo useradd -u 2000 -M -s /usr/sbin/nologin traefik
    labels:
      - "traefik.enable=true"
      # expose traefik dashboard with TLS and basic auth
      # 1. create router
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.[**Redacted**].eu`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=[**Redacted**].eu"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.[**Redacted**].eu"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.middlewares=traefik-auth, secHeaders@file"
      # 2. create basic auth middleware
      - "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/authusers.txt"
      # this would be another possibility to create an catch-all on port 80 with redirection to https
      # but we connected the unencrypted entrypoint to the redirection in the static configuration:
      # - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      # - "traefik.http.routers.http-catchall.entrypoints=web"
      # - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    networks:
      - proxy
      - docker-proxynet
    ports:
      - "80:10080" # use high ports inside the container so
      - "443:10443" # we don't need to be root to bind the ports
networks:
  proxy:
    external: true # this network has to be created once before starting:
    name: proxy # docker network create proxy
  docker-proxynet:
    driver: bridge
    internal: true
```
And this is my traefik.yaml:
```yaml
accessLog: {}
log:
  level: DEBUG
providers:
  docker:
    exposedByDefault: false
    endpoint: "tcp://dockerproxy:2375"
    network: proxy
  file:
    directory: /etc/traefik/dynamic
    watch: true
api:
  dashboard: false # if you don't need the dashboard disable it
entryPoints:
  web:
    address: ":10080" # will be routed to port 80, see docker-compose.yaml
    http:
      redirections: # redirect entire entrypoint to https
        entryPoint:
          to: ":443"
          scheme: https
  web-secure:
    address: ":10443" # will be routed to port 443, see docker-compose.yaml
    http3:
      advertisedPort: 443
certificatesResolvers:
  cloudflare:
    acme:
      email: [**Redacted**]
      storage: acmedns.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
#experimental:
  #http3: true
global:
  sendAnonymousUsage: false # set to false, if you don't want to send anonymous usage data
```
And this is one of the files stored in the dynamic folder:
```yaml
http:
  routers:
    synology-rs1221:
      entrypoints: web-secure
      rule: "Host(`nas.[**Redacted**].eu`)"
      tls:
        certresolver: cloudflare
      middlewares: secHeaders@file
      service: synology-rs1221
  services:
    synology-rs1221:
      loadBalancer:
        servers:
          - url: "https://192.168.1.51:5003"
        passHostHeader: true
```
Do you have any idea?
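A consistency check for the error quoted above, added here as an example and not part of the issue or of Traefik itself: it collects the resolver names defined under `certificatesResolvers` in the static config and compares them with every `certresolver` referenced from a docker label or a file-provider router, since any name that does not match (a typo, a resolver defined under a different name) is exactly what produces `Router uses a non-existent certificate resolver`, after which Traefik serves its default self-signed certificate for that host. The sample configs are constructed, and the small indentation-based scanner assumes plain block-style YAML without anchors or flow mappings.

```python
import re
# Constructed samples shaped like the thread's configs, not the poster's real files.
STATIC_CONF = """\
certificatesResolvers:
  cloudflare:
    acme:
      storage: acmedns.json
      dnsChallenge:
        provider: cloudflare
"""
LABELS = ["traefik.http.routers.traefik.tls.certresolver=cloudflare",
          "traefik.http.routers.traefik.entrypoints=web-secure"]
DYNAMIC_CONF = "http:\n  routers:\n    nas:\n      tls:\n        certresolver: cloudflare\n"
LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.certresolver=(.+)$")
DYN_RE = re.compile(r"certresolver:\s*[\"']?([^\"'\s#]+)", re.IGNORECASE)

def defined_resolvers(static_yaml):
    """Resolver names one indent level below 'certificatesResolvers:' (plain block YAML assumed)."""
    names, base, child = set(), None, None
    for line in static_yaml.splitlines():
        text = line.split("#", 1)[0].rstrip()  # drop comments and commented-out keys
        if not text.strip():
            continue
        indent = len(text) - len(text.lstrip())
        if text.strip() == "certificatesResolvers:":
            base, child = indent, None
            continue
        if base is None:
            continue
        if indent <= base:  # left the certificatesResolvers block
            base = None
            continue
        child = indent if child is None else child  # first nested level = resolver names
        if indent == child and text.strip().endswith(":"):
            names.add(text.strip()[:-1])
    return names

def referenced_resolvers(labels, dynamic_yaml):
    """(router, resolver) pairs from docker labels and file-provider YAML."""
    refs = [(m.group(1) + "@docker", m.group(2).strip())
            for m in map(LABEL_RE.match, (l.strip() for l in labels)) if m]
    refs += [("router@file", m.group(1)) for m in DYN_RE.finditer(dynamic_yaml)]
    return refs

def check(static_yaml, labels, dynamic_yaml):
    """Traefik-style messages for every router that names an undefined resolver."""
    defined = defined_resolvers(static_yaml)
    return [f"Router uses a non-existent certificate resolver certificateResolver={r} routerName={n}"
            for n, r in referenced_resolvers(labels, dynamic_yaml) if r not in defined]
```

Run `check()` over the real traefik.yaml, the compose labels and each file in the dynamic folder; an empty list means every router's resolver exists, so the remaining suspects are the ACME storage path and the DNS token rather than the resolver name.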
Raimoncoral commented
I finally fixed it. In the certresolver resolver, I had the wrong value.