I'm struggling with Let's Encrypt setup for my Docker Swarm. Traefik is started this way in my stack's compose file:

    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    command:
      - --api
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=traefik-public
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443

      - --certificatesResolvers.certbot=true
      - --certificatesResolvers.certbot.acme.httpChallenge=true
      - --certificatesResolvers.certbot.acme.httpChallenge.entrypoint=http
      - --certificatesResolvers.certbot.acme.email=${EMAIL?Variable EMAIL not set}
      - --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
      - --certificatesResolvers.certbot.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

    ...networks, volumes...

    deploy:
      mode: replicated
      replicas: 1 # to avoid concurrency issues
      ...
      labels:
        - "traefik.docker.network=traefik-public"
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.rule=Host(`traefik.my-domain.com`)"
        - "traefik.http.routers.traefik.entrypoints=http,https"
        - "traefik.http.routers.traefik.tls.certresolver=certbot"
        - "traefik.http.routers.traefik.middlewares=traefik-auth"
        - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${HASHED_PASSWORD?Variable HASHED_PASSWORD not set}"

And I cannot get more than

    level=debug msg="No ACME certificate generation required for domains [\"traefik.my-domain.com\"]." providerName=certbot.acme routerName=traefik@docker rule="Host(`traefik.my-domain.com`)"

I wonder why no ACME certificate is required while Firefox complains of getting the "TRAEFIK DEFAULT CERT" (Chromium also btw).

I also tried:

  • Without the staging server of Let's Encrypt
  • With a DNS challenge, as I hope to make it work with the wildcard *.my-domain.com for dev purposes (which works manually with certbot).
  • Setting a traefik.my-domain.com DNS zone (to remove the wildcard case from the problem)
  • Changed the deploy mode "replicated" to "global" as suggested here: Traefik + Consul not generating SSL certificates in replicated mode, using TRAEFIK DEFAULT CERT
  • I'm presently looking for a way to handle certificates renewal with Certbot directly on my servers...
Jean Claveau

2 Answers

I've had the same issue, and it helped me to change the volume where acme.json is stored. I think it's because when Traefik sees that acme.json is not empty, it simply doesn't ask for a new cert.

So if you're using something like:

    command:
    ...
      - --certificatesResolvers.certbot.acme.storage=/certs/acme-v2.json
    volumes:
      - "certs:/certs"

Try to use a different volume:

    command:
    ...
      - --certificatesResolvers.certbot.acme.storage=/letsencrypt/acme-v2.json
    volumes:
      - "letsencrypt:/letsencrypt"
wokoman
  • I tried it multiple times without success but thanks for your insight. I would know that it may work now – Jean Claveau Oct 01 '20 at 16:48
  • I deleted the acme.json file (as it didn't have any content yet) and retried. Worked just fine this time. Good hint! – Worp Feb 07 '21 at 22:22
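The answer above and the debug line in the question both come down to whether Traefik already believes it holds a certificate for the host. The following Python script is an added example, not code from the question, the answers or the Traefik project: it reads a Traefik v2 acme.json and reports the facts that decide this: whether the file has the 600 permissions Traefik insists on (the file holds the account and certificate private keys), which CA the stored account was registered with (an account at the staging CA yields certificates browsers do not trust), and whether a stored certificate's main name or SANs already cover the host, treating a wildcard as matching exactly one label. The resolver name `certbot`, the host names, the account URI and the placeholder PEM bodies are constructed sample data; `demo()` writes that sample to a temporary file so the script runs offline.

```python
"""Inspect a Traefik v2 acme.json and explain why a host does or does not get a new ACME cert."""
import base64
import json
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def _b64_pem(kind: str) -> str:
    # Traefik stores PEM blocks base64-encoded; these bodies are placeholders, not real keys.
    pem = f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----\n"
    return base64.b64encode(pem.encode()).decode()


# Constructed sample in the layout Traefik v2 writes: one key per certificate resolver,
# holding the ACME account and the list of issued certificates.
SAMPLE_STORE: Dict = {
    "certbot": {
        "Account": {
            "Email": "admin@my-domain.com",
            "Registration": {
                "body": {"status": "valid"},
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0",
            },
            "PrivateKey": _b64_pem("RSA PRIVATE KEY"),
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "*.my-domain.com", "sans": ["my-domain.com"]},
                "certificate": _b64_pem("CERTIFICATE"),
                "key": _b64_pem("RSA PRIVATE KEY"),
                "Store": "default",
            }
        ],
    }
}


def permission_issue(mode: int) -> Optional[str]:
    """Traefik refuses to start when acme.json is readable by group or others."""
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        return f"mode {perm:o} is too open; the file holds private keys, use 600"
    return None


def load_store(path: str) -> Dict:
    """An empty file is a valid, empty store; anything else must be JSON."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return json.loads(raw) if raw.strip() else {}


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one leading label, as in certificates."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def covering_certs(store: Dict, host: str) -> List[Tuple[str, str]]:
    """(resolver, main domain) of every stored certificate whose names cover host."""
    hits = []
    for resolver, data in store.items():
        for cert in data.get("Certificates") or []:
            domain = cert.get("domain") or {}
            names = [domain.get("main", "")] + (domain.get("sans") or [])
            if any(domain_matches(n, host) for n in names if n):
                hits.append((resolver, domain.get("main", "")))
    return hits


def account_ca_host(store: Dict, resolver: str) -> Optional[str]:
    """Hostname of the CA the stored account was registered with, if any."""
    account = (store.get(resolver) or {}).get("Account") or {}
    uri = (account.get("Registration") or {}).get("uri")
    return urlsplit(uri).hostname if uri else None


def diagnose(path: str, resolver: str, host: str) -> List[str]:
    """Collect human-readable findings for one resolver and one router host."""
    findings = []
    issue = permission_issue(os.stat(path).st_mode)
    if issue:
        findings.append(issue)
    store = load_store(path)
    if resolver not in store:
        findings.append(f"resolver {resolver!r} has no entry yet: no account registered, nothing stored")
        return findings
    ca = account_ca_host(store, resolver)
    if ca:
        note = " (staging CA: its certificates are not browser-trusted)" if "staging" in ca else ""
        findings.append(f"account registered at {ca}{note}")
    hits = covering_certs(store, host)
    if hits:
        findings.append(f"{host} already covered by stored certificate(s) {hits}: no new request expected")
    else:
        findings.append(f"no stored certificate covers {host}: Traefik should request one")
    return findings


def demo(mode: int = 0o644) -> List[str]:
    """Write the constructed sample to a temp file with the given mode and diagnose it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "acme-v2.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE_STORE, fh)
        os.chmod(path, mode)
        return diagnose(path, "certbot", "traefik.my-domain.com")


if __name__ == "__main__":
    for line in demo():
        print("-", line)
```

Against a real deployment, call `diagnose("/letsencrypt/acme-v2.json", "certbot", "traefik.my-domain.com")` on a copy of the file taken from the Traefik volume. A hit in the "already covered" line is the stored-certificate case this answer fixes by starting from an empty file; a finding about the staging CA explains why a certificate that Traefik is happy with is still rejected by the browser.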
For me it was the default (custom) cert that was set, which was valid for the full domain, so Traefik didn't request a specific ACME/Let's Encrypt one, because it thought it already had one.

After disabling the custom default cert it worked instantly.

Dani
  • how did you disable it? – Daniel Katz Dec 07 '21 at 00:33
  • @DanielKatz I just renamed the configuration file `filename.yml` to something like `filename.yml.disabled` so Traefik ignores it. _(assuming only the default certificate option is set in this file)_ – Dani Dec 12 '21 at 15:23