Docker - Let's Encrypt + Traefik + Portainer

Walcze z tym od ponad miesiąca i nadal nic. Zwracam sie o pomoc do was!

portainer.yml

version: '3.7'

services:
  proxy:
    image: "traefik:latest"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/traefik:/etc/traefik"
    deploy:
      placement:
        constraints: [node.role == manager]

  agent:
    image: portainer/agent:latest
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

  app:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - data:/data
    networks:
      - public
      - agent_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=(Host(`example.com`) && PathPrefix(`/admin/portainer/`))"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.service=portainer"
      # Edge
      - "traefik.http.routers.edge.rule=Host(`edge.example.com`)"
      - "traefik.http.routers.edge.entrypoints=web"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"

networks:
  public:
    external: true
  agent_network:
    external: true

volumes:
   data:

traefik.toml

################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = true
  sendAnonymousUsage = false

[log]
  filePath = "/etc/traefik/logs/traefik.log"
  level = "DEBUG"
################################################################
# Entrypoints configuration
################################################################

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"

  [entryPoints.websecure]
    address = ":443"


[certificatesResolvers.letsencrypt.acme]
    email = "my-domain@example.com"
    storage = "/etc/letsencrypt/acme.json"
    [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"

################################################################
# Docker configuration backend
################################################################

[providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    swarmMode = true
    network = "public"
    exposedByDefault = false
    watch = true
[providers.file]
    directory = "/etc/traefik"

A jaki masz problem?

No to pobierz certyfikat i dodaj go sobie do zaufanych bo zapewne jest tzw. self-signed bez możliwości zweryfikowania go przez CA.

Nie rozumiem jak mam to zrobic. Powinno byc to automatycznie.
Dodam jeszcze ze jest to docker swarm na serwerach cloud ionos

Przeglądarka dostaje domyślny certyfikat od traefika, utworzony w celach deweloperskich
obraz
Z jakiegoś powodu nie jest to certyfikat Let’s Encrypt. Przeszukaj logi traefika i zobacz czy nie ma tam czegoś związanego Let’s Encrypt

Tutaj SSL with Traefik and Let's Encrypt Tutorial piszą, że:

Note that per the Traefik documentation, you must specify that a service requires the certificate resolver – it doesn’t automatically get used.

Jednym słowem certyfikat nie zostanie użyty do czasu aż nie wskażesz na niego (sekcja ‘whoami’ we wklejonym powyżej linku. Nie widzę jej w twoim konfigu. Przerób sobie tylko notację, na tą której używasz)

Logi:
Imgur
Imgur
Imgur
Imgur

Jestem zielony w te sprawy :frowning:

po dodaniu tls

Niestety nie mam tyle czasu, żeby Ci to rozpracować. Używam treaefika do celów deweloperskich więc nie generowałem certyfikatu. Może ktoś inny? Podążaj za wklejonym przeze mnie tutorialem. Na deweloperce mam traefika i tam są dwa kontenery. Tj traefik oraz whoami. Sprawdź czy ten drugi masz uruchomiony.

No a za tym wszystkim solidny stoi kawał wiedzy.

Kolejna sciana: 404 page not found

time="2022-09-25T15:07:09+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2022-09-25T15:07:09+02:00" level=debug msg="Adding route for snobby.dev with TLS options default" entryPointName=web
time="2022-09-25T15:07:09+02:00" level=debug msg="Adding route for edge.snobby.dev with TLS options default" entryPointName=web
time="2022-09-25T15:07:09+02:00" level=debug msg="Try to challenge certificate for domain [snobby.dev] found in HostSNI rule" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=portainer@docker rule="(Host(`snobby.dev`) && PathPrefix(`/admin/portainer/`))"
time="2022-09-25T15:07:09+02:00" level=debug msg="Try to challenge certificate for domain [edge.snobby.dev] found in HostSNI rule" routerName=edge@docker rule="Host(`edge.snobby.dev`)" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-09-25T15:07:09+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"edge.snobby.dev\"]..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=edge@docker rule="Host(`edge.snobby.dev`)"
time="2022-09-25T15:07:09+02:00" level=debug msg="No ACME certificate generation required for domains [\"edge.snobby.dev\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=edge@docker rule="Host(`edge.snobby.dev`)"
time="2022-09-25T15:07:09+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"snobby.dev\"]..." routerName=portainer@docker rule="(Host(`snobby.dev`) && PathPrefix(`/admin/portainer/`))" providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-09-25T15:07:09+02:00" level=debug msg="No ACME certificate generation required for domains [\"snobby.dev\"]." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=portainer@docker rule="(Host(`snobby.dev`) && PathPrefix(`/admin/portainer/`))"
time="2022-09-25T15:07:21+02:00" level=debug msg="Serving default certificate for request: \"\""
time="2022-09-25T15:40:14+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2022-09-25T15:40:14+02:00" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-09-25T15:40:14+02:00" level=debug msg="Adding certificate for domain(s) snobby.dev"
time="2022-09-25T15:40:14+02:00" level=debug msg="Adding certificate for domain(s) edge.snobby.dev"
time="2022-09-25T15:40:14+02:00" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareType=TracingForwarder entryPointName=web routerName=web-to-websecure@internal middlewareName=tracing
time="2022-09-25T15:40:14+02:00" level=debug msg="Creating middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme entryPointName=web
time="2022-09-25T15:40:14+02:00" level=debug msg="Setting up redirection to https 443" entryPointName=web routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
time="2022-09-25T15:40:14+02:00" level=debug msg="Adding tracing to middleware" routerName=web-to-websecure@internal middlewareName=redirect-web-to-websecure@internal entryPointName=web
time="2022-09-25T15:40:14+02:00" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareType=TracingForwarder middlewareName=tracing entryPointName=web routerName=acme-http@internal
time="2022-09-25T15:40:14+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery

Krok po kroku kiedys to ruszy :frowning:

A jak dodałeś ten certyfikat w mianowicie konkretnie krok po kroku jak to zrobiłeś?

U mnie niby dodaje a jednak nie dodaje bo plik acme.json jest pusty.

time="2022-10-16T11:46:46Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2022-10-16T11:46:46Z" level=info msg="Testing certificate renew..." providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2022-10-16T11:46:46Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"acme-http\":{\"entryPoints\":[\"web\"],\"service\":\"acme-http@internal\",\"rule\":\"PathPrefix(`/.well-known/acme-challenge/`)\",\"priority\":2147483647}},\"services\":{\"acme-http\":{},\"noop\":{}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2022-10-16T11:46:46Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=letsencrypt.acme
time="2022-10-16T11:46:46Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2022-10-16T11:46:46Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=acme-http@internal
time="2022-10-16T11:46:46Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
time="2022-10-16T11:46:46Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2022-10-16T11:46:46Z" level=debug msg="Added outgoing tracing middleware acme-http@internal" entryPointName=web routerName=acme-http@internal middlewareName=tracing middlewareType=TracingForwarder
time="2022-10-16T11:46:46Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery

Nie mam pojęcia o co chodzi.