What is the name of the domain?
a2va.dev
What is the issue you’re encountering?
Certificate validation error
What are the steps to reproduce the issue?
My goal is to host my website in my house using a cloudflare tunnel and traefik reverse proxy, and this blog helped me to do that.
First setup
With that, I ended up with a first setup that works (based on the above blog):
```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --api.dashboard=true
      - --api.debug=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --certificatesresolvers.cloudflare.acme.email=${EMAIL}
      - --certificatesresolvers.cloudflare.acme.storage=acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --providers.docker.exposedbydefault=false
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik/traefik.log
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      # PUID/PGID are a linuxserver.io image convention; the official traefik image ignores them
      - PUID=${UID}
      - PGID=${GID}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # :ro on the socket does not limit what the Docker API lets the container do
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/data/traefik.yml:/traefik.yml:ro
      # acme.json must be mode 600 on the host or Traefik refuses to use it
      - ./traefik/data/acme.json:/acme.json
      - ./traefik/data/config.yml:/config.yml:ro
      - ./traefik/data/log:/var/log/traefik/
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.tls.certresolver=cloudflare"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.rule=Host(`a2va.dev`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - proxy
networks:
  proxy:
    external: true
```
Cloudflare tunnel configuration
```yaml
tunnel: tunnel-id
credentials-file: /home/a2va/.cloudflared/tunnel-id.json
ingress:
  - hostname: a2va.dev
    service: https://127.19.0.2:443
    originRequest:
      # name cloudflared expects in the origin certificate (and sends as SNI)
      originServerName: "a2va.dev"
  - service: http_status:404
```
And some commands that I used:
```shell
docker network create proxy
cloudflared login
cloudflared tunnel create setup-1
cloudflared tunnel run
```
Second setup
In the second setup, I wanted to put cloudflared directly into the compose file. I ended up doing this:
```yaml
services:
  traefik:
    image: traefik:v3
    container_name: traefik2
    command:
      - --api.dashboard=true
      - --api.debug=true
      # serves the API and dashboard without authentication on :8080 (published below)
      - --api.insecure=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --certificatesresolvers.cloudflare.acme.email=${EMAIL}
      - --certificatesresolvers.cloudflare.acme.storage=acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --providers.docker.exposedbydefault=false
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik/traefik.log
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      # same Host rule as the whoami router when DOMAIN_NAME=a2va.dev, and api@internal has no auth middleware
      - "traefik.http.routers.traefik.rule=Host(`a2va.dev`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.tls.domains[0].main=a2va.dev"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.a2va.dev"
      - "traefik.http.routers.traefik.service=api@internal"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      test:
        ipv4_address: 174.20.0.100
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/a2va/traefik-cloudflare-tunnel/example/acme.json:/acme.json
      - ./traefik/data/log:/var/log/traefik/
    environment:
      - CF_API_EMAIL=${EMAIL}
      - CF_DNS_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - PUID=${UID}
      - PGID=${GID}
  whoami:
    image: traefik/whoami
    container_name: simple-service2
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.rule=Host(`${DOMAIN_NAME}`)
      - traefik.http.routers.whoami.entrypoints=https
      - traefik.http.routers.whoami.tls.certresolver=cloudflare
      - traefik.http.services.whoami.loadbalancer.server.port=80
    environment:
      - PUID=${UID}
      - PGID=${GID}
    # added: traefik is attached only to `test`, so whoami must be on it to be reachable
    networks:
      - test
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared2
    command:
      - tunnel
      - --no-autoupdate
      - run
      - --token=${CLOUDFLARED_TOKEN}
    environment:
      - PUID=${UID}
      - PGID=${GID}
    dns:
      - 1.1.1.1
      - 1.0.0.1
    networks:
      - test
  # traefik-cloudflare-tunnel:
  #   image: "testlocal/traefik-cloudflare-tunnel"
  #   environment:
  #     - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
  #     - CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}
  #     - CLOUDFLARE_TUNNEL_ID=${CLOUDFLARE_TUNNEL_ID}
  #     - CLOUDFLARE_ZONE_ID=${CLOUDFLARE_ZONE_ID}
  #     - TRAEFIK_SERVICE_ENDPOINT=https://174.20.0.100:443
  #     - TRAEFIK_API_ENDPOINT=http://174.20.0.100:8080
  #     - TRAEFIK_ENTRYPOINT=https
  #   networks:
  #     - test
networks:
  test:
    driver: bridge
    ipam:
      config:
        # 174.20.0.0/16 is publicly routed address space; Docker's default pools live in 172.16.0.0/12
        - subnet: 174.20.0.0/16
          gateway: 174.20.0.1
```
The `traefik-cloudflare-tunnel` image is simply used to make some requests to the Traefik API, then create the DNS records for each domain mentioned in the Traefik labels, and also configure the tunnel to point to the Traefik URL.
But with this setup, the certificate validation step fails:
```
cloudflared2 | 2024-11-20T14:37:21Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: cannot validate certificate for 174.20.0.100 because it doesn't contain any IP SANs" connIndex=2 dest=https://a2va.dev/ event=0 ip=198.41.200.63 type=http
```
I’ve come to the conclusion that this is because in the first setup, a certificate was generated by cloudflared when I logged in. So how can I make the certificate valid? (I know there is "No TLS Verify", but I want a solution that works without it.)
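As an added illustration, not part of the original post: the `x509: cannot validate certificate for 174.20.0.100 because it doesn't contain any IP SANs` text in the log line is the error Go's `crypto/x509` hostname check returns, and cloudflared is a Go program. The program below (written for this page; `a2va.dev`, `*.a2va.dev` and `174.20.0.100` are taken from the post, the self-signed certificate is constructed inline and stands in for the DNS-SAN-only certificate an ACME DNS-01 resolver hands Traefik) runs that same check offline against the names a client could be asked to verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newOriginCert builds a self-signed leaf certificate with the given SANs.
// With ips == nil it has the shape of a certificate obtained through the ACME
// DNS-01 challenge: DNS SANs only, no IP SANs (constructed stand-in, not a
// real Let's Encrypt certificate).
func newOriginCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyOriginName is the post-handshake hostname check a Go TLS client runs:
// the certificate must carry a SAN that matches the name the client expects.
// By default that name is the host part of the URL the client dialled (an IP
// address when the ingress service is https://174.20.0.100:443); setting
// tls.Config.ServerName replaces it with a DNS name instead.
func verifyOriginName(cert *x509.Certificate, expected string) error {
	return cert.VerifyHostname(expected)
}

func main() {
	// Stand-in for the certificate Traefik serves for a2va.dev: DNS SANs only.
	cert, err := newOriginCert([]string{"a2va.dev", "*.a2va.dev"}, nil)
	if err != nil {
		panic(err)
	}
	// An IP name fails (no IP SANs); the DNS names, including a wildcard match, pass.
	for _, name := range []string{"174.20.0.100", "a2va.dev", "whoami.a2va.dev"} {
		if err := verifyOriginName(cert, name); err != nil {
			fmt.Printf("%-16s FAIL %v\n", name, err)
		} else {
			fmt.Printf("%-16s ok\n", name)
		}
	}
}
```

The check only ever passes for an IP when the certificate carries an IP SAN, which a DNS-01 certificate for a domain never does; the other way to make it pass is to have the client verify a DNS name that is in the certificate. In cloudflared that name is `originRequest.originServerName`, which the first setup's ingress sets to `a2va.dev`.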