Hi and thanks for any help you can provide.
I’m in the process of trying to switch reverse proxies from nginx to traefik. Previously I was using acme.sh via DNS challenge with Cloudflare for SSL certificate generation/renewal. From what I’ve read, with traefik ACME is “built-in” to the reverse proxy, which should eliminate one step.
My setup consists of an Ubuntu 20.04 host running docker. My test containers are traefik and whoami.
I’m running a home setup with a single WAN address. My router is pfsense, which intercepts all DNS port 53 lookups, forwarding them to DOH via port 853. This is unchanged and working with my previous acme.sh/nginx reverse proxy setup.
I’ve set up two test domains within CF – traefik.xxxxx.com and whoami.xxxxx.com. My docker-compose file is the following:
```yaml
networks:
  docker-net:
    name: docker-net
    driver: bridge
    ipam:
      config:
        - subnet: 10.30.0.0/24
secrets:
  CF_DNS_API_TOKEN_secret:
    file: /etc/docker/compose/CF_DNS_API_TOKEN.secret
  CF_ZONE_API_TOKEN_secret:
    file: /etc/docker/compose/CF_ZONE_API_TOKEN.secret
  CF_API_KEY_secret:
    file: /etc/docker/compose/CLOUDFLARE_API_KEY.secret
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    # These secrets are mounted under /run/secrets/<name> in the container but
    # nothing references them; the Cloudflare provider reads the CLOUDFLARE_*
    # variables passed through under `environment` below.
    secrets:
      - CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_secret
      - CF_API_KEY_secret
    networks:
      - docker-net
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.xxxxxx.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      # This label was mangled to "[email protected]" by e-mail obfuscation in
      # the original post; api@internal is the built-in service the dashboard
      # router points at (assumed reconstruction).
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$284N9gdE$$HN3oNn0.D82qAFFXsusu00"
    environment:
      - TZ
      - CLOUDFLARE_EMAIL
      - CLOUDFLARE_API_KEY
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /etc/letsencrypt/certificates:/etc/letsencrypt
  whoami:
    image: containous/whoami
    container_name: whoami
    restart: unless-stopped
    networks:
      - docker-net
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.whoami.rule=Host(`whoami.xxxx.com`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=le"
    ports:
      - 81:80
```
My traefik.yml file is the following:
```yaml
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
certificatesResolvers:
  le:
    acme:
      email: [email protected]
      # Staging Server
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # Production Server
      caServer: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    mintls13:
      minVersion: VersionTLS13
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedbydefault: false
    network: docker-net
api:
  debug: true
  dashboard: true
log:
  level: DEBUG
```
However, when trying to start the containers with docker-compose I’m getting the following error regarding the SSL certificate generation:
```text
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [whoami.xxxxx.com] acme: Preparing to solve DNS-01"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [traefik.xxxxx.com] acme: Cleaning DNS-01 challenge"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [INFO] [whoami.xxxxx.com] acme: Cleaning DNS-01 challenge"
time="2020-11-09T08:56:44-06:00" level=debug msg="legolog: [WARN] [traefik.xxxxx.com] acme: cleaning up failed: cloudflare: failed to find zone com.: Zone could not be found "
```
I’m not sure why cloudflare couldn’t find the zone. Any help with this one?
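The "failed to find zone com." message comes from the step before the Cloudflare API is ever called: the ACME library behind Traefik (lego) has to work out which zone owns the name before it can create the `_acme-challenge` TXT record. The script below is an added diagnostic, not code from the post, from Traefik or from lego. It assumes lego's discovery works by asking for an SOA record for the full name and then for each parent name, taking the first name whose answer section contains an SOA; it needs `dig` when run live. Running it with the resolvers listed in `traefik.yml` (1.1.1.1, 9.9.9.9) and with the pfSense address on the LAN shows whether the intercepted port 53 path returns an SOA for the zone apex or only for `com.`, which is the result the log shows. The resolver addresses and domain names in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added diagnostic, not from the post or from Traefik/lego: reproduce the zone
# discovery lego does before it can create the _acme-challenge TXT record.
# Assumption: lego asks for an SOA record for the full name, then for each
# parent, and uses the first name whose *answer section* contains an SOA.
# Needs `dig` (bind-utils / dnsutils) when run against real resolvers.
set -u

# soa_lookup RESOLVER NAME
# Prints the SOA MNAME when NAME itself answers with an SOA at RESOLVER, and
# nothing when the answer section is empty (NXDOMAIN, SERVFAIL, or an SOA that
# appears only in the authority section, which dig +short does not print).
soa_lookup() {
  local resolver="$1" name="$2"
  dig +short +time=2 +tries=1 "@${resolver}" "${name}" SOA 2>/dev/null \
    | awk 'NF { print $1; exit }'
}

# find_zone RESOLVER FQDN
# Walks FQDN towards the root and prints the first name with an SOA answer,
# i.e. the zone lego would hand to the Cloudflare API. Returns 1 if nothing
# below the root answers.
find_zone() {
  local resolver="$1" name="${2%.}"
  while [ -n "$name" ]; do
    if [ -n "$(soa_lookup "$resolver" "$name")" ]; then
      printf '%s.\n' "$name"
      return 0
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;   # drop the leftmost label and retry
      *)   name="" ;;
    esac
  done
  return 1
}

# compare_resolvers FQDN RESOLVER...
# Prints one line per resolver, "<resolver> <zone|NONE>", so the resolvers
# Traefik is configured with can be compared with the router on the LAN.
compare_resolvers() {
  local fqdn="$1"; shift
  local r zone
  for r in "$@"; do
    zone="$(find_zone "$r" "$fqdn")" || zone="NONE"
    printf '%s %s\n' "$r" "$zone"
  done
}

# Usage (live, needs network; addresses and names are placeholders):
#   bash find_zone.sh _acme-challenge.whoami.example.com 1.1.1.1 9.9.9.9 192.168.1.1
if [ $# -ge 2 ]; then
  compare_resolvers "$@"
fi
```

A healthy path prints the registrable domain (for example `example.com.`) for every resolver; a resolver that prints `com.` or `NONE` is the one whose answers make lego choose the wrong zone, and that is where to look at what the interception does to SOA queries.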