So, I want to implement the SSL wildcard that I got from DigiCert on my running Traefik container (v2.4.8). Currently, I use Let’s Encrypt as my certificate resolver, and my Traefik dashboard and Portainer can be accessed over HTTPS.
But after I implement the SSL wildcard, both the Traefik dashboard and Portainer can’t be accessed; instead, it shows me “404 page not found”, but I can see the cert is implemented.
This is my docker-compose.yml file:
version: "3"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - TZ=Asia/Jakarta
    command:
      - --accesslog.fields.names.StartUTC=drop
      - --providers.docker
      - --providers.file.directory=/traefik-data/tls.yml
      - --providers.file.watch=true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/configurations:/configurations
      - ./traefik-data/cert:/cert
      - ./traefik-data/tls.yml:/tls.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      #- "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.service=api@internal"
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer-data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
      - "traefik.http.routers.portainer-secure.service=portainer"
      #- "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
networks:
  proxy:
    external: true
My static configuration (traefik.yml):
api:
  dashboard: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      # tls:
      #   certificates:
      #     - certFile: "/cert/bundle.crt"
      #       keyFile: "/cert/mydomain.key"
      #   certResolver: letsencrypt
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
    filename: tls.yml
#certificatesResolvers:
#  letsencrypt:
#    acme:
#      email: me@example.com
#      storage: acme.json
#      keyType: EC384
#      httpChallenge:
#        entryPoint: web
My dynamic configuration (tls.yml):
tls:
  certificates:
    - certFile: "/cert/bundle.crt"
      keyFile: "/cert/mydomain.key"
  options:
    default:
      sniStrict: true
  stores:
    default:
      defaultCertificate:
        certFile: "/cert/bundle.crt"
        keyFile: "/cert/mydomain.key"
(dynamic.yml):
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$UdkaACnx$IBAWRG7vIoTbHGRMolFq4q."
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Or should I put the TLS configuration under the docker provider, like so, as the doc says here:
providers:
  docker:
    tls:
      cert: path/to/foo.cert
      key: path/to/foo.key
Can you tell me what I did wrong? I appreciate any help!
Thanks!
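The following is an added example, not code from the post or from the Traefik project: a small pre-flight checker that runs the three checks a reviewer would want on the files above before swapping a Let's Encrypt resolver for a file-provider wildcard certificate. It takes the router `Host()` rules from the compose labels and verifies that each has balanced backticks and parses to a hostname (Traefik does not register a router whose rule fails to parse, and a request that matches no router gets the "404 page not found" seen in the question); it checks that every routed host is covered by the certificate's subject alternative names using RFC 6125 wildcard matching, where `*` covers exactly one left-most label, so `*.mydomain.com` covers `traefik.mydomain.com` but not the apex or a deeper subdomain; and it scans a YAML mapping for keys repeated among siblings, since YAML loaders silently keep only the last occurrence (relevant to the two `filename` entries under `providers.file`). The label values, the SAN list `*.mydomain.com` / `mydomain.com` and the static-config excerpt are constructed here to mirror the post; the YAML scanner is deliberately minimal (indentation-based, no PyYAML dependency) and only looks for duplicate sibling keys.

```python
"""Pre-flight checks for a Traefik file-provider TLS setup (added example, not from the post)."""
import re

# Constructed input mirroring the question's labels; the traefik-secure rule keeps the
# missing closing backtick exactly as posted.
ROUTER_RULES = {
    "traefik-secure": "Host(`traefik.mydomain.com)",
    "portainer-secure": "Host(`portainer.mydomain.com`)",
}

# Assumed SANs for a DigiCert wildcard bundle covering the domain and its apex (constructed).
CERT_SANS = ["*.mydomain.com", "mydomain.com"]

# Constructed excerpt of the static configuration with the repeated 'filename' key.
STATIC_YAML = """\
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
    filename: tls.yml
"""

HOST_RULE = re.compile(r"Host\(\s*`([^`]*)`\s*\)")


def parse_host_rule(rule):
    """Return the hostname inside Host(`...`), or None if the rule is malformed."""
    if rule.count("`") % 2:          # an odd number of backticks can never parse
        return None
    match = HOST_RULE.search(rule)
    return match.group(1) if match else None


def wildcard_matches(pattern, host):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same number of labels, and everything after the wildcard label identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def duplicate_keys(yaml_text):
    """Return [(line_number, key)] for keys repeated among siblings of one mapping.

    Minimal indentation-based scanner: comments, '- ' list items and value-only
    lines are skipped, so it only detects the duplicate-sibling-key problem.
    """
    frames = []   # stack of (indent, set_of_keys_seen_at_that_indent)
    dups = []
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")) or ":" not in stripped:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key = stripped.split(":", 1)[0].strip()
        while frames and frames[-1][0] > indent:   # left a nested mapping
            frames.pop()
        if not frames or frames[-1][0] < indent:   # entered a new mapping
            frames.append((indent, set()))
        keys = frames[-1][1]
        if key in keys:
            dups.append((lineno, key))
        keys.add(key)
    return dups


def check_routers(rules, cert_sans):
    """Map each router name to a problem string, or None when the rule and cert line up."""
    report = {}
    for router, rule in rules.items():
        host = parse_host_rule(rule)
        if host is None:
            report[router] = "malformed Host() rule (unbalanced backticks?)"
        elif not any(wildcard_matches(san, host) for san in cert_sans):
            report[router] = "%s is not covered by certificate SANs %s" % (host, cert_sans)
        else:
            report[router] = None
    return report


if __name__ == "__main__":
    for router, problem in check_routers(ROUTER_RULES, CERT_SANS).items():
        print("%-17s %s" % (router, problem or "ok"))
    for lineno, key in duplicate_keys(STATIC_YAML):
        print("static config line %d: duplicate sibling key %r (only the last value survives)" % (lineno, key))
```

Running it on the constructed input reports the `traefik-secure` rule as malformed, `portainer-secure` as covered by the wildcard, and the second `filename` under `providers.file` as a duplicate that shadows the first; the same functions can be pointed at real labels and the real static file by replacing the constructed constants.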