Question

How to setup TLS Challenge with Let'sEncrypt, Traefik and Docker Compose

Posted on September 18, 2023
Docker
Asked by ch3njus

I’m getting the following error when I visit my domain https://<mydomain>:

Warning: Potential Security Risk Ahead Firefox detected a potential security threat and did not **continue** **to** mydomain.com. **If** you visit this site, attackers could **try** **to** steal information like your passwords, emails, or credit card details.

This is my docker-compose.yaml:

version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --providers.docker.network=proxy
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

Here is part of my traefik.log:

2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false  false false      false} entryPointName=web middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=web middlewareName=upload-cors@docker routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:37062: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:23486: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:12Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:4290: remote error: tls: unknown certificate
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:51854: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:42874: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:28030: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Mohamed Ibrahim • May 16, 2024

Check this https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt