I’m getting the following error when I visit my domain https://<mydomain>:
Warning: Potential Security Risk Ahead Firefox detected a potential security threat and did not continue to mydomain.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
This is my docker-compose.yaml:
```yaml
version: '3'
services:
  upload:
    image: mydomain-upload:v3-staging
    build:
      context: .
      dockerfile: src/services/upload/Dockerfile.upload
    restart: always
    ports:
      - "8004:8004"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.upload.rule=Host(`mydomain.com`) && PathPrefix(`/upload`)"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.address=http://oauth2-proxy:4180"
      - "traefik.http.middlewares.oauth2-proxy.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.upload.entrypoints=web"
      - "traefik.http.routers.upload.middlewares=cors,oauth2-proxy"
      - "traefik.http.services.upload.loadbalancer.server.port=8004"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowMethods=GET, POST, OPTIONS"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowHeaders=*"
      - "traefik.http.middlewares.upload-cors.headers.accessControlAllowCredentials=true"
      - "traefik.http.routers.upload.middlewares=upload-cors"
    environment:
      - MODE=staging
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    command:
      - --provider=oidc
      - --email-domain=*
      - --oidc-issuer-url=https://accounts.google.com
      - --cookie-secure=false
      - --cookie-secret=COOKIE_SECRET
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --upstream=http://traefik:80
      - --pass-access-token=true
      - --pass-authorization-header=true
      - --set-authorization-header=true
    labels:
      - "traefik.enable=true"
  nginx:
    image: mydomain-nginx:v3-staging
    build:
      context: .
      dockerfile: src/static/Dockerfile.nginx.development
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`mydomain.com`)"
      - "traefik.http.routers.nginx.entrypoints=web"
  traefik:
    image: traefik:v3.0
    restart: always
    depends_on:
      - oauth2-proxy
      - nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --providers.docker.network=proxy
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=admin@mydomain.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`monitor.mydomain.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$QWHGoM/N$$me9nau/f2g6O4W9Y2MqRH0"
networks:
  proxy:
    name: proxy
volumes:
  letsencrypt:
    name: letsencrypt
```
Here is part of my traefik.log:
```
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/headers/headers.go:49 > Setting up customHeaders/Cors from {map[] map[] true [*] [GET POST OPTIONS] [*] [] [] 0 false [] [] map[] 0 false false false false false false false} entryPointName=web middlewareName=upload-cors@docker middlewareType=Headers routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=web middlewareName=upload-cors@docker routerName=upload@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=mydashboard@docker serviceName=api@internal
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:33 > Creating middleware entryPointName=websecure middlewareName=myauth@docker middlewareType=BasicAuth routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/wrapper.go:32 > Adding tracing to middleware entryPointName=websecure middlewareName=myauth@docker routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for monitor.mydomain.com with TLS options default entryPointName=websecure
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:847 > Looking for provided certificate(s) to validate ["monitor.mydomain.com"]... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:43:34Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:891 > No ACME certificate generation required for domains acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["monitor.mydomain.com"] providerName=myresolver.acme routerName=mydashboard@docker rule=Host(`monitor.mydomain.com`)
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:37062: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:23486: remote error: tls: unknown certificate
2023-09-17T20:44:01Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:12Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=myauth@docker middlewareType=BasicAuth
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:4290: remote error: tls: unknown certificate
2023-09-17T20:44:17Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:51854: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:42874: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG log/log.go:194 > http: TLS handshake error from 123.456.78.910:28030: remote error: tls: unknown certificate
2023-09-17T20:44:21Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
```
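An added triage example, not part of the original post and not Traefik's own tooling: it correlates three message types from the debug log above to list hostnames that were served the default certificate without any ACME attempt being logged for them. The sample lines are constructed, shortened copies of the formats shown in the post (with a documentation-range client IP), and the `triage` function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of the message formats in the posted log.
SAMPLE_LOG = """\
2023-09-17T20:43:34Z DBG provider.go:385 > Trying to challenge certificate for domain [monitor.mydomain.com] found in HostSNI rule routerName=mydashboard@docker
2023-09-17T20:43:34Z DBG provider.go:891 > No ACME certificate generation required for domains domains=["monitor.mydomain.com"] routerName=mydashboard@docker
2023-09-17T20:44:01Z DBG tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
2023-09-17T20:44:01Z DBG log/log.go:194 > http: TLS handshake error from 192.0.2.10:37062: remote error: tls: unknown certificate
2023-09-17T20:44:17Z DBG tlsmanager.go:220 > Serving default certificate for request: "mydomain.com"
"""

ACME_RE = re.compile(r"Trying to challenge certificate for domain \[([^\]]+)\]")
DEFAULT_RE = re.compile(r'Serving default certificate for request: "([^"]+)"')
REJECT_RE = re.compile(r"TLS handshake error from \S+: remote error: tls: unknown certificate")


def triage(log_text):
    """Return ACME-handled domains, hosts served only the default cert, and client rejections."""
    acme_domains = set()
    default_served = Counter()
    client_rejections = 0
    for line in log_text.splitlines():
        m = ACME_RE.search(line)
        if m:
            # Assumption: several domains in the brackets are space- or comma-separated.
            names = re.split(r"[,\s]+", m.group(1))
            acme_domains.update(n.lower() for n in names if n)
            continue
        m = DEFAULT_RE.search(line)
        if m:
            default_served[m.group(1).lower()] += 1
            continue
        if REJECT_RE.search(line):
            client_rejections += 1
    # Hosts answered with the default certificate that no ACME line ever mentioned.
    uncovered = {h: n for h, n in default_served.items() if h not in acme_domains}
    return {
        "acme_domains": sorted(acme_domains),
        "uncovered": uncovered,
        "client_rejections": client_rejections,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hostname listed under `uncovered` is one Traefik answered with its self-signed default certificate while the log shows no ACME attempt for it, so the router labels for that host are the place to look.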