As I'm starting to play with Flask, I had to deal with several backend servers and decided to put the Traefik proxy in front of them.
I wanted two web entry points: one for HTTP/HTTPS for the frontend, and another one on port 8000 for some backend work. Everything is done in a Docker Compose YAML file, deployed as a Swarm stack (the stack name below is just a placeholder):
docker stack deploy -c file.yml mystack
Unfortunately, I couldn't make it work by adding only the new entry point like this:
--entrypoints='Name:backend Address::8000'
The reason is simple: in Traefik 1.x, passing --entrypoints replaces the built-in definition (the http entry point on port 80), so as soon as you define one entry point you have to define all of them, the default ones included. As Traefik can handle the TLS certificates, I decided to let it handle the HTTP-to-HTTPS redirection as well. So the definition needed to add:
--entrypoints='Name:http Address::80 Redirect.EntryPoint:https' \
--entrypoints='Name:https Address::443 TLS' \
Now to the TLS configuration with Let's Encrypt on Traefik, which means configuring the ACME settings. The first part is the command line arguments (like for the entry points).
My servers are just test servers, inside a domain I use as a front for my official projects, but the servers are hosted on my box. I didn't want to mess up my DNS records for this, except for the new subdomain. So I went for the HTTP challenge. One thing to keep in mind: the HTTP-01 challenge needs Let's Encrypt to reach port 80 of the host from the internet, so the http entry point has to stay exposed even though it only redirects; Traefik answers the challenge requests on that entry point itself. The configuration becomes very easy:
--acme=true \
--acme.storage=/etc/traefik/acme/acme.json \
--acme.ondemand=true \
--acme.onhostrule=true \
--acme.entrypoint=https \
--acme.httpchallenge \
--acme.httpchallenge.entrypoint=http \
--acme.domains="subdomain.domain.com" \
--acme.email="myemailaddress@server.com"
One trick here: the storage location must exist and be writable by Traefik. In my case, I added a volume on the traefik container so that the storage directory exists and so that the certificate survives a restart of the service (without it, every restart requests a new certificate, which counts against the Let's Encrypt rate limits). Note that acme.json contains the ACME account key and the private key of every certificate, so it belongs on a host path with restricted permissions (chmod 600), never baked into an image.
- /etc/traefik/acme:/etc/traefik/acme
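To put the pieces above together, here is the complete stack file I would deploy with `docker stack deploy -c`. This is an added example, not the author's file: the `traefik:1.7` tag, the `frontend`/`backend` service names, their images and the Flask port 5000 are assumptions, and the `Host:` rule reuses the post's placeholder domain. Two deliberate differences from the flags in the post: `--acme.ondemand=true` is dropped, because with `onHostRule` plus an explicit `acme.domains` it is not needed, and the Traefik 1.x documentation warns that on-demand issuance is triggered by the first TLS handshake for any requested name, which makes it a rate-limit and DoS risk; and `--defaultentrypoints=http,https` is added so that a frontend without an explicit `entryPoints` label is attached to the web entry points only, not to 8000.

```yaml
# Added example stack file (Traefik 1.x flag syntax), not the post's original.
version: "3.7"

services:
  traefik:
    image: traefik:1.7                      # assumed tag
    command:
      - --docker
      - --docker.swarmmode                   # read services/labels from the Swarm API
      - --docker.exposedbydefault=false      # only route services that opt in with traefik.enable=true
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --entrypoints=Name:backend Address::8000
      - --acme=true
      - --acme.storage=/etc/traefik/acme/acme.json
      - --acme.onhostrule=true               # issue for hosts named in frontend rules
      - --acme.entrypoint=https
      - --acme.httpchallenge
      - --acme.httpchallenge.entrypoint=http # HTTP-01 must be answered on port 80
      - --acme.domains=subdomain.domain.com
      - --acme.email=myemailaddress@server.com
      - --logLevel=INFO
    ports:
      - "80:80"
      - "443:443"
      - "8000:8000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/acme:/etc/traefik/acme  # acme.json persists here; chmod 600 on the host
    deploy:
      placement:
        constraints:
          - node.role == manager             # the Swarm API is only on managers

  frontend:
    image: myflaskfrontend:latest            # hypothetical image
    deploy:
      labels:                                # in Swarm mode Traefik 1.x reads deploy.labels
        - traefik.enable=true
        - traefik.port=5000                  # Flask default, assumed
        - traefik.frontend.rule=Host:subdomain.domain.com
        - traefik.frontend.entryPoints=http,https

  backend:
    image: myflaskbackend:latest             # hypothetical image
    deploy:
      labels:
        - traefik.enable=true
        - traefik.port=5000
        - traefik.frontend.rule=Host:subdomain.domain.com
        - traefik.frontend.entryPoints=backend   # only reachable through :8000
```

The backend entry point has no `TLS` option here, exactly as in the post, so traffic on 8000 stays plaintext; if that port is reachable from outside the box, either add `TLS` to that entry point as well or restrict it at the firewall.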
And this is it.
This is what happens then in the logs:
2019-03-18T17:08:00.848130803Z time="2019-03-18T17:08:00Z" level=info msg="Testing certificate renew..."
2019-03-18T17:08:00.848210687Z time="2019-03-18T17:08:00Z" level=debug msg="Looking for provided certificate(s) to validate [\"subdomain.domain.com\"]..."
2019-03-18T17:08:00.848221064Z time="2019-03-18T17:08:00Z" level=debug msg="Domains [\"subdomain.domain.com\"] need ACME certificates generation for domains \"subdomain.domain.com\"."
2019-03-18T17:08:00.848225816Z time="2019-03-18T17:08:00Z" level=debug msg="Loading ACME certificates [subdomain.domain.com]..."
2019-03-18T17:08:00.848230433Z time="2019-03-18T17:08:00Z" level=info msg="The key type is empty. Use default key type 4096."
2019-03-18T17:08:00.848399515Z time="2019-03-18T17:08:00Z" level=debug msg="Configuration received from provider ACME: {}"
Once this is done, you can point your browser to "http://subdomain.domain.com" and see that it gets redirected to "https://subdomain.domain.com", now with a valid certificate. One point to note: if you reach the server through any other name or address (its IP, a LAN hostname), the name sent in the TLS handshake (SNI) matches none of the ACME certificates, so Traefik presents its self-signed default certificate and the browser flags it as invalid. Only the domain configured in the ACME commands gets a real certificate. And yes, I forgot that point for a while, testing only locally with a local address!
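Both points above, the private keys sitting in acme.json and the hostnames that will get the default certificate instead of a Let's Encrypt one, can be checked from the storage file alone. The following audit script is an added example, not code from the post or from the Traefik project. It assumes the Traefik 1.x acme.json layout as I know it (an "Account" object and a "Certificates" list whose entries carry "Domain": {"Main", "SANs"} plus base64-encoded PEM in "Certificate" and "Key"); the sample store it writes is constructed with placeholder PEM blocks and is not a real Let's Encrypt artefact.

```python
"""Audit a Traefik 1.x acme.json: file permissions and certificate coverage.

Added example, not the post's or Traefik's code. Assumption: the store layout
is the Traefik 1.x acme.json format ("Account", "Certificates" with
"Domain": {"Main", "SANs"}, base64 PEM under "Certificate"/"Key").
"""
import base64
import json
import os
import stat
import tempfile


def covered_hostnames(store):
    """Hostnames (Main + SANs) that have a certificate in the store."""
    names = set()
    for entry in store.get("Certificates") or []:
        domain = entry.get("Domain") or {}
        if domain.get("Main"):
            names.add(domain["Main"].lower())
        for san in domain.get("SANs") or []:
            names.add(san.lower())
    return names


def pem_blobs_look_sane(store):
    """Certificate/Key fields must decode from base64 to PEM text."""
    for entry in store.get("Certificates") or []:
        for field in ("Certificate", "Key"):
            try:
                blob = base64.b64decode(entry.get(field) or "", validate=True)
            except (ValueError, TypeError):
                return False
            if not blob.startswith(b"-----BEGIN "):
                return False
    return True


def permission_problems(path):
    """acme.json holds the ACME account key and every certificate's private
    key, so any group/other permission bit is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is mode %o; it contains private keys, chmod 600 it" % (path, mode)]
    return []


def audit(path, expected_hosts):
    """Report permission findings and which expected hosts have no certificate
    (those are the ones Traefik will answer with its self-signed default)."""
    with open(path, "rb") as fh:
        store = json.load(fh)
    covered = covered_hostnames(store)
    problems = permission_problems(path)
    if not pem_blobs_look_sane(store):
        problems.append("Certificate/Key fields are not base64-encoded PEM")
    return {
        "problems": problems,
        "covered": sorted(covered),
        "missing": [h for h in expected_hosts if h.lower() not in covered],
    }


def write_sample_store(directory, mode=0o644):
    """Write a constructed acme.json (placeholder PEM, not real key material)."""
    def b64pem(label):
        pem = "-----BEGIN %s-----\nCONSTRUCTED PLACEHOLDER\n-----END %s-----\n" % (label, label)
        return base64.b64encode(pem.encode()).decode()

    store = {
        "Account": {"Email": "myemailaddress@server.com", "KeyType": "4096"},
        "Certificates": [
            {"Domain": {"Main": "subdomain.domain.com", "SANs": None},
             "Certificate": b64pem("CERTIFICATE"),
             "Key": b64pem("RSA PRIVATE KEY")}
        ],
        "HTTPChallenges": {},
    }
    path = os.path.join(directory, "acme.json")
    with open(path, "w") as fh:
        json.dump(store, fh)
    os.chmod(path, mode)
    return path


def demo_audit(mode, expected_hosts=("subdomain.domain.com", "192.168.1.10")):
    """Write the constructed store with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(write_sample_store(tmp, mode), list(expected_hosts))


if __name__ == "__main__":
    print(demo_audit(0o644))   # too open: one permission finding, 192.168.1.10 uncovered
    print(demo_audit(0o600))   # no findings; the LAN address is still uncovered
```

Run it against the real store with `audit("/etc/traefik/acme/acme.json", ["subdomain.domain.com"])`: an empty `missing` list and an empty `problems` list is what you want to see before pointing a browser at the host.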