Provide valid & dynamic certs with a Traefik instance behind another one

Server Fault Asked by Logan Mzz on December 30, 2021

Context

I have a "particular" setup where a first frontend server (server0) receives all public web traffic, and at least one other host (server1) sits on a private network only.

I don’t know how to enable HTTPS for services hosted on private network host(s) (server1).

Here's a diagram of my architecture:

[ Internet ] --- [ Server 0 ]              --- [ Server 1]
                 +-----------------------+     +-----------------------+
                 | Docker                |     | Docker                |
                 | +-------------------+ |     | +-------------------+ |
                 | | Traefik           | |     | | Traefik           | |
                 | | Service A         | |     | | Service B         | |
                 | +-------------------+ |     | +-------------------+ |
                 +-----------------------+     +-----------------------+

I basically use wildcard DNS (all pointing to server0) to expose services on each host. For example:

  • traefik.server0.mydomain
  • servicea.server0.mydomain
  • traefik.server1.mydomain
  • serviceb.server1.mydomain

My attempts:

server0(http,https), server1(http)

On server0:

  • http, https and traefik entrypoints
  • docker enabled
  • static rules for server1
    • http, https entrypoints
    • pass header
    • rule: HostRegexp:{subdomain:.*}.server1.mydomain
    • target: http://server1

On server1:

  • http, traefik entrypoints
  • docker enabled

# server0:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address=":8080"

[api]
[ping]
[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"


# server0:/etc/traefik/config.d/server1.toml
[frontends]
    [frontends.server1]
        entryPoints = ["http", "https"]
        backend = "server1"
        passHostHeader = true
        [frontends.server1.routes]
            [frontends.server1.routes.main]
                rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
[backends]
    [backends.server1]
        [backends.server1.servers]
            [backends.server1.servers.main]
                url = "http://server1.local"


# server1:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.traefik]
        address=":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"

Result:

  • traefik.server0.mydomain: OK, valid certificate (Let’s Encrypt)
  • serviceA.server0.mydomain: OK, valid certificate (Let’s Encrypt)
  • traefik.server1.mydomain: OK, invalid certificate (Traefik default cert)

server0(http,https), server1(http,https)

On server0:

  • http, https and traefik entrypoints
  • docker enabled
  • static rules for server1
    • http, https entrypoints
    • pass header
    • rule: HostRegexp:{subdomain:.*}.server1.mydomain
    • target: https://server1

On server1:

  • http,https,traefik entrypoints
  • docker enabled

# server0:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address=":8080"

[api]
[ping]
[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"


# server0:/etc/traefik/config.d/server1.toml
[frontends]
    [frontends.server1]
        entryPoints = ["http", "https"]
        backend = "server1"
        passHostHeader = true
        [frontends.server1.routes]
            [frontends.server1.routes.main]
                rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
[backends]
    [backends.server1]
        [backends.server1.servers]
            [backends.server1.servers.main]
                url = "https://server1.local"


# server1:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address=":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"

Result:

  • traefik.server0.mydomain: OK, valid certificate (Let’s Encrypt)
  • serviceA.server0.mydomain: OK, valid certificate (Let’s Encrypt)
  • traefik.server1.mydomain: internal server error (no log), invalid certificate (Traefik default cert)

I don't know which options to use to get the correct behavior.
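As an added example, not the asker's configuration and not an answer from this thread: one Traefik 1.x layout in which the public edge (server0) holds the Let's Encrypt certificates for the server1 hostnames and authenticates the private hop to server1 with an internal CA. The entrypoint, acme, rule and global-option syntax is Traefik 1.x (the version the question's TOML uses); the internal CA and certificate file paths, and the explicit list of server1 hostnames, are assumptions.

```toml
# --- server0:/etc/traefik/traefik.toml (Traefik 1.x) ---
# Added example; hostnames follow the question, file paths are assumptions.
defaultEntryPoints = ["http", "https"]

# server0 talks HTTPS to server1 on the private network. Traefik 1.x verifies
# the backend certificate and surfaces a verification failure as a bare 500,
# so trust the internal CA that signed server1's certificate rather than
# setting insecureSkipVerify = true (which would let anything on the private
# network impersonate server1).
rootCAs = ["/etc/traefik/internal-ca.pem"]

[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]
[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
# onHostRule derives ACME domains only from "Host:" rules; a HostRegexp
# frontend never triggers an issuance, so its names fall back to the default cert.
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"

# --- server0:/etc/traefik/config.d/server1.toml ---
[frontends]
    [frontends.server1]
        entryPoints = ["http", "https"]
        backend = "server1"
        passHostHeader = true
        [frontends.server1.routes]
            [frontends.server1.routes.main]
                # Explicit hostnames (assumed list): each one becomes a SAN of
                # the certificate server0 requests from Let's Encrypt.
                rule = "Host:traefik.server1.mydomain,serviceb.server1.mydomain"
[backends]
    [backends.server1]
        [backends.server1.servers]
            [backends.server1.servers.main]
                # Host part must match a SAN of server1's internal certificate.
                url = "https://server1.local"

# --- server1:/etc/traefik/traefik.toml (Traefik 1.x) ---
# No [acme] here: Let's Encrypt never reaches server1 directly, and the
# public names are already covered by server0's certificate.
defaultEntryPoints = ["https"]

[entryPoints]
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
            # Certificate for server1.local issued by the internal CA (assumed paths).
            [[entryPoints.https.tls.certificates]]
                certFile = "/etc/traefik/certs/server1.local.crt"
                keyFile = "/etc/traefik/certs/server1.local.key"
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"
```

Two points in this layout explain the results in the question. First, Traefik 1.x only requests a certificate for names it can read out of a `Host:` rule, so the `HostRegexp:{subdomain:.*}.server1.mydomain` frontend never produced an issuance on server0 and clients were shown server0's default certificate; a real wildcard for `*.server1.mydomain` would instead need `[acme.dnsChallenge]` with a DNS provider, because Let's Encrypt issues wildcards only through dns-01. Second, the second attempt pointed server0 at `https://server1.local`, and server1 answered with its default self-signed certificate; Traefik rejected it and returned a plain 500 to the client, which is the "internal server error" observed. To confirm which certificate the public edge now serves for a server1 name, run `openssl s_client -connect server0:443 -servername traefik.server1.mydomain </dev/null | openssl x509 -noout -subject -issuer` and check that the issuer is Let's Encrypt rather than the Traefik default certificate.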

One Answer

Let's Encrypt won't let you verify an internal domain because it can't see or access it. So you need to validate it on a public IP. But I'm not sure you'll be able to do exactly what you're asking; you may need to change your DNS a bit.

This article should help you understand the general issue.

Answered by Geeky Masters on December 30, 2021
