4 votes

I have a container ('matrix'), based on https://github.com/silvio/docker-matrix (though that's probably not important).

It runs a service on port 8448 and 3478 (not 80 or 443).

Without running Traefik, and only running the 'matrix' container, inside of the 'matrix' container I can run LetsEncrypt's certbot, which tells LetsEncrypt to try to contact me on port 443 and provides an SSL cert, like so:

certbot certonly --standalone --test-cert --email [email protected] --agree-tos -d m.amazing.site

The challenge is made, the challenge is accepted, certs get saved in dir /etc/letsencrypt in the container.

Ok now I want to do this when running Traefik.

I pass my parameters for Traefik for this container in my docker-compose file, like so:

labels:
  - "traefik.acme=false"
  - "traefik.enable=true"
  - "traefik.backend=matrix"
  - "traefik.frontend.rule=Host:m.amazing.site"
  - "traefik.port=443"
restart: always
expose:
  - 443
ports:
  - "8448:8448"
  - "3478:3478"

When I run the challenge in the container (same command as above):

certbot certonly --standalone --test-cert --email [email protected] --agree-tos -d m.amazing.site

I get the following in my Traefik logs:

time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 453.949201ms"
time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 808.788592ms"
time="2017-07-14T01:04:36Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 1.138006833s"
time="2017-07-14T01:04:37Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 2.436785791s"
time="2017-07-14T01:04:40Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 3.055167113s"
time="2017-07-14T01:04:43Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 4.856677044s"
time="2017-07-14T01:04:48Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 7.544878611s"
time="2017-07-14T01:04:55Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 6.313970727s"
time="2017-07-14T01:05:01Z" level=error msg="Error getting cert: Cannot find challenge cert for domain 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
time="2017-07-14T01:05:01Z" level=debug msg="ACME got nothing 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
2017/07/14 01:05:01 server.go:2753: http: TLS handshake error from 66.133.109.36:55264: EOF

Note these are real logs. No mention of the actual domain name I am trying to verify.

What am I doing wrong?

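The `*.acme.invalid` names in those log lines are the SNI values of the ACME TLS-SNI-01 challenge, and the "Cannot find challenge cert" messages mean Traefik's own ACME handler answered the validation server's TLS lookups instead of forwarding them to certbot's standalone listener in the container. The following Python script is an added example (not code from the question, the answer or the linked gist): it parses the Traefik log lines above (logrus key=value format, embedded here as sample input), groups the challenge lookups per SNI name, totals the Go-style retry backoff durations and reports whether the challenge was intercepted by the proxy. The regular expressions and the `diagnose` wording are my own assumptions about the log format, derived only from the lines shown.

```python
"""Summarise TLS-SNI-01 challenge lookups found in Traefik (logrus text) logs."""
import re
from collections import OrderedDict

# Sample input: the Traefik log records quoted in the question, one record per line.
SAMPLE_LOG = """\
time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 453.949201ms"
time="2017-07-14T01:04:35Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 808.788592ms"
time="2017-07-14T01:04:36Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 1.138006833s"
time="2017-07-14T01:04:37Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 2.436785791s"
time="2017-07-14T01:04:40Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 3.055167113s"
time="2017-07-14T01:04:43Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 4.856677044s"
time="2017-07-14T01:04:48Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 7.544878611s"
time="2017-07-14T01:04:55Z" level=error msg="Error getting cert: Cannot find challenge cert for domain b374a9118f855cacdb0096846a3dfa0c.f7c92b61d040f9ba250f14cc533ba4b8.acme.invalid, retrying in 6.313970727s"
time="2017-07-14T01:05:01Z" level=error msg="Error getting cert: Cannot find challenge cert for domain 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
time="2017-07-14T01:05:01Z" level=debug msg="ACME got nothing 8b1e27af665c4676b47236f25c3ccc73.1313b1cc8ceaaa7467ba2e5845c08fde.acme.invalid"
2017/07/14 01:05:01 server.go:2753: http: TLS handshake error from 66.133.109.36:55264: EOF
"""

# logrus text format: key=value pairs, values optionally double-quoted.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Go time.Duration strings, e.g. "453.949201ms", "1.138006833s", "1m30s".
DURATION_RE = re.compile(r'(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)')
DURATION_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
# Messages emitted by Traefik's ACME handler when asked for a TLS-SNI-01 challenge cert.
CHALLENGE_RE = re.compile(r'Cannot find challenge cert for domain (\S+?\.acme\.invalid)(?:, retrying in (\S+))?$')
GOT_NOTHING_RE = re.compile(r'^ACME got nothing (\S+\.acme\.invalid)')
# Go net/http's own (non-logrus) handshake error line.
HANDSHAKE_RE = re.compile(r'TLS handshake error from (\S+): (.*)$')


def parse_logrus_line(line):
    """Return the key=value fields of one logrus text record (quotes stripped)."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_go_duration(text):
    """Convert a Go duration string to seconds (sum of its unit components)."""
    return sum(float(v) * DURATION_UNITS[u] for v, u in DURATION_RE.findall(text))


def summarize_challenges(log_text):
    """Group challenge-cert lookups per *.acme.invalid SNI name."""
    stats = OrderedDict()

    def entry_for(name, when):
        return stats.setdefault(name, {"attempts": 0, "backoff_seconds": 0.0,
                                       "gave_up": False, "first_seen": when, "last_seen": when})

    for line in log_text.splitlines():
        fields = parse_logrus_line(line)
        msg, when = fields.get("msg", ""), fields.get("time")
        m = CHALLENGE_RE.search(msg)
        if m:
            entry = entry_for(m.group(1), when)
            entry["attempts"] += 1
            entry["last_seen"] = when
            if m.group(2):
                entry["backoff_seconds"] += parse_go_duration(m.group(2))
            else:  # no "retrying in": the lookup loop ran out of retries
                entry["gave_up"] = True
            continue
        m = GOT_NOTHING_RE.search(msg)
        if m:
            entry_for(m.group(1), when)["gave_up"] = True
    return stats


def tls_handshake_errors(log_text):
    """Return (peer, reason) tuples from Go's 'TLS handshake error' lines."""
    return [m.groups() for m in (HANDSHAKE_RE.search(l) for l in log_text.splitlines()) if m]


def diagnose(log_text):
    """Human-readable findings: one line per challenge name plus a verdict."""
    stats = summarize_challenges(log_text)
    findings = [
        f"{name}: {e['attempts']} lookup(s) by Traefik's ACME handler, "
        f"{e['backoff_seconds']:.3f}s of retry backoff, "
        f"{'gave up' if e['gave_up'] else 'still retrying'}"
        for name, e in stats.items()
    ]
    if stats:
        findings.append("Every *.acme.invalid SNI was answered by Traefik itself, so the "
                        "TLS-SNI-01 challenge never reached the certbot --standalone "
                        "listener behind the proxy.")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print(line)
    for peer, reason in tls_handshake_errors(SAMPLE_LOG):
        print(f"handshake error from {peer}: {reason}")
```

Run it as-is to see the per-name summary for the log above; point it at your own Traefik log by passing the file contents to `diagnose`. A non-empty result means the proxy, not the backend, is terminating the challenge connections, which is exactly the situation the answer below describes.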

1 Answer

2 votes

You cannot disable ACME for a particular host out of the box, since ACME installs a route that is executed before all the rules.

I figured out a way to solve this:

https://gist.github.com/micw/67faf5cd3d4a6f64568ca2bb9a051230

Best regards, Michael.