I've set up Traefik with Docker and a service behind it. The basic setup works: I can browse to port 80 using the domain name, I'm redirected to https, and then I see "invalid certificate", since the Let's Encrypt part is broken.
[ router ] <-:80/:443-> [linux/docker [Traefik:80/:443][Service:8080]]
Here is the entry in the log (domain edited).
Logs:
acme: Error -> One or more domains had a problem:\n[xyz.example.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://xyz.example.net/.well-known/acme-challenge/eIAFZqaGMHMWaBjINjzk4m8PuWiYfuCHCTnSU9M: Error getting validation data, url: \n"
The error message is accurate: I cannot browse to that URL. I have noticed that I can go to that URL using the internal IP, http://10.0.0.21/.well-known/acme-challenge/key, and Traefik responds with this in the log:
traefik | time="2019-05-28T21:20:52Z" level=error msg="Error getting challenge for token retrying in 542.914495ms"
I suspect the problem is the domain name redirect setup. My service is at xyz.example.net (and so is Traefik). I suspect the problem is that Traefik is redirecting all traffic coming in on xyz.example.net:80/:443 to the service, and not handling /.well-known/acme-challenge itself. Do I need to give the gateway itself a name? (E.g. zzz.example.net is Traefik and xyz.example.net is the service?)
How can I fix this?
My TOML file:
debug = false
logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true # disables certificate verification towards backends
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80" # listen address for the http entry point (missing in the original; the HTTP-01 challenge is served here)
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.net"
watch = true
exposedbydefault = false

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
onDemand = false
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http" # challenge answered on the http entry point, before the https redirect
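The following is an added diagnostic script, not code from the question or from the Traefik project. It probes the HTTP-01 challenge path with a constructed token and classifies what answered: a 404 means Traefik's own ACME handler received the request (the expected answer for an unknown token), a redirect to https means the redirect ran before the challenge handler, and no answer means port 80 never reached Traefik. It assumes curl is installed and that the hostname and LAN address from the question are the ones being compared.

```shell
#!/bin/sh
# Probe the ACME HTTP-01 challenge path and report which component answered.
# The token is constructed and exists nowhere, so Traefik's challenge handler
# (if reached) answers 404 after its retry loop rather than serving a key.
PROBE_TOKEN="constructed-probe-token-not-a-real-challenge"

# classify <http_code> <redirect_url>: print a one-word verdict on stdout.
classify() {
    code=$1
    redirect=${2:-}
    case "$code" in
        000) echo "unreachable" ;;           # no HTTP answer on :80 at all
        404) echo "acme-handler" ;;          # Traefik's challenge handler saw the request
        301|302|307|308)
            case "$redirect" in
                https://*) echo "redirected-to-https" ;; # redirect ran before the challenge handler
                *)         echo "redirected" ;;
            esac ;;
        200) echo "backend-or-other" ;;      # content was served: not the challenge handler
        *)   echo "other:$code" ;;
    esac
}

# probe <host> [ip]: fetch the challenge URL, optionally pinning the hostname
# to an IP (the LAN address from the question), and print the verdict.
probe() {
    host=$1
    ip=${2:-}
    url="http://$host/.well-known/acme-challenge/$PROBE_TOKEN"
    if [ -n "$ip" ]; then
        result=$(curl -sS --max-time 30 -o /dev/null --resolve "$host:80:$ip" \
                 -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null) || true
    else
        result=$(curl -sS --max-time 30 -o /dev/null \
                 -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null) || true
    fi
    set -- ${result:-000}
    printf '%s via %s -> %s (%s %s)\n' \
        "$host" "${ip:-dns}" "$(classify "$1" "${2:-}")" "$1" "${2:-}"
}

# Usage (hostname and IP as in the question):
# probe xyz.example.net             # resolved via DNS, as Let's Encrypt sees it
# probe xyz.example.net 10.0.0.21   # pinned to the internal address
```

Run both probes from a machine outside the LAN if possible; a verdict of "acme-handler" internally but "unreachable" or "redirected-to-https" externally points at the router or redirect rather than at Traefik's ACME configuration.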