Setup a Let's Encrypt certificate with Traefik

May 23, 2018
Docker traefik


In this post, I will explain how to set up your first Let's Encrypt certificate with Traefik. You need to know a little about Traefik first; you can read my first post about it.

For the curious, you can find more information about Let's Encrypt here.

Now launch traefik:

docker run --rm --name traefik --network test --publish 80:80 --publish 443:443 --publish 8080:8080 \
       -v /var/run/docker.sock:/var/run/docker.sock \
       traefik:1.6-alpine \
       --entryPoints="Name:http Address::80" \
       --entryPoints="Name:https Address::443 TLS"  \
       --api --docker --docker.endpoint="unix:///var/run/docker.sock" --loglevel=debug \
       --acme=true --acme.entrypoint=https --acme.httpchallenge --acme.httpchallenge.entrypoint=http \
       --acme.domains="xxx.raveland.org" --acme.email="xxx@raveland.org" --acme.storage=/tmp/acme.json

I will now explain the new options used here:

--acme=true: enables the ACME provider, i.e. Let's Encrypt.
--acme.entrypoint=https: the TLS entrypoint on which the obtained certificates are served.
--acme.httpchallenge and --acme.httpchallenge.entrypoint=http: use the HTTP-01 challenge. Let's Encrypt validates it by fetching http://xxx.raveland.org/.well-known/acme-challenge/<token> on port 80, so that port has to be reachable from the internet on the host the name resolves to, and Traefik answers it on the http entrypoint.
--acme.domains="xxx.raveland.org": the domain(s) to request a certificate for when Traefik starts.
--acme.email="xxx@raveland.org": the contact address of the Let's Encrypt account (expiry notices are sent there).
--acme.storage=/tmp/acme.json: the file in which Traefik keeps the account private key and the certificates.

Also note that --api together with --publish 8080:8080 exposes the Traefik dashboard and API on every interface of the host, without authentication, and that mounting /var/run/docker.sock gives the container full control of the Docker daemon. Both are fine for a test on a trusted network, not for a production host.

WARNING: I will explain later why you need to change acme.storage.

Wait a few seconds and you should see something like this in the logs:

time="2018-05-23T08:59:29Z" level=debug msg="Building ACME client..."
time="2018-05-23T08:59:29Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2018-05-23T08:59:29Z" level=info msg=Register...
time="2018-05-23T08:59:32Z" level=debug msg="Using HTTP Challenge provider."
time="2018-05-23T08:59:33Z" level=debug msg="Unable to split host and port: address xxx.raveland.org: missing port in address. Fallback to request host."
time="2018-05-23T08:59:33Z" level=debug msg="Looking for an existing ACME challenge for token e-d4CY0MHvtZkZT0VSR7DSEF-Kz2bgrXmBGEneTFjJY0..."
time="2018-05-23T08:59:38Z" level=debug msg="Challenge CleanUp for domain xxx.raveland.org"
time="2018-05-23T09:00:18Z" level=debug msg="Certificates obtained for domains [xxx.raveland.org]"
time="2018-05-23T09:00:18Z" level=debug msg="Configuration received from provider ACME: ....

Now your certificate is generated and you can access the URL with https.

Because the container runs with --rm and acme.json lives in /tmp inside it, the account key and the certificate are thrown away every time the container stops, and Traefik requests a brand new certificate at each start. Let's Encrypt rate-limits duplicate certificates for the same names, so after a few restarts you will simply stop getting certificates. It is best to store acme.json on a Docker volume and to mount this volume in the container.
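Putting that into practice, as an added example that is not part of the original post: the same container, but with the ACME data on a named volume so it survives `docker run --rm`. The volume name traefik-acme, the mount point /acme and the commented staging-CA line are my additions; the domain and e-mail are the placeholders used above.

```shell
#!/bin/sh
# Added example (not from the original post): Traefik 1.6 with the ACME account
# key and certificates persisted on a named Docker volume.
# Assumptions: volume name "traefik-acme", mount point /acme inside the container.
set -eu

docker volume create traefik-acme

docker run --rm --name traefik --network test --publish 80:80 --publish 443:443 --publish 8080:8080 \
       -v /var/run/docker.sock:/var/run/docker.sock \
       -v traefik-acme:/acme \
       traefik:1.6-alpine \
       --entryPoints="Name:http Address::80" \
       --entryPoints="Name:https Address::443 TLS" \
       --api --docker --docker.endpoint="unix:///var/run/docker.sock" --loglevel=debug \
       --acme=true --acme.entrypoint=https --acme.httpchallenge --acme.httpchallenge.entrypoint=http \
       --acme.domains="xxx.raveland.org" --acme.email="xxx@raveland.org" \
       --acme.storage=/acme/acme.json

# While you are still experimenting, add this argument as well: it switches
# Traefik to the Let's Encrypt staging CA, whose certificates browsers do not
# trust but which does not count against the production rate limits.
#   --acme.caserver="https://acme-staging-v02.api.letsencrypt.org/directory"
```

On the next start, Traefik finds the existing account and certificate in /acme/acme.json and reuses them instead of registering and ordering again; the file contains the account's private key, so keep the volume as private as you would keep a TLS key.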

Here are some small hardening steps we can add. These options are set per frontend, as labels on the backend container, so we restart the nginx container with them:

docker run --rm --network test --label traefik.backend=nginx1 --label traefik.port=80 \
           --label traefik.frontend.rule="Host:xxx.raveland.org" \
           --label traefik.frontend.entryPoints=https \
           --label traefik.frontend.headers.forceSTSHeader=true \
           --label traefik.frontend.headers.STSSeconds=315360000 \
           --label traefik.frontend.headers.STSIncludeSubdomains=true \
           --label traefik.frontend.headers.STSPreload=true \
           nginx:latest

The explanations:

traefik.frontend.entryPoints=https: the frontend is only attached to the https entrypoint, so this backend can no longer be reached over plain HTTP on port 80.
traefik.frontend.headers.forceSTSHeader=true: always add the Strict-Transport-Security header; without it Traefik only adds the header to requests it sees as TLS.
traefik.frontend.headers.STSSeconds=315360000: the max-age of the header in seconds, here 10 years.
traefik.frontend.headers.STSIncludeSubdomains=true: appends includeSubDomains, so the policy also applies to every subdomain of xxx.raveland.org.
traefik.frontend.headers.STSPreload=true: appends preload, which marks the domain as eligible for the browsers' built-in HSTS preload list. It has no effect until you submit the domain on hstspreload.org.

A word of caution: once a browser has seen this header it refuses plain HTTP to the host, and with includeSubDomains to all its subdomains, until max-age expires, and getting removed from the preload list takes months. Only enable includeSubDomains and preload when every subdomain serves HTTPS, and start with a short max-age if you are unsure.

You can find more information about HTTP Strict Transport Security here.
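To verify what the labels above actually produce, here is an added check that is not part of the original post: a POSIX shell function that validates a Strict-Transport-Security header value against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), plus a wrapper that fetches the header from a live site with curl. The header Traefik sends for the labels above is "max-age=315360000; includeSubdomains; preload"; the sample values and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check a Strict-Transport-Security
# header value against the hstspreload.org requirements:
#   max-age >= 31536000 seconds (one year), includeSubDomains and preload.

# check_hsts VALUE
# Prints "ok" and returns 0 when VALUE meets the requirements, otherwise prints
# the first problem found and returns 1.
check_hsts() {
    hsts_max_age=""
    hsts_subdomains=no
    hsts_preload=no

    # Directives are separated by ';', are case-insensitive and max-age may be
    # quoted (RFC 6797), so normalise each one before matching.
    old_ifs=$IFS
    IFS=';'
    set -f                      # no globbing while splitting the header value
    for directive in $1; do
        directive=$(printf '%s' "$directive" | tr -d ' \r"' | tr 'A-Z' 'a-z')
        case "$directive" in
            max-age=*)         hsts_max_age=${directive#max-age=} ;;
            includesubdomains) hsts_subdomains=yes ;;
            preload)           hsts_preload=yes ;;
        esac
    done
    set +f
    IFS=$old_ifs

    case "$hsts_max_age" in
        ''|*[!0-9]*) echo "missing or non-numeric max-age"; return 1 ;;
    esac
    if [ "$hsts_max_age" -lt 31536000 ]; then
        echo "max-age=$hsts_max_age is below the 31536000 required for preloading"
        return 1
    fi
    [ "$hsts_subdomains" = yes ] || { echo "includeSubDomains is missing"; return 1; }
    [ "$hsts_preload" = yes ]    || { echo "preload is missing"; return 1; }
    echo ok
}

# check_hsts_url URL
# Fetches the response headers with curl (needs network access), extracts the
# STS header and hands it to check_hsts. Also reports a missing header, which
# is what you get when the frontend is still reachable over plain HTTP only.
check_hsts_url() {
    value=$(curl -sSI "$1" | tr -d '\r' \
            | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1)
    if [ -z "$value" ]; then
        echo "no Strict-Transport-Security header returned by $1"
        return 1
    fi
    check_hsts "$value"
}

# Usage against the host configured above:
#   check_hsts_url https://xxx.raveland.org
```

Run check_hsts_url against the https URL of your frontend after the nginx container is up; it only says "ok" when all three preload conditions hold, which is exactly the state you want to be in before submitting the domain to hstspreload.org.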

Enjoy 😏
