Traefik: Allow the ACME challenge to be solved by the backend('s)

Created on 17 May 2018 · 3 Comments · Source: traefik/traefik

Do you want to request a feature or report a bug?

Feature

What did you expect to see?

I'll describe a simple use case that lots of people can have, but where there is no easy solution.
I have an smtp server running in a docker container, and in that smtp server I want to run certbot to generate valid certificates. Right now, Traefik is intercepting traffic that goes to /.well-known/* URLs (ACME challenge) and because of this, certbot can't validate the requests made in the container.
What I'd like to see is a way to make traefik ignore these URLs on a per-container basis, so that it can handle all the other certificate requests for all the other hosts, except one or two, where this will be managed by the container.

Just a little more info:
This is my traefik config:

debug = false

logLevel = "INFO"
defaultEntryPoints = ["https","http"]

[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
            minVersion = "VersionTLS11"
            # duplicated TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 entry removed
            cipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "valid.domain"
watch = true
swarmMode = true
usebindportip = true
exposedByDefault = true

[acme]
email = "[email protected]"
storage = "/acme/acme.json"
entryPoint = "https"
OnHostRule = true

[acme.httpChallenge]
entryPoint = "http"

(I tried this same configuration but with the [acme*] sections disabled, and certbot worked nicely)

Container labels:

        deploy:
            replicas: 1
            labels:
                - "traefik.frontend.rule=Host:host.valid.domain"
                - "traefik.frontend.entryPoints=http"
                - "traefik.frontend.headers.SSLRedirect=false"
                - "traefik.backend=host"
                - "traefik.port=80"
                - "traefik.docker.network=traefik_net"

Traefik logs while I try to use certbot on the container:

time="2018-05-16T18:03:06Z" level=error msg="Error getting challenge for token: cannot find challenge for token FI-YW9EClYtszo9aDo5nWdNzVvQqt6Rtq6oNR6JIAxg",
time="2018-05-16T18:03:10Z" level=error msg="Error getting challenge for token: cannot find challenge for token FI-YW9EClYtszo9aDo5nWdNzVvQqt6Rtq6oNR6JIAxg"

docker-compose service part:

services:
  daemon:
    image: traefik:alpine
    networks:
      - net
    ports:
      - "80:80"
      - "443:443"
      - "8090:8080"
    deploy:
        replicas: 1
        restart_policy:
            condition: on-failure
        placement:
            constraints:
                - node.role == manager
    configs:
        - source: traefik_config
          target: /etc/traefik/traefik.toml
    volumes: 
        - /var/run/docker.sock:/var/run/docker.sock:ro
        - type: volume
          source: acme_json
          target: /acme
          volume:
              nocopy: true

All 3 comments

Hi @r3pek, thanks for your contribution!
We discussed this with the maintainers team and we tend to think your use case is really specific and would lead to a complex implementation.
I suggest modifying your DNS entry during the TLS cert generation to point to another server running certbot.
I think we can close this one, as I don't see any simple way to do this within Traefik.

@emilevauge as far as I found out on slack, it really isn't that specific. Anyone that has smtp servers on the swarm and is using traefik to "manage" http(s) connections has this problem.
Also, I really don't know the code base, but this should be as simple as ignoring the ACME URLs for a certain frontend/backend instead of intercepting them.
Also, modifying the DNS just for that is a non-solution. I would need to do it every 3 months?! And need to rent a new VPS just to renew the certificate? That seems utterly overkill.

Hello,
have a look at my solution. At the moment it's just a POC, I'll test it in the wild over the next few days.

https://gist.github.com/micw/67faf5cd3d4a6f64568ca2bb9a051230

Basically it moves acme to its own backend and adds a frontend rule. This allows other rules to override it with higher priority.
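To make the routing idea in the last comment concrete, here is a small added model of priority-based frontend matching, written for this page; it is neither Traefik's code nor the linked gist. The rule names, priorities and backend names are assumptions: the ACME challenge path gets its own mid-priority backend, the smtp host's explicit rule for the same path outranks it, and ordinary host rules sit below both, so the challenge only reaches the container for the host that opted in.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule models a Traefik 1.x frontend: Host and/or PathPrefix matchers plus a
// priority. Higher priority wins, which is what lets a per-host rule override
// the generic ACME backend. Empty Host or PathPrefix matches anything.
type Rule struct {
	Name       string
	Host       string
	PathPrefix string
	Priority   int
	Backend    string
}

func (r Rule) matches(host, path string) bool {
	return (r.Host == "" || strings.EqualFold(r.Host, host)) &&
		(r.PathPrefix == "" || strings.HasPrefix(path, r.PathPrefix))
}

// Route returns the backend of the highest-priority matching rule, or "" if none match.
func Route(rules []Rule, host, path string) string {
	sorted := append([]Rule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority > sorted[j].Priority })
	for _, r := range sorted {
		if r.matches(host, path) {
			return r.Backend
		}
	}
	return ""
}

const AcmePath = "/.well-known/acme-challenge/"

// DemoRules is a constructed rule set (assumed names and priorities): the ACME
// path as its own backend (50), the smtp host's override for that path (100),
// and ordinary per-host routes (10).
func DemoRules() []Rule {
	return []Rule{
		{Name: "acme-internal", PathPrefix: AcmePath, Priority: 50, Backend: "traefik-acme"},
		{Name: "smtp-acme", Host: "host.valid.domain", PathPrefix: AcmePath, Priority: 100, Backend: "smtp-container:80"},
		{Name: "smtp-web", Host: "host.valid.domain", Priority: 10, Backend: "smtp-container:80"},
		{Name: "web", Host: "www.valid.domain", Priority: 10, Backend: "web:80"},
	}
}

func main() {
	for _, q := range [][2]string{{"www.valid.domain", AcmePath + "tok"}, {"host.valid.domain", AcmePath + "tok"}, {"host.valid.domain", "/"}} {
		fmt.Printf("%s%s -> %s\n", q[0], q[1], Route(DemoRules(), q[0], q[1]))
	}
}
```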
