
How do I reference a self-signed SSL certificate for traefik v2 in a docker-compose file?

There is very limited documentation for referencing self-signed certificates for Træfik v2 in the docker-compose YAML file. Here is how you can do it for Let's Encrypt:

https://github.com/containous/blog-posts/blob/master/2019_09_10-101_docker/docker-compose-07.yml#L11-L14

version: "3.3"

services:
  traefik:
    image: "traefik:v2.0.0"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api
      - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.leresolver.acme.email=your@email.com
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true

But I tried to check the documentation, and I have not seen any way to reference a self-signed certificate in the docker-compose file without having a toml file.

I have tried this:

version: "3.3"

services:
  traefik:
    image: "traefik:v2.0.0"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --api
      - --providers.docker.tls.cert=/etc/certs/server.crt
      - --providers.docker.tls.key=/etc/certs/server.key

But I got the following error:

Failed to retrieve information of the docker client and server host: error during connect: Get https://%2Fvar%2Frun%2Fdocker.sock/v1.24/version: http: server gave HTTP response to HTTPS client" providerName=docker

Here are resources I have used that do not provide any way to set up self-signed certificates to enable HTTPS for Træfik v2 in the docker-compose YAML file:

I do see this on this page: https://docs.traefik.io/https/tls/#user-defined

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key

But it is for a YAML configuration file, and I need to convert this to the docker-compose YAML file equivalent, like how they have done it above for Let's Encrypt.

It seems this is not doable at the moment. Someone posted a very similar question on the Træfik community forum.

The certificates you are passing as flags (providers.docker.tls.cert and providers.docker.tls.key) are useful if Træfik listens to Docker events via a secure TCP endpoint instead of a file socket, which is not what you want.

It would be cool to have everything configured in a single docker-compose file, but unfortunately the self-signed related configuration must be stored in a separate file.

Here is an example for the record:

File docker-compose.yml

traefik:
  image: traefik:v2.1
  command:
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --providers.docker=true
    - --providers.file.directory=/etc/traefik/dynamic_conf
    - --providers.file.watch=true
  ports:
    - 80:80
    - 443:443
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./certs/:/certs/:ro
    - ./traefik.yml:/etc/traefik/dynamic_conf/conf.yml:ro

web:
  image: nginx:1.17.8-alpine
  labels:
    # http with redirection
    - traefik.http.middlewares.redirect-middleware.redirectscheme.scheme=https
    - traefik.http.routers.web-router.entrypoints=web
    - traefik.http.routers.web-router.rule=Host(`your-domain.net`)
    - traefik.http.routers.web-router.middlewares=redirect-middleware
    # https
    - traefik.http.routers.websecure-router.entrypoints=websecure
    - traefik.http.routers.websecure-router.tls=true
    - traefik.http.routers.websecure-router.rule=Host(`your-domain.net`)

File traefik.yml

tls:
  certificates:
    - certFile: /certs/awx.afone.priv.crt
      keyFile: /certs/awx.afone.priv.key
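
An added example (not part of the original answer): the answer assumes the certificate files already exist under ./certs. The script below creates a self-signed pair and checks that the certificate covers the hostname used in the Host(...) rule and that the key belongs to the certificate, since Traefik falls back to its own default certificate when no loaded certificate matches the requested name. The domain, the directory and the resulting file names are assumptions; certFile and keyFile in traefik.yml must point at whatever names you use.

```shell
#!/bin/sh
# Added example: self-signed certificate for the Traefik file provider.
# Assumed names: <dir>/<domain>.crt and <dir>/<domain>.key.

# make_cert <domain> <dir>: RSA 2048 key, valid 365 days, SAN = domain.
make_cert() {
    domain=$1
    dir=$2
    mkdir -p "$dir" || return 1
    # Clients match the hostname against subjectAltName, not CN alone.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
        2>/dev/null || return 1
    # The private key should not be readable by other local users.
    chmod 600 "$dir/$domain.key"
}

# cert_covers_host <crt> <hostname>: true if the certificate is valid for it.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# key_matches_cert <key> <crt>: true if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: ./make-cert.sh your-domain.net [./certs]
if [ "$#" -ge 1 ]; then
    d=${2:-./certs}
    make_cert "$1" "$d" &&
        cert_covers_host "$d/$1.crt" "$1" &&
        key_matches_cert "$d/$1.key" "$d/$1.crt" &&
        echo "OK: $d/$1.crt and $d/$1.key"
fi
```

Browsers and other clients will still warn about the certificate until it is added to their trust store, because nothing vouches for a self-signed certificate except the client's own configuration.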
