How to fix ... Unable to obtain ACME certificate ... thanks to rule "Host:myhost.mydomain.com;PathPrefix:/app1{id:[0-9]?}" - lets-encrypt
I have a set of Meteor apps running as a Docker stack along with the Traefik proxy, Mongo and an HTTP server. I had to do some redirection to pass Traefik to each individual app so the client requests can be handled properly in response to the Meteor ROOT_URL. I do not understand the Traefik log output that is telling me 'Unable to obtain ACME certificate for domains .... ' because of '... detected thanks to rule "Host:myhost.mydomain.com;PathPrefix:/app2{id:[0-9]?}"'. Can someone please help me understand this log output? I am including the sanitized debug log, and the sanitized traefik.toml and docker-compose.yml files. I don't think this is a bug; it is probably a misconfiguration.
I cannot use the DNS challenge because I do not have control over the DNS server. I have tried several configuration options. I suspect it has to do with the PathPrefix in the Host rule, but I don't think I understand enough about ACME to know how to properly change it.
***** traefik.toml *****
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":8090"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:$2y$05$rd9MRJG/w0ugxIzmYy3L8.WpRheZfzPTTm17y.zq3cHKtZvMQ4OdW"]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    [entryPoints.https.redirect]
      regex = "^(https://ip-205-156-8-94.ec2.internal)/?$"
      replacement = "$1/"
      permanent = true

[api]
  entrypoint = "dashboard"

[acme]
  caServer = "https://acme-v02.api.letsencrypt.org/directory"
  email = "myemail@mydomain.com"
  storage = "acme.json"
  OnHostRule = true
  entryPoint = "https"
  [acme.tlsChallenge]

[docker]
  domain = "myhost.mydomain.com"
  watch = true
  network = "web"
  # The posted file spelled this key "exposedbydefualt". Traefik 1.x ignores a key it does
  # not know, so exposedByDefault kept its default of true, which is consistent with the
  # log below listing a frontend for every container in the stack, mongo included.
  exposedByDefault = false

[traefikLog]
  filePath = "/logs/traefik.log"

[accessLog]
  filePath = "/logs/access.log"
***** docker-compose.yml *****
version: "3.2"

networks:
  web:
    external: true
  backend:
    external: false

services:
  traefik:
    image: traefik
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    networks:
      - web
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/myhome/container_deployment/traefik.toml:/traefik.toml
      - /home/myhome/container_deployment/logs:/logs
      - /home/myhome/container_deployment/acme.json:/acme.json
    labels:
      - traefik.frontend.rule=Host:myhost.mydomain.com;PathPrefixStrip:/proxy
      - traefik.port=8090

  mats-http:
    image: myapps/production:mats-http
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 20s
    volumes:
      - /home/myhome/container_deployment/web:/web
    labels:
      - traefik.backend=mats-http/index.html
      - traefik.frontend.rule=Host:myhost.mydomain.com;PathPrefixStrip:/
      - traefik.docker.network=web
      - traefik.port=8080
    networks:
      - web

  mongo:
    image: mongo
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 30s
    command: -nojournal
    ports:
      - "27017:27017"
    volumes:
      - /home/myhome/mongodata:/data/db
    networks:
      - backend
      - web

  app1:
    image: myapps/production:app1-2.2.0
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 60s
    environment:
      - DELAY=6
      - ROOT_URL=https://myhost.mydomain.com/app1
    volumes:
      - /home/myhome/container_deployment/settings:/usr/app/settings
    depends_on:
      - mongo
    labels:
      - traefik.backend=app1
      - traefik.frontend.rule=Host:myhost.mydomain.com;PathPrefix:/app1{id:[0-9]?}
      - traefik.docker.network=web
      - traefik.port=80
    networks:
      - web
      - backend

  app2:
    image: myapps/production:app2-2.2.0
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 60s
    environment:
      - DELAY=6
      # host name normalised to the one the log below shows for this rule (the post had "myhome" here)
      - ROOT_URL=https://myhost.mydomain.com/app2
    volumes:
      - /home/myhome/container_deployment/settings:/usr/app/settings
    depends_on:
      - mongo
    labels:
      - traefik.backend=app2
      - traefik.frontend.rule=Host:myhost.mydomain.com;PathPrefix:/app2{id:[0-9]?}
      - traefik.docker.network=web
      - traefik.port=80
    networks:
      - web
      - backend

  app3:
    image: myapps/production:app3-2.2.0
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 60s
    environment:
      - DELAY=6
      # host name normalised to the one the log below shows for this rule (the post had "myhome" here)
      - ROOT_URL=https://myhost.mydomain.com/app3
    volumes:
      - /home/myhome/container_deployment/settings:/usr/app/settings
    depends_on:
      - mongo
    labels:
      - traefik.backend=app3
      - traefik.frontend.rule=Host:myhost.mydomain.com;PathPrefix:/app3{id:[0-9]?}
      - traefik.docker.network=web
      - traefik.port=80
    networks:
      - web
      - backend
***** truncated traefik debug log file *****
time="2019-07-11T16:03:38Z" level=info msg="Traefik version v1.7.12 built on 2019-05-29_07:35:02PM"
...
...
time="2019-07-11T16:03:38Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-mats-http-index-html\":{\"servers\":{\"server-matsStack-mats-http-1-vpaeunxj6xif75dt61peb62an-695b347dcd588d1d0b320f01e5644738\":{\"url\":\"http://10.0.45.14:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-matsStack-mongo-1-kjoekf19fyw5ru0fr1azazzu5\":{\"servers\":{\"server-matsStack-mongo-1-kjoekf19fyw5ru0fr1azazzu5-e29723ab5c75dde0eaf988caf77e50b2\":{\"url\":\"http://10.0.45.3:27017\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-matsStack-traefik-1-o1t2x6w1a0i3qu9nqwx6x67x1\":{\"servers\":{\"server-matsStack-traefik-1-o1t2x6w1a0i3qu9nqwx6x67x1-546c661a91789b6ce7fef697cc38e588\":{\"url\":\"http://10.0.45.12:8090\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-app3\":{\"servers\":{\"server-matsStack-app3-1-71g3c7hr2qz1frc5paqn1y52i-382f1bea7ec466d09871b7dff5c5a47c\":{\"url\":\"http://10.0.45.8:80\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-app2\":{\"servers\":{\"server-matsStack-app2-1-dvj9reft0nql50mp4jqxb9mx6-318c26e13ba26230fc29459a7f72c3aa\":{\"url\":\"http://10.0.45.10:80\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-app1\":{\"servers\":{\"server-matsStack-app1-1-nk6ax8rfo9d3tly953huzrvb0-cb78098740da4a0710dfc1b9067e7842\":{\"url\":\"http://10.0.45.6:80\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-matsStack-mongo-1-kjoekf19fyw5ru0fr1azazzu5-myhost.mydomain.com-4\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-matsStack-mongo-1-kjoekf19fyw5ru0fr1azazzu5\",\"routes\":{\"route-frontend-Host-matsStack-mongo-1-kjoekf19fyw5ru0fr1azazzu5-myhost.mydomain.com-4\":{\"rule\":\"Host:matsStack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-myhost.mydomain.com-PathPrefix-app3-id-0-9-3\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-app3\",\"routes\":{\"route-frontend-Host-myhost.mydomain.com-PathPrefix-app3-id-0-9-3\":{\"rule\":\"Host:myhost.mydomain.com;PathPrefix:/app3{id:[0-9]?}\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-myhost.mydomain.com-PathPrefix-app2-id-0-9-2\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-app2\",\"routes\":{\"route-frontend-Host-myhost.mydomain.com-PathPrefix-app2-id-0-9-2\":{\"rule\":\"Host:myhost.mydomain.com;PathPrefix:/app2{id:[0-9]?}\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-myhost.mydomain.com-PathPrefix-app1-id-0-9-5\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-app1\",\"routes\":{\"route-frontend-Host-myhost.mydomain.com-PathPrefix-app1-id-0-9-5\":{\"rule\":\"Host:myhost.mydomain.com;PathPrefix:/app1{id:[0-9]?}\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-myhost.mydomain.com-PathPrefixStrip-0\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-mats-http-index-html\",\"routes\":{\"route-frontend-Host-myhost.mydomain.com-PathPrefixStrip-0\":{\"rule\":\"Host:myhost.mydomain.com;PathPrefixStrip:/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"frontend-Host-myhost.mydomain.com-PathPrefixStrip-proxy-1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-matsStack-traefik-1-o1t2x6w1a0i3qu9nqwx6x67x1\",\"routes\":{\"route-frontend-Host-myhost.mydomain.com-PathPrefixStrip-proxy-1\":{\"rule\":\"Host:myhost.mydomain.com;PathPrefixStrip:/proxy\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2019-07-11T16:03:39Z" level=info msg="Server configuration reloaded on :80"
time="2019-07-11T16:03:39Z" level=info msg="Server configuration reloaded on :80"
...
...
time="2019-07-11T16:03:39Z" level=info msg="Server configuration reloaded on :443"
time="2019-07-11T16:03:39Z" level=info msg="Server configuration reloaded on :8090"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Try to challenge certificate for domain [myhost.mydomain.com] founded in Host rule"
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="Domains [\"myhost.mydomain.com\"] need ACME certificates generation for domains \"myhost.mydomain.com\"."
time="2019-07-11T16:03:39Z" level=debug msg="Domains [\"myhost.mydomain.com\"] need ACME certificates generation for domains \"myhost.mydomain.com\"."
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="Domains [\"myhost.mydomain.com\"] need ACME certificates generation for domains \"myhost.mydomain.com\"."
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="Domains [\"myhost.mydomain.com\"] need ACME certificates generation for domains \"myhost.mydomain.com\"."
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="Domains [\"matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\"] need ACME certificates generation for domains \"matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\"."
time="2019-07-11T16:03:39Z" level=debug msg="Loading ACME certificates [myhost.mydomain.com]..."
time="2019-07-11T16:03:39Z" level=info msg="The key type is empty. Use default key type 4096."
time="2019-07-11T16:03:39Z" level=debug msg="Looking for provided certificate(s) to validate [\"myhost.mydomain.com\"]..."
time="2019-07-11T16:03:39Z" level=debug msg="No ACME certificate generation required for domains [\"myhost.mydomain.com\"]."
time="2019-07-11T16:03:39Z" level=debug msg="Loading ACME certificates [myhost.mydomain.com]..."
time="2019-07-11T16:03:39Z" level=debug msg="Loading ACME certificates [myhost.mydomain.com]..."
time="2019-07-11T16:03:39Z" level=debug msg="Loading ACME certificates [myhost.mydomain.com]..."
time="2019-07-11T16:03:39Z" level=debug msg="Loading ACME certificates [matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com]..."
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefixStrip:/\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefix:/app1{id:[0-9]?}\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefix:/app3{id:[0-9]?}\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefix:/app2{id:[0-9]?}\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\" detected thanks to rule \"Host:matsStack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
I expected the certificates to be obtained and the challenge to work; instead, SSL does not work properly.
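Each error line above packs three separate facts into one message, and the rule it quotes is only the reason Traefik discovered the domain, not the reason the request failed. The script below is an added example (not part of the original question and not Traefik's code) that splits every `level=error` ACME line into the domain set, the `Host:` part of the rule that produced it, and the client error after the ` : ` separator, then groups the errors by cause and flags any domain that is not one you meant to route. Run on the error lines quoted from the log above (embedded as constructed sample input), every failure lands in one bucket, an unreachable ACME directory (`dial tcp ...:443: connect: connection refused` is raised while fetching the CA directory, before any challenge is attempted, so the `PathPrefix` part of the rule never enters into it), and the only unexpected domain is the one Traefik derived from the mongo container's name, which is what you see when `exposedByDefault` is not in effect (the posted traefik.toml spells the key `exposedbydefualt`). The list of expected hosts is an assumption made for the example.

```python
"""Triage Traefik 1.x 'Unable to obtain ACME certificate' log lines.

Added example, not code from the original question or from Traefik. It relies
only on the message layout visible in the log above:

  level=error msg="Unable to obtain ACME certificate for domains \"D\" detected thanks to rule \"R\" : CAUSE"
"""
import re
from collections import defaultdict

# Constructed sample input: error lines copied from the question's log, plus one debug
# line to show that non-error lines are ignored. The backslash-escaped quotes are
# exactly what logrus writes inside msg="...".
SAMPLE_LOG = r'''
time="2019-07-11T16:03:40Z" level=debug msg="Building ACME client..."
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefixStrip:/\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"myhost.mydomain.com\" detected thanks to rule \"Host:myhost.mydomain.com;PathPrefix:/app1{id:[0-9]?}\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
time="2019-07-11T16:03:40Z" level=error msg="Unable to obtain ACME certificate for domains \"matsstack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\" detected thanks to rule \"Host:matsStack-mongo.1.kjoekf19fyw5ru0fr1azazzu5.myhost.mydomain.com\" : cannot get ACME client get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp 23.55.128.36:443: connect: connection refused"
'''

# logrus key=value layout: msg is a double-quoted string with backslash escapes inside.
MSG_RE = re.compile(r'level=(?P<level>\w+) msg="(?P<msg>(?:[^"\\]|\\.)*)"')
# Layout of the message once the \" escapes are removed. The rule part is optional
# because Traefik 2 omits it (compare the v2 log in the related question below).
ACME_ERR_RE = re.compile(
    r'^Unable to obtain ACME certificate for domains "(?P<domains>[^"]+)"'
    r'(?: detected thanks to rule "(?P<rule>[^"]+)")?'
    r' : (?P<cause>.*)$'
)


def hosts_in_rule(rule):
    """Host names a Traefik 1.x rule contributes to ACME.

    Rules are ';'-separated 'Matcher:value' pairs. Only Host: (possibly a
    comma-separated list) names domains; PathPrefix, PathPrefixStrip and the
    {id:[0-9]?} path pattern are routing-only and never reach the CA.
    """
    hosts = []
    for part in rule.split(';'):
        matcher, sep, value = part.partition(':')
        if sep and matcher.strip().lower() == 'host':
            hosts.extend(h.strip() for h in value.split(',') if h.strip())
    return hosts


def parse_acme_errors(log_text):
    """Return one dict per level=error ACME line: domains, rule, rule_hosts, cause."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group('level') != 'error':
            continue
        msg = m.group('msg').replace('\\"', '"')
        e = ACME_ERR_RE.match(msg)
        if not e:
            continue
        rule = e.group('rule') or ''
        events.append({
            'domains': [d.strip() for d in e.group('domains').split(',')],
            'rule': rule,
            'rule_hosts': hosts_in_rule(rule),
            'cause': e.group('cause'),
        })
    return events


def root_cause(cause):
    """Coarse, actionable class for the ACME client error text."""
    if 'dial tcp' in cause or 'connection refused' in cause:
        # Failed before any challenge: the container cannot reach the CA directory.
        return 'acme-directory-unreachable'
    marker = 'urn:ietf:params:acme:error:'
    if marker in cause:
        # The CA answered and rejected something (e.g. 'unauthorized', 'connection').
        return 'ca-rejected-' + cause.split(marker, 1)[1].split()[0]
    return 'other'


def triage(log_text, expected_hosts):
    """Group errors by cause and list domains you did not intend to expose.

    expected_hosts: the Host: names you deliberately route (an assumption for the
    example). Anything else was derived by Traefik from a container name, which is
    the signature of exposedByDefault not being in effect.
    """
    expected = {h.lower() for h in expected_hosts}
    by_cause, unexpected = defaultdict(list), set()
    for ev in parse_acme_errors(log_text):
        by_cause[root_cause(ev['cause'])].append(ev)
        unexpected.update(d for d in ev['domains'] if d.lower() not in expected)
    return {'by_cause': dict(by_cause), 'unexpected_domains': sorted(unexpected)}


if __name__ == '__main__':
    report = triage(SAMPLE_LOG, ['myhost.mydomain.com'])
    for cause, evs in report['by_cause'].items():
        print(f'{cause}: {len(evs)} error(s)')
        for ev in evs:
            print(f"  domains={ev['domains']} hosts_from_rule={ev['rule_hosts']}")
    print('unexpected domains:', report['unexpected_domains'])
```

Point the script at the full traefik.log instead of `SAMPLE_LOG` and pass the Host names from your own labels as `expected_hosts`; a domain that shows up in `unexpected_domains` is a container Traefik is routing to without a label asking for it.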
Related
Change host protocol from http to https with kafka
I have a problem with Kafka. When I work with the HTTP protocol, Kafka runs for me without any problem, but after upgrading the protocol from HTTP to HTTPS, all services return the same error:

2021-10-28 23:16:26.367 WARN 1 --- [ad | producer-1] org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Connection to node 1 (/206.189.178.228:9092) could not be established. Broker may not be available.
2021-10-28 23:18:02.623 WARN 1 --- [ntainer#1-0-C-1] org.apache.kafka.clients.NetworkClient : [Consumer clientId=consumer-2, groupId=groupId] Connection to node 1 (/206.189.178.228:9092) could not be established. Broker may not be available.

in producer and consumer. I don't know what happens or if this error appeared from SSL, but I did not change any configuration about Kafka. This is my kafka.yml file:

kafka.yml
version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.5.0
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
    networks:
      - food_default
  kafka:
    image: confluentinc/cp-kafka:5.5.0
    ports:
      - 9092:9092
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ADVERTISED_HOST_NAME: kafka
      LISTENERS: PLAINTEXT://206.189.178.228:9092
      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://206.189.178.228:9092
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
      KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
    networks:
      - food_default
networks:
  food_default:
    external: true

and this is the service config; this config exists in each other service:

version: '2'
services:
  food-order-service:
    image: altshiftcreative/food-app-order-service:v1.5
    environment:
      # - _JAVA_OPTIONS=-Xmx512m -Xms256m
      - SPRING_PROFILES_ACTIVE=prod,swagger
      - MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED=false
      - EUREKA_CLIENT_SERVICE_URL_DEFAULTZONE=http://admin:$${jhipster.registry.password}@jhipster-registry:8761/eureka
      - SPRING_CLOUD_CONFIG_URI=http://admin:$${jhipster.registry.password}@jhipster-registry:8761/config
      - SPRING_DATASOURCE_URL=jdbc:mysql://food-mysql:3306/food_db?useUnicode=true&characterEncoding=utf8&useSSL=false&allowPublicKeyRetrieval=true&useLegacyDatetimeCode=false&serverTimezone=UTC&createD>
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI=https://shopbia.shop/auth/realms/jhipster
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID=internal
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET=internal
      # - JHIPSTER_SLEEP=30 # gives time for other services to boot before the application
      - KAFKA_BOOTSTRAPSERVERS=kafka:9092
    ports:
      - 8082:8082
    networks:
      - food_default
networks:
  food_default:
    external: true
Kafka isn't an HTTP protocol, so your problem has nothing to do with that. You've set KAFKA_BOOTSTRAPSERVERS=kafka:9092.

"I did not change any configuration about Kafka"

I think you did. That IP address is not the default of anything. To revert to expected behavior within the same Docker network, you need to set

LISTENERS: PLAINTEXT://0.0.0.0:9092
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092

Unclear where you're getting the IP address from, but if you want to expose the Docker container to an external network in that subnet, then you will need other settings.
Kong with Docker Compose on Windows: failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock
I am experimenting with Kong deployed via Docker using Docker Compose and Docker Desktop for Windows. When I start the container I see a bunch of Lua errors, which from reading other posts around the net seem to maybe indicate some issue with the Nginx proxy that Kong uses under the hood. Strangely enough I am still able to hit Kong, and I'm not aware of what actual issues this might be presenting at runtime, but I'm suspicious of any startup errors like this. Does this suggest an issue that should be addressed? Thanks

Errors:

kong_1 | 2021/10/08 19:51:58 [crit] 1119#0: *43 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer
kong_1 | 2021/10/08 19:51:58 [crit] 1106#0: *45 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer
kong_1 | 2021/10/08 19:51:58 [crit] 1110#0: *39 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer
kong_1 | 2021/10/08 19:51:58 [crit] 1116#0: *42 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer
kong_1 | 2021/10/08 19:51:58 [crit] 1102#0: *38 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer
kong_1 | 2021/10/08 19:51:58 [crit] 1117#0: *50 [lua] balancers.lua:240: create_balancers(): failed loading initial list of upstreams: failed to get from node cache: could not acquire callback lock: timeout, context: ngx.timer

Docker compose file:

version: "3"
networks:
  kong-net:
    driver: bridge
services:
  #######################################
  # Postgres: The database used by Kong
  #######################################
  kong-database:
    image: postgres:9.6
    restart: always
    networks:
      - kong-net
    environment:
      POSTGRES_PASSWORD: kong
      POSTGRES_USER: kong
      POSTGRES_DB: kong
    ports:
      - "5432:5432"
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "kong"]
      interval: 5s
      timeout: 5s
      retries: 5
  #######################################
  # Kong database migration
  #######################################
  kong-migration:
    image: kong:2.6.0-alpine
    command: "kong migrations bootstrap"
    networks:
      - kong-net
    restart: on-failure
    environment:
      KONG_PG_HOST: kong-database
      KONG_DATABASE: postgres
      KONG_PG_PASSWORD: kong
    links:
      - kong-database
    depends_on:
      - kong-database
  #######################################
  # Kong: The API Gateway
  #######################################
  kong:
    image: kong:2.6.0-alpine
    restart: always
    networks:
      - kong-net
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: kong
      KONG_PROXY_LISTEN: 0.0.0.0:8000
      KONG_PROXY_LISTEN_SSL: 0.0.0.0:8443
      KONG_ADMIN_LISTEN: 0.0.0.0:8001
    depends_on:
      - kong-migration
      - kong-database
    healthcheck:
      test: ["CMD", "curl", "-f", "http://kong:8001"]
      interval: 5s
      timeout: 2s
      retries: 15
    ports:
      - "8001:8001"
      - "8000:8000"
  #######################################
  # Konga database prepare
  #######################################
  konga-prepare:
    image: pantsel/konga:next
    command: "-c prepare -a postgres -u postgresql://kong:kong@kong-database:5432/konga_db"
    environment:
      DB_ADAPTER: postgres
      DB_HOST: kong-database
      DB_USER: kong
      DB_PASSWORD: kong
    networks:
      - kong-net
    restart: on-failure
    links:
      - kong-database
    depends_on:
      - kong-database
  #######################################
  # Konga: Kong GUI
  #######################################
  konga:
    image: pantsel/konga:next
    restart: always
    networks:
      - kong-net
    environment:
      DB_ADAPTER: postgres
      DB_HOST: kong-database
      DB_USER: kong
      DB_PASSWORD: kong
      TOKEN_SECRET: km1GUr4RkcQD7DewhJPNXrCuZwcKmqjb
      DB_DATABASE: konga_db
      NODE_ENV: production
    depends_on:
      - kong-database
    ports:
      - "1337:1337"
Cannot get wildcard certificate with traefik v2 and godaddy
I'm trying to set up a wildcard certificate mechanism with traefik v2.2 and GoDaddy. What I want to do is generate a valid certificate for the URL pattern *.example.org. Here is my docker-compose:

version: '3.7'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    env_file:
      - .provider.env # .provider.env contains `GODADDY_API_KEY` and `GODADDY_API_SECRET`
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./tls-certificates:/tls-certificates
    ports:
      # http
      - 8080:80
      # https
      - 443:443
    command:
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.websecure.address=:443
      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates.
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      - --certificatesresolvers.wildcard-godaddy.acme.tlschallenge=true
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.wildcard-godaddy.acme.email=foo@example.org
      # Certificates storage
      - --certificatesresolvers.wildcard-godaddy.acme.storage=/tls-certificates/acme.json
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=webinsecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.org`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=wildcard-godaddy"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true

In my DNS I have an A record * pointing to my IP address. However, when I start the compose I get the following error:

traefik | time="2020-04-15T16:40:50Z" level=debug msg="No default certificate, generating one"
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.org\" \"*.example.org\"]..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Domains [\"example.org\" \"*.example.org\"] need ACME certificates generation for domains \"example.org,*.example.org\"." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Loading ACME certificates [example.org *.example.org]..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Building ACME client..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Using DNS Challenge provider: godaddy" providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Using TLS Challenge provider." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="legolog: [INFO] [example.org, *.example.org] acme: Obtaining bundled SAN certificate"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] acme: use dns-01 solver"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: use tls-alpn-01 solver"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="TLS Challenge Present temp certificate for example.org" providerName=acme
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: Trying to solve TLS-ALPN-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="TLS Challenge CleanUp temp certificate for example.org" providerName=acme
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Preparing to solve DNS-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Trying to solve DNS-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:00Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:02Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:04Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:06Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:08Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:10Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:12Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:14Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:21Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Cleaning DNS-01 challenge"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:41:22Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[*.example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n[example.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=wildcard-godaddy.acme

I do not understand whether I'm misconfiguring something or if there's a problem on the Let's Encrypt/GoDaddy side.

Edit: On port 80 I have another nginx instance up & running.
Turned out it was a bug (fixed in v.2.2.1). See here: https://github.com/go-acme/lego/issues/1113
Eureka, ZUUL, Docker Compose on bridge network java.net.ConnectException: Connection refused
I'm running a Zuul service and a Eureka service on separate Docker containers with minimalistic configurations (both are Spring Boot projects).

Eureka:

docker-compose.yml:
version: '2'
services:
  app:
    build:
      context: ./
    image: eureka
    environment:
      eureka.client.serviceUrl.defaultZone: http://eurekaserver_app_1:8070/eureka/
    tty: false
    network_mode: bridge
    ports:
      - 8070:8070

Dockerfile:
FROM java:8
COPY ./build/libs/eureka-server-0.0.1-SNAPSHOT.jar /usr/src/eureka/
WORKDIR /usr/src/eureka
EXPOSE 8070
CMD ["java","-jar","eureka-server-0.0.1-SNAPSHOT.jar"]

Zuul:

docker-compose.yml:
version: '2'
services:
  app:
    build:
      context: ./
    image: zuul-service
    environment:
      eureka.client.serviceUrl.defaultZone: http://eurekaserver_app_1:8070/eureka/
    tty: false
    ports:
      - 8069:8069
    network_mode: bridge

Dockerfile:
FROM java:8
COPY ./build/libs/zuul-service-0.0.1-SNAPSHOT.jar /usr/src/item/
WORKDIR /usr/src/item
EXPOSE 8069
ENTRYPOINT ["java","-jar","zuul-service-0.0.1-SNAPSHOT.jar"]

I used the network ls --no-trunc Docker command to make sure they are not spinning up a new network:

NETWORK ID                                                         NAME     DRIVER   SCOPE
ba216f3e01bb168848074a99875666fe382a4eda15daad0c428a8102707ee49f   bridge   bridge   local
a63a8adf0fd162d9b99bdf77bc4a13c0bfcfb8a9aca3c5375e60d5df5c5e305d   host     host     local
2debbe96f8a96fdd8d6da983877609e0bdb7a1df6b25537f35f1608de0739fc7   none     null     local

Which seems alright. The problem is that the Eureka container starts up properly; however, zuul-service doesn't when I use docker-compose up. It throws:

com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: Connection refused (Connection refused)
app_1 | at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar!/:1.19.1]
app_1 | at com.sun.jersey.api.client.filter.GZIPContentEncodingFilter.handle(GZIPContentEncodingFilter.java:123) ~[jersey-client-1.19.1.jar!/:1.19.1]
app_1 | at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.8.6.jar!/:1.8.6]
app_1 | at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar!/:1.19.1]
app_1 | at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar!/:1.19.1]
app_1 | at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar!/:1.19.1]
app_1 | at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509) ~[jersey-client-1.19.1.jar!/:1.19.1]
app_1 | at com.netflix.discovery.shared.transport.jersey.AbstractJerseyEurekaHttpClient.getApplicationsInternal(AbstractJerseyEurekaHttpClient.java:194) ~[eureka-client-1.8.6.jar!/:1.8.6]

I am quite unsure what I could be missing here.
The official Docker Compose documentation says: By default Compose sets up a single network for your app. Each container for a service joins the default network and is both reachable by other containers on that network, and discoverable by them at a hostname identical to the container name.

I suggest you create one docker-compose.yaml file for both applications, name the services properly, and put the Dockerfiles in separate folders:

version: '2'
services:
  eureka:
    build:
      context: ./eureka/
    image: eureka
    environment:
      eureka.client.serviceUrl.defaultZone: http://eureka:8070/eureka/
    tty: false
    ports:
      - 8070:8070
  zuul:
    build:
      context: ./zuul/
    image: zuul-service
    environment:
      eureka.client.serviceUrl.defaultZone: http://eureka:8070/eureka/
    tty: false
    ports:
      - 8069:8069

When the containers are up, they will be able to communicate with each other via eureka:8070 and zuul:8069 respectively.
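As an added example that is not part of the question or the answer above, here is a small Python lint that applies the answer's point mechanically: a hostname used in an environment URL must be the name of a service in the same Compose project, and network_mode: bridge takes a service off the project network (on Docker's default bridge, containers are not resolvable by name). The two inputs are constructed dicts that mirror the question's two separate compose files and the answer's merged file; in practice they would come from yaml.safe_load on the real files.

```python
from urllib.parse import urlsplit

# Constructed sample: the question's setup, one Compose project per file, both
# services named "app", both on network_mode: bridge, both pointing at a
# container name from the other project.
SEPARATE_PROJECTS = {
    "eurekaserver": {"services": {"app": {
        "image": "eureka", "network_mode": "bridge",
        "environment": {"eureka.client.serviceUrl.defaultZone":
                        "http://eurekaserver_app_1:8070/eureka/"}}}},
    "zuul": {"services": {"app": {
        "image": "zuul-service", "network_mode": "bridge",
        "environment": {"eureka.client.serviceUrl.defaultZone":
                        "http://eurekaserver_app_1:8070/eureka/"}}}},
}

# Constructed sample: the answer's merged file, services named eureka and zuul
# on the project's default network.
MERGED_PROJECT = {
    "stack": {"services": {
        "eureka": {"image": "eureka",
                   "environment": {"eureka.client.serviceUrl.defaultZone":
                                   "http://eureka:8070/eureka/"}},
        "zuul": {"image": "zuul-service",
                 "environment": {"eureka.client.serviceUrl.defaultZone":
                                 "http://eureka:8070/eureka/"}},
    }},
}

# Modes that replace the project network; service-name DNS does not apply there.
NON_PROJECT_NETWORK_MODES = ("bridge", "host", "none")


def env_items(env):
    """Compose accepts environment as a mapping or as a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return list(env.items())
    return [tuple(e.split("=", 1)) for e in (env or []) if "=" in e]


def referenced_hosts(service):
    """Hostnames of every URL found in a service's environment values."""
    hosts = set()
    for _, value in env_items(service.get("environment")):
        for token in str(value).split():
            parts = urlsplit(token)
            if parts.scheme and parts.hostname:
                hosts.add(parts.hostname)
    return hosts


def lint_discovery(projects):
    """Return human-readable findings for each project ({name: compose_dict}).

    Flags (1) services that opt out of the project network via network_mode and
    (2) URL hostnames that no service in the same project will answer to.
    """
    problems = []
    for project, compose in projects.items():
        services = compose.get("services", {})
        for name, svc in services.items():
            mode = svc.get("network_mode")
            if mode in NON_PROJECT_NETWORK_MODES:
                problems.append(f"{project}/{name}: network_mode={mode} bypasses the "
                                "project network, so service names will not resolve")
            for host in sorted(referenced_hosts(svc)):
                if host not in services and host not in ("localhost", "127.0.0.1"):
                    problems.append(f"{project}/{name}: {host!r} is not a service "
                                    "in this project")
    return problems


if __name__ == "__main__":
    for finding in lint_discovery(SEPARATE_PROJECTS):
        print("question setup:", finding)
    print("merged setup:", lint_discovery(MERGED_PROJECT) or "no findings")
```

Running it against the question's layout reports both the unknown host eurekaserver_app_1 and the network_mode: bridge opt-out for each service, while the merged layout from the answer produces no findings.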
traefik: hangs after msg="Server configuration reloaded on :80"
I am attempting to deploy a traefik app via docker-machine to an EC2 instance using the following commands:

docker-machine scp include/traefik.toml swarm-master:/home/ubuntu/traefik.toml
docker-machine scp include/acme.json swarm-master:/home/ubuntu/acme.json
docker $(docker-machine config swarm-master) run \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $PWD/traefik.toml:/traefik.toml \
  -v $PWD/acme.json:/acme.json \
  -p 80:80 \
  -p 443:443 \
  -l traefik.frontend.rule=Host:traefik.domain.com \
  -l traefik.port=8080 \
  --network swarm-net \
  --name traefik \
  traefik:1.4.3-alpine \
  -l DEBUG \
  --docker

However, my application hangs after the following output:

traefik.toml    100%  503    29.4KB/s   00:00
acme.json       100%    0     0.0KB/s   00:00
time="2017-11-21T21:39:44Z" level=info msg="Traefik version v1.4.3 built on 2017-11-14_11:14:24AM"
time="2017-11-21T21:39:44Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":false,"CheckNewVersion":true,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":0,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Docker":{"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false},"File":null,"Web":null,"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
time="2017-11-21T21:39:44Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc42008bae0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2017-11-21T21:39:44Z" level=info msg="Starting provider *docker.Provider {"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false}"
time="2017-11-21T21:39:44Z" level=info msg="Starting server on :80"
time="2017-11-21T21:39:44Z" level=debug msg="Provider connection established with docker 17.05.0-ce (API 1.29)"
time="2017-11-21T21:39:44Z" level=debug msg="Filtering container with empty frontend rule /swarm-agent"
time="2017-11-21T21:39:44Z" level=debug msg="Filtering container with empty frontend rule /swarm-agent-master"
time="2017-11-21T21:39:44Z" level=debug msg="Validation of load balancer method for backend backend-traefik failed: invalid load-balancing method ''. Using default method wrr."
time="2017-11-21T21:39:44Z" level=debug msg="Configuration received from provider docker: {"backends":{"backend-traefik":{"servers":{"server-traefik":{"url":"http://172.31.48.2:8080","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-Host-traefik-domain-com-0":{"entryPoints":["http"],"backend":"backend-traefik","routes":{"route-frontend-Host-traefik-domain-com-0":{"rule":"Host:traefik.domain.com"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}}}}"
time="2017-11-21T21:39:44Z" level=debug msg="Last docker config received more than 2s, OK"
time="2017-11-21T21:39:44Z" level=debug msg="Creating frontend frontend-Host-traefik-domain-com-0"
time="2017-11-21T21:39:44Z" level=debug msg="Wiring frontend frontend-Host-traefik-domain-com-0 to entryPoint http"
time="2017-11-21T21:39:44Z" level=debug msg="Creating route route-frontend-Host-traefik-domain-com-0 Host:traefik.domain.com"
time="2017-11-21T21:39:44Z" level=debug msg="Creating backend backend-traefik"
time="2017-11-21T21:39:44Z" level=debug msg="Creating load-balancer wrr"
time="2017-11-21T21:39:44Z" level=debug msg="Creating server server-traefik at http://172.31.48.2:8080 with weight 0"
time="2017-11-21T21:39:44Z" level=info msg="Server configuration reloaded on :80"
^Ctime="2017-11-21T21:39:59Z" level=info msg="I have to go... interrupt"
time="2017-11-21T21:39:59Z" level=info msg="Stopping server"
time="2017-11-21T21:39:59Z" level=debug msg="Waiting 10s seconds before killing connections on entrypoint http..."
time="2017-11-21T21:39:59Z" level=debug msg="Entrypoint http closed"
time="2017-11-21T21:39:59Z" level=info msg="Server stopped"
time="2017-11-21T21:39:59Z" level=info msg="Shutting down"
time="2017-11-21T21:39:59Z" level=error msg="Error creating server: http: Server closed"

traefik.toml:

debug = false
checkNewVersion = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
[web.auth.basic]
users = ["admin:alkdsjfalkdjflakdsjfalkdjfalkdjfaldkjf"]

[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]

[acme]
email = "name#domain.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
onDemand = false

and acme.json has permissions 600.

However, when I run the following (seemingly identical) command after logging into my EC2 instance, traefik is deployed successfully:

docker run \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $PWD/traefik.toml:/traefik.toml \
  -v $PWD/acme.json:/acme.json \
  -p 80:80 \
  -p 443:443 \
  -l traefik.frontend.rule=Host:traefik.domain.com \
  -l traefik.port=8080 \
  --network swarm-net \
  --name traefik \
  traefik:1.4.3-alpine \
  -l DEBUG \
  --docker

Any ideas on why I cannot deploy with docker-machine are greatly appreciated. Thanks!
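As an added example that is not part of the question above, here is a Python check that compares what traefik 1.x reports in its "Global configuration loaded" debug line with what the pasted traefik.toml declares. In the posted output the loaded configuration shows "ACME":null, "Web":null and "DefaultEntryPoints":["http"], while the toml defines [acme], [web] and both an http and an https entry point, which is the kind of discrepancy this check surfaces. Two points of fact behind the check: $PWD in the -v arguments is expanded by the local shell, and the bind-mount source path is interpreted by whichever daemon the client talks to (here the remote one selected via docker-machine config). The log line and toml below are constructed, abbreviated copies of the ones in the post; the toml scan is a minimal regex pass, not a full TOML parser.

```python
import json
import re

# Constructed sample: abbreviated copy of the post's "Global configuration loaded"
# line. traefik 1.x logs the JSON unescaped inside msg="...", so it cannot be
# parsed as a whole; the object is cut out between the first '{' and last '}'.
SAMPLE_LOG_LINE = (
    'time="2017-11-21T21:39:44Z" level=debug msg="Global configuration loaded '
    '{"GraceTimeOut":10000000000,"Debug":false,"LogLevel":"DEBUG",'
    '"EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":null}},'
    '"ACME":null,"DefaultEntryPoints":["http"],'
    '"Docker":{"Watch":true,"Endpoint":"unix:///var/run/docker.sock","ExposedByDefault":true},'
    '"File":null,"Web":null}"'
)

# Constructed sample: the post's traefik.toml, trimmed to the settings compared here.
SAMPLE_TOML = """
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "name#domain.com"
storage = "acme.json"
entryPoint = "https"
"""


def loaded_config(line):
    """Return the JSON object embedded in a 'Global configuration loaded' log line."""
    start, end = line.find("{"), line.rfind("}")
    if "Global configuration loaded" not in line or start < 0 or end < start:
        raise ValueError("not a 'Global configuration loaded' line")
    return json.loads(line[start:end + 1])


def toml_expectations(toml_text):
    """Minimal scan of traefik.toml for the settings that must appear in the loaded config."""
    tables = set(re.findall(r"^\[([\w.]+)\]", toml_text, re.M))
    match = re.search(r"^defaultEntryPoints\s*=\s*\[(.*?)\]", toml_text, re.M)
    default_eps = re.findall(r'"(\w+)"', match.group(1)) if match else []
    entry_points = {t.split(".")[1] for t in tables if t.startswith("entryPoints.")}
    return {"defaultEntryPoints": default_eps, "entryPoints": entry_points,
            "acme": "acme" in tables, "web": "web" in tables}


def config_mismatches(loaded, expected):
    """List every way the loaded config falls short of what the toml declares."""
    problems = []
    if loaded.get("DefaultEntryPoints") != expected["defaultEntryPoints"]:
        problems.append(f"DefaultEntryPoints is {loaded.get('DefaultEntryPoints')!r}, "
                        f"toml declares {expected['defaultEntryPoints']!r}")
    loaded_eps = set((loaded.get("EntryPoints") or {}).keys())
    for ep in sorted(expected["entryPoints"] - loaded_eps):
        problems.append(f"entryPoint {ep!r} from toml was not loaded")
    if expected["acme"] and loaded.get("ACME") is None:
        problems.append("[acme] is in toml but ACME is null in the loaded config")
    if expected["web"] and loaded.get("Web") is None:
        problems.append("[web] is in toml but Web is null in the loaded config")
    return problems


if __name__ == "__main__":
    findings = config_mismatches(loaded_config(SAMPLE_LOG_LINE),
                                 toml_expectations(SAMPLE_TOML))
    for finding in findings:
        print("mismatch:", finding)
    if not findings:
        print("loaded configuration matches traefik.toml")
```

When the loaded configuration matches the file, the list is empty; a non-empty list on the very first debug line is a quick signal that the container is not reading the configuration you think it mounted, which is worth checking before looking at anything the docker provider does afterwards.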