The original post: /r/homelab by /u/LordWurstbrot on 2024-05-03 07:59:21.
Need help with my traefik stack & letsencrypt dns challenge
Hello, I am trying to get letsencrypt certs for my traefik stack using the dns challenge. I can’t figure out what I did wrong. I would really appreciate your help, thanks.
docker compose
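# docker-compose.yml — Traefik with Authelia, CrowdSec (+ bouncer), Portainer and GoAccess.
# Reconstructed with 2-space indentation; the pasted copy had lost all indentation,
# carried markdown escapes (container\_name) and "<...>" wrappers around URLs.
version: "3.8"  # ignored by Compose v2, harmless

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /home/pi/src/core/authelia-data:/config
    networks:
      - proxy
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=proxy'
      - 'traefik.http.routers.authelia.rule=Host(`sub.domain.de`)'
      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      # rd= is the portal URL unauthenticated browsers are sent to; the pasted value
      # had markdown "<...>" around it, which would have become part of the URL.
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://sub.domain.de'
      # Passes the request's X-Forwarded-* headers to Authelia unchanged; keep the
      # entryPoints' forwardedHeaders settings restrictive so only Traefik-set values arrive.
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    expose:
      - 9091
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
    healthcheck:
      disable: true

  traefik:
    image: "traefik:latest"  # pin a version tag so upgrades happen deliberately
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - authelia
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # ":ro" only protects the socket file; the Docker API behind it stays fully
      # usable. A socket proxy that allows read-only endpoints is the usual mitigation.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik-data/traefik.yml:/traefik.yml:ro"
      # Must exist on the host before the first start and be mode 0600; Traefik
      # refuses to use an ACME storage file with wider permissions.
      - "./traefik-data/acme.json:/acme.json"
      - "./traefik-data/configurations:/configurations"
      - "./traefik-data/logs:/logs"
    environment:
      # Credentials for the netcup DNS provider used by the dnsChallenge in traefik.yml.
      # They are empty here (presumably redacted); with empty values the challenge
      # cannot authenticate against the netcup API. An env_file or a secret keeps
      # them out of this file.
      - NETCUP_CUSTOMER_NUMBER=
      - NETCUP_API_KEY=
      - NETCUP_API_PASSWORD=
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      # Rule left commented out as in the original and api.dashboard is false in
      # traefik.yml, so this router presumably cannot be built; intentional while debugging?
      # - traefik.http.routers.traefik-secure.rule=Host(`sub.domain.de`)
      - traefik.http.routers.traefik-secure.service=api@internal
      # - traefik.http.routers.portainer-secure.middlewares=authelia@docker

  portainer:
    image: "portainer/portainer-ee:linux-arm"
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"  # see note on the traefik service
      - "./portainer-data:/data"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.portainer-secure.entrypoints=websecure
      - traefik.http.routers.portainer-secure.rule=Host(`sub.domain.de`)
      - traefik.http.routers.portainer-secure.service=portainer
      - traefik.http.routers.portainer-secure.middlewares=authelia@docker
      - traefik.http.services.portainer.loadbalancer.server.port=9000

  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    depends_on: # uncomment if running traefik in the same compose file
      - traefik
    volumes:
      - "/home/pi/src/core/crowdsec-data/config/:/etc/crowdsec/"
      - "/home/pi/src/core/crowdsec-data/crowdsec-db:/var/lib/crowdsec/data/"
      # read-only: the agent only parses Traefik's access log
      - "/home/pi/src/core/traefik-data/logs:/var/log/traefik/:ro"
    networks:
      - proxy
    restart: unless-stopped

  bouncer-traefik:
    image: "docker.io/fbonalair/traefik-crowdsec-bouncer:latest"
    container_name: bouncer-traefik
    environment:
      # Bare keys: Compose passes the host shell's value through and leaves the
      # variable unset otherwise. The bouncer needs a key registered with the
      # CrowdSec agent and the agent's LAPI address (presumably crowdsec:8080 on "proxy").
      CROWDSEC_BOUNCER_API_KEY:
      CROWDSEC_AGENT_HOST:
    networks:
      - proxy # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

  goaccess:
    image: 'xavierh/goaccess-for-nginxproxymanager:latest'
    container_name: goaccess
    restart: unless-stopped
    ports:
      # Published straight on the host, i.e. not behind Traefik/Authelia;
      # bind to 127.0.0.1:7880 if it is not meant to be reachable from the LAN.
      - '7880:7880'
    environment:
      - TZ=Europe/Berlin
      - LOG_TYPE=TRAEFIK # optional
    volumes:
      - "/home/pi/src/core/traefik-data/logs:/opt/log"
    labels:
      - traefik.enable=false

networks:
  proxy:
    external: true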
traefik.yml
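# traefik.yml — Traefik static configuration.
# Reconstructed with 2-space indentation. The stray documentation heading
# "Configuring Multiple Filters / ====" that had been pasted between log and
# accessLog was dropped; it is not YAML and would break parsing. The "<...>"
# wrapper around caServer and the mangled email were repaired.
api:
  dashboard: false
  # insecure: true

log:
  level: "debug"  # useful while chasing the ACME problem; lower it again afterwards
  filePath: "/logs/traefik.log"

accessLog:
  filePath: "/logs/access.log"
  filters:
    statusCodes:
      - "200"
      - "300-302"
    retryAttempts: true
    minDuration: "10ms"
  # collect logs as in-memory buffer before writing into log file
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop # drop all headers per default
      names:
        User-Agent: keep # log user agent strings

entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
        - crowdsec-bouncer@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # containers must opt in with traefik.enable=true
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: "<acme-account-email>"  # placeholder; the address in the post was redacted
      # Relative path, resolved against Traefik's working directory; the compose
      # file mounts the file at /acme.json, so the absolute path is the safer choice.
      storage: acme.json
      keyType: EC256
      caServer: https://acme-v02.api.letsencrypt.org/directory
      certificatesDuration: 2160
      dnsChallenge:
        provider: netcup
        # 1200 = 20 minutes before Traefik asks the CA to validate the TXT record.
        # NOTE(review): with delayBeforeCheck set Traefik presumably skips its own
        # propagation pre-check, in which case the resolvers below are not consulted.
        delayBeforeCheck: 1200
        resolvers:
          - "root-dns.netcup.net:53"
          - "second-dns.netcup.net:53"
          - "third-dns.netcup.net:53"
          - "8.8.8.8:53"
          - "1.1.1.1:53"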
dynamic.yml
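# dynamic.yml — Traefik dynamic configuration loaded by the file provider.
# Reconstructed with 2-space indentation; several mappings had been flattened
# onto single lines and straight quotes had become typographic quotes (“ ”),
# which would have ended up inside the regex and URL values.
#
# The pasted file also started with an entryPoints: stanza (web/websecure with
# an https redirection). entryPoints are static configuration and already live
# in traefik.yml; the file provider does not accept them, and a file it cannot
# decode means the crowdsec-bouncer@file and secureHeaders@file middlewares
# referenced from traefik.yml do not exist. That stanza is therefore omitted here.
http:
  middlewares:
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

    nextcloud-redirectregex:
      redirectRegex:
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

    secureHeaders:
      headers:
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    # htpasswd-style entries; "xxxxxx" is the poster's redaction. Not referenced
    # by any router below.
    user-auth:
      basicAuth:
        users:
          - "xxxxxx"

  routers:
    # Every router in the post matches the same Host(); presumably the real
    # hostnames were redacted, otherwise only one router would win.
    nextcloud-secure:
      entryPoints:
        - websecure
      rule: Host(`sub.domain.de`)
      middlewares:
        - nextcloud-redirectregex
      service: nextcloud

    # No authentication middleware on this router (the compose-defined
    # portainer router uses authelia@docker); confirm that is intended.
    hass-secure:
      entryPoints:
        - websecure
      rule: Host(`sub.domain.de`)
      service: hass

  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://192.168.178.72:80/"
    hass:
      loadBalancer:
        servers:
          - url: "http://192.168.178.23:8123/"

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12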