fastapi / full-stack-fastapi-template

Full stack, modern web application template. Using FastAPI, React, SQLModel, PostgreSQL, Docker, GitHub Actions, automatic HTTPS and more.
MIT License
27.57k stars, 4.91k forks

How to use own certificate? #271

Closed Koschi13 closed 4 years ago

Koschi13 commented 4 years ago

Hey, I have the rare use case of needing to use my own certificate and not the generated one from Let's Encrypt. I searched the docs and everything, but I can't find out how to provide this to the proxy.

What I know so far is, that I can configure some sort of pool with traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.certresolver=le, where le is the identifier.

From the docker.rocks docs I found out that this --certificatesresolvers.le will configure the pool with the given settings. But in the CLI docs I find only ways to configure ACME with that option.

Mounting the certificates is done with - traefik-public-certificates:/certificates under volumes I think.


I have two questions now:

I'm a noob regarding Traefik and deployment in general, so an answer for dummies would be nice 😋

Koschi13 commented 4 years ago

Ok, after some trial and error I managed to get it working.

Traefik v2 does not support providing the certificate config via CLI or labels. Instead you have to provide a conf.toml in /etc/traefik/dynamic_conf/. The contents of my file are here:

# Dynamic configuration: the certificate/key pairs Traefik may serve (picked by SNI)
[[tls.certificates]]
  certFile = "/certs/example.com.crt"
  keyFile = "/certs/example.com.key"

# Default certificate of the default TLS store, presented when no SNI entry matches
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/certs/example.com.crt"
      keyFile = "/certs/example.com.key"

You then have to remove the following lines from the main traefik (the one from dockerswarm.rocks):

version: '3.3'

services:

  traefik:
    # [...]
    command:
      - --entrypoints.https.address=:443
      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
      # Store the Let's Encrypt certificates in the mounted volume
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      # Use the TLS Challenge for Let's Encrypt
      - --certificatesresolvers.le.acme.tlschallenge=true

Therefore the resolver le isn't valid any longer and can be removed from the docker-compose.yml. First remove it from the proxy:

        # Use the "le" (Let's Encrypt) resolver created below
        - traefik.http.routers.${STACK_NAME?Variable not set}-proxy-https.tls.certresolver=le

and then from pgadmin and flower:

        - traefik.http.routers.${STACK_NAME?Variable not set}-pgadmin-https.tls.certresolver=le
        - traefik.http.routers.${STACK_NAME?Variable not set}-flower-https.tls.certresolver=le

That's it! For me this solution is working at the moment and I have not experienced any problems yet.
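A set of checks to go with the steps above, added here as an example and not code from the issue, the template or Traefik itself: before the files are mounted it verifies that the private key actually belongs to the certificate, that certFile carries more than a bare leaf when an intermediate is expected, and that the SAN list covers the host name; after deployment a helper reads back the certificate the proxy presents for a given SNI name. The paths /certs/example.com.crt and /certs/example.com.key are the ones from the TOML above; the function names and the choice of openssl subcommands are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue, the template or Traefik: sanity
# checks for a custom certificate before it goes into Traefik's dynamic config.
# Paths follow the issue's TOML (/certs/example.com.crt, /certs/example.com.key);
# function names and the openssl invocations are this example's own choices.
set -eu

# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key, 1 otherwise. A mismatched pair is rejected
# by Traefik at load time, which leaves it serving its own generated
# self-signed default certificate instead of yours.
cert_key_match() {
    local crt="$1" key="$2"
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Prints how many PEM certificates a file contains. certFile should hold the
# leaf first, followed by any intermediates; a count of 1 for a CA-issued
# certificate usually means the chain was forgotten and some clients will
# fail to build a path to a trusted root.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 when the certificate's subjectAltName list contains the host name
# exactly (wildcard entries are not expanded here).
cert_covers_host() {
    local crt="$1" host="$2"
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://' \
        | grep -qx -- "$host"
}

# Post-deployment check (needs network access, so it is never called
# automatically): SHA-256 fingerprint of the certificate the proxy presents
# for a host name. -servername sets SNI, which is what Traefik matches
# against the tls.certificates entries; compare the output with
#   openssl x509 -in /certs/example.com.crt -noout -fingerprint -sha256
served_fingerprint() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Usage (offline part), run before mounting the files into the traefik service:
#   cert_key_match /certs/example.com.crt /certs/example.com.key
#   pem_cert_count /certs/example.com.crt
#   cert_covers_host /certs/example.com.crt example.com
# Usage (after deployment):
#   served_fingerprint example.com
```

If served_fingerprint prints a fingerprint different from the file's, Traefik did not pick up the dynamic configuration (wrong mount path, wrong directory for the file provider, or a rejected key pair) and is falling back to its generated default certificate, which browsers will flag.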

tiangolo commented 3 years ago

Thanks for reporting back and closing the issue :+1: