microsoft / navcontainerhelper

Official Microsoft repository for BcContainerHelper, a PowerShell module, which makes it easier to work with Business Central Containers on Docker.
MIT License

Setup-TraefikContainerForNavContainers | Use my own certificate | traefik.toml missing link to certificate #1793

Closed hvandenborn closed 3 years ago

hvandenborn commented 3 years ago

Freddy,

I set up Traefik with this "Setup-TraefikContainerForNavContainers" command, then started a container with Traefik and that worked. Only, if I access the URL in our domain, you get the message that the HTTPS is not OK, hackers are stealing your passwords etc. So I tried to use the wildcard certificate of our domain to make this work. This server is only accessible on our internal domain,

but if I call Setup-TraefikContainerForNavContainers: Setup-TraefikContainerForBcContainers -PublicDnsName $PublicDNS -CrtFile $CrtFile -CrtKeyFile $CrtKeyFile [-Recreate] it will copy the certificates to the image and recreate the Traefik container. Then I make a new BC container image; still the certificate is not used.

Now if I check the article https://www.axians-infoma.de/techblog/traefik-support-for-navcontainerhelper-the-nav-arm-templates-for-azure-vms-and-local-environments/ it points out that traefik.toml needs to be edited with: [screenshot] Is this something Setup-TraefikContainerForNavContainers forgets? Because it's not in my traefik.toml. It would be very nice if this part of the setup is also done, or if there is a switch or something to do this automatically for using your own certificate.

The only way I can make it work with my certificate is as https://www.axians-infoma.de/techblog/traefik-support-for-navcontainerhelper-the-nav-arm-templates-for-azure-vms-and-local-environments/ says: change the certificate filenames from certificate to traefik, add the TLS section and remove the [acme] section including [[acme.domains]]; then it works.


I also tried NOT changing the certificate filenames but changed the reference path in the TLS section of traefik.toml from traefik.crt and .key to certificate.crt and .key, but that does not work.

My traefik.toml after generation


------ domainname is replaced with MyDomain -------

------------------------------
debug = false
defaultEntryPoints = ["https","http"]
insecureSkipVerify = true

[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security

[docker]
domain = "msbuild15.myDomain.nl"
watch = true
endpoint = "npipe:////./pipe/docker_engine"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"

[acme]
email = ""
storage = "c:/etc/traefik/acme.json"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
   main = "msbuild15.myDomain.nl"

[file]
[backends]
  [backends.host]
    [backends.host.servers.server1]
       url = "http://SOMEIP:8180"

 [frontends]
  [frontends.host]
    backend = "host"
    [frontends.host.routes.route1]
      rule = "PathPrefix:/" 
------------------------

---My traefik.toml after altering it for using my own certificate---

debug = false
defaultEntryPoints = ["https","http"]
insecureSkipVerify = true

[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security

[docker]
domain = "msbuild15.mydomain.nl"
watch = true
endpoint = "npipe:////./pipe/docker_engine"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"
    [[entryPoints.https.tls.certificates]]
    certFile = "c:/etc/traefik/traefik.crt"
    keyFile = "c:/etc/traefik/traefik.key"

[file]
[backends]
  [backends.host]
    [backends.host.servers.server1]
       url = "http://SOMEIP:8180"

 [frontends]
  [frontends.host]
    backend = "host"
    [frontends.host.routes.route1]
      rule = "PathPrefix:/" 

and my C:\ProgramData\BcContainerHelper\traefikforbc\config folder after changing it: [screenshot]

Can this be built in, or fixed to work with a certificate that I give this function to set up with?

-- Creation of new-bccontainer --

Removing container SC1
Removing msbuild1 from host hosts file
Removing msbuild1-* from host hosts file
Removing C:\ProgramData\BcContainerHelper\Extensions\SC1
Actual imagename is  bcimage:onprem-17.4.21491.21531-nl
MemoryLimit set to 6G
SQL MemoryLimit set to 50%
BcContainerHelper is version 2.0.7
BcContainerHelper is running as administrator
Host is Microsoft Windows Server 2019 Datacenter - ltsc2019
Docker Client Version is 19.03.14
Docker Server Version is 19.03.14
Fetching all docker images
Fetching all docker volumes
ArtifactUrl and ImageName specified
Image bcimage:onprem-17.4.21491.21531-nl already exists
Enabling SSL as otherwise all clients will see mixed HTTP / HTTPS request, which will cause problems e.g. on the mobile and modern windows clients
Using image bcimage:onprem-17.4.21491.21531-nl
PublicDnsName is msbuild15.MyDomain.nl
Creating Container SC1
Version: 17.4.21491.21531-nl
Style: onprem
Multitenant: No
Platform: 17.0.21485.21516
Generic Tag: 1.0.1.4
Container OS Version: 10.0.17763.1817 (ltsc2019)
Host OS Version: 10.0.17763.1790 (ltsc2019)
WARNING: Host OS and Base Image Container OS doesn't match and Hyper-V is not installed. If you encounter issues, you could try to install Hyper-V.
Using process isolation
Using locale nl-NL
Adding special CheckHealth.ps1 to enable Traefik support
Disabling the standard eventlog dump to container log every 2 seconds (use -dumpEventLog to enable)
Using license file C:\Users\admin.hvandenborn\Desktop\17.flf
Additional Parameters:
--hostname msbuild15
-e webserverinstance=SC1
-e publicdnsname=msbuild15.mydomain.nl
-l "traefik.protocol=https"
-l "traefik.web.frontend.rule=PathPrefix:/SC1"
-l "traefik.web.port=443"
-l "traefik.soap.frontend.rule=PathPrefix:/SC1soap;ReplacePathRegex: ^/SC1soap(.*) /BC$1"
-l "traefik.soap.port=7047"
-l "traefik.rest.frontend.rule=PathPrefix:/SC1rest;ReplacePathRegex: ^/SC1rest(.*) /BC$1"
-l "traefik.rest.port=7048"
-l "traefik.dev.frontend.rule=PathPrefix:/SC1dev;ReplacePathRegex: ^/SC1dev(.*) /BC$1"
-l "traefik.dev.port=7049"
-l "traefik.snap.frontend.rule=PathPrefix:/SC1snap;ReplacePathRegex: ^/SC1snap(.*) /BC$1"
-l "traefik.snap.port=7083"
-l "traefik.dl.frontend.rule=PathPrefixStrip:/SC1dl"
-l "traefik.dl.port=8080"
-l "traefik.dl.protocol=http"
-l "traefik.enable=true"
-l "traefik.frontend.entryPoints=https"
--env customNavSettings=PublicODataBaseUrl=https://msbuild15.mydomain.nl/SC1rest/odata,PublicSOAPBaseUrl=https://msbuild15.mydomain.nl/SC1soap/ws,PublicWebBaseUrl=https://msbuild15.mydomain.nl/SC1
Files in C:\ProgramData\BcContainerHelper\Extensions\SC1\my:
- AdditionalOutput.ps1
- CheckHealth.ps1
- license.flf
- MainLoop.ps1
- SetupVariables.ps1
- updatehosts.ps1
Creating container SC1 from image bcimage:onprem-17.4.21491.21531-nl
562e1914ecd2017b2c4951c02e1ca7010d9abd341e9f638aa0e1686eeac74f52
Waiting for container SC1 to be ready
Initializing...
Setting host.containerhelper.internal to 172.18.208.1 in container hosts file
Starting Container
Hostname is msbuild15
PublicDnsName is msbuild15.MyDomain.nl
Using NavUserPassword Authentication
Starting Local SQL Server
Starting Internet Information Server
Creating Self Signed Certificate
Self Signed Certificate Thumbprint F9DEDF67BA4D65A293A244EF0B16B08BC09E303D
Modifying Service Tier Config File with Instance Specific Settings
Modifying Service Tier Config File with settings from environment variable
Setting PublicODataBaseUrl to https://msbuild15.mydomain.nl/SC1rest/odata
Setting PublicSOAPBaseUrl to https://msbuild15.mydomain.nl/SC1soap/ws
Setting PublicWebBaseUrl to https://msbuild15.mydomain.nl/SC1
Starting Service Tier
Registering event sources
Creating DotNetCore Web Server Instance
Using license file 'c:\run\my\license.flf'
Import License
Creating http download site
Setting SA Password and enabling SA
Creating Build as SQL User and add to sysadmin
Creating SUPER user
Container IP Address: 172.18.215.229
Container Hostname  : msbuild15
Container Dns Name  : msbuild15.mydomain.nl
Web Client          : https://msbuild15.mydomain.nl/SC1/
Dev. Server         : https://msbuild15.mydomain.nl
Dev. ServerInstance : BC
Setting msbuild15 to 172.18.215.229 in host hosts file

Files:
http://msbuild15.mydomain.nl:8080/ALLanguage.vsix
http://msbuild15.mydomain.nl:8080/certificate.cer

Container Total Physical Memory is 8.0Gb
Container Free Physical Memory is 0.5Gb

Initialization took 420 seconds
Ready for connections!
Reading CustomSettings.config from SC1
Set SQL Server memory limit to 3072 MB
Set TimeZone in Container to W. Europe Standard Time
Creating Desktop Shortcuts for SC1
Container SC1 successfully created
Because of Traefik, the following URLs need to be used when accessing the container from outside your Docker host:
Web Client:        https://msbuild15.MyDomain.nl/SC1
SOAP WebServices:  https://msbuild15.MyDomain.nl/SC1soap
OData WebServices: https://msbuild15.MyDomain.nl/SC1rest
Dev Service:       https://msbuild15.MyDomain.nl/SC1dev
Snapshot Service:  https://msbuild15.MyDomain.nl/SC1snap
File downloads:    https://msbuild15.MyDomain.nl/SC1dl

Use:
Get-BcContainerEventLog -containerName SC1 to retrieve a snapshot of the event log from the container
Get-BcContainerDebugInfo -containerName SC1 to get debug information about the container
Enter-BcContainer -containerName SC1 to open a PowerShell prompt inside the container
Remove-BcContainer -containerName SC1 to remove the container again
docker logs SC1 to retrieve information about URL's again

freddydk commented 3 years ago

The Setup-TraefikContainerForNavContainers was actually added by @tfenster and it was primarily intended to work with Azure VMs and Let's Encrypt certificates (which is what you see). I am not too familiar with the function, but it does have a parameter called -traefikToml, where you can specify your own .toml template.

The default template looks like this:

debug = false
defaultEntryPoints = ["https","http"]

[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security

[docker]
domain = "$PublicDnsName"
watch = true
endpoint = "npipe:////./pipe/docker_engine"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"

[acme]
email = "$ContactEMailForLetsEncrypt"
storage = "c:/etc/traefik/acme.json"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
   main = "$PublicDnsName"

[file]
[backends]
  [backends.host]
    [backends.host.servers.server1]
       url = "http://${IP}:8180"

 [frontends]
  [frontends.host]
    backend = "host"
    [frontends.host.routes.route1]
      rule = "PathPrefix:/" 

If you save this to a file (my.toml), modify it as you need and add -traefikToml c:....\my.toml to the Setup-TraefikContainerForNavContainers call, then it should use your new toml template.

Looking at the code though, it looks like it should support your own certificate; maybe @tfenster can shed some light on that?
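
The workaround described in this thread (custom template via -traefikToml, [acme] replaced by a static certificate, as in the opening post's edited traefik.toml), written out as an added PowerShell example. This is not BcContainerHelper's own code. It assumes that -traefikToml takes a path to a template file whose $PublicDnsName and ${IP} placeholders the function fills in, and that the files passed as -CrtFile/-CrtKeyFile end up inside the Traefik container as c:/etc/traefik/traefik.crt and traefik.key (the paths that worked for the reporter); the $PublicDNS, $CrtFile and $CrtKeyFile values are placeholders for your own. Before touching Traefik it checks that the certificate actually covers the public DNS name, and afterwards it connects to port 443 and compares the served thumbprint with the file you supplied, which is the check the browser warning in the opening post is really about. Versions from 2.0.9 on handle the certificate without a custom template (see the end of the thread), so step 2 is only needed on older versions.

```powershell
# Added example for this thread, not BcContainerHelper's own code.
# Run as administrator in the same session as BcContainerHelper.

$PublicDNS  = 'msbuild15.mydomain.nl'            # assumption: your public DNS name
$CrtFile    = 'C:\certs\wildcard-mydomain.crt'    # assumption: PEM certificate (leaf + chain)
$CrtKeyFile = 'C:\certs\wildcard-mydomain.key'    # assumption: unencrypted PEM private key
$MyToml     = "$env:ProgramData\BcContainerHelper\my.toml"

# --- 1. Pre-flight: is the certificate valid and does one of its SANs cover $PublicDNS? ---
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CrtFile)
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Subject Alternative Name extension (OID 2.5.29.17); Format($false) gives "DNS Name=a, DNS Name=b"
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = $sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$covered = $sanNames | Where-Object {
    ($_ -eq $PublicDNS) -or
    # wildcard rule: *.mydomain.nl covers exactly one additional label, so msbuild15.mydomain.nl
    # matches but a.b.mydomain.nl does not
    ($_.StartsWith('*.') -and
     $PublicDNS.EndsWith($_.Substring(1), [StringComparison]::OrdinalIgnoreCase) -and
     $PublicDNS.Split('.').Count -eq $_.Split('.').Count)
}
if (-not $covered) { throw "Certificate SANs [$($sanNames -join ', ')] do not cover $PublicDNS" }

# --- 2. Template: the thread's default toml with the [acme] block replaced by a static
#        certificate on the https entrypoint. Single-quoted here-string, so the
#        $PublicDnsName / ${IP} placeholders are left for the function to fill in. ---
@'
debug = false
defaultEntryPoints = ["https","http"]
# The BC container exposes its own ports with a self-signed certificate (see "Creating Self
# Signed Certificate" in the container log); this only skips verification of the
# Traefik -> container hop, not of the certificate clients see.
insecureSkipVerify = true

[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security

[docker]
domain = "$PublicDnsName"
watch = true
endpoint = "npipe:////./pipe/docker_engine"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"
    [[entryPoints.https.tls.certificates]]
    certFile = "c:/etc/traefik/traefik.crt"
    keyFile = "c:/etc/traefik/traefik.key"

[file]
[backends]
  [backends.host]
    [backends.host.servers.server1]
       url = "http://${IP}:8180"

 [frontends]
  [frontends.host]
    backend = "host"
    [frontends.host.routes.route1]
      rule = "PathPrefix:/"
'@ | Set-Content -Path $MyToml -Encoding ASCII

# --- 3. Recreate the Traefik container with the template and your certificate. ---
Setup-TraefikContainerForBcContainers -PublicDnsName $PublicDNS -CrtFile $CrtFile `
    -CrtKeyFile $CrtKeyFile -traefikToml $MyToml -Recreate

# --- 4. Verify from outside: connect with SNI for $PublicDNS and compare thumbprints.
#        The validation callback accepts any chain on purpose (an internal CA may not be
#        trusted on this host); the thumbprint comparison below is the actual check. ---
$tcp = [System.Net.Sockets.TcpClient]::new($PublicDNS, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
         [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($PublicDNS)
$served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
if ($served.Thumbprint -ne $cert.Thumbprint) {
    throw "Traefik still serves '$($served.Subject)' ($($served.Thumbprint)), not your certificate"
}
"OK: $PublicDNS serves $($served.Subject), valid until $($served.NotAfter)"
```

If step 4 reports the Traefik default or a Let's Encrypt subject, the [acme] section is still active or the certFile/keyFile paths do not match where the files were copied, which is exactly the mismatch the opening post ran into with certificate.crt versus traefik.crt.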

freddydk commented 3 years ago

I created a branch with what I think is a fix for this: https://github.com/microsoft/navcontainerhelper/tree/Issue1793 I am not certain that the fix works; I am a bit on thin ice here :-)

You could try to download the code from that and run BcContainerHelper.ps1 in the root folder; that makes you use the BcContainerHelper from that folder in that session.

hvandenborn commented 3 years ago

Cool, I'll test it on Monday 👍

hvandenborn commented 3 years ago

Yes, it works, thanks!

I stopped my Traefik container and removed it,

I ran Setup-TraefikContainerForBcContainers with -Recreate and my certificates: Setup-TraefikContainerForBcContainers -PublicDnsName $PublicDNS -CrtFile $CrtFile -CrtKeyFile $CrtKeyFile -Recreate

and it uses my certificates, great!

freddydk commented 3 years ago

Shipped in 2.0.9