Closed ntaranov closed 5 years ago
Hi! I'm Træfiker :robot: the bot in charge of communication regulation.
Thanks for your interest in Traefik!
We dedicate the issue tracker to bug reports and feature requests only. My advanced AI tells me this one is neither of them.
I encourage you to seek community support: join our Slack workspace and reach out to us on the #support channel.
Another option is to use Stack Overflow and tag your question traefik.
You can of course double check Traefik's documentation :sweat_smile:
This is a bug report.
Please reopen.
OK, so I went to the #support Slack channel, and had a research session with @dduportal.
The `manual` provider works when launched like `docker run -i -t ...`. The `manual` provider does not really work under docker stack (or the scenario is not supported); IMO it would be great if this were documented. Presumably this is because redirecting STDIN and STDOUT/STDERR is not quite the same as the TTY you get with `docker run -it ...`.
I used this command to debug the cert generation
```shell
docker run -it \
  -p 80:80 -p 443:443 \
  -v acme-certs:/acme \
  -v /var/run/docker.sock:/var/run/docker.sock \
  traefik:alpine \
  --entrypoints='Name:http Address::80 Redirect.EntryPoint:https Redirect.Permanent:true' \
  --entrypoints='Name:https Address::443 TLS' \
  --defaultentrypoints='http,https' \
  --docker \
  --docker.watch \
  --docker.exposedbydefault=false \
  --docker.domain=eng.kindrobots.com \
  --acme \
  --acme.entryPoint=https \
  --acme.dnsChallenge \
  --acme.onDemand=false \
  --acme.email='n@kindrobots.ru' \
  --acme.acmelogging=true \
  --acme.storage='/acme/acme.json' \
  --acme.dnsChallenge.provider=manual \
  --acme.domains='eng.kindrobots.com,api.kindrobots.com,auth.kindrobots.com,eng-api.kindrobots.com,eng-auth.kindrobots.com,finance.kindrobots.com' \
  --logLevel=DEBUG
```
I made sure my "stack" container in fact uses the same acme.json (beware, docker stack prefixes things with the stack name).
I got a working cert in place.
@ldez, thanks for the comment and the perspective. In our scenario the DNS provider is not under our control, and is not willing to take any actions. I guess this is 90+% of internet scenarios. As I understand, the `exec` provider might be helpful if I'm interested in automating the routine with a 3rd-party tool, which I'll consider, but `httpreq` and `acme-dns` both require collaboration from the DNS-server side.
Do you want to request a feature or report a bug?
Bug
What did you do?
I'm trying to set up Let's Encrypt authentication using dnsChallenge. I've done this with certbot before.
I set up the challenge using traefik command line arguments in a docker-compose file. Then I deployed the configuration using `docker stack deploy`. I read the logs (noted that the container didn't wait for input on the initial occasion). I added the TXT records required. Then I restarted the container like this:
When I restart the container, the TXT records required are the same, and all the `lego:` messages have new current timestamps. This might be a traefik issue or a LEGO issue, or I might be doing something wrong.
What did you expect to see?
Either traefik container/LEGO waiting for input ("press ENTER") on initial deploy or successful check completion on restart.
What did you see instead?
Output of `traefik version`: (What version of Traefik are you using?)
```
Version:      v1.7.9
Codename:     maroilles
Go version:   go1.11.5
Built:        2019-02-11_11:36:32AM
OS/Arch:      linux/amd64
```
What is your environment & configuration (arguments, toml, provider, platform, ...)?
docker-compose file
The configuration itself is tested with docker-compose and TLS with my own (not the Traefik default, which is issued when something goes wrong) self-signed certificates.
Am I missing something, or is there a problem?
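Both the issue body above (adding the `_acme-challenge` TXT records by hand, then restarting the container) and the later comment about the `manual` provider hinge on the same operational step: the record must be visible in public DNS before the container is restarted, otherwise the DNS-01 check is retried against a record that is not there yet. The following POSIX shell helper is an added example, not code from the issue, from Traefik or from lego. It parses `dig +short TXT` output and only reports success when a quoted string equals the token exactly, so a stale token from an earlier run does not pass. The resolver address `1.1.1.1`, the function names and the sample `dig` output are assumptions or constructed; `wait_for_txt` needs `dig` and network access, while `txt_has_token` and `acme_challenge_name` work offline.

```shell
#!/bin/sh
# Added example (not from the Traefik issue): verify that the manual DNS-01
# TXT record is visible to a public resolver before restarting traefik.

# txt_has_token: read `dig +short TXT` output on stdin; exit 0 only if one of
# the quoted strings equals the expected token exactly (no prefix matches).
txt_has_token() {
    expected="$1"
    # dig prints each TXT string in double quotes; strip them, then compare
    # whole lines with a fixed-string, exact-line grep.
    sed 's/^"//; s/"$//' | grep -Fxq -- "$expected"
}

# acme_challenge_name: the record name the manual provider asks you to create
# for a given domain (the _acme-challenge label prefixed to the domain).
acme_challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# wait_for_txt: poll a public resolver (assumed: 1.1.1.1) until the expected
# token is published or the attempts run out. Requires dig and network access.
wait_for_txt() {
    domain="$1"
    expected="$2"
    attempts="${3:-10}"   # default: 10 attempts
    delay="${4:-30}"      # default: 30 seconds between attempts
    name=$(acme_challenge_name "$domain")
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short TXT "$name" @1.1.1.1 | txt_has_token "$expected"; then
            echo "$name carries the expected token; safe to restart traefik"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "$name did not show the expected token after $attempts attempts" >&2
    return 1
}

# Constructed sample of `dig +short TXT` output: one stale string left over
# from a previous run and one current token. Used for the offline check below.
SAMPLE_DIG_OUTPUT='"stale-token-from-previous-run"
"constructed-current-token"'

# Offline demonstration of the parser on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | txt_has_token "constructed-current-token"; then
        echo "parser: current token found in sample"
    fi
    if ! printf '%s\n' "$SAMPLE_DIG_OUTPUT" | txt_has_token "constructed-current"; then
        echo "parser: partial token correctly rejected"
    fi
fi
```

Run it as `sh check_txt.sh --demo` for the offline parser check, or source it and call `wait_for_txt eng.kindrobots.com '<token from the lego log>'` before restarting the stack; a non-zero exit means the record is not yet visible and the restart should wait.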