Docker, Traefik, LetsEncrypt, ACME Automatic SSL?

Loving to see Docker become more popular here!
I was able to get the kcollins image up and running.

I am not a wizard with Docker by any means, but I’ve been using Portainer and Compose, and using labels to automatically get my certificates. This works for almost every container I use, but I’m oblivious to how I can make this work for Ignition.

- "traefik.http.routers.ignition.tls.certresolver=letsencrypt"

Do I need to specify a location within the filesystem for the certs?

I had tried to manually import the default cert that comes into the designer, but it keeps saying invalid.

It looks like you’ve got Traefik standing in front of your containers, handling the TLS termination. From there, you’ve got it piped into the Docker socket and able to observe labels applied to various containers to drive the configuration.

If you’ve got this already working for other containers, then it is probably just a matter of setting up your label configuration for Ignition. It looks like your certificate resolver configured in Traefik is called letsencrypt, so I’d think this set of labels should get you close:

labels:
  - ...
  # "websecure" should match the name of your entrypoint listening on 443 in Traefik.
  - "traefik.http.routers.ignition.entrypoints=websecure"
  # "letsencrypt" should match the configuration for your ACME resolver in Traefik.
  - "traefik.http.routers.ignition.tls.certresolver=letsencrypt"
  # You probably need to explicitly configure your service port target, so let's point it at 8088 (i.e. standard HTTP behind Traefik's TLS termination).
  - "traefik.http.services.ignition.loadbalancer.server.port=8088"
  # And finally, a rule to match against for the DNS name you want to pipe into this gateway container.
  - "traefik.http.routers.ignition.rule=Host(`my-ignition.dev`)"

If you’re on 8.1.6+, then you won’t need the path rewrite discussed here.

Hopefully this helps a bit…

Thanks Kevin! Love your work.

I am on the latest image.
I do have most of those labels already with the exception of the loadbalancer (I don't think I need that right now?)

I am using a wildcard *.example.com certificate. Could that also be an issue?

      - "traefik.http.routers.ignition.rule=Host(`ignition.example.com`)"
      - "traefik.http.routers.ignition.entrypoints=websecure"
      - "traefik.http.routers.ignition.tls=true"
      - "traefik.http.routers.ignition.tls.certresolver=letsencrypt"

When I inspect the certificate in a browser it comes up as the traefik default certificate.

You are a genius.

Load balancer was the key!

- "traefik.http.services.ignition.loadbalancer.server.port=8088"

Glad this got it done! The reason why you need the loadbalancer port explicitly defined is that there may be multiple exposed ports (in kcollins/ignition, the default EXPOSE declaration was constricted for 8.1.9, as seen here, but this list could obviously grow based on how your container is configured).

Without an explicit declaration, Traefik will pick the first port in the expose list (which ends up as an alpha-sorted list since under the hood it is maintained as a Go map datatype that doesn’t track insertion order as image layers get merged).
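To make the failure mode in this thread easy to catch before deploying, here is a small label lint, added as an example and not code from the thread or from the kcollins/ignition project. It parses `traefik.http.routers.*` / `traefik.http.services.*` labels of the kind shown above and flags a router that has no explicit `loadbalancer.server.port` while the image exposes more than one port; the label sets and the exposed-port list are constructed from the thread, and the service-name fallback (the router's `service` label, else the single parsed service, else the router name) is an assumption.

```python
"""Lint Traefik Docker labels for an Ignition container (added example)."""
import re

LABEL_RE = re.compile(r"^traefik\.http\.(routers|services)\.([^.]+)\.(.+?)=(.*)$")

# Constructed sample: the label set posted in the thread before the fix...
BEFORE = [
    "traefik.http.routers.ignition.rule=Host(`ignition.example.com`)",
    "traefik.http.routers.ignition.entrypoints=websecure",
    "traefik.http.routers.ignition.tls=true",
    "traefik.http.routers.ignition.tls.certresolver=letsencrypt",
]
# ...and after adding the explicit service port that resolved it.
AFTER = BEFORE + ["traefik.http.services.ignition.loadbalancer.server.port=8088"]

# Constructed list of ports the image declares via EXPOSE; 8088 is the gateway's HTTP port.
EXPOSED_PORTS = ["8043", "8060", "8088"]


def parse_labels(labels):
    """Group labels into {router_name: {key: value}} and {service_name: {key: value}}."""
    routers, services = {}, {}
    for label in labels:
        m = LABEL_RE.match(label)
        if not m:
            continue  # not an http router/service label (e.g. traefik.enable)
        kind, name, key, value = m.groups()
        target = routers if kind == "routers" else services
        target.setdefault(name, {})[key] = value
    return routers, services


def check_ignition_labels(labels, exposed_ports, router="ignition"):
    """Return a list of findings; an empty list means the label set looks complete."""
    routers, services = parse_labels(labels)
    findings = []
    r = routers.get(router)
    if r is None:
        return [f"no router '{router}' defined"]
    for key in ("rule", "entrypoints", "tls.certresolver"):
        if key not in r:
            findings.append(f"router '{router}' missing '{key}'")
    # Assumption: explicit 'service' label wins, else the single parsed service, else router name.
    service = r.get("service") or (next(iter(services)) if len(services) == 1 else router)
    port = services.get(service, {}).get("loadbalancer.server.port")
    if port is None and len(exposed_ports) > 1:
        findings.append(f"service '{service}' has no loadbalancer.server.port but the image "
                        f"exposes {len(exposed_ports)} ports; Traefik will pick one for you")
    elif port is not None and port not in exposed_ports:
        findings.append(f"loadbalancer.server.port={port} is not an exposed port {exposed_ports}")
    return findings
```

Running `check_ignition_labels(BEFORE, EXPOSED_PORTS)` reports the missing service port, while the AFTER set returns no findings.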
