We have traefik (v2.9.9) running in a Docker container with a number of services using Let's Encrypt to request certificates and traefik's basicAuth middleware to secure access to these services.
When traefik tries to update the certs, error 403 appears. Our traefik configuration:

traefik.yml:
```yaml
# Info from
# https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  webservice:
    address: ":8080"
api:
  dashboard: true
# https://doc.traefik.io/traefik/https/acme/
certificatesResolvers:
  lets-encrypt:
    # Enable ACME (Let's Encrypt): automatic SSL
    acme:
      # Email address used for registration.
      #
      # Required
      #
      email: "<valid email address>"
      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"
      # tlsChallenge:
      httpChallenge:
        # used during the challenge; maybe webservice belongs here, but I'm not sure.
        entryPoint: web
providers:
  docker:
    watch: true
    network: "web"
  file:
    filename: "traefik_dynamic.yml"
log:
  filePath: "/var/log/traefik.log"
  level: DEBUG
  format: json
# Configuring a buffer of 100 lines
accessLog:
  filePath: "/var/log/access.log"
  bufferingSize: 100
  format: json
  fields:
    defaultMode: keep
```
traefik_dynamic.yml:

```yaml
# Info from
# https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04
http:
  middlewares:
    simpleAuth:
      basicAuth:
        users:
          - <USER1>
          - <USER2>
  routers:
    api:
      rule: "Host(`traefik.our.Domain`)"
      entrypoints:
        - "websecure"
      middlewares:
        - "simpleAuth"
      service: "api@internal"
      tls:
        certResolver: "lets-encrypt"
```
Excerpt from docker-compose.yml:

```yaml
version: "3"
services:
  traefik:
    image: traefik:latest
    command:
      # acme.acmelogging is a Traefik v1 option; v2 has no such flag (ACME output is governed by log.level)
      - --acme.acmelogging=true
      - --accessLog
    environment:
      - TZ=Europe/Berlin
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/traefik/traefik.yml:/traefik.yml:ro
      - $PWD/traefik/traefik_dynamic.yml:/traefik_dynamic.yml:ro
      - /opt/traefik/acme.json:/acme.json:rw
      - /opt/traefik/logs:/var/log:rw
    networks:
      - web
  ...
  phpmyadmin:
    image: phpmyadmin:5
    restart: unless-stopped
    depends_on:
      - database
    labels:
      - traefik.http.routers.phpmyadmin.rule=Host(`phpmyadmin.our.Domain`)
      - traefik.http.routers.phpmyadmin.tls=true
      - traefik.http.routers.phpmyadmin.tls.certresolver=lets-encrypt
      - traefik.http.routers.phpmyadmin.middlewares=simpleAuth@file
      # traefik.port is a Traefik v1 label; the v2 form is traefik.http.services.phpmyadmin.loadbalancer.server.port=80
      - traefik.port=80
    environment:
      - PMA_ARBITRARY=1
      - PMA_ABSOLUTE_URI=https://phpmyadmin.our.Domain
      - PMA_HOST=database
    networks:
      - internal
      - web
```
The problem seems to be the basicAuth login for our services. I need a rule or exception for the Let's Encrypt path (https://phpmyadmin.our.Domain/.well-known/acme-challenge/) or some other way to renew the certificates.
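Added here as a diagnostic example, not part of the original post: a small Python script that reads Traefik's JSON access log (the `format: json` / `defaultMode: keep` configuration above), keeps only requests to the acme-challenge path, and counts them per entry point, router and downstream status, so you can see which router actually answered the challenge and with what code. The log lines, hostnames, tokens and router names in it are constructed samples, not the poster's real log.

```python
import json
from collections import Counter

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample lines in the shape of Traefik's JSON access log.
# Hosts, tokens and client addresses are placeholders, not real data.
SAMPLE_LOG = """
{"ClientHost":"203.0.113.10","DownstreamStatus":403,"RequestHost":"phpmyadmin.our.Domain","RequestMethod":"GET","RequestPath":"/.well-known/acme-challenge/TOKEN-A","RouterName":"phpmyadmin@docker","entryPointName":"web"}
{"ClientHost":"203.0.113.10","DownstreamStatus":401,"RequestHost":"phpmyadmin.our.Domain","RequestMethod":"GET","RequestPath":"/index.php","RouterName":"phpmyadmin@docker","entryPointName":"websecure"}
{"ClientHost":"203.0.113.11","DownstreamStatus":200,"RequestHost":"traefik.our.Domain","RequestMethod":"GET","RequestPath":"/.well-known/acme-challenge/TOKEN-B","RouterName":"acme-http@internal","entryPointName":"web"}
not json at all
"""


def parse_access_log(text):
    """Yield one dict per parseable JSON line; silently skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def acme_challenge_hits(text):
    """Return only the entries whose request path is an ACME HTTP-01 challenge."""
    return [e for e in parse_access_log(text)
            if e.get("RequestPath", "").startswith(ACME_PREFIX)]


def summarize(text):
    """Count challenge requests per (entry point, router, downstream status).

    A basicAuth middleware rejects with 401, so a 403 on the challenge path
    means the request reached a router or backend that forbids it, not the
    auth prompt itself.
    """
    return Counter((e.get("entryPointName"), e.get("RouterName"), e.get("DownstreamStatus"))
                   for e in acme_challenge_hits(text))


if __name__ == "__main__":
    for (ep, router, status), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{n} challenge request(s) on entrypoint {ep} via {router}: HTTP {status}")
```

Run it against the real file with `python3 acme_log_check.py < /opt/traefik/logs/access.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`.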