SSL Certs

[phortonssf]

Deploying to ec2 works great, however the default traefic docker image image doesn't seem to support HTTPS. When loading the traefik dashboard it doesn't show HTTPS and SSL endabled.

From the README.md

Traefik integration, including Let's Encrypt HTTPS certificates automatic generation.

How do we use the included certs for HTTPS? Thank you.

[paxcodes]

One option is to follow the instructions in https://dockerswarm.rocks. Note that the traefik container mentioned here is a separate container from the traefik container included in this cookiecutter.

[phortonssf]

@paxcodes Ty got it up but ran into a different SSL issue. Most of my calls to the backend are working however one route in particular we added is getting mixed content errors. The headers from uvicorn are returning with http://mydomain.com vs https://mydomain.com. Our other endpoints work perfect. Any ideas on why univicorn is setting them to http on a specific route?

[wolfieorama]

@paxcodes did you manage to solve this, i run in to the same issue, the issue looks like the certification getting issued is the default one by Traefik,

in my case: CN=TRAEFIK DEFAULT CERT

[paxcodes]

I was able to have SSL for my domains when I followed the instructions in https://dockerswarm.rocks and then the deployment instructions in the README generated by this cookiecutter.

One way to troubleshoot is checking the traefik logs as mentioned here.

If there's a specific step in the process that you're having trouble with, I will try to help.

[paxcodes]

@paxcodes Ty got it up but ran into a different SSL issue. Most of my calls to the backend are working however one route in particular we added is getting mixed content errors. The headers from uvicorn are returning with http://mydomain.com vs https://mydomain.com. Our other endpoints work perfect. Any ideas on why univicorn is setting them to http on a specific route?

Sorry, no, not off the top of my head. If I were to encounter that, first thing I would check is my docker-compose files: making sure that everything is set up correctly there. Next would be how uvicorn is configured. But this is coming from someone who don't have a lot of experience with ssl certs / docker / uvicorn so I'm covering a lot of ground, instead of targeting something specific.

[wolfieorama]

I got my issue fixed: after adding the docker.network label and tls on both services it works now

        - traefik.docker.network=${TRAEFIK_PUBLIC_NETWORK?Variable not set}
        - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls=true
        - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.tls.certresolver=le   ```

Also you many need to check if there are any conflicting `http` and `https` redirection rules .. I had that in my `docker-compose` file

[MariusMez]

Hi,

I encounter the same issue than @wolfieorama. All the certificates for the services (pgadmin, flower, and the other required traefik from the dockerswarm.rocks doc) where generated with success using the LetsEncrypt certresolver.

But for the main app wich use the proxy service, it seems traefik didn't success to use letsencrypt and default to the self signed TRAEFIK DEFAULT CERT wich is not good on production...

The logs provided by docker service logs mystack-proxy are not very usefull (level=debug msg="No default certificate, generating one")

By adding the docker.network label and tls on the frontend service it allows traefik to generate the letsencrypt certificate successfully.

But I don't understand why precisely? If someone as a clue?

[tiangolo]

This project has gone through several refactors that happened after this conversation. It currently targets Docker Compose, with Traefik on top handling HTTPS and certs. If anyone comes here, the latest docs in the repo have the info.