Configuring LetsEncrypt with Traefik to use DNS01 Challenge Breaks traefik.yml
Description
As the title says, my service provider does not allow traffic through port 80, so I have to authenticate through a TLS channel. I was attempting to do this by configuring the traefik config within vault.yml and config.yml within my homelabos settings directory.
After adjusting my vault.yml to the configuration below, hlos deploy was creating an invalid traefik.yml and I was unable to start my homelabos docker image. The current resolution I've had for this is to manually adjust my traefik.yml to remove the invalid configuration and restart the docker container.
Another separate issue that will also cause failure: when attempting to add environment variables to additional_env_vars in vault.yml, these values are destroyed on hlos deploy. The workaround I have for this is, after hlos deploy, to add the variables into the traefik docker-compose.yml and restart the container.
I'm all of two days into HomelabOS, so please let me know if I'm configuring something improperly. I wasn't able to find much documentation on this and have been digging into ansible templates to get most of my answers. If you need more information than provided, I'm happy to provide it. Thanks for your help.
Logs / Config Files
vault.yml

```yaml
traefik:
  https_only: False
  domain: False
  subdomain: traefik
  auth: False
  expose_internally: True
  expose_externally: False
  # Enable sendAnonymousUsage?
  # Reference: https://docs.traefik.io/master/contributing/data-collection/
  send_anonymous_usage: False
  # this value transfers successfully over to traefik.yaml
  dns_challenge_provider: namecheap
  # use key:value pairs here to add additional environment variables to your traefik docker image.
  # for instance, if you're using a dns challenge provider place your api keys etc here.
  additional_env_vars:
    # DUMMY_KEY: DUMMY_VALUE
    # these values get squashed every time hlos deploy runs
    # i.e. they're deleted here and not migrated to the docker-compose.yml
    NAMECHEAP_API_KEY: API_KEY
    NAMECHEAP_API_USER: API_USER
    CF_API_EMAIL: EMAIL
    CF_API_KEY: API_KEY
```
traefik.yaml

```yaml
---
global:
  checkNewVersion: true
  sendAnonymousUsage: False
log:
  level: INFO
  filePath: /var/log/traefik/traefik.log
  format: json
accessLog:
  filePath: /var/log/traefik/access.log
  format: json
  fields:
    defaultMode: keep
    names:
      clientUsername: drop
    headers:
      defaultMode: keep
      names:
        User-Agent: keep
        Authorization: drop
        Content-Type: keep
entryPoints:
  http:
    address: :80
  https:
    address: :443
    # all of this is added and is invalid vvvvv
    http:
      tls:
        options: default
        certResolver: dns domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"
    # all of this is added and is invalid ^^^^^
  smtp: # for healthchecks incoming emails
    address: :25
  ssh:
    address: ":2222"
  #ping@internal
  ping:
    address: ":8081"
  #metrics@internal
  metrics:
    address: ":8082"
#Health
ping:
  entryPoint: "ping"
  manualRouting: false
#Metrics
metrics:
  prometheus:
    entryPoint: metrics
    addEntryPointsLabels: true
    addServicesLabels: true
    manualRouting: false
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
providers:
  providersThrottleDuration: 2s
  docker:
    watch: true
    exposedByDefault: false
    endpoint: unix:///var/run/docker.sock
    swarmModeRefreshSeconds: 15s
  file:
    directory: /conf.d
    watch: true
api:
  dashboard: true
  insecure: true
log:
  level: ERROR
certificatesResolvers:
  dns:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: myemail@domain.com
      keyType: EC256
      storage: acme.json
      dnsChallenge:
        delayBeforeCheck: 10
        # pulls successfully from vault.yml
        provider: namecheap
        resolvers:
          - '1.1.1.1:53'
          - '1.0.0.1:53'
  http:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: myemail@domain.com
      keyType: EC256
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: http
```
homelabos logs on boot

```
2020/07/15 21:02:21 command traefik error: yaml: line 33: mapping values are not allowed in this context
2020/07/15 21:02:21 command traefik error: yaml: line 33: mapping values are not allowed in this context
2020/07/15 21:02:22 command traefik error: yaml: line 33: mapping values are not allowed in this context
```
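The failure in the log above is the template emitting `certResolver: dns domains:` on a single line, which is exactly what YAML rejects as "mapping values are not allowed in this context". A small pre-deploy lint that catches this before the container is restarted, added here as an example that is not part of the issue or of HomelabOS: it flags any line that carries a second mapping key after a scalar value, reports the same 1-based line number Traefik prints, and checks that every `certResolver` value names a resolver declared under `certificatesResolvers`. The two snippets are constructed from the report's entryPoints block; the "fixed" form puts `domains:` on its own line, which is the Traefik v2 layout for `entryPoints.<name>.http.tls.domains`. No YAML library is used, so the check runs anywhere `hlos` does.

```python
"""Pre-deploy lint for a generated traefik.yaml (added example, not HomelabOS code)."""
import re

# Constructed: the broken entryPoints block as the report shows hlos deploy rendering it.
BROKEN = """\
entryPoints:
  http:
    address: :80
  https:
    address: :443
    http:
      tls:
        options: default
        certResolver: dns domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"
certificatesResolvers:
  dns:
    acme:
      storage: acme.json
"""

# Constructed: the same block with `domains:` on its own line (Traefik v2 layout).
FIXED = """\
entryPoints:
  http:
    address: :80
  https:
    address: :443
    http:
      tls:
        options: default
        certResolver: dns
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"
certificatesResolvers:
  dns:
    acme:
      storage: acme.json
"""

_QUOTED = re.compile(r"""'[^']*'|"[^"]*\"""")
# A scalar value followed, on the same line, by a bare `key:` token.
_INLINE_KEY = re.compile(r":\s+[^\s#'\"].*?\s[A-Za-z_][\w.-]*:(\s|$)")


def _strip(line):
    """Blank out quoted strings and drop trailing comments so their colons are ignored."""
    line = _QUOTED.sub("''", line)
    return line.split("#", 1)[0].rstrip()


def find_inline_mapping_errors(text):
    """(1-based line number, line) for every line with a second mapping key after a value.
    The number matches the `yaml: line N` that Traefik logs."""
    return [(n, raw.strip()) for n, raw in enumerate(text.splitlines(), start=1)
            if _INLINE_KEY.search(_strip(raw))]


def declared_resolvers(text):
    """Names directly under `certificatesResolvers:`, found by indentation (no YAML parser)."""
    names, parent_indent, child_indent = set(), None, None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "certificatesResolvers:":
            parent_indent, child_indent = indent, None
            continue
        if parent_indent is None:
            continue
        if indent <= parent_indent:          # left the block
            parent_indent = None
            continue
        if child_indent is None:
            child_indent = indent            # first child fixes the child indent level
        if indent == child_indent and line.strip().endswith(":"):
            names.add(line.strip()[:-1])
    return names


def undefined_cert_resolvers(text):
    """certResolver values that do not name a declared resolver."""
    refs = re.findall(r"^\s*certResolver:\s*([\w-]+)\s*$", text, flags=re.M)
    return sorted(set(refs) - declared_resolvers(text))


def lint(text):
    """Human-readable findings; an empty list means the file passed both checks."""
    findings = [f"line {n}: two mapping keys on one line: {line}"
                for n, line in find_inline_mapping_errors(text)]
    findings += [f"certResolver '{name}' is not declared under certificatesResolvers"
                 for name in undefined_cert_resolvers(text)]
    return findings


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(doc) or "ok")
```

Run it against the rendered `traefik.yaml` (for example `lint(open(path).read())`) after `hlos deploy` and before restarting the container; a non-empty result means the file would fail to load exactly as in the log above.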