Use Traefik to generate Let's Encrypt certificates

beagleboys

Cadet
Joined
Aug 15, 2021
Messages
9
Hi,
just updated to TrueNAS SCALE and I have to mention that I'm a total noob about anything that involves containers, traefik and similar. I'm experimenting on my home server and I'm happy to learn new things.

The preface:
I have a domain on google domains, I can't move it and I'm stuck there (long, different reasons) and I need a certificate so my nextcloud apps don't go crazy when they detect the default traefik certificate.
As you probably just guessed I can't use the very easy guide from truecharts. that would be too easy.

What I think I should do:
I found this guide on traefik official website (https://doc.traefik.io/traefik/https/acme/) and after some wild guessing I imagine I need to do this:
- in the traefik app>setting> extra args I added this:
[attached screenshot: Schermata 2022-04-30 alle 22.35.45.png]

(I created in the traefik container a acme.json file and disabled read only for the system)

- the nextcloud app>settings>label I added this:
[attached screenshot: Schermata 2022-04-30 alle 22.38.14.png]

I took the liberty to assume that the label
Code:
- traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
was already automatically generated so I did not add it.

Things I think I'm doing wrong:
- the name of the routers in the nextcloud app: there's always an alphanumeric sequence afterwards, and it changes after every reboot, so that may be an error
- the extra args formatting
- EVERYTHING?

Thanks to whoever tries to kill my current headache/proves that I'm a fool.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
You are NOT running docker.
You're running kubernetes, docker labels are not the same as kubernetes labels.

Generally speaking you cannot use "the docker way" with Traefik on TrueNAS SCALE.

---
"As you probably just guessed I can't use the very easy guide from truecharts. that would be too easy."

You could at least try using our App and not use the guide. There is more going into the Traefik side than "just" loading the container, we pre-configure a lot of things and it's running as "Traefik ingress provider" not "docker-traefik".

While you could, in theory, run Traefik ingress provider using Launch Docker for the most part, there are issues that you cannot resolve using Launch Docker and a number of serious security flaws when doing this.

Please for the sake of the security of your data: Don't try to DIY Traefik using Launch Docker.
 

beagleboys

Cadet
Joined
Aug 15, 2021
Messages
9
You are NOT running docker.
You're running kubernetes, docker labels are not the same as kubernetes labels.

Generally speaking you cannot use "the docker way" with Traefik on TrueNAS SCALE.

---
"As you probably just guessed I can't use the very easy guide from truecharts. that would be too easy."

You could at least try using our App and not use the guide. There is more going into the Traefik side than "just" loading the container, we pre-configure a lot of things and it's running as "Traefik ingress provider" not "docker-traefik".

While you could, in theory, run Traefik ingress provider using Launch Docker for the most part, there are issues that you cannot resolve using Launch Docker and a number of serious security flaws when doing this.

Please for the sake of the security of your data: Don't try to DIY Traefik using Launch Docker.
Thanks for the quick reply!
I did use your app (both for traefik and nextcloud) and used your video guides for everything except the certificate.

I had an inkling that this was Kubernetes (possibly by the fact that the traefik dashboard says Kubernetes on every corner?) and not docker but... the fact that I could set labels made me hope I was on the correct path.
So am I on the correct path with the extra args settings but WAY out with the labels? how do I get this:
[attached screenshot: Schermata 2022-04-30 alle 23.10.49.png]

to fit into the app settings?

or even better: is it even possible to do what I'm trying to do?
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Thanks for the quick reply!
I did use your app (both for traefik and nextcloud) and used your video guides for everything except the certificate.

I had an inkling that this was Kubernetes (possibly by the fact that the traefik dashboard says Kubernetes on every corner?) and not docker but... the fact that I could set labels made me hope I was on the correct path.
So am I on the correct path with the extra args settings but WAY out with the labels? how do I get this:
[attachment 55131]
to fit into the app settings?

or even better: is it even possible to do what I'm trying to do?

You seem to be thinking that Launch Docker is somehow a complete solution. It's not.
It's a short-cut solution to run basic Docker-Containers on kubernetes.

There is a reason organisations like us, k8s-at-home and bitnami, write Helm Charts. If it all fitted in a small standardised GUI we wouldn't even exist. For many Applications a good solid deployment takes more than Launch-Docker is going to offer.

But definitely it's not made for intricate kubernetes system additions like: IngressProviders, CRD's, CNI's etc.

Simply put:
You should not even be trying anything in this direction without an above-average understanding of Native kubernetes and Helm, without complications from trying to do things on SCALE.

We'll leave it at this, as you literally would have to duplicate the work done in one of the available Helm Charts or SCALE Apps, like ours or the official Helm chart. We do not have the manpower to walk you through redoing one of our most intricate projects.

We're not saying this to discourage you from messing around with the system a bit, but trying to take on something that is this complicated, without even a basic understanding what you're dealing with on a high level, is just going to only be confusing yourself and others.

Simply put: At this time you're not even able to ask the right questions, let alone get the right answers.
Just be like any good devops engineer and work from what already exists. There is a reason even we and other big Helm Chart/SCALE App builders do this. It's not a show of a lack of skill, it's just that some things are rather hard to get right.

---
To answer your questions:
No you cannot completely deploy Traefik as an ingress provider including CRD's etc using launch docker. As it's (both Launch Docker and Traefik) not meant to be used that way.
 

beagleboys

Cadet
Joined
Aug 15, 2021
Messages
9
thanks again,
so if I'm doing it all wrong how do I do it? is there an easier way to get any parts of the system to handle the https certificates for my apps?
(of course without using either cloudflare or route53)
 

stavros-k

Patron
Joined
Dec 26, 2020
Messages
231
thanks again,
so if I'm doing it all wrong how do I do it? is there an easier way to get any parts of the system to handle the https certificates for my apps?
(of course without using either cloudflare or route53)
Without any knowledge of k8s/helm, the best way is to ask iX Systems to add support for your provider :)
 

Riediekel

Cadet
Joined
Dec 5, 2020
Messages
3
thanks again,
so if I'm doing it all wrong how do I do it? is there an easier way to get any parts of the system to handle the https certificates for my apps?
(of course without using either cloudflare or route53)
You could do it as I have set it up: create a free account at Cloudflare, add your domain and use it for DNS only (you toggle "pause Cloudflare on site" to disable everything but DNS). You get 2 nameservers from Cloudflare that you need to change with Google Domains; after that has been confirmed by Cloudflare as working (you get an email) you can use the certificates from TrueNAS as in the tutorial at TrueCharts. Your domain stays at Google, just the DNS is switched.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
You could do it as I have set it up: create a free account at Cloudflare, add your domain and use it for DNS only (you toggle "pause Cloudflare on site" to disable everything but DNS). You get 2 nameservers from Cloudflare that you need to change with Google Domains; after that has been confirmed by Cloudflare as working (you get an email) you can use the certificates from TrueNAS as in the tutorial at TrueCharts. Your domain stays at Google, just the DNS is switched.
Please do not give wrong information.
DNS validation of certificates requires the nameserver validating DNS ownership to be your actual DNS server.

If this was not the case, everyone could make certificates for your sites ;-)
 

Riediekel

Cadet
Joined
Dec 5, 2020
Messages
3
Please do not give wrong information.
DNS validation of certificates requires the nameserver validating DNS ownership to be your actual DNS server.

If this was not the case, everyone could make certificates for your sites ;-)
There is nothing wrong with the information I have given: only the domain owner can change the nameservers in their account at the domain registrar. You do not have to use the DNS servers of your domain registrar if you don't want to, as you can change those in your account at the domain registrar. That's how I use it and no one but myself can create certificates for my domains.
I use Transip (Dutch registrar) as my domain registrar so I changed the nameservers there to point to Cloudflare, nothing wrong with that.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
There is nothing wrong with the information I have given: only the domain owner can change the nameservers in their account at the domain registrar. You do not have to use the DNS servers of your domain registrar if you don't want to, as you can change those in your account at the domain registrar. That's how I use it and no one but myself can create certificates for my domains.
I use Transip (Dutch registrar) as my domain registrar so I changed the nameservers there to point to Cloudflare, nothing wrong with that.
Ahh, misunderstanding then...
It looked like you explained one could go back and forth between Cloudflare and another DNS provider while keeping auto-renewal support.
 

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
Just to summarize for folks like me who found this thread trying to do what OP is trying to do:
Official TrueCharts automatic SSL is only possible if your DNS is managed by CloudFlare or Route53. The quick start guide implies you have other options and those two are just the easiest, but practically you don't. Your only alternative is to manually manage certificates, or host your apps elsewhere.

The reason is that TrueCharts configures Traefik to use a TrueNAS certificate. TrueNAS only supports certificates via DNS challenges via those two providers.

Yes Traefik itself can manage certificates itself with options similar to what OP is trying. But it's impossible to actually pass those options to the Traefik binary. The options OP is setting do not get passed to the binary (I can't find any docs that say where they do get passed).

The arguments to the traefik binary get constructed here. There is no mechanism to add any arbitrary args, you can only use what the web form will let you.

I don't see a reason why it couldn't be made to work, but the truecharts folks would have to add support for those switches.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
...or use other automation to manage your certs, like this:
So semi-manually :P
Thank you for the link, and thank you even more for your nextcloud jail setup script. Fittingly the best thing about your nextcloud script is Caddy and its automatic SSL :)

This is still only a part of a working setup, though. It still needs a place to run acme.sh, and that requires a place it can write that a webserver will host. So in this case it would have to be somewhere behind Traefik (because port 80 is directed there), which needs to be configured in a non-trivial way. I'm sure this is possible to set up as a Docker container or a helm chart, but I wouldn't call it a trivial task without seeing a working setup.

Option B is to use acme.sh with a DNS challenge. In my and OP's case they do support Google, but require `gcloud init` for authentication and in my experience that gets deauthenticated over time. So this won't be automatic long term.

To add insult to injury, TrueNAS doesn't support Cloudflare or Route53 as DDNS providers.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So semi-manually :P
Not at all. Whatever client you use to get/renew the cert, tell it to use my deploy script after the fact to deploy the cert. Every major ACME client supports this.
To add insult to injury, TrueNAS doesn't support Cloudflare or Route53 as DDNS providers.
Yeah, I was kind of annoyed when my two-year-old ticket to add this to CORE was closed with "sure, we'll add it to SCALE." And they want us to believe CORE is going to continue to be actively developed and maintained.
 

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
Not at all. Whatever client you use to get/renew the cert, tell it to use my deploy script after the fact to deploy the cert. Every major ACME client supports this.
OP and I don't have such a client, that's why we're here. Traefik is sold as a tool to do this for us. On FreeNAS I was using your Caddy setup.

I'm happy to set up a client somewhere, but it's not immediately clear how to best do that without making it a future support nightmare. Like I bet most home users, the TrueNAS box is my only always-on device that can handle this role.
 

mgoulet65

Explorer
Joined
Jun 15, 2021
Messages
95
This isn't a solution for everyone, but my broader needs dictated this approach. I purchased a low(ish) cost wildcard cert. Once that cert is imported into SCALE, it can be used anywhere it is needed, including Traefik for SSL.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Yes Traefik itself can manage certificates itself with options similar to what OP is trying. But it's impossible to actually pass those options to the Traefik binary. The options OP is setting do not get passed to the binary (I can't find any docs that say where they do get passed).

No, not really.
The way traefik is normally used with kubernetes is with Cert-Manager, not with their own certificate solution. Because traefik is usually run Highly Available on Kubernetes. However, their certificate solution does not work safely/cleanly when run that way.
 

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
No, not really.
The way traefik is normally used with kubernetes is with Cert-Manager, not with their own certificate solution. Because traefik is usually run Highly Available on Kubernetes. However, their certificate solution does not work safely/cleanly when run that way.
TrueCharts default is 1 replica, so no HA. A simple config if statement could disable ACME if more than one replica is selected. This hardly seems like a roadblock.

Is that really the only downside?
 

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
Just for fun I hacked the chart to add the following command lines that ask Traefik to use a TLS Challenge against Let's Encrypt's staging servers:

Code:
--certificatesresolvers.le.acme.tlsChallenge=true
--certificatesresolvers.le.acme.storage=/shared/acme.json
--certificatesresolvers.le.acme.email=test@gmail.com
--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
--entrypoints.websecure.http.tls.certResolver=le

SSL then works great on every endpoint.

That's all it seems to take to have automatic SSL for all your public TrueCharts apps. A text field for the email, a dropdown to choose staging/prod, and mounting a storage location for acme.json. That's hardly any config options to add a hugely important feature.

Can someone explain if there's a downside to this? Besides the aforementioned HA concerns.
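Those flags are Traefik's static configuration expressed on the command line: each `--a.b.c=value` flag sets one key of the same tree that a static YAML/TOML file would hold, with keys compared case-insensitively. The script below is an added example, not code from the thread or from TrueCharts or Traefik. It rebuilds that tree from the five flags posted above and lints the result for the things a practitioner should check before deploying: the staging CA (certificates from it are not browser-trusted, which is what you want while testing), exactly one challenge type per resolver, a persistent storage path, and the storage file mode, since Traefik refuses to use an acme.json that is more permissive than 0600 (it holds the account key and every certificate's private key). The `test@gmail.com` address is the placeholder from the post; the file modes passed to the linter are constructed values, not read from a real file.

```python
"""Rebuild Traefik's static config tree from CLI flags and lint the ACME part.

Added example; not from the forum thread or any project on the page.
"""
import stat
from typing import Any, Dict, List, Optional

# The flags from the post above (email is the poster's placeholder).
POSTED_ARGS = [
    "--certificatesresolvers.le.acme.tlsChallenge=true",
    "--certificatesresolvers.le.acme.storage=/shared/acme.json",
    "--certificatesresolvers.le.acme.email=test@gmail.com",
    "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory",
    "--entrypoints.websecure.http.tls.certResolver=le",
]

LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
CHALLENGE_KEYS = ("tlschallenge", "httpchallenge", "dnschallenge")


def _coerce(value: str) -> Any:
    """Map the textual booleans Traefik accepts to Python bools."""
    low = value.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    return value


def parse_traefik_args(args: List[str]) -> Dict[str, Any]:
    """Turn --dotted.key=value flags into a nested dict.

    Keys are lower-cased because Traefik matches them case-insensitively,
    so tlsChallenge and tlschallenge denote the same option.
    """
    tree: Dict[str, Any] = {}
    for arg in args:
        if not arg.startswith("--"):
            raise ValueError(f"not a Traefik flag: {arg!r}")
        key, sep, value = arg[2:].partition("=")
        if not sep:          # bare --flag means --flag=true
            value = "true"
        parts = key.lower().split(".")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = _coerce(value)
    return tree


def lint_acme_config(tree: Dict[str, Any], storage_mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings about the ACME resolvers in the tree.

    storage_mode is the st_mode of the acme.json file (e.g. from os.stat);
    None skips the permission check.
    """
    findings: List[str] = []
    resolvers = tree.get("certificatesresolvers", {})

    # An entrypoint may only point at a resolver that actually exists.
    for ep_name, ep in tree.get("entrypoints", {}).items():
        ref = ep.get("http", {}).get("tls", {}).get("certresolver")
        if ref and ref not in resolvers:
            findings.append(f"entrypoint {ep_name} references undefined resolver {ref!r}")

    for name, resolver in resolvers.items():
        acme = resolver.get("acme", {})
        if acme.get("caserver") == LE_STAGING:
            findings.append(f"resolver {name}: staging CA in use; its certificates are not browser-trusted")
        if not acme.get("email"):
            findings.append(f"resolver {name}: no email set; expiry notices from the CA cannot reach you")
        challenges = [c for c in CHALLENGE_KEYS if c in acme]
        if len(challenges) != 1:
            findings.append(f"resolver {name}: expected exactly one challenge type, found {challenges}")
        if "storage" not in acme:
            findings.append(f"resolver {name}: no storage path; the default ./acme.json is lost when the container restarts")
        elif storage_mode is not None and stat.S_IMODE(storage_mode) != 0o600:
            findings.append(
                f"resolver {name}: {acme['storage']} has mode {oct(stat.S_IMODE(storage_mode))}, "
                "Traefik requires 0600 for the ACME store"
            )
    return findings


if __name__ == "__main__":
    cfg = parse_traefik_args(POSTED_ARGS)
    # 0o100644 is a constructed st_mode for a regular file with mode 644.
    for line in lint_acme_config(cfg, storage_mode=0o100644):
        print("-", line)
```

Run against the posted flags with a 0644 store, the linter reports two findings (staging CA, store mode); with a 0600 store only the staging CA remains, which is the one thing to change (the `caserver` flag) before pointing real clients at it. The same tree, dumped as YAML, is what you would put in a static configuration file if the chart ever exposed one.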
 

alugowski

Dabbler
Joined
May 8, 2019
Messages
32
Not at all. Whatever client you use to get/renew the cert, tell it to use my deploy script after the fact to deploy the cert. Every major ACME client supports this.

Do you mind sharing how you run yours?
 