Auto-generate a certificate and configure Traefik to use SSL locally 🔐

Hello everyone! 👋

After seeing in a previous post how to use Traefik with Docker to have custom domain names, we will now see how to generate a certificate and then configure Traefik to use it. Once this is done we will then be able to access our applications via https.

Creating the configuration files

To easily generate the necessary files, you will need to create these two configuration files.

root.cnf

[ req ]

prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext

[ req_distinguished_name ]

countryName = fr
organizationName = MyLocalDev
commonName = MyLocalDev Root CA

[ x509_ext ]

basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign

server.cnf

[ req ]

prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name

x509_extensions    = x509_ext

[ req_distinguished_name ]

countryName = fr
organizationName = MyLocalDev
commonName = Certificat Applications MyLocalDev

[ x509_ext ]

keyUsage=critical,digitalSignature,keyAgreement

subjectAltName = @alt_names

[ alt_names ]
DNS.1 = traefik.test

A note on organizationName and commonName: these are the values shown in the certificate details when you inspect it in your browser.

The alt_names section defines the list of DNS names the certificate will be valid for; this is the list a browser matches the requested hostname against. For the example we use the DNS name "traefik.test". This is where you add any other domain names you want to include.

Generating the SSL certificate

Once our configuration files are created, we will use the following commands:

# Root CA (self-signed). You will be asked to choose a passphrase for root.key.
# Without -days, `req -x509` issues a certificate valid for only 30 days, which would invalidate the 825-day server certificate after a month.
openssl req -x509 -new -days 3650 -keyout root.key -out root.cer -config root.cnf
# Server key and CSR (-nodes: the key is stored unencrypted so Traefik can read it at start-up)
openssl req -nodes -new -keyout server.key -out server.csr -config server.cnf
# Sign the CSR with the root (prompts for the root passphrase), copying the x509_ext section (SAN) from server.cnf
openssl x509 -days 825 -req -in server.csr -CA root.cer -CAkey root.key -set_serial 123 -out server.cer -extfile server.cnf -extensions x509_ext
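Before trusting anything, it is worth checking that what was generated is what a browser expects: the leaf chains to the root, the SAN lists the hostname, and only the root is marked as a CA. The script below is an added example, not code from the original post: it reproduces root.cnf and server.cnf inline (constructed copies of the files above), runs the same three openssl steps in a scratch directory, and then performs those checks. It deliberately differs from the post's commands in three places (no passphrase on the root key via -nodes, -days on the root, and -CAcreateserial instead of a fixed serial); each difference is explained in the comments.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the root CA and
# the server certificate in a scratch directory, then check the result the
# way a browser will, before trusting anything.
# Assumptions: the openssl CLI is on PATH; root.cnf and server.cnf are the
# files from the post, reproduced inline so the script runs on its own.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/root.cnf" <<'EOF'
[ req ]
prompt             = no
string_mask        = default
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext

[ req_distinguished_name ]
countryName = fr
organizationName = MyLocalDev
commonName = MyLocalDev Root CA

[ x509_ext ]
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF

cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt             = no
string_mask        = default
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext

[ req_distinguished_name ]
countryName = fr
organizationName = MyLocalDev
commonName = Certificat Applications MyLocalDev

[ x509_ext ]
keyUsage=critical,digitalSignature,keyAgreement
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = traefik.test
EOF

# Same three steps as the post, with three deliberate differences:
#  -nodes on the root key: no passphrase, so the script is non-interactive;
#  -days 3650 on the root: `req -x509` otherwise issues a 30-day CA cert,
#     which would invalidate the 825-day leaf after a month;
#  -CAcreateserial instead of -set_serial 123: each run gets a fresh serial
#     (browsers reject a certificate that re-uses an issuer+serial pair).
gen_certs() {
  openssl req -x509 -new -nodes -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" -config "$WORK/root.cnf"
  openssl req -nodes -new \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -config "$WORK/server.cnf"
  openssl x509 -req -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/root.cer" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.cer" -extfile "$WORK/server.cnf" -extensions x509_ext
}

# Succeeds only if (1) the leaf chains to the root, (2) the SAN lists the
# host the browser will ask for (the CN is ignored for host matching) and
# (3) the leaf does not expire within the next 24 hours.
verify_leaf() {
  host="$1"
  openssl verify -CAfile "$WORK/root.cer" "$WORK/server.cer" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/server.cer" -noout -text | grep -qw "DNS:$host" || return 1
  openssl x509 -in "$WORK/server.cer" -noout -checkend 86400 >/dev/null
}

# The root must carry CA:TRUE and the leaf must not: a leaf marked as a CA
# would let whoever holds its key issue further certificates under a root
# you have told your system to trust.
check_ca_bits() {
  openssl x509 -in "$WORK/root.cer" -noout -text | grep -q 'CA:TRUE' || return 1
  ! openssl x509 -in "$WORK/server.cer" -noout -text | grep -q 'CA:TRUE'
}

# Key-generation chatter goes to stderr; a failure still aborts via set -e.
gen_certs >/dev/null 2>&1
verify_leaf traefik.test && check_ca_bits && echo "chain OK for traefik.test"
```

If you prefer the command line to the Keychain Access dialog on macOS, the same trust can be granted with `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root.cer`. Trusting root.cer rather than server.cer also means that a new server certificate for an additional domain, signed by the same root, needs no further trust step.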

From this point on, I will describe the method to follow on macOS.

Once this step is complete, open the folder containing the generated files in the Finder:

  open .

Double-click the file "server.cer". A Keychain Access window will appear; you then need to double-click the entry named after the certificate's commonName ("Certificat Applications MyLocalDev").

Once that is done, expand the small "Trust" section and change the select value to "Always Trust". You will then need to enter your system password to confirm.

Here are some pointers for performing this step on Unix

Updating the docker-compose file

traefik-ssl.toml

defaultEntryPoints = ["https", "http"]

[accessLog]
[traefikLog]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [entryPoints.https.tls.defaultCertificate]
        certFile = "/certs/server.cer"
        keyFile = "/certs/server.key"

[web]
address = ":8080"
[web.auth.basic]
  users = ["admin:$apr1$o1HmXW0i$wWgVewL1kLu9gaqmMDh6u/"]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "test"
watch = true
# true: every container on the traefik network gets a route automatically;
# set to false to expose only containers carrying a traefik.enable=true label
exposedbydefault = true

docker-compose.traefik.yml

version: "3"

services:
  proxy:
    image: traefik:1.7  # traefik-ssl.toml uses the Traefik 1.x configuration format; pin a 1.x image
    networks:
      - traefik
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./traefik-ssl.toml:/traefik.toml"
      - "./certs/:/certs/"
    restart: unless-stopped
    labels:
      - "traefik.frontend.rule=Host:traefik.test"
      - "traefik.frontend.entryPoints=http,https"
      - "traefik.backend=traefik"
      - "traefik.port=8080"

networks:
  traefik:
    external:
      name: traefik

Some clarifications:

  • I assume that the files server.cer and server.key are located in a "certs" folder next to the docker-compose file.
  • Likewise, the traefik-ssl.toml file is expected at the same level as the docker-compose file.

Running Traefik via docker-compose

All that's left is to run this final command:

docker-compose -f docker-compose.traefik.yml up

You can now visit https://traefik.test (the Traefik dashboard, protected by the basic auth configured in traefik-ssl.toml); http://traefik.test redirects to the https entry point.

And that's it! 👏

Author: DEMILY Clément