traefik: [Docker] Cannot forward request to backend
Hello there,
I am having difficulties setting up SSL termination in my current docker-compose.
# Docker compose
```yaml
version: '2'
services:
  node-1:
    container_name: node-1
    # using custom httpd image
    image: httpd
    labels:
      - "traefik.frontend.rule=Host:node1.domain.local"
      - "traefik.frontend.entryPoints=http"
      - "traefik.backend=node-1"
      - "traefik.protocol=http"
      - "traefik.port=8443"
      - "traefik.docker.network=mycompose_web-tier"
    networks:
      - web-tier
    volumes:
      - ./ssl/ca.pem:/usr/local/apache2/conf/server-ca.crt
      - ./ssl/domain.local.pem:/usr/local/apache2/conf/server.crt
      - ./ssl/domain.local.key:/usr/local/apache2/conf/server.key
    environment:
      - EXTERNAL_URL=node1.domain.local
  node-2:
    container_name: node-2
    # using custom httpd image
    image: httpd
    labels:
      - "traefik.frontend.rule=Host:node2.domain.local"
      - "traefik.frontend.entryPoints=https"
      - "traefik.backend=node-2"
      - "traefik.protocol=https"
      - "traefik.port=443"
      - "traefik.docker.network=mycompose_web-tier"
    networks:
      - web-tier
    volumes:
      - ./ssl/ca.pem:/usr/local/apache2/conf/server-ca.crt
      - ./ssl/domain.local.pem:/usr/local/apache2/conf/server.crt
      - ./ssl/domain.local.key:/usr/local/apache2/conf/server.key
    environment:
      - EXTERNAL_URL=node2.domain.local
  node-3:
    container_name: node-3
    # using custom httpd image
    image: httpd
    labels:
      - "traefik.frontend.rule=Host:node3.domain.local"
      - "traefik.frontend.entryPoints=https"
      - "traefik.backend=node-3"
      - "traefik.protocol=https"
      - "traefik.port=443"
      - "traefik.docker.network=mycompose_web-tier"
    networks:
      - web-tier
    volumes:
      - ./ssl/ca.pem:/usr/local/apache2/conf/server-ca.crt
      - ./ssl/domain.local.pem:/usr/local/apache2/conf/server.crt
      - ./ssl/domain.local.key:/usr/local/apache2/conf/server.key
    environment:
      # was node2.domain.local (copy-paste slip); node-3 should advertise its own name
      - EXTERNAL_URL=node3.domain.local
  traefik:
    container_name: traefik
    image: traefik
    command: --web --docker --logLevel=DEBUG
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - web-tier
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf/traefik.toml:/traefik.toml
      - ./ssl/domain.local.pem:/etc/ssl/certs/domain.local.cert
      - ./ssl/domain.local.key:/etc/ssl/certs/domain.local.key
networks:
  web-tier:
    driver: bridge
```
Current toml configuration:
```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/certs/domain.local.cert"
      keyFile = "/etc/ssl/certs/domain.local.key"
```
The SSL certificate only contains a wildcard for `*.domain.local`.
And when requesting https://node1.domain.local:
```
time="2016-07-04T09:12:23Z" level=warning msg="Error forwarding to https://172.18.0.3:443, err: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs"
```
But directly accessing the IP in the browser does work …
Has anyone already got this issue? Any clue on how to fix it?
By the way, wouldn't it be better to use Docker's internal DNS (available since 1.10) for container resolution instead of IPs?
Thanks 😃
About this issue
- State: closed
- Created 8 years ago
- Reactions: 7
- Comments: 15 (4 by maintainers)
Google sent me here, and I may be totally off the mark but for the fellow googlers like me: I had the same issue:
```
Error forwarding to https://172.18.0.3:443, err: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs"
```
with self-signed certificates and an https (nginx) backend (with no auth though). The solution was to set
```toml
InsecureSkipVerify = true
```
in traefik.toml. BTW for the traefik dev team: keep up the good work - you're awesome 👍
Same problem on my side. Finally, is there any solution for production with real valid certificates (not self-signed)? Using `InsecureSkipVerify = true` is not safe. Please see original post here https://github.com/containous/traefik/issues/2770#issuecomment-374926137 Thanks!
@alexsandro-xpt
I solved this kind of use case by using self-signed certificates which are generated automatically when I start my containers (in a pre-script executed as the container entry-point).
In this script I get all the IP addresses of my container (on all the networks) and I add these addresses as IP SANs into my certificate.
The other solution may be to set an alias for your containers in the Traefik network (you can do it in the docker-compose file for example) and add this alias as a DNS SAN in your certificate (as @BastienM proposed). I didn't try it but it can work.
I hope that can help you, otherwise don't hesitate to join us on the Traefik community Slack channel.
So, there is no solution? Using self-signed certs or any other solution…
Well, if there are no solutions, I should leave Traefik and use another reverse proxy.
Just don’t use that in a production environment. There may be troubles ahead if you do so.
Nice @nmengin, but how can I set an alias for my container in my docker-compose? Probably I will set something like www.mydomain.com which is in the DNS SAN of the certificate, but what is the syntax? Any idea @BastienM?
Thank you so much!
I didn't really try to reproduce this use-case since last year, so sadly no, I've got no solution.
The best solution would be using Docker’s internal DNS resolution with a certificate containing SAN names of the containers.
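To make the failure in the original post and the IP-SAN workaround from the thread concrete, here is an added example (not code from the issue or from Traefik) that mimics, in simplified form, the SubjectAltName check a TLS client performs when dialing a backend: a wildcard DNS SAN only ever matches one hostname label and never matches an IP literal, so a proxy that dials `https://172.18.0.3:443` needs an `IP:172.18.0.3` SAN or a DNS name it can dial. The SAN lists and addresses below are constructed samples; `san_extension_value` builds the string you would hand to `openssl req -addext subjectAltName=...` from the container's names and addresses, the way the entry-point script described above would.

```python
import ipaddress

# Constructed SAN lists (not from the issue). The first is the wildcard-only
# certificate from the original post; the second is what the entry-point
# script approach produces once container IPs/aliases are added as SANs.
WILDCARD_ONLY = [("DNS", "*.domain.local")]
WITH_IP_SAN = [("DNS", "*.domain.local"), ("DNS", "node1"), ("IP", "172.18.0.3")]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one label and only
    in the left-most position, so '*.domain.local' does not cover
    'domain.local' or 'a.b.domain.local'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(sans, target: str) -> bool:
    """True if a connection to `target` (hostname or IP literal) would pass
    the SAN check against the list of (kind, value) pairs."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against IP SANs; DNS entries,
        # wildcards included, never match it. This is the "doesn't contain
        # any IP SANs" case from the Traefik log line.
        return any(kind == "IP" and ipaddress.ip_address(v) == ip for kind, v in sans)
    return any(kind == "DNS" and _dns_matches(v, target) for kind, v in sans)


def san_extension_value(dns_names, ips) -> str:
    """Build the subjectAltName value for `openssl req -addext` from the
    container's DNS aliases and the addresses it holds on its networks."""
    parts = [f"DNS:{n}" for n in dns_names]
    parts += [f"IP:{ipaddress.ip_address(a)}" for a in ips]
    return ",".join(parts)


if __name__ == "__main__":
    for sans in (WILDCARD_ONLY, WITH_IP_SAN):
        for target in ("node1.domain.local", "172.18.0.3"):
            print(sans, target, "->", "ok" if san_matches(sans, target) else "x509 error")
    print(san_extension_value(["node1.domain.local", "node1"], ["172.18.0.3"]))
```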