@0xMurage
Last active August 2, 2024 13:52
Issuing TLS Certificates on Traefik Using Let's Encrypt Pebble ACME Test Server

Prerequisites

  • Docker with the Docker Compose plugin

Steps

  1. Download the following files:

    • compose.yaml, a sample production Docker Compose file.
    • compose.override.yaml, which holds the development overrides (Pebble, the test CA certificate mount and the whoami service). More information is available here.
    • .env, a sample environment file. It is named .env so that Docker Compose reads it automatically and interpolates its variables into the Compose files.
  2. Download the Pebble test CA certificate from this link and save it as pebble.minica.pem. Place this file in the same directory as compose.override.yaml, or update the volume mount path in compose.override.yaml accordingly.

  3. Update the .env file:

    • Set ACME_CA_SERVER to https://pebble_acme:14000/dir, the ACME directory URL of the pebble_acme Docker service.
    • Replace example.local with your own domain for WHOAMI_HOST.
  4. Run docker compose up to start the services. Traefik should request and install a certificate for the whoami host automatically.

.env

```dotenv
TRAEFIK_DEBUG_LEVEL=WARN
ACME_CA_SERVER=https://pebble_acme:14000/dir
# contact address registered with the ACME account; replace with your own
ACME_EMAIL=[email protected]
WHOAMI_HOST=whoami.local
```
compose.override.yaml

```yaml
services:
  gateway_proxy:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # CA that signed Pebble's HTTPS listener certificate, so the ACME client
      # can verify the directory endpoint; it is NOT the CA that issues the
      # certificates Pebble hands out (that root is generated on every start)
      - ./pebble.minica.pem:/pebble.minica.pem
    environment:
      # lego (Traefik's ACME client) trusts this bundle when talking to the CA
      LEGO_CA_CERTIFICATES: /pebble.minica.pem
      # hostname the listener certificate is issued for (not "pebble_acme")
      LEGO_CA_SERVER_NAME: pebble
    networks:
      - gateway_proxy
    depends_on:
      pebble_acme:
        condition: service_started
        required: true
  pebble_acme:
    image: ghcr.io/letsencrypt/pebble:latest
    expose:
      - 14000
    environment:
      # skip Pebble's random delay before validating challenges
      PEBBLE_VA_NOSLEEP: 1
      # mark every challenge valid without performing validation at all;
      # test-only, since no control over the domain is ever proven
      PEBBLE_VA_ALWAYS_VALID: 1
    networks:
      - gateway_proxy
  whoami:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      # plain-HTTP router whose only job is to redirect to HTTPS; Traefik v3
      # matcher names are case-sensitive, so the rule must read Host(...)
      - traefik.http.routers.whoami.rule=Host(`${WHOAMI_HOST?err}`)
      # pin it to port 80 so it cannot shadow the TLS router on port 443
      - traefik.http.routers.whoami.entrypoints=webinsecure
      - traefik.http.routers.whoami.middlewares=whoami-https-redirect-middleware
      - traefik.http.middlewares.whoami-https-redirect-middleware.redirectscheme.scheme=https
      - traefik.http.middlewares.whoami-https-redirect-middleware.redirectscheme.permanent=true
      # HTTPS router; its certificate comes from the resolver in compose.yaml
      - traefik.http.routers.whoami-secure.rule=Host(`${WHOAMI_HOST?err}`)
      - traefik.http.routers.whoami-secure.entrypoints=websecure
      - traefik.http.routers.whoami-secure.tls=true
      - traefik.http.routers.whoami-secure.tls.certresolver=http-challenge-resolver
    networks:
      - gateway_proxy
```
compose.yaml

```yaml
name: gateway
services:
  gateway_proxy:
    image: traefik:v3.1.0
    volumes:
      # needed by the Docker provider; ":ro" only protects the socket node,
      # the process can still drive the full Docker API through it
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "443:443"
      - "80:80"
    networks:
      - gateway_proxy
    command:
      # entry points
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.websecure.address=:443
      # providers
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # TLS cert resolvers: example resolver for staging and dev environments.
      # No acme.storage is set, so certificates live in acme.json inside the
      # container and are requested again whenever it is recreated.
      - --certificatesresolvers.http-challenge-resolver.acme.httpchallenge=true
      - --certificatesresolvers.http-challenge-resolver.acme.httpchallenge.entrypoint=webinsecure
      - --certificatesresolvers.http-challenge-resolver.acme.caserver=${ACME_CA_SERVER?Err}
      - --certificatesresolvers.http-challenge-resolver.acme.email=${ACME_EMAIL?Err}
      # miscellaneous
      - --log.level=${TRAEFIK_DEBUG_LEVEL:-WARN}
networks:
  gateway_proxy:
    driver: bridge
    name: gateway_proxy
```
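A post-deployment check for step 4, added here as an example and not part of the gist: it pulls the certificate Traefik serves for the whoami host and confirms it was issued by Pebble's throwaway CA rather than a real one. It assumes the stack is running on the local machine, that WHOAMI_HOST resolves to 127.0.0.1 (for example via /etc/hosts), and that openssl is installed; host name and port are parameters.

```shell
#!/bin/sh
# Added example; assumes the gist's compose stack is up on 127.0.0.1.

# Print the leaf certificate (PEM) Traefik presents for a given SNI name.
fetch_leaf_cert() {
  host="$1"; port="${2:-443}"
  # -servername is required: without SNI Traefik answers with its own
  # self-signed default certificate instead of the whoami-secure one.
  openssl s_client -connect "127.0.0.1:${port}" -servername "$host" \
    </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# Return 0 when an "issuer=" line (openssl x509 -issuer output) names a Pebble CA.
# Pebble generates a fresh "Pebble Root CA <hex>" / "Pebble Intermediate CA <hex>"
# pair on every start, so nothing outside the stack trusts what it issues.
issuer_is_pebble() {
  case "$1" in
    *"Pebble Intermediate CA"*|*"Pebble Root CA"*) return 0 ;;
    *) return 1 ;;
  esac
}

# End-to-end check: fetch the cert, show subject, validity and issuer, and
# exit non-zero if the issuer is not the Pebble test CA.
verify_whoami_cert() {
  host="$1"; port="${2:-443}"
  cert="$(fetch_leaf_cert "$host" "$port")"
  if [ -z "$cert" ]; then
    echo "no certificate presented for $host" >&2
    return 2
  fi
  printf '%s\n' "$cert" | openssl x509 -noout -subject -dates
  issuer="$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)"
  echo "$issuer"
  if issuer_is_pebble "$issuer"; then
    echo "OK: issued by the Pebble test CA (browsers will not trust it; expected)"
  else
    echo "WARNING: not a Pebble certificate; check ACME_CA_SERVER and Traefik logs" >&2
    return 1
  fi
}

# Usage: ./check_pebble_cert.sh whoami.local [port]
if [ -n "${1:-}" ]; then
  verify_whoami_cert "$1" "${2:-443}"
fi
```

Because pebble.minica.pem only vouches for Pebble's ACME endpoint, the served certificate cannot be verified with -CAfile against it; the issuer name is the practical indicator that the resolver talked to Pebble.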