[Bug]: Unable to use custom SSL certificates from letsencrypt
Error Message and Logs
Followed all the guides. Changed the certs in /data/coolify/ssl and even tried /data/proxy/certs/, not sure which documentation is accurate.
Pasted in the cert in the GUI too.
Restarted proxy.
SSL cert still says "TRAEFIK DEFAULT CERT".
Nothing works.
Can anyone provide up-to-date, accurate documentation on how I can get foobar.example.com to resolve to an internal Tailscale IP using HTTPS?
The Cloudflare DNS CNAME is already pointing to the Tailscale hostname.
Steps to Reproduce
- Install custom SSL certs
- Restart proxy
- ???
Example Repository URL
No response
Coolify Version
v4.0.0-beta.418
Are you using Coolify Cloud?
No (self-hosted)
Operating System and Version (self-hosted)
Ubuntu 22.04
Additional Information
No response
@Zyles if you want Traefik to use your custom certificate, can you paste here what you used in your dynamic file to load the certificate?
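For the dynamic file the maintainer asks about, here is an added example (not from this thread and not Coolify's own file) of a Traefik v3 file-provider fragment that loads a custom certificate. It assumes the PEM files are placed under /data/coolify/proxy/certs/ on the host, which the '/data/coolify/proxy/:/traefik' volume used in this thread exposes as /traefik/certs/ inside the container, and that the fragment is saved into the watched /traefik/dynamic/ directory; the file names are placeholders.

```yaml
# Host path: /data/coolify/proxy/dynamic/custom-certs.yaml
# Seen by Traefik as /traefik/dynamic/custom-certs.yaml through the
# '/data/coolify/proxy/:/traefik' volume, so the file provider picks it up
# (providers.file.directory=/traefik/dynamic/ with watch=true).
# Added example; the /traefik/certs/ location and file names are assumptions.
tls:
  certificates:
    # Traefik serves the certificate whose SANs match the SNI of the request.
    # A router that still carries tls.certresolver=letsencrypt will ask ACME
    # for its own certificate instead; leave that label off routers that
    # should use this file.
    - certFile: /traefik/certs/internal.example.com.fullchain.pem
      keyFile: /traefik/certs/internal.example.com.privkey.pem
  stores:
    default:
      # Served when no loaded certificate matches the SNI; this is what
      # replaces the built-in "TRAEFIK DEFAULT CERT".
      defaultCertificate:
        certFile: /traefik/certs/internal.example.com.fullchain.pem
        keyFile: /traefik/certs/internal.example.com.privkey.pem
```

To check what is actually served, run `openssl s_client -connect internal.example.com:443 -servername internal.example.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`; if the subject is still TRAEFIK DEFAULT CERT, the file was not loaded and the coolify-proxy container log will show the file-provider error. This check is only meaningful on 443, since port 8000 is answered by Coolify directly and not by Traefik.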
I am not using dynamic, I am using the configuration:
networks:
  coolify:
    external: true
  jokc0g04cgc0ccww8gs0osog:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    environment:
      - CF_DNS_API_TOKEN=<token>
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
      - jokc0g04cgc0ccww8gs0osog
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
      - '8080:8080'
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy/:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=250'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=250'
      - '--entrypoints.https.http3'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      # use dnschallenge instead of httpchallenge
      # - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
      # - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      - '--api.insecure=false'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik.tls.domains[0].main=example.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
      - traefik.http.routers.traefik.tls.domains[1].main=internal.example.com
      - traefik.http.routers.traefik.tls.domains[1].sans=*.internal.example.com
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - coolify.managed=true
      - coolify.proxy=true
Multiple issues:
- We get a letsencrypt SSL for example.com and *.example.com but not for internal.example.com. It "Can't find the zone", which is a CNAME in Cloudflare.
- HTTPS is not working for Coolify itself:
  http://internal.example.com:8000 -> Coolify login page
  https://internal.example.com:8000 -> "Secure Connection Failed"
  Coolify URL on the Servers option is set to https://internal.example.com:8000
- Then for our containers the resolve is not working either:
  https://container-name.example.com -> "no available server"
- The "Domains" field in the container is configured to https://container-name.example.com:3300
Is the 2nd-level subdomain using the Cloudflare DNS proxy? If so, you need to pay Cloudflare a monthly fee to use this feature.
Also double-check what perms the API key has for zone/zone/read and zone/dns/edit, and check the scopes; you would need to add both example.com and internal.example.com.
Traefik only handles traffic on ports 80 and 443, so going to port 8000 bypasses Traefik and goes directly to the container, so this will always be HTTP only unless the container itself has a valid certificate and is configured to accept TLS connections.
For the last part, was the domain changed after the container was built? If so, you need to rebuild it in order for it to be picked up by Traefik.
No, the Cloudflare proxy button is turned off. It is just a CNAME record pointing to the Tailscale internal machine that runs Coolify.
And everything has been restarted and rebuilt hundreds of times.
Well, the "can't find zone" error is CF API key related.
For your last container, is it binding to 0.0.0.0 to allow external connections? Is it failing a healthcheck?
I'd need to see logs to see what the issue is.
We are going to close this issue for now, as OP hasn't responded anymore and made this issue stale. If anyone else is facing the same problem, we can re-open it again.