automatically discover any services on the Docker host and let Træfik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
use Træfik as a layer-7 load balancer with SSL termination for a set of micro-services used to run a web application.
Docker containers can only communicate with each other over TCP when they share at least one network.
Under the hood, Docker creates iptables rules so that containers cannot reach other containers unless you want them to.
Træfik can listen to Docker events and reconfigure its own internal configuration when containers are created (or shut down).
Enable the Docker provider and listen for container events on the Docker unix socket we've mounted earlier.
Enable automatic request and configuration of SSL certificates using Let's Encrypt.
These certificates will be stored in the acme.json file, which you can back up yourself and store off-premises.
there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.
Thanks to Docker labels, we can tell Træfik how to create its internal routing configuration.
container labels and service labels
With the traefik.enable label, we tell Træfik to include this container in its internal configuration.
tell Træfik to use the web network to route HTTP traffic to this container.
Service labels allow managing many routes for the same container.
When both container labels and service labels are defined, container labels are used only as default values for missing service labels; no frontend or backend is defined from the container labels alone.
In the example, two service names are defined: basic and admin.
They allow creating two frontends and two backends.
Always specify the correct port on which the container expects HTTP traffic using the traefik.port label.
all containers that are placed in the same network as Træfik will automatically be reachable from the outside world
With the traefik.frontend.auth.basic label, it's possible for Træfik to provide an HTTP basic-auth challenge for the endpoints you provide the label for.
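The pieces above (Docker provider on the mounted socket, Let's Encrypt storage in acme.json, a shared web network, container labels as defaults plus two service labels named basic and admin, traefik.port and basic auth) fit together as a single Compose file. This is an added example, not the original article's file: it assumes Traefik 1.x (the traefik.frontend.* and traefik.<service>.* label syntax used on this page), hostnames under example.com, a hypothetical image called myapp listening on 8080 and 9000, and a placeholder htpasswd hash. The --docker.exposedbydefault=false flag is a hardening choice not stated in the text: it makes the "automatically reachable" behaviour opt-in, so only containers carrying traefik.enable=true are routed.

```yaml
# docker-compose.yml -- added example, not the original article's file.
# Assumes Traefik 1.x, hostnames under example.com, and an application
# image "myapp" (hypothetical) that listens on ports 8080 and 9000.
version: "3"

networks:
  web:
    external: true          # created once with: docker network create web

services:
  traefik:
    image: traefik:1.7
    command:
      - --docker                                    # enable the Docker provider
      - --docker.endpoint=unix:///var/run/docker.sock
      - --docker.watch                              # reconfigure on container events
      - --docker.exposedbydefault=false             # route only labelled containers
      - --entrypoints=Name:http Address::80
      - --entrypoints=Name:https Address::443 TLS
      - --defaultentrypoints=http,https
      - --acme                                      # Let's Encrypt via ACME
      - --acme.email=admin@example.com              # placeholder address
      - --acme.storage=/acme.json
      - --acme.entrypoint=https
      - --acme.httpchallenge
      - --acme.httpchallenge.entrypoint=http
    ports:                      # the only container that publishes ports to the host
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json  # chmod 600 before first start; back this file up
    networks:
      - web

  app:
    image: myapp                # hypothetical application image
    networks:
      - web                     # no published ports: traffic arrives via the web network
    labels:
      - traefik.enable=true
      - traefik.docker.network=web
      # container label: a default inherited by both services below
      - traefik.frontend.entryPoints=http,https
      # service "basic": the public site, served by the app on port 8080
      - traefik.basic.port=8080
      - traefik.basic.frontend.rule=Host:www.example.com
      # service "admin": the admin UI on port 9000, behind HTTP basic auth
      - traefik.admin.port=9000
      - traefik.admin.frontend.rule=Host:admin.example.com
      # placeholder htpasswd entry; "$" is doubled because Compose interpolates "$"
      - traefik.admin.frontend.auth.basic=admin:$$apr1$$REPLACE$$WITH-HTPASSWD-HASH
```

Because the two service names each carry their own port and frontend rule, Traefik builds two frontends and two backends for the one app container; the container-level entryPoints label only fills in what the service labels leave unspecified. The app service deliberately has no ports: section, matching the point that only Traefik is published to the host.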
The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention.
First, the agent proves to the CA that the web server controls a domain.
Then, the agent can request, renew, and revoke certificates for that domain.
The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains.
The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges
different ways that the agent can prove control of the domain
Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is simple—just send certificate management messages and sign them with the authorized key pair.
A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames.
We also have a Duplicate Certificate limit of 5 certificates per week.
a Renewal Exemption to the Certificates per Registered Domain limit.
The Duplicate Certificate limit and the Renewal Exemption ignore the public key and extensions requested.
You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.
Revoking certificates does not reset rate limits
If you’ve hit a rate limit, we don’t have a way to temporarily reset it.
get a list of certificates issued for your registered domain by searching on crt.sh
If you have a large number of pending authorization objects and are getting a rate limiting error, you can trigger a validation attempt for those authorization objects by submitting a JWS-signed POST to one of its challenges, as described in the ACME spec.
If you do not have logs containing the relevant authorization URLs, you need to wait for the rate limit to expire.
having a large number of pending authorizations is generally the result of a buggy client