How To Obtain An A Grade Lets Encrypt Certificate With Traefik

01 Jan 2021 - sj, tags: insights

Nowadays a secure https connection is a must. I show you in this article how to obtain an A-grade https certificate with the traefik edge router for your archive. And the best part? Traefik automatically renews the certificate before it expires!

To spare you from typing too much, the configuration files are available in the piler-examples github repo.

Setup traefik

wget https://github.com/traefik/traefik/releases/download/v2.3.6/traefik_v2.3.6_linux_amd64.tar.gz
tar zxvf traefik_v2.3.6_linux_amd64.tar.gz
cp traefik /usr/local/bin
setcap cap_net_bind_service+ep /usr/local/bin/traefik

mkdir /usr/local/etc/traefik
cp traefik.yaml /usr/local/etc/traefik
touch /usr/local/etc/traefik/acme.json
chmod 600 /usr/local/etc/traefik/acme.json
chown www-data:www-data /usr/local/etc/traefik/acme.json

cp traefik.service /etc/systemd/system
systemctl daemon-reload
systemctl enable traefik
systemctl start traefik

Be sure to fix your IP-address and domain name in /usr/local/etc/traefik/traefik.yaml

Fix nginx to listen on 127.0.0.1

Set the listen address and port to 127.0.0.1:80 in /etc/piler/piler-nginx.conf

server {
  listen 127.0.0.1:80;
  server_name archive.yourdomain.com;
  ...
}

Fix the log format in /etc/nginx/nginx.conf to get the real IP-addresses:

http {
   ...
   log_format my '$http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
   access_log /var/log/nginx/access.log my;
}

Then restart nginx

nginx -t
nginx -s reload

Final notes

Traefik obtains you an A-grade https certificate, and automatically renews it before it expires. The traefik config yaml file uses TLS v1.3. If necessary you may lower the minVersion to your needs. Optionally visit https://www.ssllabs.com/ssltest/ to verify it.