How to obtain an A-grade Let’s Encrypt certificate with traefik
Nowadays a secure HTTPS connection is a must. In this article I show you how to obtain an A-grade HTTPS certificate for your archive with the traefik edge router. And the best part? Traefik automatically renews the certificate before it expires!
To spare you from typing too much, the configuration files are available in the piler-examples GitHub repo.
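tar zxvf traefik_v2.3.6_linux_amd64.tar.gz
cp traefik /usr/local/bin
# allow the non-root traefik process to bind ports 80 and 443
setcap cap_net_bind_service+ep /usr/local/bin/traefik
# the config directory must exist before copying files into it
mkdir -p /usr/local/etc/traefik
cp traefik.yaml /usr/local/etc/traefik
# acme.json stores the ACME account and certificate private keys: owner-only access
touch /usr/local/etc/traefik/acme.json
chmod 600 /usr/local/etc/traefik/acme.json
chown www-data:www-data /usr/local/etc/traefik/acme.json
cp traefik.service /etc/systemd/system
systemctl enable traefik
systemctl start traefik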
Be sure to set your own IP address and domain name in /usr/local/etc/traefik/traefik.yaml
Fix nginx to listen on 127.0.0.1
Set the listen address and port to 127.0.0.1:80 in /etc/piler/piler-nginx.conf
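nginx now sees every request arriving from traefik on 127.0.0.1, so fix the log format in /etc/nginx/nginx.conf to log the X-Forwarded-For header and get the real IP addresses: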
log_format my '$http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log my;
Then reload nginx
nginx -s reload
Traefik obtains an A-grade HTTPS certificate for you and automatically renews it before it expires. The traefik YAML config file uses TLS v1.3. If necessary, you may lower the minVersion to suit your needs. Optionally, visit https://www.ssllabs.com/ssltest/ to verify it.
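A local check of the whole setup, as an added example that is not part of the piler-examples repo. The function names are hypothetical, the paths are the ones used above, and the last check assumes you kept minVersion at TLS v1.3.

```shell
#!/bin/sh
# Added example: post-install checks for the traefik + nginx setup above.
# Run as root so `ss -p` can show process names. Usage: sh check.sh DOMAIN
ACME=/usr/local/etc/traefik/acme.json   # paths as used on this page
BIN=/usr/local/bin/traefik

# acme.json stores the ACME account key and the certificate private keys,
# so it must be accessible to its owner only.
has_mode() {                # has_mode FILE OCTAL_MODE  (GNU stat)
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# Reads `ss -ltnp` output on stdin. Succeeds only if nginx is listening and
# every nginx listener is on loopback, i.e. reachable through traefik only.
nginx_loopback_only() {
    awk '/"nginx"/ { n++; if ($4 !~ /^(127\.|\[::1\]:)/) bad++ }
         END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# Succeeds if HOST completes a handshake with the client pinned to one
# protocol version (FLAG is an s_client option such as -tls1_2).
handshake_ok() {            # handshake_ok HOST FLAG
    openssl s_client -connect "$1:443" -servername "$1" "$2" \
        </dev/null >/dev/null 2>&1
}

check() {                   # check EXIT_STATUS DESCRIPTION
    if [ "$1" -eq 0 ]; then echo "ok    $2"; else echo "FAIL  $2"; fail=1; fi
}

run_checks() {              # run_checks DOMAIN
    fail=0
    has_mode "$ACME" 600;                         check $? "acme.json is mode 600"
    getcap "$BIN" | grep -q cap_net_bind_service; check $? "traefik may bind 80/443"
    ss -ltnp | nginx_loopback_only;               check $? "nginx on loopback only"
    handshake_ok "$1" -tls1_3;                    check $? "TLS 1.3 accepted"
    ! handshake_ok "$1" -tls1_2;                  check $? "TLS 1.2 refused"
    return "$fail"
}

if [ "$#" -ge 1 ]; then run_checks "$1"; fi
```

If you lowered minVersion, the "TLS 1.2 refused" line is expected to fail.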