most widely used method for subdomain https on a single server?

[rabelais88]

Hi Bret,

Your lesson from Udemy taught me so much about Docker. Prior to your class, I had hard time understanding the concept of containers and orchestrators but not any more. Setting up a microservice really feels easy now with docker and docker swarm, thanks to you.

Right now, I am trying to migrate my own portfolio site to docker, from direct terminal deploy approach that I have been using.

without further ado, what's the most widely used method to implement https certification for microservice with subdomains on a single server? personally I've tried implementing that via these https certificate automation docker images: nginx+neilpang/acme.sh, nginx+jrcs/letsencrypt-nginx-proxy-companion, traefik but none of them successfully obtained certificates and gave me weird errors that I can't find answers on the internet; plus, all of them required extensive & complicated setting, felt very hackish to me. Obtaining certification for a single domain with docker-swarm was not a challenge. I think I am missing something for setting up subdomains & getting certificates for them.

in short,

I want to set up a reverse proxy on

- https://mysite.com, https://aaa.mysite.com -> frontend
- https://admin.mysite.com -> cms frontend
- https://api.mysite.com -> api backend

all in a single server, with certifications.

I have tried

- jwilder/nginx-proxy+neilpang/acme.sh
- jwilder/nginx-proxy+jrcs/letsencrypt-nginx-proxy-companion
- traefik

and none of them worked.

and I've made sure all of these services running before testing out for certifications, with https://github.com/ufoscout/docker-compose-wait. The server is on vultr, a VPS similar to digital-ocean.

what's the most widely used & best method for setting subdomain https on a single server?

or maybe I should avoid implement all these on a single server and just start using separate server?

[nikathone]

Not sure if you have seen https://github.com/BretFisher/dogvscat/blob/master/stack-proxy.yml and https://github.com/BretFisher/dogvscat/blob/master/stack-voting.yml they might give you some ideas.

[rabelais88]

thank you for your reply @nikathone . but I don't have problem with neither of those. stack-proxy is about getting a ceritificate on a single domain and stack-voting is about deploying via orchestrator without https. I think I've followed Bret's instructions on Udemy quite faithfully and had no problems with whatever he introduced. Getting multiple https certifications on multiple apps on single server is the only thing that I couldn't get explanations from his class. somehow it's quite different from getting a single certification honestly.

[BretFisher]

Like @nikathone says, Traefik is my number one goto for this on Swarm if you're able to use Let's Encrypt. It does indeed get any cert that meets Let's Encrypt requirements in both stacks of http://dogvs.cat (there's a stack-proxy.yml and also a stack-proxy-global.yml that I like better but a bit more going on.

You need to ensure your DNS is pointed to the IP(s) that will have Traefik running. Then uncomment and configure all the ACME values in the proxy yaml, and setup your stacks with all the domain names you need. This ama isn't meant as a technical troubleshooting forum, so if you have issues with dogvscat examples, I'd recommend posting an issue there.

[rabelais88]

Initially I've thought this is a docker-swarm issue. It's actually solved by carefully reading through Traefik documents; the main issue was not about the Docker-swarm. Traefik is difficult to troubleshoot for a beginner, because of some undocumented reactions. Maybe this can be labeled as a Traefik or Router issue.

• Traefik doesn't have error messages when missing .yaml/.toml setting files. it just shows blank logs.
• Traefik https redirection works clunky sometimes
• some settings only work on .deploy.labels of docker-compose, when it should work on .yaml/.toml settings.
• one must check both docker stack ps ${SERVICE_NAME} and docker service logs ${SERVICE_NAME} all time.
• many errors yield just plain 404 response; lacks detailed error messages.

nevertheless, I'd still recommend Traefik, as @BretFisher mentioned. I've found that it's the easiest solution available for any containerized systems. It took me 2 months to realize everything, as I've been tackling the issue while working 9 to 6 simultaneously. and thank you for kindhearted response again, @BretFisher @nikathone.

[BretFisher]

Keeping this open so others can learn :)