Day 10
The Problem:
For today, my task for #100DaysOfHomelab was to generate some self-signed certificates for the services I run. Starting today, I was only running one service that really needed a self-signed certificate: Unifi Controller. In days 1-7 I'd already routed it through my reverse proxy, traefik, but I was getting annoyed with going to check my cool network dashboard and being presented with an insecure connection webpage. So, following this tutorial from The Digital Life and armed with his cheat sheet, I set off to generate some certs.
Following the tutorial was pretty easy and afterwards I had a certs generated and ready to install into traefik. Only problem is, I couldn't really figure out how to install them into traefik. The traefik documentation shows that tls cert configuration goes into the dynamic configuration, but I had Unifi Controller's dynamic configuration in Docker, not in my yaml file. Traefik had no indication (and still does not) that you can specify such a thing in Docker. They make a pretty clear note that using Kubernetes requires special storage of secrets for certificates as well, so that was a pretty strong hint that specifying certs for my docker traefik routers/services wasn't supported.
Confused, I did a bit more diggging around through the documentation before the need for sleep hit and my hour of homelabbing had expired. Day 11 would be where this continued.
Day 11
With more sleep and another hour to spend on my homelab today, I took another crack at getting traefik to let me put my certs in for my docker services.
This time, I decided to take a new angle on this problem. Instead of trying to get it to work with a docker configured router/service, instead I should set up a new router/service in my dynamic yaml configuration and attempt to use it there. I set up a quick router/service that points to my unraid NAS, generated some certs, and put my cert specficiation under the tls category of my router for my config. I opened up portainer to view my traefik logs and was greeted with field not found. Odd, but maybe like a server transport, tls certs sat under the http and not routers? field not found. Well at this point I was a bit confused, so I figured to throw it on the root column of that file. The documentation doesn't mention it needs to live underneath any field, and to the wise or trained eye would then suggest it lives without a heading over it. But, since it lives in the dynamic configuration, I thought some dynamic service needed to own it. Otherwise, why not have it live in the static configuration? But I moved it to the root column and now I'm getting issues with my certificates! Finally, an error about my certs and not my configuration. Clearly I'm doing something better. Knowing I didn't need that new router/service I'd drafted up for testing, I scrapped it and grabbed my old certs from Day 10. I plugged them into my configuration and sure enough my Unifi Controller showed my new certificate. Even though it was configured through Docker!
The easiest part about this was now adding my root CA certificate to my laptop. In MacOS, this is just a double click of your certificate file. Apple knows how to handle the rest of it, unless you wanted to put that certificate in your iCloud. I got an error trying to do that, but it happily accepted me putting that cert into my system-level trusted certificates. A refresh of the page, and Unifi Controller now showed a trusted and self-signed certificate! What progress I've made.
Drunk on my self-signed certificate power, I then added Portainer (a service that would use the same certificate) to my traefik file config (I'm not using docker compose to configure portainer, so adding all the traefik labels in docker would've been a pain). And somehow on the second try (had to set tls:true), portainer was now configured with a trusted self-signed certificate and routed through traefik!