christoph ender's
blog
sunday the 8th of september, 2024
ecdsa with traefik
In the context of the BSI's new requirements for TLS
I've been looking at a way to configure traefik
to use ECDSA certificates. Here's an example with
traefik having two certificate resolvers configured:
le-rsa2048
for RSA 2048-based certificates and
le-ecdsa
for ECDSA certificates.
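# Docker Compose example: Traefik with two ACME certificate resolvers,
# `le-rsa2048` (RSA 2048-bit keys) and `le-ecdsa` (EC P-384 keys).
# Port mappings and flag strings are quoted so YAML never retypes them.
services:
  traefik:
    # Unpinned tag: pin to a specific release (ideally by digest) so that
    # upgrades are deliberate and the deployment is reproducible.
    image: traefik:latest
    ports:
      - "80:80"
      - "0.0.0.0:443:443"
      # Dashboard/API is bound to loopback only; see --api.insecure below.
      - "127.0.0.1:8080:8080"
    volumes:
      # ":ro" applies to the mount; Traefik still gets read access to the
      # Docker API through the socket (all containers, labels, networks).
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds ACME account keys and issued certificates; Traefik expects
      # restrictive permissions (0600) on this file.
      - ./acme.json:/acme.json
      - ./traefik.log:/traefik.log
    command:
      - --api
      # DEBUG is verbose and can include request details; lower it once
      # the setup is confirmed to work.
      - "--log.level=DEBUG"
      - "--accesslog=true"
      # Serves the dashboard without authentication; acceptable here only
      # because port 8080 is published on 127.0.0.1 above.
      - "--api.insecure=true"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.ep1.address=:443"
      - "--entrypoints.ep0.address=:80"
      # Plain HTTP on ep0 is redirected to HTTPS on ep1.
      - "--entrypoints.ep0.http.redirections.entryPoint.to=ep1"
      - "--entrypoints.ep0.http.redirections.entryPoint.scheme=https"
      # Resolver le-ecdsa: EC P-384 keys, HTTP-01 challenge answered on ep0.
      - "--certificatesresolvers.le-ecdsa.acme.email=me@example.org"
      - "--certificatesresolvers.le-ecdsa.acme.storage=/acme.json"
      - "--certificatesresolvers.le-ecdsa.acme.keytype=EC384"
      - "--certificatesresolvers.le-ecdsa.acme.httpchallenge.entrypoint=ep0"
      # Resolver le-rsa2048: RSA 2048-bit keys, same storage file and challenge.
      - "--certificatesresolvers.le-rsa2048.acme.email=me@example.org"
      - "--certificatesresolvers.le-rsa2048.acme.storage=/acme.json"
      - "--certificatesresolvers.le-rsa2048.acme.keytype=RSA2048"
      - "--certificatesresolvers.le-rsa2048.acme.httpchallenge.entrypoint=ep0"
    labels:
      - "traefik.enable=true"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`example.org`)"
      # Only reachable via the HTTPS entrypoint; the certificate comes from
      # the ECDSA resolver, so this router serves an EC P-384 certificate.
      - "traefik.http.routers.whoami.entrypoints=ep1"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=le-ecdsa"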