Traefik: Configure SSL Certificates On Your Domain To Make Your Site Safer.

This is more of a personal note, but someone may find it interesting how to obtain and configure a proper SSL certificate for a domain absolutely for free.

Configure SSL certificate for a domain

To activate HTTPS on a domain we need to obtain an SSL certificate. There are many ways to do that, but we will do it with the console utility certbot, absolutely for free. First of all, install the Certbot tool on the server to which the domain is bound:
sudo apt install certbot
Next, run:
certbot certonly \
--manual  \
--agree-tos \
-m your_email@gmail.com  \
--server https://acme-v02.api.letsencrypt.org/directory  \
--preferred-challenges dns \
-d example.com \
-d *.example.com
The last line of the command, -d *.example.com, is optional: with it, we also request a wildcard certificate that covers all possible subdomains. Certbot then prints a dialog like this:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

At this point, go to your domain provider's dashboard and add a DNS TXT record for the selected domain according to the instructions above.

Pay attention: in the "host" field type "_acme-challenge" only (without the domain name; the provider adds it).

Don't press Enter yet. Open a new terminal window and run

dig -t txt _acme-challenge.example.com
until the command returns the value you set in the DNS record for _acme-challenge.example.com. In my case it was:

;; ANSWER SECTION:
_acme-challenge.example.com. 6824 IN	TXT	"CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw"

Now you can press Enter in the terminal window where the "Press Enter to Continue" message popped up. You will see something like this:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-06-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
As you can see, Certbot has created an SSL certificate that is valid for the next three months. We should periodically run certbot renew to recreate it (just delegate this task to crontab).
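As an added example (this script is mine, not part of the original post), here is the dig check from above turned into a small POSIX shell script that polls the TXT record until it carries the token certbot printed, so you only go back and press Enter once the record is really visible to resolvers. It assumes dig is installed; the default timeout and polling interval are my own choices. The same check is what a --manual-auth-hook script needs, because certbot renew cannot repeat an interactive --manual DNS challenge on its own.

```shell
#!/bin/sh
# Added example, not from the original post: poll DNS until the
# _acme-challenge TXT record carries the token certbot asked for.
# Assumes dig is installed; timeout/interval defaults are arbitrary choices.

# Print every TXT value published for NAME, one per line, without quotes.
# Kept as its own function so it can be replaced by a stub when testing offline.
query_txt() {
  dig +short -t txt "$1" | tr -d '"'
}

# txt_record_matches NAME EXPECTED -> exit 0 if any published value equals
# EXPECTED exactly (-x: whole line, -F: literal string, no regex surprises).
txt_record_matches() {
  query_txt "$1" | grep -qxF -- "$2"
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls until the record matches (exit 0) or TIMEOUT_SECONDS elapse (exit 1).
wait_for_txt() {
  _name="$1"; _expected="$2"; _timeout="${3:-600}"; _interval="${4:-15}"
  _waited=0
  while [ "$_waited" -lt "$_timeout" ]; do
    if txt_record_matches "$_name" "$_expected"; then
      echo "OK: $_name now carries the expected token (after ${_waited}s)"
      return 0
    fi
    sleep "$_interval"
    _waited=$((_waited + _interval))
  done
  echo "Timed out after ${_timeout}s: $_name does not carry the expected token" >&2
  return 1
}

# Usage, with the name and token from the certbot dialog above:
#   wait_for_txt _acme-challenge.example.com CZpNH8wvSyx862dvgLfOSdfd3NpdLUAn8lTZRnZqrXDw
```

Run it in the second terminal instead of repeating dig by hand; when it prints OK, switch back to certbot and press Enter. Note that dig asks your local resolver, so a cached negative answer can delay the match for up to the record's TTL.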

Configuring Traefik with SSL

This blog runs as Docker containers (managed with docker-compose) and Traefik is one of them, so inside the project I created .data/traefik/traefik.toml with
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/cert.crt"
      keyFile = "/key.key"
and in docker-compose.yaml I just added port 443 and a couple of volume mappings:
services:
  traefik:
    image: traefik
    command: --docker
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/letsencrypt/live/example.com/fullchain.pem:/cert.crt
      - /etc/letsencrypt/live/example.com/privkey.pem:/key.key
      - ./.data/traefik/traefik.toml:/traefik.toml
Then I just restarted the Traefik container (with the rebuild option) and that was it.
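Before restarting Traefik it is worth checking that the two files you mount as /cert.crt and /key.key actually belong together, are not about to expire, and cover the hostname Traefik will serve; a mismatched pair makes Traefik refuse the TLS configuration, and an expired leaf gives every visitor a browser error. The following script is an added example written for this note (not from the original post or from Traefik); it assumes the openssl command-line tool is installed and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# certificate and key files before they are mounted into Traefik as
# /cert.crt and /key.key. Assumes the openssl CLI is installed.

# cert_key_match CERT KEY -> exit 0 when KEY is the private half of the
# public key inside CERT (compares the SubjectPublicKeyInfo PEM of both;
# with a fullchain.pem the first certificate, the leaf, is the one read).
cert_key_match() {
  _cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  _key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$_cert_pub" = "$_key_pub" ]
}

# cert_valid_for_days CERT DAYS -> exit 0 when CERT does not expire within
# DAYS days (handy in the crontab job deciding whether to run certbot renew).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_covers_name CERT NAME -> exit 0 when NAME is listed in the certificate's
# subjectAltName, either literally or via a single-label wildcard such as
# *.example.com (which covers blog.example.com but not a.b.example.com).
cert_covers_name() {
  _name="$2"
  _parent="${_name#*.}"
  while IFS= read -r _san; do
    [ "$_san" = "$_name" ] && return 0
    [ "$_parent" != "$_name" ] && [ "$_san" = "*.$_parent" ] && return 0
  done <<EOF
$(openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
EOF
  return 1
}

# Usage with the paths from the docker-compose file above:
#   cert_key_match /etc/letsencrypt/live/example.com/fullchain.pem \
#                  /etc/letsencrypt/live/example.com/privkey.pem &&
#   cert_valid_for_days /etc/letsencrypt/live/example.com/fullchain.pem 30 &&
#   cert_covers_name /etc/letsencrypt/live/example.com/fullchain.pem blog.example.com
```

Each function exits non-zero on failure, so the chained usage above works as a guard in front of the docker-compose restart. The wildcard rule in cert_covers_name follows the single-label matching browsers apply, which is why a certificate for *.example.com does not cover a.b.example.com.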