traefik permissions 777 for acme.json are too open, please use 600
Yes, I get this when I try to run traefik with https. Problem is I mount the dir on my Win7 machine but I can't chmod the file.

The mount is working but file permissions are off.

looks like this:

volumes:
  - d:/docker/traefikcompose/acme/acme.json:/etc/traefik/acme/acme.json:rw

traefik | time="2018-09-04T12:57:11Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 777 for /etc/traefik/acme/acme.json are too open, please use 600"

If I remove the acme.json file I get this:

ERROR: for traefik Cannot start service traefik: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"/d/docker/traefikcompose/acme/acme.json\\\" to rootfs \\\"/mnt/sda1/var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b4cafd4a7251\\\" at \\\"/mnt/sda1/var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b4cafd4a7251/etc/traefik/acme/acme.json\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'

Hadrian answered 4/9, 2018 at 13:5

It's better if you create an acme.json within the server itself, rather than creating it on a mounted file system. I also had similar issues, and I resolved this by creating it inside the server. (Medan)

Ok, how did you do it? (Hadrian)

You can ssh into the machine where you have installed docker, right? Just create a file acme.json in the directory where your docker-compose.yml file is located. (Medan)

Ok, I ssh into the machine, made a dir, mounted it to VirtualBox, ssh and touch acme.json, but I can't chmod it to 600. (Hadrian)

So, as far as I understand, what you've done is: you have a folder on the Windows host, you have mounted it to VirtualBox via a shared folder, and then from the guest machine (the machine with docker installed) you created acme.json inside that mounted directory, right? Sometimes VirtualBox behaves weirdly. Instead, give the location of acme.json as something like ~/acme.json or somewhere inside the VM but not on the shared mount. Try it once. (Medan)

I'm with you, I ssh into default (docker@default) and "touch acme.json" there. I change the chmod and it WORKS. But how should I get it to the docker container now? If I move it to a mounted dir the permissions get changed by Windows :( (Hadrian)

I don't quite understand "how should I get it to the docker container now?" acme.json is not supposed to be in the docker container. It is supposed to be on the host side. traefik will use it for SSL management. And beware, it might not work in your local system, as it cannot complete the challenge. (Medan)

I should have typed: how do I reach it from my docker-compose file. Yeah, if I put it on the Windows machine the permissions get changed. (Hadrian)
I did finally find the solution thanks to Cooshal's kind help.

we have to ssh into the virtualbox-machine and make the file there, and then point it out right from the docker-compose.yml, in this case I did like this:

docker-machine ssh default
touch /var/acme.json
chmod 600 /var/acme.json

Then in my docker-compose:

volumes:
 - /var/:/var/acme.json

Finally in traefik.toml:

[acme]
  storage = "acme.json"
Hadrian answered 26/9, 2018 at 18:32

Yes, but every time you recreate the docker, you must run chmod 600 acme.json. Is there a better way to achieve it automatically? Dockerfile? (Phosgene)

I'm using traefik2 now, and in my compose I have volume = traefik2:/traefik2 and in the traefik configuration I use storage = "/traefik2/acme.json". (Hadrian)

You actually don't need to ssh into your docker container. You can just create acme.json and change chmod to 600. Read the official docs, search for 600 (CTRL+F). (Linlithgow)

That requires you to run docker on Linux; in Windows you can't chmod 600 the acme.json. (Hadrian)

If you use the volumes section from the selected answer, '- /var/:/var/acme.json', you end up with /var from the host being exposed as /var/acme.json/ in the container. So your acme.json will sit in /var/acme.json/acme.json. I don't even get how that configuration can reference the acme.json in /var. (Conversational)
In addition to the above answer, to automate the creation of the acme.json file and assign the required permissions, create a Dockerfile and call it in your docker-compose.yml:

FROM traefik:2.2

RUN touch /acme.json \
  && chmod 600 /acme.json
Extramural answered 5/4, 2020 at 12:36

Does not work for me on Linux; it seems that the mount comes after the script execution. In volumes I have - "./acme:/acme" and the external directory shadows the files in that location. (Conversational)
I solved this problem with a named docker volume:

docker-compose.yml (only showing the relevant parts of the file)

services:
  traefik:
    environment:
    - TRAEFIK_CERTIFICATESRESOLVERS_LE_ACME_STORAGE=/acme/acme.json
    volumes:
      - acme:/acme
volumes:
  acme:
Sentimentalize answered 8/1, 2022 at 22:56

Easiest solution. Any downsides to this compared to the other methods saying to create the acme.json file in the Dockerfile and setting the permissions then? (Biddy)

@JohnMc I do not know any downside of this approach. The file will automatically get the correct permissions. Benefit: no need to run extra commands or modify the docker image. (Sentimentalize)
I have the same problem as you, wanted to have the acme.json file outside the container/volume, that is, on the host FS. This way I wanted to make backups easy since my tests would exceed the let's encrypt / ACME quota quite fast at times.

Docker Windows

Turns out on Docker Windows you get this permission inside the traefik container:

-rwxrwxrwx    1 root     root           0 Dec 22 15:21 acme.json

and on Linux:

Docker Linux (ubuntu 22.04)

If the traefik creates the file on the host side using something like:

docker run -v ./acme:/acme ... traefik

On Linux docker the container side looks different:

-rw-------    1 root     root       15.7K Dec 22 15:14 acme.json

But on the host I also have this:

-rw-------    1 root     root       15.7K Dec 22 15:14 acme.json

Which means that my normal user can't see/backup or modify that file.

I think there is currently no sufficient support in maintaining this file on the host FS side.

Recommendation

Store this file inside a docker volume and access it using 'docker cp':

Backup:

docker container cp traefik:/acme/acme.json .

Restore:

docker container cp acme.json traefik:/acme/
docker exec -it traefik chmod 0700 /acme/acme.json
docker container restart traefik

Conversational answered 22/12, 2022 at 15:38
This can be solved using a Dockerfile / entrypoint.sh and works like this:

Dockerfile

FROM traefik:v2.9.4

COPY entrypoint.sh /
ENTRYPOINT [ "/entrypoint.sh" ]
CMD ["traefik"]

entrypoint.sh

#! /bin/sh
set -e

echo "Setting acme.json permissions 0600"
touch /works
touch /acme/acme.json
chmod 600 /acme/acme.json
chown root:root /acme
chown root:root /acme/acme.json

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
    set -- traefik "$@"
fi

# if our command is a valid Traefik subcommand, let's invoke it through Traefik instead
# (this allows for "docker run traefik version", etc)
if traefik "$1" --help >/dev/null 2>&1
then
    set -- traefik "$@"
else
    echo "= '$1' is not a Traefik command: assuming shell execution." 1>&2
fi

exec "$@"

In the docker-compose.yaml I had:

traefik:
  #image: traefik:v2.9.4
  build: traefik/

So a docker compose build && docker compose up -d updated the file permissions according to the script in entrypoint.sh.

Note: It is important to do the updates of the /acme/acme.json file from entrypoint.sh, as the volumes are already mounted by then. This is not the case when only using a Dockerfile.

Note: I'm using docker compose, but docker will also support this, with a different syntax on the commands.

Summary

I think this is also too much maintenance burden. In the docker community we should come up with a volume system which can set owners/modes on directories for the container and leave the files on the host with whatever owner/mode they have.

volumes:
  - "file:acme.json:/acme.json:root:root:0600"

Also, if that file does not exist on the host, just create it. Linux docker does create it on the host, while Docker Windows would fail to start the docker compose up -d command.

Conversational answered 22/12, 2022 at 16:3
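The entrypoint.sh answer above and the earlier "you must run chmod 600 every time" comment both come down to one operation: make sure acme.json exists, is owner-only, and that the filesystem actually honoured the chmod (on a VirtualBox shared folder or Docker Windows bind mount the mode silently stays 777, which is exactly what produces the "too open" error). The following is an added example, not code from traefik or from any answer on this page; the function names, the fallback to BSD stat, and the 0600 check are my own, and it assumes a POSIX shell with stat available.

```shell
#!/bin/sh
# Added example: create a private acme.json and verify the mode really applied.
# Assumes a Linux/BSD host or container; stat flags differ between GNU and BSD.
set -eu

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 (true) when the octal mode has any group/other bits set, i.e. the
# file would be rejected with "permissions ... are too open, please use 600".
# Modes from file_mode have no leading zeros ("600", "777", "0" for 000).
mode_too_open() {
    case "$1" in
        *00|0) return 1 ;;   # group and other bits are clear
        *)     return 0 ;;   # something is readable/writable by group or other
    esac
}

# Create the file if missing, restrict it to the owner, then confirm that the
# filesystem honoured the chmod. A mount that ignores Unix modes (Windows shared
# folder, some SMB/9p mounts) makes this return 1 instead of failing later in
# traefik at startup.
ensure_private_file() {
    f=$1
    if [ ! -f "$f" ]; then
        # umask 077 so the file is never group/world-readable, even briefly
        (umask 077 && : > "$f")
    fi
    chmod 600 "$f"
    m=$(file_mode "$f")
    if mode_too_open "$m"; then
        echo "permissions $m for $f are too open; this filesystem does not honour chmod" >&2
        return 1
    fi
    return 0
}

# Usage (e.g. from an entrypoint, after volumes are mounted):
#   ./ensure_acme.sh /acme/acme.json
if [ "$#" -gt 0 ]; then
    ensure_private_file "$1"
fi
```

Calling this from an entrypoint before `exec traefik` keeps the check where the mount is already present, which is the point the Dockerfile-only answer missed; the non-zero exit turns a silent 777 into an immediate, readable failure instead of a traefik error several lines into the log.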
This just solved it for me:

  1. Have WSL2 installed in Windows 10
  2. Use PowerShell and navigate to the directory where your acme.json file is
  3. Type wsl, this will open the same location but now from WSL2
  4. Type chmod 600 acme.json
  5. Done!
Revenuer answered 25/2, 2021 at 21:55

Good for you, but WSL2 is not available on Windows 7. (Hadrian)