Skip to content

EPMRPP-111176 || Setup TLS / HTTPS Docker Compose + Traefik v2 #1056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maria-hambardzumian merged 2 commits into from
Jan 15, 2026
Merged

EPMRPP-111176 || Setup TLS / HTTPS Docker Compose + Traefik v2 #1056

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3b11e68
EPMRPP-111176 || Setup TLS / HTTPS Docker Compose + Traefik v2
Jan 13, 2026
b55a3d7
EPMRPP-111176 || Setup TLS / HTTPS Docker Compose + Traefik v2
Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
248 changes: 248 additions & 0 deletions docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,248 @@
---
sidebar_position: 10
sidebar_label: Setup TLS / HTTPS Docker Compose + Traefik v2
description: Practical guide to setting up TLS/HTTPS in our test results dashboard
---

# Setup TLS / HTTPS Docker Compose + Traefik v2

This guide documents how to enable HTTPS for a ReportPortal Docker Compose deployment using **Traefik v2** as the reverse proxy. It covers both **self-signed certificates** (for local or internal testing) and **Let’s Encrypt certificates** (for publicly trusted TLS).

## 1. Supported TLS Scenarios

| **Certificate Type** | **Environment** | **Public Internet Required** |
| ----------- | ----- | ------------ |
| Self-signed (OpenSSL) | Localhost / Internal VPC | No |
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix hard tab character in table.

Line 14 contains a hard tab character that may cause rendering issues. Replace with spaces.

Proposed fix 
-| Self-signed (OpenSSL) | Localhost / Internal VPC	 | No |
+| Self-signed (OpenSSL) | Localhost / Internal VPC | No |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| Self-signed (OpenSSL) | Localhost / Internal VPC | No |
| Self-signed (OpenSSL) | Localhost / Internal VPC | No |
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

14-14: Hard tabs
Column: 51

(MD010, no-hard-tabs)

🤖 Prompt for AI Agents 
In @docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md at
line 14, The table row string "| Self-signed (OpenSSL) | Localhost / Internal
VPC\t | No |" contains a hard tab character; edit the line containing that exact
table row and replace the tab ("\t") between "Internal VPC" and "|" with
appropriate spaces (e.g., one space or align with other table columns) so the
Markdown table uses spaces only and renders consistently.

| Let’s Encrypt (HTTP-01) | Public EC2 + Route 53 | Yes |
| Let’s Encrypt (DNS-01) | Private VPC | No |

:::important
Let’s Encrypt HTTP-01 validation requires **public internet reachability**.<br />
Deployments in private subnets without an Internet Gateway **must use DNS-01** instead.
:::

## 2. Test Environment (Reference)

**AWS Infrastructure (HTTP-01 scenario)**

| **Component** | **Specification** |
| ----------- |----------------------------------|
| EC2 | t3.medium (2 vCPU, 4 GB RAM) /
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add missing trailing pipe in table row.

Line 29 is missing the trailing pipe character, which creates inconsistent table formatting.

Proposed fix 
-| EC2 | t3.medium (2 vCPU, 4 GB RAM) /   
+| EC2 | t3.medium (2 vCPU, 4 GB RAM) |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| EC2 | t3.medium (2 vCPU, 4 GB RAM) /
| EC2 | t3.medium (2 vCPU, 4 GB RAM) |
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

29-29: Table pipe style
Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe

(MD055, table-pipe-style)

🤖 Prompt for AI Agents 
In @docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md at
line 29, The table row "EC2 | t3.medium (2 vCPU, 4 GB RAM) /" is missing its
trailing pipe which breaks Markdown table formatting; update that row (the line
containing "EC2 | t3.medium (2 vCPU, 4 GB RAM) /") by appending a trailing pipe
character ("|") so the row reads "EC2 | t3.medium (2 vCPU, 4 GB RAM) / |".

| OS | Ubuntu 24.04 / Amazon Linux 2023 |
| Subnet | Public subnet with IGW |
| DNS | Route 53 public hosted zone |
| Domain | <a>tls-docker.example.com</a> |
Copy link

@coderabbitai coderabbitai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Replace incorrect <a> tag with backticks.

The HTML anchor tag without an href attribute is invalid and may render incorrectly. Use backticks for domain names in Markdown tables.

Proposed fix 
-| Domain | <a>tls-docker.example.com</a>    |
+| Domain | `tls-docker.example.com`    |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| Domain | <a>tls-docker.example.com</a> |
| Domain | `tls-docker.example.com` |
🤖 Prompt for AI Agents 
In `@docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md` at
line 34, Replace the invalid HTML anchor tag used in the Markdown table cell
(the string "<a>tls-docker.example.com</a>") with Markdown inline code/backticks
so the domain renders correctly; update the table row to use
`tls-docker.example.com` in the Domain column instead of the <a>...</a> tag.


Using a public subnet removes ambiguity during troubleshooting.

**Required Security Group Rules**

| **Type** | **Port** | **Source** | **Purpose** |
| ----------- | ----- | ------------ | ----- |
| HTTP | 80 | 0.0.0.0/0 | ACME HTTP-01 |
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix hard tab character in table.

Line 41 contains a hard tab character that may cause rendering issues. Replace with spaces.

Proposed fix 
-| HTTP | 80	| 0.0.0.0/0 | ACME HTTP-01 |
+| HTTP | 80 | 0.0.0.0/0 | ACME HTTP-01 |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| HTTP | 80 | 0.0.0.0/0 | ACME HTTP-01 |
| HTTP | 80 | 0.0.0.0/0 | ACME HTTP-01 |
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

41-41: Hard tabs
Column: 12

(MD010, no-hard-tabs)

🤖 Prompt for AI Agents 
In @docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md at
line 41, Replace the hard tab character in the table row that currently reads "|
HTTP | 80\t| 0.0.0.0/0 | ACME HTTP-01 |" with spaces so the column separator is
" | 80 | " (e.g., use a single space on each side of the pipe); update the
string in the Markdown table to remove the \t and ensure consistent spacing for
proper rendering.

| HTTPS | 443 | 0.0.0.0/0 | HTTPS access |
| TCP | 8081 | Your IP | Traefik dashboard |
| SSH | 22 | Your IP | Management |

## 3. Scenario 1 — Self-Signed Certificates (OpenSSL)

### 3.1 Generate Certificates

```
mkdir -p certs

openssl genrsa -out certs/reportportal.key 2048

openssl req -new -x509 \
-key certs/reportportal.key \
-out certs/reportportal.crt \
-days 365 \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
```

### 3.2 Traefik File Provider (TLS)

Create ```certs/tls.yml```:
Copy link

@coderabbitai coderabbitai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Use single backticks for inline code.

Triple backticks (```) are for code blocks. For inline code like filenames, use single backticks.

Proposed fix 
-Create ```certs/tls.yml```:
+Create `certs/tls.yml`:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Create ```certs/tls.yml```:
Create `certs/tls.yml`:
🤖 Prompt for AI Agents 
In `@docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md` at
line 66, The markdown line currently uses triple backticks for an inline
filename ("Create ```certs/tls.yml```:"); change that to use single backticks
for inline code so it reads "Create `certs/tls.yml`:" in the
SetupTLSHTTPSDockerComposeTraefikV2.md content, replacing the triple-backtick
instance with a single-backtick inline code span for the filename.


```
tls:
certificates:
- certFile: /certs/reportportal.crt
keyFile: /certs/reportportal.key
```

### 3.3 Validation — Self-Signed TLS

**Verify key matches certificate**

```
openssl x509 -noout -modulus -in certs/reportportal.crt | openssl md5
openssl rsa -noout -modulus -in certs/reportportal.key | openssl md5
```

**Trust validation**

```
curl -v --cacert certs/reportportal.crt https://localhost
```

**Fingerprint comparison**

```
oopenssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Fix typo: "oopenssl" → "openssl".

Line 92 contains a critical typo that will cause the command to fail.

🐛 Proposed fix 
-oopenssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256
+openssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
oopenssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256
openssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256
🤖 Prompt for AI Agents 
In @docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md at
line 92, Fix the typo in the TLS/HTTPS setup command: replace the incorrect
token "oopenssl" with "openssl" in the command string shown (the line starting
with "oopenssl x509 -in certs/reportportal.crt -noout -fingerprint -sha256") so
the command reads "openssl x509 -in certs/reportportal.crt -noout -fingerprint
-sha256" and will execute correctly.


openssl s_client -connect localhost:443 </dev/null 2>/dev/null \
| openssl x509 -noout -fingerprint -sha256
```

**Subject and validity**

```
openssl s_client -connect localhost:443 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
```

## 4. Scenario 2 — Let’s Encrypt (HTTP-01)

### 4.1 Prerequisites (Mandatory)

* Domain resolves to a **public IP**
* EC2 subnet has route:

```
0.0.0.0/0 → Internet Gateway
```

* Ports **80** and **443** reachable from the internet

### 4.2 Prepare ACME Storage

```
touch acme.json
chmod 600 acme.json
```

### 4.3 Docker Compose — Traefik Gateway

```
services:
gateway:
image: traefik:v2.11.32
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "8081:8081"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./acme.json:/acme.json
command:
- --providers.docker=true
- --providers.docker.exposedbydefault=false

- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.traefik.address=:8081

- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https

- --certificatesresolvers.letsencrypt.acme.email=admin@example.com
- --certificatesresolvers.letsencrypt.acme.storage=/acme.json
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web

- --api.dashboard=true
- --api.insecure=true
```

### 4.4 Service TLS Labels

```
labels:
- "traefik.enable=true"
- "traefik.http.routers.app.rule=Host(`tls-docker.example.com`)"
- "traefik.http.routers.app.entrypoints=websecure"
- "traefik.http.routers.app.tls=true"
- "traefik.http.routers.app.tls.certresolver=letsencrypt"
- "traefik.http.services.app.loadbalancer.server.port=8080"
```

## 5. Validation — Let’s Encrypt (HTTP-01)

**DNS resolution**

```
dig +short tls-docker.example.com
dig @8.8.8.8 +short tls-docker.example.com
```

**TCP reachability**

```
nc -vz tls-docker.example.com 80
```

**HTTP reachability**

```
curl -v http://tls-docker.example.com
```

**ACME challenge path**

```
404 Not Found is expected and correct
```

**HTTPS validation**

```
curl -v https://tls-docker.example.com
```

**Certificate issuer verification**

```
echo | openssl s_client \
-connect tls-docker.example.com:443 \
-servername tls-docker.example.com \
2>/dev/null | openssl x509 -noout -issuer -subject -dates
```

Expected issuer:

```
CN = Let's Encrypt
```

## 6. Private Subnets — Important Limitation

If the domain resolves to a **private IP (RFC1918)** or the subnet routes traffic via **NAT Gateway only**, Let’s Encrypt **HTTP-01 will fail**.

**Symptoms**

* DNS resolves internally but not publicly
* ACME challenge never triggered
* Traefik serves default certificate

**Solution**<br />
Use **DNS-01 validation** with Route 53.

## 7. Troubleshooting

| **Issue** | **Cause** | **Resolution** |
|-----------------|------------------|--|
| ACME never triggers | No public ingress | Use DNS-01 |
Copy link

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix hard tab characters in troubleshooting table.

Lines 236 and 240 contain hard tab characters that may cause rendering issues. Replace with spaces.

Proposed fix 
-| ACME never triggers | No public ingress	 | Use DNS-01 |
+| ACME never triggers | No public ingress | Use DNS-01 |
-| 404 from HTTPS   | Host rule mismatch	 | Verify router rule |
+| 404 from HTTPS | Host rule mismatch | Verify router rule |

Also applies to: 240-240

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

236-236: Hard tabs
Column: 42

(MD010, no-hard-tabs)

🤖 Prompt for AI Agents 
In @docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md at
line 236, The troubleshooting table has hard tab characters in the row
containing "| ACME never triggers | No public ingress	 | Use DNS-01 |" (and the
similar row at line 240); open the markdown table and replace the hard tab
characters between "No public ingress" and " | Use DNS-01 |" (and any other tabs
on that row) with regular spaces so the table cells use spaces only and render
correctly.

| Default Traefik cert | No issued cert | Check ACME logs |
| <a>example.com</a> email error | Invalid ACME email | Use real domain |
Copy link

@coderabbitai coderabbitai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Replace incorrect <a> tag with backticks.

The HTML anchor tag without an href attribute is invalid. Use backticks for domain names.

Proposed fix 
-| <a>example.com</a> email error | Invalid ACME email  | Use real domain |
+| `example.com` email error | Invalid ACME email  | Use real domain |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| <a>example.com</a> email error | Invalid ACME email | Use real domain |
| `example.com` email error | Invalid ACME email | Use real domain |
🤖 Prompt for AI Agents 
In `@docs/installation-steps-advanced/SetupTLSHTTPSDockerComposeTraefikV2.md` at
line 239, The markdown table contains an invalid HTML anchor
"<a>example.com</a>" without an href; replace that HTML tag with inline
code/backticks around the domain (i.e., change "<a>example.com</a>" to
`example.com`) so the table cell shows the domain correctly and conforms to
Markdown syntax.

| Permission denied acme.json | Wrong file mode | chmod 600 |
| 404 from HTTPS | Host rule mismatch | Verify router rule |

## 8. Summary

* Self-signed TLS works for **local and internal environments**
* Let’s Encrypt HTTP-01 works **only with public ingress**
* DNS-01 is required for **private VPC deployments**
* Traefik configuration remains identical; only the ACME method changes