Traefik Configuration Fixes

Issues Fixed

1. MinIO Router Service Conflicts ✅

Problem:

ERR Router minio-api cannot be linked automatically with multiple Services: ["minio-api" "minio-console"]
ERR Router minio-console cannot be linked automatically with multiple Services: ["minio-api" "minio-console"]

Root Cause: Both minio-api and minio-console routers were trying to auto-link to services, but Traefik couldn't determine which service to use for each router.

Fix: Explicitly assigned services to each router:

# MinIO API Router
- "traefik.http.routers.minio-api.service=minio-api"
- "traefik.http.services.minio-api.loadbalancer.server.port=9000"

# MinIO Console Router  
- "traefik.http.routers.minio-console.service=minio-console"
- "traefik.http.services.minio-console.loadbalancer.server.port=9001"

2. Compression Middleware Not Found ✅

Problem:

ERR error="middleware \"compression@docker\" does not exist"

Root Cause: The compression middleware is defined in the file provider (infrastructure/config/traefik/dynamic/middleware.yml), but compose files were referencing it without the @file suffix, causing Traefik to look for it in the Docker provider.

Fix: Updated all middleware references to explicitly specify the provider:

# Before:
- "traefik.http.routers.service.middlewares=default-headers,compression"

# After:
- "traefik.http.routers.service.middlewares=default-headers@file,compression@file"

Files Updated:

  • infrastructure/compose/qualification.yml - All 8 services
  • infrastructure/compose/production.yml - All 8 services

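⚠️ IMPORTANT: After updating compose files, recreate the services to apply new labels. Labels are fixed when a container is created, so a plain restart keeps the old ones:

# Restart qualification services (reuses the existing containers, so changed labels are not picked up)
docker compose -f infrastructure/compose/qualification.yml --env-file .env.qual restart

# Recreate so the containers carry the updated labels
docker compose -f infrastructure/compose/qualification.yml --env-file .env.qual up -d --force-recreate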

3. Certificate Resolver Configuration ✅

Problem:

ERR Router uses a nonexistent certificate resolver certificateResolver=letsencrypt
ERR error="HTTP challenge is not enabled"
ERR error="unable to get ACME account: permissions 644 for /acme.json are too open, please use 600"

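Root Cause:

  1. The certificate resolver was configured, but the HTTP challenge might have issues with the redirect configuration
  2. The ACME file (acme.json) has incorrect permissions (644 instead of 600). The file stores the ACME account key and the private keys of issued certificates, so Traefik refuses to use it while other users can read it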

Fix:

  1. Enhanced certificate resolver configuration:

    - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
    

  2. Fix ACME file permissions:

    # On VPS
    cd /opt/po-platform
    chmod 600 infrastructure/config/traefik/acme.json
    
    # Or use the helper script
    ./infrastructure/scripts/fix-traefik-acme-permissions.sh
    

Note: The certificate resolver IS properly configured. The errors might be transient during initial certificate issuance. Once certificates are issued, these errors should disappear.

Complete Fix Procedure

On VPS:

cd /opt/po-platform

# 1. Fix ACME file permissions
chmod 600 infrastructure/config/traefik/acme.json

# 2. Restart Traefik to apply certificate resolver fixes
docker compose -f infrastructure/compose/shared.yml --env-file infrastructure/compose/.env.shared restart traefik

# 3. Recreate qualification services to apply new middleware labels (a plain restart keeps the old labels)
docker compose -f infrastructure/compose/qualification.yml --env-file .env.qual up -d --force-recreate

# 4. Verify no errors
docker logs po-traefik 2>&1 | grep -i error | tail -20

Verification

After applying fixes, verify:

# 1. Check Traefik logs for errors
docker logs po-traefik 2>&1 | grep -i error | tail -20

# 2. Verify MinIO routers (should see no conflicts)
docker logs po-traefik 2>&1 | grep -i "minio-api\|minio-console" | grep -i error

# 3. Verify middleware references (should see no "does not exist" errors)
docker logs po-traefik 2>&1 | grep -i "compression" | grep -i error

# 4. Verify certificate resolver (ACME errors should be gone after permissions fix)
docker logs po-traefik 2>&1 | grep -i "acme\|certificate" | grep -i error

# 5. Check ACME file permissions
ls -l infrastructure/config/traefik/acme.json
# Should show: -rw------- (600)
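
A pre-deploy check for fixes 2 and 3, as an added example that is not part of the original page or the project's scripts: it lists middleware references in a compose file that lack an @provider suffix and tests that acme.json has mode 600. The function names and the sample compose fragment are assumptions; the check flags every unqualified name, which is stricter than Traefik itself (a middleware defined through Docker labels resolves without a suffix).

```bash
#!/usr/bin/env bash
# Added example, not the project's own script. Function names and the
# sample data below are assumptions made for illustration.

# Print each middleware name referenced without an @provider suffix.
# Exit status: 0 if every reference is qualified, 1 otherwise.
unqualified_middlewares() {
    awk '
        /^[ \t]*#/ { next }                      # skip YAML comments
        /traefik\.http\.routers\.[^.]+\.middlewares=/ {
            value = $0
            sub(/.*\.middlewares=/, "", value)   # keep the label value
            sub(/".*/, "", value)                # drop the closing quote
            n = split(value, names, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", names[i])
                if (names[i] != "" && names[i] !~ /@/) { print names[i]; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Succeed only if the path is a regular file with mode exactly 600.
acme_mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed compose fragment modelled on the before/after labels above.
    cat > "$tmp/compose.yml" <<'EOF'
services:
  api:
    labels:
      - "traefik.http.routers.api.middlewares=default-headers,compression"
  web:
    labels:
      - "traefik.http.routers.web.middlewares=default-headers@file,compression@file"
EOF
    : > "$tmp/acme.json"; chmod 644 "$tmp/acme.json"
    echo "unqualified: $(unqualified_middlewares "$tmp/compose.yml" | tr '\n' ' ')"
    acme_mode_ok "$tmp/acme.json" || echo "acme.json: mode is not 600"
    chmod 600 "$tmp/acme.json"
    acme_mode_ok "$tmp/acme.json" && echo "acme.json: mode 600"
    rm -rf "$tmp"
}
demo
```

Running both functions against the real compose files and acme.json before recreating the containers catches the "does not exist" and "too open" errors before Traefik logs them.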

Expected Behavior

After fixes:

  • ✅ No MinIO router conflicts
  • ✅ Compression middleware found and working
  • ✅ Certificate resolver configured (ACME file permissions fixed)
  • ✅ No middleware "does not exist" errors

Related Files

  • infrastructure/compose/shared.yml - Traefik and MinIO configuration
  • infrastructure/compose/qualification.yml - Qualification environment services
  • infrastructure/compose/production.yml - Production environment services
  • infrastructure/config/traefik/dynamic/middleware.yml - Middleware definitions
  • infrastructure/scripts/fix-traefik-acme-permissions.sh - ACME permissions fix script