A custom certificate is not used by Traefik

Hi team,
I am using a common traefik.yaml file for multiple environments. In some environments I am using Let's Encrypt, and in others user-defined certificates, with two resolvers. Can you tell me if the configurations below are correct? I am facing an issue: it is taking the Traefik default certificate. Could you please help with troubleshooting the problem?
I have the below configuration files.
docker-compose.yaml

version: "3.3"

services:

  traefik:
    image: "traefik:v3.0.0-rc5"
    container_name: "traefik"
    networks:
      - qa
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=qa"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnsChallenge.provider=godaddy"
      - "--certificatesresolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0"
      - "--certificatesresolvers.myresolver.acme.storage=/home/ec2-user/traefik/letsencrypt/acme.json"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.qa.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.tls.certresolver=selfsigned"
    env_file:
      - .provider.env
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ec2-user/traefik/traefik.yml:/etc/traefik/traefik.yml" 
      - "/home/ec2-user/traefik/certs:/certs" 

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.gtp.internal`)" # change hostname!
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=selfsigned"
      - "traefik.http.routers.traefik.entrypoints=web,websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  demo:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.demo.rule=Host(`demo.gtp.internal`)"
      - "traefik.http.routers.demo.entrypoints=websecure"
      - "traefik.http.routers.demo.tls=true"
      - "traefik.http.routers.demo.tls.certresolver=selfsigned"
    networks:
      - qa
networks:
  qa:
    external: true

.provider.env

GODADDY_API_KEY=
GODADDY_API_SECRET=

traefik.yml

# Global configuration
global:
  checkNewVersion: true
  sendAnonymousUsage: false
# Entry points
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
# Logging configuration
log:
  level: DEBUG
# Access logs
accessLog:
  format: common

# API configuration
api:
  insecure: true
  dashboard: true
  debug: true

# Providers configuration
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

# SSL certificate resolver configuration
certificatesResolvers:
  selfsigned:
    acme:
      email: "${EMAIL}"
      storage: "/acme.json"
      httpChallenge:
        entryPoint: websecure
  cloudflare:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory 
      email: ${EMAIL}
      storage: /etc/traefik/acme.json # chmod 600 this file on the host system
      tlsChallenge: {}
      dnschallenge:
        provider: godaddy
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

myresolver cannot be tlsChallenge and dnsChallenge at the same time.

Thanks, I'll fix that. However, as you can see, I also listed a different resolver called "selfsigned", which is for my custom certificate. Furthermore, it is not secure in the browser.

Can you provide more context?

A resolver with httpChallenge will create a TLS cert, but you need to use an HTTP entrypoint without TLS enabled, so not websecure. Otherwise switch to tlsChallenge.

If you want to use a custom created/paid TLS cert, you need to load that in a dynamic config file (doc), which is loaded with providers.file in static config.

And the usual note: you cannot use static config in traefik.yml and command:, decide for one (doc).

Not http, but https as the entrypoint with TLS enabled is what I need to utilize. I've already produced a certificate that is mapped to the Traefik service volume "/home/ec2-user/traefik/certs:/certs".

Your issue is solved?

Not yet, I'm facing the same issue.

What is your issue? You have a custom created TLS cert that is not used? You want to use certresolver with LetsEncrypt?

I have two certificates: one is custom-created with mkcert, and the other one is provided by GoDaddy. Now, I want to use both certificates. However, when I try to use my custom certificate, it shows 'not secure' on the browsing traffic of my default browser and uses the default certificate provided by Traefik. How can I solve this issue?

I already explained it:

# Dynamic configuration file, not traefik.yml
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

Then enable plain TLS with tls: {} or tls=true on entrypoint or router.

Using existing TLS certs has nothing to do with certresolver.

Now I have updated these files for the custom certificate that was created by mkcert. I have mounted that in the file.

docker-compose.yaml

version: '3.3'

services:
  reverse-proxy:
    image: traefik:v3.0.0-rc5
    container_name: traefik
    restart: unless-stopped
    # security_opt:
    #   - no-new-privileges:true
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=onsurity"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.gtp.internal`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
    ports:
      # Web
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # Map the static configuration into the container
      - ./config/static.yml:/etc/traefik/traefik.yml
      # Map the dynamic configuration into the container
      - ./config/dynamic.yml:/etc/traefik/dynamic.yml
      # Map the certificates into the container
      - ./certs:/certs
    networks:
      - onsurity


static.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
log:
  level: DEBUG
accessLog:
  format: common

api:
  insecure: true
  dashboard: true
  debug: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false


dynamic.yml

http:
  routers:
    traefik:
      rule: "Host(`traefik.gtp.internal`)"
      service: "api@internal"
      tls:
        domains:
          - main: "gtp.internal"
            sans:
              - "*.gtp.internal"
          - main: "gtp.internal"
            sans:
              - "*.gtp.internal"

tls:
  certificates:
    - certFile: "/certs/cert.pem"
      keyFile: "/certs/key.pem"

This configuration is working fine, but in the Traefik logs I'm getting this error. Please help me with this.

Your configs still look mixed up between static and dynamic content.

Define your static config (entrypoints, providers, etc.) in a single place.

  1. traefik.yml file
  2. docker-compose.yml file in command section
  3. environment variables

Decide for a single place. Check simple Traefik example.

Add a providers.file in static config to read the dynamic config file, which includes the existing TLS certs.
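Putting the two answers above together (static config in one place, the custom cert loaded from a dynamic file through providers.file, plain TLS on the router), here is an added example; it is not the original poster's config nor code from the Traefik project. The hostnames, the e-mail address and the cert paths are assumptions carried over from the thread, and the three YAML documents correspond to three separate files.

```yaml
# --- traefik.yml (static config): the only place static options live,
# so the --entrypoints/--providers/--certificatesresolvers flags leave command:
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/etc/traefik/dynamic.yml"   # mounted from ./config/dynamic.yml
    watch: true
certificatesResolvers:
  myresolver:                              # Let's Encrypt, tlsChallenge only
    acme:
      email: "admin@example.com"           # assumed value
      storage: "/letsencrypt/acme.json"
      tlsChallenge: {}
---
# --- dynamic.yml (dynamic config): user-supplied certs live here, never in traefik.yml
tls:
  certificates:
    - certFile: "/certs/cert.pem"          # mkcert output, mounted via ./certs:/certs
      keyFile: "/certs/key.pem"
  stores:
    default:
      defaultCertificate:                  # replaces the TRAEFIK DEFAULT CERT fallback
        certFile: "/certs/cert.pem"
        keyFile: "/certs/key.pem"
---
# --- docker-compose.yml (labels only): tls=true with no certresolver,
# so Traefik serves the matching cert from dynamic.yml by SNI
services:
  demo:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.demo.rule=Host(`demo.gtp.internal`)"
      - "traefik.http.routers.demo.entrypoints=websecure"
      - "traefik.http.routers.demo.tls=true"
      # a router that should use Let's Encrypt instead names the resolver:
      # - "traefik.http.routers.public.tls.certresolver=myresolver"
```

To confirm which certificate is actually served, run `openssl s_client -servername demo.gtp.internal -connect <host>:443 </dev/null | openssl x509 -noout -subject -issuer`; a subject of "TRAEFIK DEFAULT CERT" means the dynamic file was not loaded or the SNI did not match any loaded cert.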