Ability to validate remote certificates and support old ssl/tls connections

I have played a bit around with traefik lately and it is working relatively well with Docker/Podman for containers on the same host (internal network NOT accessible from the Outside).

Now I would like to provide Letsencrypt validated certificates (I am using certbot + distributing the certificates automatically since in use on multiple hosts - not a task for traefik) when I access e.g. IPMI or Switches Remote Management (Mikrotik, Zyxel, ...).

Scenario a
For IPMI I would like to upload (to the IPMI device) some self-signed certificates and let traefik validate that certificate when connecting to the required IPMI web interface.
Basically something like:

Client Browser <---> HTTPS tls12 Letsencrypt myipmihost.MYDOMAIN.TLD <--> Certificate Validation <---> HTTPS tls12 myipmihost.host.home <---> IPMI Web Server

Goal is:

  • Do NOT transmit plain HTTP data across the network (can be sniffed)
  • Make sure that the server I am talking to it's the right one (no IP changes etc)

Scenario b
For some legacy devices that do NOT support tls1.2 and where I cannot put a custom Certificate (old Zyxel switches), I'd like to transmit the data using tls1.0, but IIRC that's not supported with traefik 2 (sigh).

Goal is:

  • Do NOT transmit plain HTTP data across the network (can be sniffed)

Client Browser <---> HTTPS tls12 Letsencrypt myipmihost.MYDOMAIN.TLD <--> HTTPS tls10 myipmihost.host.home <---> Switch Web Server

How could these targets be achieved ?

Thank you :slight_smile:

For regular TLS certs you can disable validation checking with insecureSkipVerify globally or declare a serversTransport with it and assign it to a service. That way you can use custom certs internally.

Alternatively you can declare a serversTransport with the internal certs (doc) and assign it to the service (doc) to be used to forward requests.

The reference (doc) shows you can disable http2 for forward requests, but there seems to be no TLS setting to allow old certs.

So I cannot use tls1.0 with legacy devices (switches in particular)? They will be in their own vlan but still... Some encryption would be better than no encryption at all :pensive:.

Why would I want to disable validation checking?
On the traefik server certificate it's not an issue since it's issued by let's encrypt certificates.

I want to validate the certificate on the remove host that traefik will be forwarding traffic to.

The validation checks domain match and trust chain AFAIK. You can disable it for custom TLS certs used by target service, not registered with Traefik.

Instead you can (manually) use a LetsEncrypt TLS cert inside the target container, then Traefik will trust it.

Or you create a custom TLS cert and use it in Traefik and the target service.


If your switch only enables TLS 1.0 it’s probably really old and you don’t get any updates or security fixes for it. If you want to avoid risk, you need to get a new one.

I think there is some misunderstanding.
We are talking about different things I believe.

I already have the letsencrypt certificate generated & updated by certbot on a separate host (and distribute to where the traefik docker container is located through Salt/Saltstack).

So my user browser will trust the chain TO traefik, that is not the problem.

In ~/config/traefik/dynamic/certificates.yml I have

#  stores:
#    default:
#      defaultCertificate:
#        certFile: /certificates/MYDOMAIN.TLD/cert.pem
#        keyFile: /certificates/MYDOMAIN/privkey.pem
    - certFile: /certificates/MYDOMAIN/cert.pem
      keyFile: /certificates/MYDOMAIN/privkey.pem

(for some reason I needed to use tls.certificates instead of tls.stores.default.defaultCertificate, not sure why).

So that is using the letsencrypt certificate.

Anyway ... What I would like to do now is that when the traefik container tries to pass the connection to the target host (lets call it ipmiA), it will fail unless it can validate the certificate used by ipmiA (which I will import into traefik).

Not sure if it's any clear, I'm not sure how I can explain it :no_mouth:

The regular tls settings are for incoming requests.

For Traefik to forward requests to a TLS target service, you need to