Browser does not trust TLS certificate (ERR_CERT_AUTHORITY_INVALID)

I have set up a site, using Docker and Traefik 2, that answers through both HTTP and HTTPS (no redirection for now). When I access it through HTTPS, the browser seems not to trust the certificate, but if I manually tell it to proceed, then the site loads without a problem. However, the certificate is not self-signed. It is a valid certificate that is accompanied by a chain.pem and a fullchain.pem (I can't see any place to configure Traefik TLS in order to use these two).

Firefox says: Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
and
Chrome says: NET::ERR_CERT_AUTHORITY_INVALID

My traefik.yaml contains:

tls:
    certificates:
        - certFile: /certs/cert.pem
          keyFile: /certs/privkey.pem

I am trying to understand why this is happening. Is it because the chain or the fullchain file is not being served? If yes, how can I make it happen? :anguished:

Hello @AlexandrosG,

If you have an intermediate certificate, you need to concatenate the intermediate certificate together with the primary certificate. Of note, in a PEM file, each certificate block has to be signed by the block below.

This means that your certificate pem file will look like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----

And if you have a root certificate, you may append it at the end after the intermediate. Please note that most modern browsers will not accept root certificates from servers, and will complain about the trust chain, or duplicate roots if the root cert is already present in the browser trust store.

I am not sure what you mean by "intermediate certificate". Putting aside the private key, I have 3 files (I am putting the first characters from each file to make clear the relation between them):

cert.pem

-----BEGIN CERTIFICATE-----
MIIFSzCCBDO...
-----END CERTIFICATE-----

chain.pem

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gA....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAw
-----END CERTIFICATE-----

fullchain.pem

-----BEGIN CERTIFICATE-----
MIIFSzCCBDO...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gA....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAw
-----END CERTIFICATE-----

Is chain.pem what you call the intermediate certificate? :roll_eyes:

Hello @AlexandrosG,

A primary certificate (or server certificate) is the certificate that contains the information about the server or host you created the certificate request for (via the Certificate Signing Request [CSR]).

Primary certificates are signed by other certificates in order to make a trust chain. Minimally, certificate authorities can sign your server certificate with their root certificate; however, this is not advisable, because it can cause issues down the road (such as expiry, revocation, cross signing, etc). To overcome these issues, certificate authorities use their root certificates to sign intermediate certificates. These intermediates are in turn used to sign your server certificates. Your certificate authority may have one or more intermediate certificates.

What the files are called is not important, and has no bearing on the contents. Let me label these to show you what I mean:

cert.pem

-----BEGIN CERTIFICATE----- #<---- Primary Certificate (for your server)
MIIFSzCCBDO...
-----END CERTIFICATE-----

chain.pem

-----BEGIN CERTIFICATE----- #<---- Intermediate Certificate
MIIFFjCCAv6gA....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE----- #<---- Intermediate Certificate 2, or Root certificate
MIIFYDCCBEigAw
-----END CERTIFICATE-----

fullchain.pem

-----BEGIN CERTIFICATE----- #<---- Primary Certificate (for your server)
MIIFSzCCBDO...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- #<---- Intermediate Certificate
MIIFFjCCAv6gA....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- #<---- Intermediate Certificate 2, or Root certificate
MIIFYDCCBEigAw
-----END CERTIFICATE-----

The intermediate and root certificates are often publicly posted on certificate authorities' websites, and will be exactly the same as what you have, letter for letter.
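Added example, not from this thread or from Traefik: a small Python check for the ordering rule described above, that every certificate in the bundle handed to certFile is followed by the certificate that issued it (the order fullchain.pem already has). It compares the raw DER Issuer of each certificate with the DER Subject of the next one and does not verify signatures; the parsing helpers and fake_cert_pem (which builds constructed, structure-only certificates so the check runs offline) are my own.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """One DER element at pos -> (tag, value_start, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """(issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                    # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                        # optional [0] EXPLICIT version
        p = _tlv(der, p)[2]
    p = _tlv(der, p)[2]                       # serialNumber
    p = _tlv(der, p)[2]                       # signature AlgorithmIdentifier
    issuer = der[p:_tlv(der, p)[2]]           # issuer Name
    p = _tlv(der, p + len(issuer))[2]         # validity
    return issuer, der[p:_tlv(der, p)[2]]     # subject Name

def chain_problems(pem_text):
    """Ordering problems in a PEM bundle; an empty list means leaf-first order is consistent."""
    certs = [names(d) for d in pem_blocks(pem_text)]
    return [f"certificate #{i + 1} is not issued by certificate #{i + 2}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

def _der(tag, body):
    """DER TLV with short-form length, enough for the small constructed certs below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject, issuer):
    """Constructed, structure-only certificate (no key, no signature) so the
    ordering check can be exercised offline; real bundles come from the CA."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30,
        _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))   # CN=cn
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer)
               + _der(0x30, b"") + name(subject))
    b64 = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
```

Run chain_problems(open("/certs/fullchain.pem").read()) against the file you point certFile at; it only confirms issuer/subject order and is no substitute for a full openssl verify.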