Cannot get the mTLS to work

I have spent a day trying to get mutual TLS (client-certificate authentication) working and cannot.
My compose file, static configuration and dynamic configuration are below.

The container log contains this error:

ERR error="building TLS config: unknown client auth type \"requireAndVerifyClientCert\"" entryPointName=https routerName=traefik-secure@docker

Traefik version:

Version:      3.1.2
Codename:     comte
Go version:   go1.22.5
Built:        2024-08-06T13:37:51Z
OS/Arch:      linux/amd64

The certificates were generated with the mkcert tool.

Any idea what might be the issue?


Docker-compose:


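services:
  traefik:
    # Pinned to the version reported in the post. `latest` is not reproducible and
    # can change the set of accepted configuration values between pulls.
    image: traefik:v3.1.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
    ports:
      # Quoted so a YAML 1.1 parser can never read a port mapping as a
      # sexagesimal number.
      - "80:80"
      - "443:443"
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): `:ro` on the socket file does not restrict the Docker API
      # behind it; anything that can talk to the API can start privileged
      # containers on the host. A socket proxy exposing only the read endpoints
      # the Docker provider needs is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/traefik.yml:ro
      # Must stay writable: it stores the ACME account key and issued
      # certificates. Keep it mode 0600 on the host (Traefik rejects more
      # permissive modes).
      - ./traefik/acme.json:/acme.json
      - ./traefik/config.yml:/config.yml:ro
      - ./traefik/logs:/var/log/traefik
      # The server certificate, its private key and the client CA are only read
      # by Traefik (see the dynamic configuration), so mount them read-only.
      - ./certs/server.pem:/etc/certs/server.pem:ro
      - ./certs/server-key.pem:/etc/certs/server-key.pem:ro
      - ./certs/ca.pem:/etc/certs/ca.pem:ro

    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: exists only to redirect to the TLS router below.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)"
      # NOTE(review): basicauth.users expects `user:htpasswd-hash`, not a
      # plaintext password; confirm the value in .env is a hash and that any
      # `$` in it survives Compose interpolation.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # Defined but not attached to any router in this file.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # TLS router serving the dashboard (api@internal) behind basic auth and,
      # through the `default` TLS options from the dynamic config, behind
      # client-certificate authentication.
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      # ACME is disabled for this router; the certificate comes from the file
      # provider. The tls.domains entries below are only consumed by a
      # certificate resolver, so they are inert while this stays commented out.
      #- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=${WILDCARD_DOMAIN}"
      - "traefik.http.routers.traefik-secure.tls.options=default"
      - "traefik.http.routers.traefik-secure.service=api@internal"


networks:
  proxy:
    name: proxy
    external: true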


Static configuration (traefik.yml):


api:
  dashboard: true
  # NOTE(review): debug turns on Traefik's extra debugging endpoints on the API.
  # Useful while troubleshooting this error; set it to false afterwards.
  debug: true

entryPoints:
  http:
    address: ":80"
    # Every plain-HTTP request is redirected to the https entry point here, so
    # the redirectscheme middleware in the compose labels is a second copy of
    # the same rule.
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

# WARNING: this disables certificate verification for every backend Traefik
# proxies to, so a spoofed or intercepted backend is accepted silently. It is
# unrelated to the client-auth error; scope it to the specific services that
# really need it (a per-service serversTransport) or remove it.
serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with the traefik.enable=true label.
    exposedByDefault: false
  file:
    # Dynamic configuration: TLS options, certificates and stores.
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      # Placeholder address. No router in the compose file references this
      # resolver (the certresolver label is commented out).
      email: example@mail.com
      storage: /acme.json
      dnsChallenge:
        provider: cloudflare
        # Resolvers used to check DNS-01 record propagation.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Dynamic configuration (config.yml):

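tls:
  # Server certificate and key served on the https entry point.
  certificates:
    - certFile: "/etc/certs/server.pem"
      keyFile: "/etc/certs/server-key.pem"
  options:
    # Referenced by the router label tls.options=default.
    default:
      clientAuth:
        # Clients must present a certificate chaining to one of these CAs.
        # NOTE(review): with mkcert this is the local development root CA, so
        # every certificate that root has ever issued will be accepted as a
        # client — confirm that is the intended trust boundary.
        caFiles:
          - "/etc/certs/ca.pem"
        # The value is case-sensitive. The original post used
        # "requireAndVerifyClientCert", which Traefik rejects with
        # 'unknown client auth type'.
        clientAuthType: "RequireAndVerifyClientCert"
  stores:
    default:
      # Fallback certificate when no SNI match is found; here the same pair as
      # in the certificates list above.
      defaultCertificate:
        certFile: "/etc/certs/server.pem"
        keyFile: "/etc/certs/server-key.pem"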


Have you tried the capitalization used in the documentation? The value is case-sensitive:

# Dynamic configuration

tls:
  options:
    default:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - tests/clientca1.crt
          - tests/clientca2.crt
        # Note the leading capital R: the value is matched exactly.
        clientAuthType: RequireAndVerifyClientCert

I can confirm that was the issue; it is resolved by using the correct capitalization (RequireAndVerifyClientCert). Thanks a lot!
