Cannot get traefik to work with self-signed certificate - an exception cannot be added for the website

I'm trying to set up a docker/traefik environment for local development with a self-signed certificate which I created for a domain 'local.dev' like so:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout local.dev.key -out local.dev.crt

The only reasonable template config I've found so far is from the last answer here - basically all other examples I've found use letsencrypt which is not an option on a local dev box.

docker-compose.yml:

traefik:
  image: traefik:v2.1
  command:
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --providers.docker=true
    - --providers.file.directory=/etc/traefik/dynamic_conf
    - --providers.file.watch=true
  ports:
    - 80:80
    - 443:443
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./certs/:/certs/:ro
    - ./traefik.yml:/etc/traefik/dynamic_conf/conf.yml:ro

web:
  image: nginx:1.17.8-alpine
  labels:
    # http with redirection
    - traefik.http.middlewares.redirect-middleware.redirectscheme.scheme=https
    - traefik.http.routers.web-router.entrypoints=web
    - traefik.http.routers.web-router.rule=Host(`local.dev`)
    - traefik.http.routers.web-router.middlewares=redirect-middleware
    # https
    - traefik.http.routers.websecure-router.entrypoints=websecure
    - traefik.http.routers.websecure-router.tls=true
    - traefik.http.routers.websecure-router.rule=Host(`local.dev`)

traefik.yml:

tls:
  certificates:
    - certFile: /certs/local.dev.crt
      keyFile: /certs/local.dev.key

No errors on container startup, but Firefox doesn't accept the certificate on https://local.dev (MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) and doesn't give me the option to add an exception in the advanced dialog as it usually does with other self-signed certs.

What seems strange is that the error message also says: "local.dev uses a security technology called 'HTTP Strict Transport Security (HSTS)', through which Firefox is only allowed to connect to the website via secure connections. Therefore, an exception cannot be added for the website" - this kind of indicates that although I'm calling it on https I get an insecure answer?

I've also explicitly added this URL as an exception in the certificate config, no change. And the same basically happens with Edge and Chrome.

What am I missing here? And has anybody a working configuration for using self-signed certs in a local setup?

You've visited this domain before and have received an HSTS response (or it can be baked into the browser, unlikely in this case).

You can clear the HSTS storage if it has been received as a header. Or you can use a private browsing session.

Unfortunately this doesn't make a difference (cleared both the HSTS storage and tested in a private session), repeated in Chrome, same error.

Are you setting any of the strict transport security anywhere in your configuration?

Here:

    - ./traefik.yml:/etc/traefik/dynamic_conf/conf.yml:ro

Or even set in your nginx configuration?

curl -ik https://local.dev to see what headers are being returned.

If you mean

- traefik.http.routers.websecure-router.tls=true

then yes (see above).

And there's the problem: it says HTTP/1.1 200 OK on the first line :frowning:

(my entire config - copy-and-pasted from the 8x up-voted stackoverflow answer - is listed above, so I assume there's something missing there?)

No, I'm asking about strict transport security headers

Not really, STS is implemented in the browser. cURL doesn't care.

The headers should be listed under that, the sts header looks something like:
strict-transport-security: max-age=63072000; includeSubDomains

If it is returned and not configured in traefik then look at nginx.

Those headers are not returned.

Meanwhile, and just to get nginx out of the way as a possible complication, I also tried a config from the traefik.io blog by basically commenting out the letsencrypt related directives and pulling in my self-signed certs and adding the following labels:

      - "traefik.http.middlewares.my-appsts.headers.stsincludesubdomains=false"
      - "traefik.http.middlewares.my-appsts.headers.stspreload=true"
      - "traefik.http.middlewares.my-appsts.headers.stsseconds=31536000"
      - "traefik.http.middlewares.servicests.headers.isdevelopment=false"
      - "traefik.http.routers.my-app.middlewares=my-appsts"

curl now confirms that header:

HTTP/1.1 200 OK
Content-Length: 347
Content-Type: text/plain; charset=utf-8
Date: Fri, 22 Oct 2021 15:46:54 GMT
Strict-Transport-Security: max-age=31536000; preload

Regardless, Firefox still has the same problem :frowning:

But, I've found a workaround: Setting network.stricttransportsecurity.preloadlist to false in Firefox...
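The preload list the workaround switches off is compiled into the browser, so it is consulted before any request is sent and is untouched by clearing site data or by private browsing; the following added example (not code from this thread, Traefik or Firefox) walks a host up through its parent domains the way a browser's preload lookup does. The entry table is a constructed excerpt in the shape of Chromium's transport_security_state_static.json (Firefox derives its own list from it), and it assumes the `dev` TLD is preloaded with includeSubDomains, as the public Chromium list records for that TLD.

```python
"""Toy HSTS preload lookup: why a never-visited local host can still be
forced to HTTPS with certificate overrides refused."""

# Constructed excerpt: preloaded name -> include_subdomains flag.
# Assumption: the real list carries the whole "dev" TLD with includeSubDomains.
PRELOAD_EXCERPT = {
    "dev": True,           # every *.dev host is covered
    "example.com": False,  # this host only, subdomains are not covered
}


def preload_entry(host, preload=PRELOAD_EXCERPT):
    """Return (matched_name, include_subdomains) for host, checking the exact
    name first and then each parent domain, or None if nothing applies."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in preload:
            include_sub = preload[name]
            # A parent entry only covers a child host if it sets includeSubDomains.
            if i == 0 or include_sub:
                return name, include_sub
    return None


def forced_https(host, dynamic_hsts=frozenset(), preload=PRELOAD_EXCERPT):
    """True if the browser will refuse plain HTTP and refuse a certificate
    exception for host. dynamic_hsts stands for per-site state learned from
    Strict-Transport-Security headers (the part that clearing history or a
    private session removes); the preload list is built in and survives both."""
    return host.lower() in dynamic_hsts or preload_entry(host, preload) is not None


def diagnose(host):
    """One-line explanation for a given host, usable from a shell wrapper."""
    entry = preload_entry(host)
    if entry is None:
        return f"{host}: not preloaded; HSTS applies only if the server sends the header"
    name, _ = entry
    return (f"{host}: covered by preload entry '{name}'; clearing site data or a "
            f"private session does not help and self-signed cert exceptions are refused")


if __name__ == "__main__":
    for h in ("local.dev", "local.test", "www.example.com"):
        print(diagnose(h))
```

Pick a TLD that is neither preloaded nor delegated in the DNS (for example one under `.test`) and the same self-signed certificate can be given an exception again.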

I think this indicates that the SiteSecurityServiceState.txt was not cleared properly.

Glad you have a resolution.

I double-checked that file, there is nothing stored there for local.dev and I ran all tests in private sessions anyway.

I just wonder, all the examples I found use LetsEncrypt - do people not have traefik in the loop on local dev boxes?

Here is why: