Default Certificate not working

I configured the Default Certificate as follows in my traefik.toml:

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"

I mounted the ssl-folder as a volume to my traefik container:

    volumes:
    - "./ssl:/ssl"

If I jump into the container to verirfy the files, it looks good:

/ # cat traefik.toml 

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[api]
[providers.docker]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"/ # 
/ # 
/ # ls -la /ssl
total 16
drwxrwxr-x    2 1000     1000          4096 Oct 30 07:15 .
drwxr-xr-x   34 root     root          4096 Oct 30 07:16 ..
-rw-rw-r--    1 1000     1000          2021 Oct 29 18:34 cert.pem
-rw-------    1 1000     1000          3414 Oct 29 18:33 key.pem

Unfortunaltey, this default certificate it not loaded. If I look into the cert for my domain, it still shows CN = TRAEFIK DEFAULT CERT.

What do I miss?

Hi @boldt, the tls.stores directive (https://docs.traefik.io/v2.0/https/tls/#default-certificate) is part of the dynamic configuration (https://docs.traefik.io/v2.0/getting-started/configuration-overview/#the-dynamic-configuration).

It means that you have to update the file provider (https://docs.traefik.io/v2.0/providers/file/) and point it to the file containing the tls.stores definitions (traefik.toml in your case, even though using another file is recommended).

Let us know?

1 Like

Hey @dduportal, thanks for your quick response. I do not get the file providers. It shouln't be so complicated to provide own cetficates, sorry. V1-configuration ws much simpler.

I tried the following:

# traefik.toml
[providers.file]
  filename = "/ssl/"

# ssl.toml
[[tls.certificates]]
  certFile = "/ssl/cert.pem"
  keyFile = "/ssl/key.pem"
  stores = ["default"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"

Still no success, still the TRAEFIK DEFAULT CERT.

The new V2 configuration seems to be quite complicated and not well documented yet.

Can you please provide a working MWE with a default cert?

Used references:

1 Like

Do not point to a folder, point to a specific file.toml;

[providers.file]

  filename = "/path/to/my/filesettings.toml"

See here with yml: "No default certificate, generating one" even if default certificate is specified

[providers.file]
  directory = "/ssl/"

use directory instead filename

https://docs.traefik.io/v2.0/providers/file/#directory

Actually, I tried both, directory and filename, and both end up in the following error (I replaced the cert with [...]):

traefik_1     | time="2019-11-01T12:45:35Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to parse private key" tlsStoreName=default
traefik_1     | time="2019-11-01T12:45:35Z" level=error msg="Unable to append certificate -----BEGIN CERTIFICATE-----\r\n[...]\r\n-----END CERTIFICATE-----\r\n to store: unable to generate TLS certificate : tls: failed to parse private key" tlsStoreName=default

All files exist at the defined locations:

$ docker exec -it traefik /bin/sh

/ # cat traefik.toml 
[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[api]
[providers.docker]

[providers.file]
#  directory = "/ssl/"
  filename = "/ssl/ssl.toml"

/ # ls -la /ssl
total 20
drwxrwxr-x    2 1000     1000          4096 Oct 31 20:33 .
drwxr-xr-x    1 root     root          4096 Oct 31 20:18 ..
-rw-rw-r--    1 1000     1000          2054 Oct 31 19:28 cert.pem
-rw-rw-r--    1 1000     1000          3468 Oct 31 19:28 key.pem
-rw-r--r--    1 1000     1000           245 Oct 31 20:33 ssl.toml

/ # cat /ssl/ssl.toml 
[[tls.certificates]]
  certFile = "/ssl/cert.pem"
  keyFile = "/ssl/key.pem"
  stores = ["default"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"

@boldt can you check the content of the files with the openssl command please?

The last log message tells us that Traefik was able to access the files, but their content was not a parseable valid PEM format for the private key.

Well, you were right. The private key was broken. I just ran openssl again to generate a new cert and private key - and it works.

1 Like

I was running into the same problem.
I just moved all the tls config to my dynamic configuration and it worked!

#traefik.yml

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

  file:
    filename: /etc/traefik/settings/dynamic.yml


#dynamic.yml
tls:
  certificates:
    - certFile: /etc/ssl/cert.crt
      keyFile: /etc/ssl/cert.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/ssl/cert.crt
        keyFile: /etc/ssl/cert.key

Thanks!