boldt
October 30, 2019, 7:30am
I configured the Default Certificate as follows in my traefik.toml:
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"
I mounted the ssl-folder as a volume to my traefik container:
volumes:
  - "./ssl:/ssl"
If I jump into the container to verify the files, it looks good:
/ # cat traefik.toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[api]
[providers.docker]
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"
/ #
/ # ls -la /ssl
total 16
drwxrwxr-x 2 1000 1000 4096 Oct 30 07:15 .
drwxr-xr-x 34 root root 4096 Oct 30 07:16 ..
-rw-rw-r-- 1 1000 1000 2021 Oct 29 18:34 cert.pem
-rw------- 1 1000 1000 3414 Oct 29 18:33 key.pem
Unfortunately, this default certificate is not loaded. If I look at the cert for my domain, it still shows CN = TRAEFIK DEFAULT CERT.
What am I missing?
Hi @boldt, the tls.stores directive (https://docs.traefik.io/v2.0/https/tls/#default-certificate) is part of the dynamic configuration (https://docs.traefik.io/v2.0/getting-started/configuration-overview/#the-dynamic-configuration).
It means that you have to update the file provider (https://docs.traefik.io/v2.0/providers/file/) and point it to the file containing the tls.stores definitions (traefik.toml in your case, even though using another file is recommended).
Let us know?
boldt
October 31, 2019, 8:28pm
Hey @dduportal, thanks for your quick response. I do not get the file providers. It shouldn't be so complicated to provide own certificates, sorry. The V1 configuration was much simpler.
I tried the following:
# traefik.toml
[providers.file]
  filename = "/ssl/"

# ssl.toml
[[tls.certificates]]
  certFile = "/ssl/cert.pem"
  keyFile = "/ssl/key.pem"
  stores = ["default"]
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"
Still no success, still the TRAEFIK DEFAULT CERT.
The new V2 configuration seems to be quite complicated and not well documented yet.
Can you please provide a working MWE with a default cert?
Used references:
Do not point to a folder, point to a specific file.toml:
[providers.file]
  filename = "/path/to/my/filesettings.toml"
See here with yml: "No default certificate, generating one" even if default certificate is specified
ldez
November 1, 2019, 12:09am
[providers.file]
  directory = "/ssl/"
Use directory instead of filename.
https://docs.traefik.io/v2.0/providers/file/#directory
boldt
November 1, 2019, 12:48pm
Actually, I tried both, directory and filename, and both end up in the following error (I replaced the cert with [...]):
traefik_1 | time="2019-11-01T12:45:35Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to parse private key" tlsStoreName=default
traefik_1 | time="2019-11-01T12:45:35Z" level=error msg="Unable to append certificate -----BEGIN CERTIFICATE-----\r\n[...]\r\n-----END CERTIFICATE-----\r\n to store: unable to generate TLS certificate : tls: failed to parse private key" tlsStoreName=default
All files exist at the defined locations:
$ docker exec -it traefik /bin/sh
/ # cat traefik.toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[api]
[providers.docker]
[providers.file]
  # directory = "/ssl/"
  filename = "/ssl/ssl.toml"
/ # ls -la /ssl
total 20
drwxrwxr-x 2 1000 1000 4096 Oct 31 20:33 .
drwxr-xr-x 1 root root 4096 Oct 31 20:18 ..
-rw-rw-r-- 1 1000 1000 2054 Oct 31 19:28 cert.pem
-rw-rw-r-- 1 1000 1000 3468 Oct 31 19:28 key.pem
-rw-r--r-- 1 1000 1000 245 Oct 31 20:33 ssl.toml
/ # cat /ssl/ssl.toml
[[tls.certificates]]
  certFile = "/ssl/cert.pem"
  keyFile = "/ssl/key.pem"
  stores = ["default"]
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/ssl/cert.pem"
      keyFile = "/ssl/key.pem"
@boldt can you check the content of the files with the openssl command please?
The last log message tells us that Traefik was able to access the files, but their content was not a parseable valid PEM format for the private key.
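To do the check suggested above without leaving the box, here is an added example (mine, not from the thread or from Traefik): a stdlib-only Python pre-flight that inspects each PEM block structurally, then asks OpenSSL through the ssl module to load the pair the way Traefik's X509KeyPair does. The PEM samples are constructed placeholders, not real key material.

```python
import base64
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def _der_length(der):
    """Decode the DER length after the SEQUENCE tag; returns (length, header_size)."""
    if der[1] < 0x80:                          # short form: one length byte
        return der[1], 2
    n = der[1] & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None, 0
    return int.from_bytes(der[2:2 + n], "big"), 2 + n

def inspect_pem(text):
    """(label, problem) per PEM block, problem None when well formed. Structural checks only
    (base64, outer DER SEQUENCE): catches truncation, stray bytes and CRLF damage, not key validity."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:                     # binascii.Error: bad alphabet or padding
            der = b""
        if len(der) < 2 or der[0] != 0x30:
            problem = "body is not a base64-encoded DER SEQUENCE"
        else:
            length, header = _der_length(der)
            problem = None if length is not None and len(der) == header + length else "DER length does not match payload"
        findings.append((label, problem))
    return findings or [("", "no PEM block found")]

def pair_loads(cert_pem, key_pem):
    """Load the pair through OpenSSL as Traefik does at startup; None on success, else the error text."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = Path(d, "cert.pem"), Path(d, "key.pem")
        cert.write_text(cert_pem)
        key.write_text(key_pem)
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert), str(key))
        except ssl.SSLError as exc:
            return str(exc)
    return None

# Constructed samples, not real keys: a well-formed block and a truncated key with the CRLF endings from the log.
OK_BLOCK = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
TRUNCATED_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nMAMCAQ\r\n-----END RSA PRIVATE KEY-----\r\n"
```

Run `inspect_pem` on the contents of cert.pem and key.pem first; if both come back clean but `pair_loads` still returns an error, the files are intact but the key does not belong to the certificate.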
boldt
November 1, 2019, 9:49pm
Well, you were right. The private key was broken. I just ran openssl again to generate a new cert and private key - and it works.
I was running into the same problem.
I just moved all the tls config to my dynamic configuration and it worked!
#traefik.yml
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /etc/traefik/settings/dynamic.yml

#dynamic.yml
tls:
  certificates:
    - certFile: /etc/ssl/cert.crt
      keyFile: /etc/ssl/cert.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/ssl/cert.crt
        keyFile: /etc/ssl/cert.key
Thanks!