Detect reason why user certificate is not applied

Hi! My question is rather akin to this one, but not seeing the latter solved, I am making a new one here.

So I've got a custom certificate (which is in fact also a LetsEncrypt one). I've made up one cert chain file (cert.crt) using the domain certificate, intermediate and root LE certificates. I also have a private key file (cert.key).

My dynamic.yml is as follows:

tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /etc/certs/cert.crt
      keyFile: /etc/certs/cert.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/cert.crt
        keyFile: /etc/certs/cert.key

For Traefik endpoints, I'm using Docker Compose labels. My site is on https://enelectro.pro, so the container defines the following:

services:
  webclient: # web: https://enelectro.pro/
    container_name: "webclient"
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.my-compress.compress=true
      - traefik.http.routers.webclient.rule=Host(`enelectro.pro`)
      - traefik.http.routers.webclient.entrypoints=https
      - traefik.http.routers.webclient.middlewares=my-compress

Other containers are defined in the same way, but using various subdomains, e.g. api.enelectro.pro, traefik.enelectro.pro, and so on.

The funny thing is that while the subdomain sites finally get their proper TLS certificates (I can see them in my browser), the main website (https://enelectro.pro) goes without any. Traefik seems to use its 'default cert' which has no ownership info:

The actual error is ERR_CERT_COMMON_NAME_INVALID, which seems to imply that the certificate is incorrect (uses a different domain).

Oddly enough, SSLChecker shows that everything should be OK with the certificate.

The Traefik logs show no error, apart from that "No store is defined to add the certificate MIIE/DCCA+SgAwIBAgISBMvLIkmMAF+w4ypMRyT6A2bGMA0GCS, it will be added to the default store".

How can I check my certificate to see why it is not accepted as valid by the browser? Or am I wrong somewhere in defining the Traefik settings?
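For the question of how to check why a browser rejects the name, here is an added example (not part of the original post, and not Traefik's own code): it reads the leaf certificate from a PEM chain file and reports which hostnames its SAN entries cover. The `example.test` names, `LeafCovers` and `constructedChain` are assumptions, and the wildcard-only sample certificate is constructed to show a name mismatch; the page does not show which SANs the poster's certificate actually carries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LeafCovers parses the first certificate of a PEM chain file (the leaf, the
// one clients match names against) and reports which hosts its SANs cover.
// Like current browsers, VerifyHostname ignores the Subject Common Name.
func LeafCovers(chainPEM []byte, hosts ...string) (map[string]bool, []string, error) {
	block, _ := pem.Decode(chainPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("chain file does not start with a CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	covered := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		covered[h] = leaf.VerifyHostname(h) == nil
	}
	return covered, leaf.DNSNames, nil
}

// constructedChain builds a throwaway self-signed leaf (constructed sample
// input, not the certificate from the post) with the given CN and DNS SANs.
func constructedChain(cn string, sans ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	chain := constructedChain("example.test", "*.example.test")
	covered, sans, err := LeafCovers(chain, "example.test", "api.example.test")
	fmt.Println("SANs:", sans, "covered:", covered, "err:", err)
}
```

To check a real file, pass the bytes of the chain file (in the setup above, /etc/certs/cert.crt) to `LeafCovers` together with each hostname the routers use.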

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

traefik.yml

################################################################
# API and dashboard configuration
################################################################
api:
  # Dashboard
  dashboard: true
  # insecure: true

################################################################
# Docker configuration backend
################################################################
providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true
  docker:
    watch: true
    exposedByDefault: false

################################################################
# Traefik Logging
################################################################
log:
  level: DEBUG
  format: json
  filePath: "/etc/traefik/log.log"

accessLog:
  format: json
  filePath: "/etc/traefik/access-log.log"
  bufferingSize: 50

################################################################
# Entrypoint
################################################################
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
          entryPoint:
            to: https
            scheme: https
            permanent: true
  https:
    address: ":443"
    http:
      tls: true

################################################################
# Certificate resolvers
################################################################
certificatesResolvers:
  le:
    acme:
      tlschallenge: {}
      email: s00mbre@gmail.com
      storage: /letsencrypt/acme.json

dynamic.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /etc/certs/cert.crt
      keyFile: /etc/certs/cert.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/cert.crt
        keyFile: /etc/certs/cert.key

Compose

services:

  traefik:
    image: "traefik:v3.0"
    container_name: "traefik"
    restart: unless-stopped
    environment:
      - TZ=UTC
    ports:
      - 80:80 # http
      - 443:443 # https
    volumes:
      - traefik:/letsencrypt:rw # acme.json
      - /run/docker.sock:/var/run/docker.sock:ro
      - ./back/certs:/etc/certs # user certificate files: cert.crt and cert.key
      - ./back/traefik:/etc/traefik # traefik conf and logs
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$ur5Gr99C$$f354Cu/lqKJYOv5M/eNdW0

      - traefik.http.routers.traefik-admin.rule=Host(`traefik.enelectro.pro`)
      - traefik.http.routers.traefik-admin.entrypoints=https
      - traefik.http.routers.traefik-admin.service=api@internal
      - traefik.http.routers.traefik-admin.middlewares=auth

  webclient: # https://enelectro.pro/
    container_name: "webclient"
    build:
      dockerfile: Dockerfile
    restart: unless-stopped
    expose:
      - 80
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.my-compress.compress=true
      - traefik.http.routers.webclient.rule=Host(`enelectro.pro`)
      - traefik.http.routers.webclient.entrypoints=https
      - traefik.http.routers.webclient.middlewares=my-compress

Logs

log file in json: log.log.json (Yandex Disk)
access log file in json (after accessing website): access-log.log.json (Yandex Disk)