Error 404 when trying tls backend host

New here, please be gentle.
I installed Traefik on Debian 12 and am using it inside my lab. The domain is "nelsonlab.local". My Traefik server is 10.0.22.21, and the host on the backend is https://10.0.3.2. Traefik has this host as fwhq.nelsonlab.local.

Ultimately I want to front-end the HTTPS so that I don't get the unsecure TLS. I used mkcert and installed the rootCA on my browser PC.

When going to https://fwhq.nelsonlab.local and looking at the cert, it shows signed by Traefik, so good so far, right? Although I still get the privacy error, and if I accept, I get a 404 page not found.

This is my traefik.yml

providers:
  file:
    directory: /etc/traefik/conf.d/
    watch: true

entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
  traefik:
    address: ':8080'

certificatesResolvers:
  letsencrypt:
    acme:
      email: "foo@bar.com"
      storage: /etc/traefik/ssl/acme.json
      tlsChallenge: {}

api:
  dashboard: true
  insecure: true

log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

This is my fqhe.yml, located inside the /etc/traefik/conf.d folder with root permissions and 644:

http:
  routers:
    fwhq-router:
      rule: Host(`fwhq`)
      entryPoints:
        - websecure
      tls:
        certificates:
          - certFile: "/etc/traefik/certs/fwhq.nelsonlab.local.pem"
            keyFile: "/etc/traefik/certs/fwhq.nelsonlab.local-key.pem"
      service: fwhq-service

  services:
    fwhq-service:
      loadBalancer:
        servers:
          - url 'https://10.0.3.2/'
        passHostHeader: true
        scheme: https
        serversTransport: skip-verify

serversTransports:
  skip-verify:
    insecureSkipVerify: true

I can't seem to figure out why I'm not getting the page to show properly and without the cert warning?!?

There is no such thing as certificates in this place (reference).

Instead use a root tls element in your dynamic config file (doc). This will load your custom cert, so no "Traefik" cert will be shown, should be the one from mkcert.

Then enable Traefik access log in JSON format (doc) and check during requests if error status comes from target service (OriginStatus) or only from Traefik itself (DownstreamStatus).

I'm not sure I understand what needs to change.
My understanding is the static file is /etc/traefik/traefik.yml, correct?
And the dynamic file: in my case the above file calls a directory, so from what I understand any files in /etc/traefik/conf.d/*.yml will be loaded?

So back to this: should the dynamic file (fwhq.yml) have general info in it or be specific to the host?

So if I understand, the SSL part needs to be in the fwhq.yml as:

tls:
  stores:
    default: {}

So my fwhq.yml should look like this?

http:
  routers:
    fwhq-router:
      rule: "Host(`fwhq.nelsonlab.local`)"
      entryPoints:
        - websecure
      tls:
        stores:
          default: {}
      service: fwhq-service

  services:
    fwhq-service:
      loadBalancer:
        servers:
          - url https://10.0.3.2
        passHostHeader: true
        scheme: https
        serversTransport: skip-verify

serversTransports:
  skip-verify:
    insecureSkipVerify: true

Again, I'm new to this, just trying to make it work.

Dynamic config is loaded via a provider in static config. You can place tls next to your routers and services, but as root element.

Those TLS certs are enabled with tls: {} in router.
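
A dynamic file that follows the advice in this thread, as an added example that is not from the original posts: the certificate pair moves to a root-level tls element and the router only carries tls: {}. It reuses the poster's paths and addresses, and additionally writes the server entry as a url: key, drops the scheme key and nests serversTransports under http, as Traefik's file provider expects; the rootCAs path in the comment is a hypothetical placeholder.

```yaml
# /etc/traefik/conf.d/fwhq.yml (dynamic configuration, loaded by the file provider)
http:
  routers:
    fwhq-router:
      # Match the full name the browser sends, not the short host name.
      rule: "Host(`fwhq.nelsonlab.local`)"
      entryPoints:
        - websecure
      # Enables TLS on this router; the certificate itself is loaded below.
      tls: {}
      service: fwhq-service

  services:
    fwhq-service:
      loadBalancer:
        passHostHeader: true
        serversTransport: skip-verify
        servers:
          # The scheme is part of the URL; there is no separate scheme key.
          - url: "https://10.0.3.2"

  serversTransports:
    skip-verify:
      # Disables verification of the backend certificate, as in the posted config.
      insecureSkipVerify: true
      # To verify the backend instead, remove the line above and trust its CA
      # (hypothetical path):
      # rootCAs:
      #   - /etc/traefik/certs/backend-ca.pem

# Root element, next to http: the mkcert pair Traefik presents to browsers.
tls:
  certificates:
    - certFile: "/etc/traefik/certs/fwhq.nelsonlab.local.pem"
      keyFile: "/etc/traefik/certs/fwhq.nelsonlab.local-key.pem"
```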