Error creating certificate store / failed to load X509 key pair: tls: failed to parse private key

Traefik Traefik v2
1

I am getting the following error when attempting to use a custom PositiveSSL wildcard certificate. It could well be that I’m using openssl req To generate the private key and CSR:

time="2020-04-12T17:37:34Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to parse private key" tlsStoreName=default
time="2020-04-12T17:37:34Z" level=error msg="Unable to append certificate -----BEGIN CERTIFICATE-----\r\n...<redacted>...\r\n-----END CERTIFICATE----- to store: unable to generate TLS certificate : tls: failed to parse private key" tlsStoreName=default

My traefik.yml includes:

    volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /share/appdata/config/traefik:/etc/traefik
       - /share/appdata/config/certs:/etc/traefik/certs:ro
    networks:
      - traefik_public
    command: --configFile=/etc/traefik/traefik-static.yaml

My traefik-static.yaml includes:


entryPoints:

  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
      - "172.16.0.0/12"
      - "10.0.0.0/8"
      - "192.168.0.0/16"    
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
          priority: 10

  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
      - "172.16.0.0/12"
      - "10.0.0.0/8"
      - "192.168.0.0/16"      
    http:
      tls:
        options: default

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    swarmMode: true
    network: traefik_public

  file:
    # Optional instead of directory:
    filename: /etc/traefik/traefik-dynamic.yaml
    watch: true

My traefik-dynamic.yaml includes:

tls:
  certificates:
  - certFile: /etc/traefik/certs/gkoerk_com.crt
    keyFile: /etc/traefik/certs/gkoerk_com.key
    stores:
      - default
  options:
    default:
      minVersion: VersionTLS12
      maxVersion: VersionTLS13
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/gkoerk_com.crt
        keyFile: /etc/traefik/certs/gkoerk_com.key

Any ideas if I’ve got a permissions issue or a cert format problem?

2

The error says it cannot parse suggesting a formatting error vs a file I/O error.

Is your key file password protected?

Try using the pair with openssl

$ openssl s_server -cert vpn.crt -key vpn.key
Using default temp DH parameters
ACCEPT
1 Like
3

The keyfile is not password protected.

[/share/appdata/config/traefik/certs] # openssl s_server -cert gkoerk_com.crt -key gkoerk_com.key
Using default temp DH parameters
ACCEPT
4

Hi,
I'm new to Traefik. I got the same error "Error while creating certificate store: failed to load X509 key pair: tls: failed to parse private key" using my self-signed cert, and yes my self-signed cert is password protected.
Previously with another cert that is not password protected, I got my applications working, but that is not the use case I want to cover, as the public certificate I'm getting is with password. I cannot find anything about including password in dynamic config in documentation, perhaps I missed it. Any help is appreciated, thanks!

Here is my dynamic config looks like:

tls:
    stores:
      default:
        defaultCertificate:
          certFile: configuration/cert-password.pem
          keyFile: configuration/key-password.pem
5

Hi @mizzPpY

You will need to remove the password from the private key. This is not supported at the moment.

1 Like