Help with insecureSkipVerify

I have been trying to set the insecureSkipVerify option; however, no matter what I do, it seems to be ignored.

I am using traefik 3.5.0 and get the below error in the router:

error building proxy for server URL https://<IP>:<PORT>: getting RoundTripper: servers transport not found skipverify-https@swarm

I have added this label:

traefik.http.services.myapp.loadbalancer.serversTransport=skipverify-https

And this is my traefik.yml:

entryPoints:
  https:
    address: :443
    http:
      middlewares:
        - gzip
      tls:
        certResolver: le
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  ssh:
    address: :22
certificatesResolvers:
  le:
    acme:
      email: admin@sw.dockerswarm.rocks
      storage: /certificates/acme.json
      tlsChallenge: {}
providers:
  swarm:
    defaultRule: Host(`{{ index .Labels "com.docker.stack.namespace" }}.domain.com`)
    exposedByDefault: false
    network: traefik_public
api:
  dashboard: true
accessLog: {}
metrics:
  prometheus: {}
serversTransports:
  skipverify-https:
    insecureSkipVerify: true

I am new to traefik so any help solving this issue would be greatly appreciated!

Either use it globally in static config (doc):

## Static configuration
serversTransport:
  insecureSkipVerify: true

Or create a named serversTransport in dynamic config and assign it to the service (doc):

## Dynamic configuration
http:
  serversTransports:
    mytransport:
      insecureSkipVerify: true

## Dynamic configuration
http:
  services:
    Service01:
      loadBalancer:
        serversTransport: mytransport
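
The two options from the reply above, laid out for a label-driven Swarm setup (an added example, not part of the original thread): a named transport is defined through the file provider and referenced from the label with `@file`, because a bare name is looked up in the label's own provider, which is the `skipverify-https@swarm` in the first post's error. The static key is singular (`serversTransport`), the dynamic one is `http.serversTransports`. The file paths, the `backend-verified` transport and the name `myapp.internal` are assumptions made for illustration.

```yaml
# File 1: traefik.yml (static configuration).
# Only the providers section is shown; entryPoints, resolvers etc. stay as they are.
providers:
  swarm:
    exposedByDefault: false
    network: traefik_public
  file:
    # Assumed path; the file must be readable inside the Traefik container.
    filename: /etc/traefik/dynamic.yml
    watch: true
---
# File 2: /etc/traefik/dynamic.yml (dynamic configuration, file provider).
http:
  serversTransports:
    # Weak setting: any backend certificate is accepted, so the hop is
    # encrypted but the backend is not authenticated.
    skipverify-https:
      insecureSkipVerify: true
    # Verified alternative (hypothetical name and values): validate the chain
    # against a pinned CA and match the certificate against a DNS name rather
    # than the container IP, which avoids the "IP SANs" failure.
    backend-verified:
      serverName: myapp.internal        # constructed; must be a SAN in the backend cert
      rootCAs:
        - /etc/traefik/backend-ca.crt   # constructed path
---
# File 3: stack file of the target service (labels read by the swarm provider).
services:
  myapp:
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.services.myapp.loadbalancer.server.port=8441
        - traefik.http.services.myapp.loadbalancer.server.scheme=https
        # "@file" points the lookup at the file provider; without the suffix
        # the name resolves to skipverify-https@swarm and is not found.
        - traefik.http.services.myapp.loadbalancer.serversTransport=skipverify-https@file
```

Switching the last label to `backend-verified@file` keeps certificate verification on for that one service instead of disabling it.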

Thanks for the reply, but neither of these seem to work.

I have added the below to my traefik.yml file

serversTransport:
  insecureSkipVerify: true

And I still get the below error:

ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.220 because it doesn't contain any IP SANs"

I don’t understand what you mean by dynamic configuration, I am using labels to do the dynamic bits.

Please do remember I am new to Traefik…

It seems to work for me:

services:
  traefik:
    image: traefik:v3.5
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/certificates:/certificates
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog.format=json
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/certificates/acme.json
      - --serversTransport.insecureSkipVerify=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.11.0
    hostname: whoami
    ports:
      - 8443:443
    networks:
      - proxy
    volumes:
      - ./certs:/certs
    command: ["-verbose", "-port=443", "-cert=/certs/example.crt", "-key=/certs/example.key"]
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`) || PathPrefix(`/whoami`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=443
      - traefik.http.services.mywhoami.loadbalancer.server.scheme=https

networks:
  proxy:
    name: proxy
    attachable: true

Using a custom created TLS cert only with country (doc):

$ mkdir ./certs
$ openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out ./certs/example.crt \
    -keyout ./certs/example.key

Note that I added

.loadbalancer.server.scheme=https

to the target service labels.

And opened port 8443 to directly test the target service.

I have added the command:

command:
- --serversTransport.insecureSkipVerify=true

But I still get an internal server error when loading the container, with the same error logged:

ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.237 because it doesn't contain any IP SANs"

This is the full yaml file

version: '3.8'

services:
  traefik:
    image: traefik:latest
    ports:
      - target: 22
        published: 22
        mode: host
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    networks:
      - public
      - cftunnel-transport
    volumes:
      - /etc/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certificates:/certificates
    command:
      - --serversTransport.insecureSkipVerify=true
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.certificates == true
      labels:
        - traefik.enable=true
        - traefik.http.middlewares.gzip.compress=true
        - traefik.http.routers.traefik-public-api.entrypoints=https
        - traefik.http.routers.traefik-public-api.service=api@internal
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080

networks:
  public:
  cftunnel-transport:

volumes:
  certificates:

You can’t add a single command. Either use traefik.yml or command:, decide on one (doc).

I provided my traefik.yml file, based on your example with the command in it.

It’s no use to keep linking me to the docs, which are woefully unclear on how to use them; I have tried at least 10 different variations of getting this to work.

Based on the yml example I provided, what exactly do I need to put in it and where?

Thanks

This needs to go into traefik.yml:

## Static configuration
serversTransport:
  insecureSkipVerify: true

Maybe you start providing all the info, like the full dynamic config of your target service, not just a single label.


No problems, you can find the dynamic config yml below:

#version: '3.8'

services:
  umbraco:
    image: ghcr.io/location/image:latest
    volumes:
      - /mnt/storage-pool/persist/wwwroot/media:/app/wwwroot/media
      - /mnt/storage-pool/persist/umbraco/Logs:/app/umbraco/Logs
    environment:
      ASPNETCORE_ENVIRONMENT: Production
      ASPNETCORE_HTTP_PORTS: 8441
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.container.rule=Host(`subdomain.domain.com`)
        - traefik.http.routers.container.entrypoints=https
        - traefik.http.services.container.loadbalancer.server.port=8441
        - traefik.http.services.container.loadbalancer.server.scheme=https
    networks:
      - traefik_public

networks:
  traefik_public:
    external: true

Enable Traefik access log in JSON format (doc) and share the output from a request.

{
    "ClientAddr": "10.0.2.6:52642",
    "ClientHost": "10.0.2.6",
    "ClientPort": "52642",
    "ClientUsername": "-",
    "DownstreamContentSize": 21,
    "DownstreamStatus": 500,
    "Duration": 5379779,
    "OriginContentSize": 21,
    "OriginDuration": 5184618,
    "OriginStatus": 500,
    "Overhead": 195161,
    "RequestAddr": "subdomain.domain.com",
    "RequestContentSize": 0,
    "RequestCount": 1,
    "RequestHost": "subdomain.domain.com",
    "RequestMethod": "GET",
    "RequestPath": "/",
    "RequestPort": "-",
    "RequestProtocol": "HTTP/2.0",
    "RequestScheme": "https",
    "RetryAttempts": 0,
    "RouterName": "subdommain@swarm",
    "ServiceAddr": "10.0.1.237:8441",
    "ServiceName": "subdommain@swarm",
    "ServiceURL": "https://10.0.1.237:8441",
    "StartLocal": "2025-08-13T12:12:15.547659554Z",
    "StartUTC": "2025-08-13T12:12:15.547659554Z",
    "TLSCipher": "TLS_AES_128_GCM_SHA256",
    "TLSVersion": "1.3",
    "entryPointName": "https",
    "level": "info",
    "msg": "",
    "time": "2025-08-13T12:12:15Z"
}

ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.237 because it doesn't contain any IP SANs"

The global traefik.yml

serversTransports:
  insecureSkipVerify: true

entryPoints:
  https:
    address: :443
    http:
      middlewares:
        - gzip
      tls:
        certResolver: le

  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  ssh:
    address: :22
certificatesResolvers:
  le:
    acme:
      email: joe@bloggs.com
      storage: /certificates/acme.json
      tlsChallenge: {}
providers:
  swarm:
    defaultRule: Host(`{{ index .Labels "com.docker.stack.namespace" }}.domain.com`)
    exposedByDefault: false
    network: traefik_public
api:
  dashboard: true
accessLog:
  format: "json"
metrics:
  prometheus: {}