I have been trying to set the insecureSkipVerify
option, however no matter what I do it seems to be ignored.
I am using traefik 3.5.0 and get the below error in the router:
error building proxy for server URL ``https://<IP>:``<PORT>: getting RoundTripper: servers transport not found skipverify-https@swarm
I have added this label:
traefik.http.services.myapp.loadbalancer.serversTransport=skipverify-https
And this is my traefik.yml
:
entryPoints:
https:
address: :443
http:
middlewares:
- gzip
tls:
certResolver: le
http:
address: :80
http:
redirections:
entryPoint:
to: https
scheme: https
permanent: true
ssh:
address: :22
certificatesResolvers:
le:
acme:
email: admin@sw.dockerswarm.rocks
storage: /certificates/acme.json
tlsChallenge: {}
providers:
swarm:
defaultRule: Host(`{{ index .Labels "com.docker.stack.namespace" }}.domain.com`)
exposedByDefault: false
network: traefik_public
api:
dashboard: true
accessLog: {}
metrics:
prometheus: {}
serversTransports:
skipverify-https:
insecureSkipVerify: true
I am new to traefik so any help solving this issue would be greatly appreciated!
Either use it globally in static config (doc):
## Static configuration
serversTransport:
insecureSkipVerify: true
Or create a named serversTransport in dynamic config and assign it to the service (doc):
## Dynamic configuration
http:
serversTransports:
mytransport:
insecureSkipVerify: true
## Dynamic configuration
http:
services:
Service01:
loadBalancer:
serversTransport: mytransport
1 Like
Thanks for the reply, but neither of these seem to work.
I have added the below to my traefik.yml file
serversTransport:
insecureSkipVerify: true
And I still get the below error:
ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.220 because it doesn't contain any IP SANs"
I don’t understand what you mean by dynamic configuration, I am using labels to do the dynamic bits.
Please do remember I am new to Traefik…
It seems to work for me:
services:
traefik:
image: traefik:v3.5
ports:
- 80:80
- 443:443
networks:
- proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ~/certificates:/certificates
command:
- --api.dashboard=true
- --log.level=DEBUG
- --accesslog.format=json
- --providers.docker.network=proxy
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entryPoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.asDefault=true
- --entrypoints.websecure.http.tls.certresolver=myresolver
- --certificatesresolvers.myresolver.acme.tlschallenge=true
- --certificatesresolvers.myresolver.acme.storage=/certificates/acme.json
- --serversTransport.insecureSkipVerify=true
labels:
- traefik.enable=true
- traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
- traefik.http.routers.mydashboard.service=api@internal
- traefik.http.routers.mydashboard.middlewares=myauth
- traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
whoami:
image: traefik/whoami:v1.11.0
hostname: whoami
ports:
- 8443:443
networks:
- proxy
volumes:
- ./certs:/certs
command: ["-verbose", "-port=443", "-cert=/certs/example.crt", "-key=/certs/example.key"]
labels:
- traefik.enable=true
- traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`) || PathPrefix(`/whoami`)
- traefik.http.services.mywhoami.loadbalancer.server.port=443
- traefik.http.services.mywhoami.loadbalancer.server.scheme=https
networks:
proxy:
name: proxy
attachable: true
Using a custom created TLS cert only with country (doc):
$ mkdir ./certs
$ openssl req -newkey rsa:4096 \
-x509 \
-sha256 \
-days 3650 \
-nodes \
-out ./certs/example.crt \
-keyout ./certs/example.key
Note that I added
.loadbalancer.server.scheme=https
to the target service labels.
And opened port 8443 to directly test the target service.
I have added the command:
command:
- --serversTransport.insecureSkipVerify=true
But I still get an internal server error when loading the container with the same error logged
ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.237 because it doesn't contain any IP SANs"
This is the full yaml file
version: '3.8'
services:
traefik:
image: traefik:latest
ports:
- target: 22
published: 22
mode: host
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
networks:
- public
- cftunnel-transport
volumes:
- /etc/traefik:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock:ro
- certificates:/certificates
command:
- --serversTransport.insecureSkipVerify=true
deploy:
placement:
constraints:
- node.labels.traefik-public.certificates == true
labels:
- traefik.enable=true
- traefik.http.middlewares.gzip.compress=true
- traefik.http.routers.traefik-public-api.entrypoints=https
- traefik.http.routers.traefik-public-api.service=api@internal
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
networks:
public:
cftunnel-transport:
volumes:
certificates:
You can’t add a single command. Either use traefik.yml
or command:
, decide for one (doc).
I provided my traefik.yml file, based on your example with the command in it.
It’s no use keep linking me to the docs, which are woefully unclear on how to use them, I have tried at least 10 different variations of getting this to work.
Based on the yml example I provided, what exactly do I need to put in it and where?
Thanks
This needs to go into traefik.yml
:
## Static configuration
serversTransport:
insecureSkipVerify: true
Maybe you start providing all the info, like the full dynamic config of your target service, not just a single label.
1 Like
No problems, you can find the dynamic config yml below:
#version: '3.8'
services:
umbraco:
image: ghcr.io/location/image:latest
volumes:
- /mnt/storage-pool/persist/wwwroot/media:/app/wwwroot/media
- /mnt/storage-pool/persist/umbraco/Logs:/app/umbraco/Logs
environment:
ASPNETCORE_ENVIRONMENT: Production
ASPNETCORE_HTTP_PORTS: 8441
deploy:
labels:
- traefik.enable=true
- traefik.http.routers.container.rule=Host(`subdomain.domain.com`)
- traefik.http.routers.container.entrypoints=https
- traefik.http.services.container.loadbalancer.server.port=8441
- traefik.http.services.container.loadbalancer.server.scheme=https
networks:
- traefik_public
networks:
traefik_public:
external: true
Enable Traefik access log in JSON format (doc) and share the output from a request.
{
"ClientAddr": "10.0.2.6:52642",
"ClientHost": "10.0.2.6",
"ClientPort": "52642",
"ClientUsername": "-",
"DownstreamContentSize": 21,
"DownstreamStatus": 500,
"Duration": 5379779,
"OriginContentSize": 21,
"OriginDuration": 5184618,
"OriginStatus": 500,
"Overhead": 195161,
"RequestAddr": "subdomain.domain.com",
"RequestContentSize": 0,
"RequestCount": 1,
"RequestHost": "subdomain.domain.com",
"RequestMethod": "GET",
"RequestPath": "/",
"RequestPort": "-",
"RequestProtocol": "HTTP/2.0",
"RequestScheme": "https",
"RetryAttempts": 0,
"RouterName": "subdommain@swarm",
"ServiceAddr": "10.0.1.237:8441",
"ServiceName": "subdommain@swarm",
"ServiceURL": "https://10.0.1.237:8441",
"StartLocal": "2025-08-13T12:12:15.547659554Z",
"StartUTC": "2025-08-13T12:12:15.547659554Z",
"TLSCipher": "TLS_AES_128_GCM_SHA256",
"TLSVersion": "1.3",
"entryPointName": "https",
"level": "info",
"msg": "",
"time": "2025-08-13T12:12:15Z"
}
ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 10.0.1.237 because it doesn't contain any IP SANs"
The global traefik.yml
serversTransports:
insecureSkipVerify: true
entryPoints:
https:
address: :443
http:
middlewares:
- gzip
tls:
certResolver: le
http:
address: :80
http:
redirections:
entryPoint:
to: https
scheme: https
permanent: true
ssh:
address: :22
certificatesResolvers:
le:
acme:
email: joe@bloggs.com
storage: /certificates/acme.json
tlsChallenge: {}
providers:
swarm:
defaultRule: Host(`{{ index .Labels "com.docker.stack.namespace" }}.domain.com`)
exposedByDefault: false
network: traefik_public
api:
dashboard: true
accessLog:
format: "json"
metrics:
prometheus: {}