How to configure self-signed certificates?

Hi,

I would like to use self-signed certificates in my own network. Reason: my provider does not support the DNS challenge, and it will therefore not be possible to get certificates from e.g. Let's Encrypt for my internal hosts.
(PS: I have the DNS challenge successfully working on my local systems/in my own network, but that is with a temporary domain from a provider supporting the DNS challenge.)

I used the following guides:

I configured the following in my dynamic traefik.yml file:

tls:
  certificates:
    - certfile: /etc/pki/certs/pihole01.blue.domain.tld.crt
      keyfile: /etc/pki/keys/pihole01.blue.domain.tld.pem
    - certfile: /etc/pki/certs/portainer01.blue.domain.tld.crt
      keyfile: /etc/pki/keys/portainer01.blue.domain.tld.pem

The files are available in the container:

# find  /etc/pki -type f | sed 's/yyy.xxx/domain.tld/'
/etc/pki/certs/pihole01.blue.domain.tld.crt
/etc/pki/certs/portainer01.blue.domain.tld.crt
/etc/pki/keys/portainer01.blue.domain.tld.pem
/etc/pki/keys/pihole01.blue.domain.tld.pem

As well as the certificate resolver:

certificatesResolvers:
  cloudflare:
    acme:
      email: a@example.com
      storage: acme.json
      ....
      dnsChallenge:
        provider: cloudflare
        ....

  local:
    acme:
      tlschallenge: true
      email: a@example.com
      storage: local.json

I shortened the Cloudflare configuration; please don't look at that.

Furthermore, I configured a label in the Pi-hole Docker Compose file to point to the certificate resolver:

      traefik.http.routers.pihole-secure.tls: "true"
      traefik.http.routers.pihole-secure.tls.certresolver: "local"

Is this sufficient to get self-signed certificates to work?

As I still get the former certificate from Let's Encrypt when I navigate to my Pi-hole FQDN, it looks like it is not working. From the logging I can't derive exactly which certificate Traefik is using.

I did not remove the LE certificate from the acme.json file. Is Traefik maybe using that certificate from the cache?

Thanks.

Local custom TLS is not a certResolver.

Load your dynamic TLS config via providers.file in static config. Enable .tls=true in router labels.

Traefik will automatically use the custom TLS cert with the matching hostname (SNI) of the incoming request.
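The layout described in this reply, written out as an added example (my own files, not the poster's or bluepuma77's). The dynamic directory path, the default certificate, the Compose service and its image are assumptions; the entrypoint names and the certificate paths follow what the thread shows. Static and dynamic configuration live in separate files, marked by the comments below.

```yaml
# --- /etc/traefik/traefik.yml (STATIC configuration, assumed path) ---
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
  # The file provider is what loads the dynamic tls: section below.
  # A tls: block placed in this static file is silently ignored.
  file:
    directory: /etc/traefik/dynamic   # assumed directory, mounted into the container
    watch: true

# No certificatesResolvers entry is needed for local certificates:
# a resolver only drives ACME issuance (e.g. Let's Encrypt).
---
# --- /etc/traefik/dynamic/tls.yml (DYNAMIC configuration, loaded by providers.file) ---
tls:
  certificates:
    - certFile: /etc/pki/certs/pihole01.blue.domain.tld.crt
      keyFile: /etc/pki/keys/pihole01.blue.domain.tld.pem
    - certFile: /etc/pki/certs/portainer01.blue.domain.tld.crt
      keyFile: /etc/pki/keys/portainer01.blue.domain.tld.pem
  stores:
    default:
      # Served when no loaded certificate matches the SNI name of the request,
      # instead of Traefik's built-in "TRAEFIK DEFAULT CERT" (assumed file names).
      defaultCertificate:
        certFile: /etc/pki/certs/default.blue.domain.tld.crt
        keyFile: /etc/pki/keys/default.blue.domain.tld.pem
---
# --- docker-compose.yml service labels (assumed service and image) ---
# The router only needs tls: true; there is NO tls.certresolver label,
# otherwise Traefik would try to obtain an ACME certificate instead.
services:
  pihole:
    image: pihole/pihole
    labels:
      traefik.enable: "true"
      traefik.http.routers.pihole-secure.entrypoints: "https"
      traefik.http.routers.pihole-secure.rule: "Host(`pihole01.blue.domain.tld`)"
      traefik.http.routers.pihole-secure.tls: "true"
```

Two checks worth doing before blaming Traefik: the Host() value must appear in the certificate's subject alternative names (that is what the SNI match is made against), and any certificate for the same name that is still present in an ACME storage file can be served instead, which is what happened later in this thread with a leftover wildcard. A self-signed certificate is served by Traefik without complaint; whether clients trust it depends only on the certificate (or the private CA that signed it) being installed in their trust store.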

@bluepuma77 thanks a lot for your support. It is helpful and appreciated.

With help of your directions, I made modifications, and it is now working for me.

Ah, of course. I removed this part.

Hmm, I checked the files again, and the tls: config was in the wrong config file.

I see this happening now :)

Traefik label setup:

      traefik.http.routers.whoami01-blue.entrypoints: "http"
      traefik.http.routers.whoami01-blue.rule: "Host(`whoami01.blue.domain.tld`)"
      traefik.http.routers.whoami01-blue.middlewares: "redirect-http-to-https-once@file"

      traefik.http.routers.whoami01-blue-secure.entrypoints: "https"
      traefik.http.routers.whoami01-blue-secure.rule: "Host(`whoami01.blue.domain.tld`)"
      traefik.http.routers.whoami01-blue-secure.tls: "true"

There was a wildcard certificate for my domain in the acme.json file. I had to remove this one to make it work. That's OK.

Thanks for the feedback, that made it work!
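The thread never shows how the self-signed certificates were produced, so here is an added example (my own script, not from any poster) that issues one certificate per internal host and verifies that the host name is in the certificate's SAN list, which is the name Traefik compares against the SNI of the request. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and an illustrative ./pki/certs and ./pki/keys layout.

```shell
#!/bin/sh
# Added example (not code from the thread): self-signed certificate per host,
# with the hostname in subjectAltName so Traefik can match it to the SNI name.
# Assumes OpenSSL 1.1.1+. Output paths are illustrative.

# make_selfsigned HOST CERTDIR KEYDIR [DAYS]
# Writes CERTDIR/HOST.crt and KEYDIR/HOST.pem (private key), SAN = DNS:HOST.
make_selfsigned() {
  host="$1"
  certdir="$2"
  keydir="$3"
  days="${4:-825}"
  mkdir -p "$certdir" "$keydir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$keydir/$host.pem" -out "$certdir/$host.crt" \
    -days "$days" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  # The key is mounted into the Traefik container; keep it readable by its owner only.
  chmod 600 "$keydir/$host.pem"
}

# cert_sans FILE
# Prints the DNS names from the SAN extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_host FILE HOST
# Exit status 0 if HOST is one of the SAN DNS names, non-zero otherwise.
# This is the same question Traefik answers when picking a certificate for a request.
cert_matches_host() {
  cert_sans "$1" | grep -qxF -- "$2"
}

# Stand-alone use:
#   sh selfsigned.sh pihole01.blue.domain.tld portainer01.blue.domain.tld
if [ "$#" -gt 0 ]; then
  for h in "$@"; do
    make_selfsigned "$h" ./pki/certs ./pki/keys
    if cert_matches_host "./pki/certs/$h.crt" "$h"; then
      echo "ok: $h is in the SAN of ./pki/certs/$h.crt"
    else
      echo "FAIL: $h missing from SAN of ./pki/certs/$h.crt" >&2
      exit 1
    fi
  done
fi
```

Point the certFile/keyFile entries of the dynamic tls: configuration at the generated .crt and .pem files. A certificate made with -subj only (no -addext) has no SAN and will not be selected for that host name.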