How to make Traefik include the full CA chain?

Hello,

I use Traefik v1.7.20.
Testing my domain with openssl, I get:
verify error:num=20:unable to get local issuer certificate

I have a PEM file, that includes everything:

  • private key
  • server cert
  • intermediate cert
  • trusted CA cert

Which looks like this:

-----BEGIN PRIVATE KEY-----
<base64 encoded private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<base64 encoded server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded trusted CA certificate>
-----END CERTIFICATE-----

On the other hand, Traefik accepts 2 files for TLS:

  1. key file
  2. cert file

I believe that it is expected the cert file to include the full CA chain (i.e. the last 3 parts from above example).
However, based on this SO post, I understand that DER encoded files cannot be used as containers for multiple certificates, which per my understanding -- allows only 1 certificate in the cert file.

How am I supposed to work this our then?

Hello, I have the exact same issue, were you able to solve it, or find a workaround? Thank you!

Yes. Use the PEM file as is both for the key/cert configurations.

The libs used by Traefik know how to work with it.

Thanks, it works indeed! The documentation is misleading then.

I'm using traefik on kubernetes infrastructure as Ingress controller. I have bought official CA cert from GlobalSign Root CA - R3, which is signed by required to set the whole chain , which should then be presented to the user.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.