How to make Traefik include the full CA chain?

Hello,

I use Traefik v1.7.20.
Testing my domain with openssl, I get:
verify error:num=20:unable to get local issuer certificate

I have a PEM file, that includes everything:

  • private key
  • server cert
  • intermediate cert
  • trusted CA cert

Which looks like this:

-----BEGIN PRIVATE KEY-----
<base64 encoded private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<base64 encoded server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded trusted CA certificate>
-----END CERTIFICATE-----

On the other hand, Traefik accepts 2 files for TLS:

  1. key file
  2. cert file

I believe the cert file is expected to include the full CA chain (i.e. the last 3 parts from the above example).
However, based on this SO post, I understand that DER encoded files cannot be used as containers for multiple certificates, which, per my understanding, allows only 1 certificate in the cert file.

How am I supposed to work this out then?

2 Likes

Hello, I have the exact same issue, were you able to solve it, or find a workaround? Thank you!

Yes. Use the PEM file as is for both the key and cert configurations.

The libs used by Traefik know how to work with it.

2 Likes
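An added example (not part of the original thread, and not Traefik's own code) illustrating the reply above, assuming the pair is loaded with Go's standard `tls.X509KeyPair`: the same combined PEM is passed as both the cert and the key input. The certificates, names and the helpers `issue`, `combinedPEM` and `chainLen` are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// combinedPEM builds the layout from the question: private key, server, intermediate, root.
func combinedPEM() []byte {
	root, rk, rootPEM := issue("constructed root", 1, true, nil, nil)
	mid, mk, midPEM := issue("constructed intermediate", 2, true, root, rk)
	_, lk, leafPEM := issue("server.example", 3, false, mid, mk)
	kd, _ := x509.MarshalPKCS8PrivateKey(lk)
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kd})
	return append(append(append(out, leafPEM...), midPEM...), rootPEM...)
}

// chainLen passes the same bytes as cert and key; the result is how many certificates a TLS server would send.
func chainLen(bundle []byte) (int, error) {
	pair, err := tls.X509KeyPair(bundle, bundle)
	return len(pair.Certificate), err
}

func main() {
	fmt.Println(chainLen(combinedPEM()))
}
```

`X509KeyPair` skips non-matching PEM blocks in each input, treats the first CERTIFICATE block as the leaf and does not validate the rest of the chain, so the server certificate has to come before the intermediate, as in the question's layout.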

Thanks, it works indeed! The documentation is misleading then.

I'm using traefik on kubernetes infrastructure as Ingress controller. I have bought official CA cert from GlobalSign Root CA - R3, which is signed by required to set the whole chain , which should then be presented to the user.
