How to make Traefik trust my company CA (for letsencrypt cert generation)

I am trying to generate a normal letsencrypt certificate with Traefik for one of my backends. Traefik is unable to do that because our company firewall is between Traefik and letsencrypt servers. The firewall changes the certificates used in all https connections to use our own company generated certificate. This is quite common in some companies, the purpose is so the firewall can inspect even https traffic for malicious content.

Because Traefik does not trust our cert, it returns an error during the cert generation process: cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory' ... certificate signed by unknown authority. Basically Traefik does not want to open the simple https website, because it appears like the site is using our untrusted company certificate. The cert generation process therefore fails.

Exactly the same thing happens when I simply use wget https://acme-staging-v02.api.letsencrypt.org/directory inside the container.

The RootCAs and InsecureSkipVerify settings do not work, I believe that those are used in communication with the backends, not from Traefik to the internet.

Traefik docker compose:

version: "3.6"

services:

  traefik:
    image: "traefik:2.3.6"
    container_name: traefik
    hostname: traefik
    domainname: mydomain.com
    networks:
      - myNetwork

    labels:
      - traefik.http.routers.api.rule=Host(`traefik.mydomain.com`) #probably

    ports:
    - "80:80"
    - "443:443"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/config.toml:/etc/traefik/traefik.toml
      - $PWD/acme.json:/acme.json

networks:
  myNetwork:
    name: myNetwork
    ipam:
      config:
        - subnet: 192.168.4.1/24

my config.toml

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.myresolver.acme]
  email = "me@mydomain.com"
  storage = "acme.json"

  # use letsencrypt staging during testing
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

[providers.docker]

So the question is, how to "install" my company CA certificate into traefik, so that it won't complain during the letsencrypt cert generation process? This topic is incredibly hard to google, since people usually want something else but they use the same words.

Not sure if this will work but I would try adding the CA to the container.

If your host's CA store is configured with the CA, then bind-mounting /etc/ssl into the traefik container should be enough.

Otherwise create your own ca-certificates.crt with the CA included and mount it to /etc/ssl/certs/ca-certificates.crt

The idea is great but sadly it didn't work. I appended the contents of my CA cert to ca-certificates.crt and checked it looked ok, but even after restarting the container there are no changes.

It looks like this file is not read again after the container is built... On normal Linux servers there are ways to refresh the cert state, such as update-ca-certificates... Is there anything like that in traefik?

EDIT: actually there is a change. wget still fails, but the letsencrypt error message changed. I'm investigating now.

EDIT2: It works now! For some reason the HTTP challenge still doesn't work (something about timeout when getting the http challenge), but TLS challenge works. I am not sure if I broke something during testing for HTTP but I am happy with the TLS challenge.
Oh and I'm not sure if it's relevant but I copied the ca-certificates.crt file to the container in the Dockerfile, just to make sure to get it inside the container as early as possible.

I am so relieved. Thank you for your help.


@MorgusLethe

Thank you for the update, glad to hear it worked out. Go uses ca-certificates.crt, so any method of getting that file updated to contain the CA should work; I've used multiple.

I was just concerned traefik might not use the system CAs.
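The two replies above rest on one fact: Traefik is a Go program, and Go's TLS client validates the server certificate against whatever root bundle crypto/x509 loaded at process start, which on the Alpine-based image is /etc/ssl/certs/ca-certificates.crt. The Go program below is an added example, not code from this thread or from Traefik, that reproduces the failure and the fix offline: it generates a throwaway "company CA" (the CA name is an assumption), issues a certificate for acme-staging-v02.api.letsencrypt.org under that CA the way an inspecting firewall would, and then runs the same chain check the ACME client runs, once against a bundle without the CA and once with the CA appended.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// acmeHost is the ACME directory host from the error in the question.
const acmeHost = "acme-staging-v02.api.letsencrypt.org"

// NewCompanyPKI is a constructed stand-in for the inspecting firewall. It returns a
// private CA (PEM, what you append to ca-certificates.crt) and a leaf for acmeHost
// signed by that CA (DER, what the firewall presents to Traefik).
func NewCompanyPKI() (caPEM, leafDER []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Inspection CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: acmeHost},
		DNSNames:     []string{acmeHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER, nil
}

// VerifyACMELeaf performs the check Traefik's Go TLS client performs when it opens the
// ACME directory: chain the presented leaf for acmeHost to a root found in the PEM
// bundle. An empty bundle models a ca-certificates.crt that lacks the company CA.
func VerifyACMELeaf(leafDER, bundlePEM []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // skips non-PEM text such as comment lines
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName:   acmeHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure quoted in the question.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	caPEM, leafDER, err := NewCompanyPKI()
	if err != nil {
		log.Fatal(err)
	}
	// 1. Stock bundle without the company CA: the failure from the question.
	err = VerifyACMELeaf(leafDER, nil)
	fmt.Printf("without company CA: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
	// 2. The CA appended to the bundle, as suggested for ca-certificates.crt. The
	// comment line stands in for the distribution's existing roots.
	bundle := append([]byte("# existing system roots go here\n"), caPEM...)
	fmt.Printf("with company CA appended: %v\n", VerifyACMELeaf(leafDER, bundle))
}
```

Two practical notes follow from this. First, the question's reading of rootCAs and insecureSkipVerify is correct: in Traefik v2 those belong to the servers transport toward backends and never touch the outbound ACME connection, so only the process-wide root bundle matters there. Second, crypto/x509 on Linux also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables when it loads system roots, so instead of rebuilding the image you can bind-mount the amended bundle read-only at any path and set SSL_CERT_FILE to it; either way the container must be recreated, because the bundle is read once at startup. Traefik's ACME client is the lego library, which in recent versions also reads a LEGO_CA_CERTIFICATES variable listing extra CA PEM files; check the lego documentation for the version bundled with your Traefik release before relying on it. A quick check from inside the running container is the wget the question already uses, which shares the same bundle when the firewall re-signs the connection.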
