I am trying to generate a normal letsencrypt certificate with Traefik for one of my backends. Traefik is unable to do that because our company firewall is between Traefik and letsencrypt servers. The firewall changes the certificates used in all https connections to use our own company generated certificate. This is quite common in some companies, the purpose is so the firewall can inspect even https traffic for malicious content.
Because Traefik does not trust our cert, it returns an error during the cert generation process:

```
cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory' .... certificate signed by unknown authority
```

Basically Traefik does not want to open the simple https website, because it appears like the site is using our untrusted company certificate. The cert generation process therefore fails.
Exactly the same thing happens when I simply run `wget https://acme-staging-v02.api.letsencrypt.org/directory` inside the container.
`InsecureSkipVerify` settings do not work; I believe those are used for communication with the backends, not from Traefik to the internet.
Traefik docker compose:

```yaml
version: "3.6"
services:
  traefik:
    image: "traefik:2.3.6"
    container_name: traefik
    hostname: traefik
    domainname: mydomain.com
    networks:
      - myNetwork
    labels:
      - traefik.http.routers.api.rule=Host(`traefik.mydomain.com`) # probably
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $PWD/config.toml:/etc/traefik/traefik.toml
      - $PWD/acme.json:/acme.json
networks:
  myNetwork:
    name: myNetwork
    ipam:
      config:
        - subnet: 192.168.4.1/24
```
Traefik `config.toml`:

```toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.myresolver.acme]
  email = "firstname.lastname@example.org"
  storage = "acme.json"
  # use letsencrypt staging during testing
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

[providers.docker]
```
So the question is: how do I "install" my company CA certificate into Traefik, so that it won't complain during the letsencrypt cert generation process? This topic is incredibly hard to google, since people usually want something else but use the same words.
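The poster's setup above relies on Traefik's ACME client (a Go HTTP client) trusting the TLS chain presented by the inspecting firewall. As an added example that is not part of the post, the following compose override adds the company CA to the trust store that Go's `crypto/x509` builds on Linux. It assumes the company CA has been exported as PEM to `./company-ca.pem` (a hypothetical path), and relies on Go honouring the `SSL_CERT_DIR` environment variable: every file in that directory is parsed as PEM and added to the system roots, while the image's default bundle (`/etc/ssl/certs/ca-certificates.crt` on the Alpine-based Traefik image) is still loaded, so the public roots keep working for everything else.

```yaml
# docker-compose.override.yml (added example, not from the post).
# Assumptions: the company CA is exported as PEM at ./company-ca.pem,
# and the container's Go runtime reads SSL_CERT_DIR for extra roots.
# Only this one CA is added; TLS verification itself stays enabled,
# unlike an insecureSkipVerify-style setting.
version: "3.6"
services:
  traefik:
    environment:
      # Go's crypto/x509 loads every PEM file found in this directory
      # in addition to the default /etc/ssl/certs/ca-certificates.crt.
      - SSL_CERT_DIR=/company-ca
    volumes:
      # Read-only mount so the container cannot alter the trust anchor.
      - $PWD/company-ca.pem:/company-ca/company-ca.pem:ro
```

With both files present, `docker-compose up -d` merges the override's `environment` and `volumes` entries into the service defined in the main compose file. The check is the same as in the post: after the restart, the `certificate signed by unknown authority` error should no longer appear in the Traefik log when it contacts the ACME directory. The override deliberately grants trust only to the single inspecting CA and only inside this container; the backend-facing `InsecureSkipVerify` setting the poster mentions should stay untouched, since it governs a different connection entirely.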