How to provide self generated certs instead of the default ones?

Traefik Traefik v2
,
1

Hello, please forgive me, I know this is a newbie question. Also, I have looked into the documentation, and searched the older posts here but really! I couldn't figure out what is wrong with my setup.
So, I have my own ACME generated cert and key files. I have generated them through ZeroSSL's acme integration. I am trying to make traefik use those instead of the default certificates. Here is my traefik.yml;

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

tls:
  stores:
    default
      defaultCertificate:
        certFile: "/etc/ssl/certs/mydomain.cert"
        keyFile: "/etc/ssl/private/mydomain.key"

api:
  dashboard: true
  insecure: true

Here is how I run traefik in docker;

docker run --name traefik --detach --restart unless-stopped \
  --publish 80:80 --publish 443:443 --publish 8080:8080  \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --env-file .kamal/env/traefik/traefik.env --log-opt max-size="10m" \
  --label traefik.http.routers.catchall.entryPoints="http" \
  --label traefik.http.routers.catchall.rule="PathPrefix(`/`)" \
  --label traefik.http.routers.catchall.service="unavailable" \
  --label traefik.http.routers.catchall.priority="1" \
  --label traefik.http.services.unavailable.loadbalancer.server.port="0" \
  --volume "/etc/ssl/certs/mydomain.cert:/etc/ssl/certs/mydomain.cert" \
  --volume "/etc/ssl/private/mydomain.key:/etc/ssl/private/mydomain.key" \
  --volume "/root/access.log:/access.log" --volume "/root/traefik.yml:/traefik.yml" \
  traefik:v2.10 --providers.docker --log.level="DEBUG" --configFile="/traefik.yml" \
  --accesslog --accesslog.format="json" --accesslog.filePath="/access.log"

Now, when I run curl on mydomain in verbose mode, I still see;

* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Aug 26 10:10:47 2024 GMT
*  expire date: Aug 26 10:10:47 2025 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

So, traefik is still using its own default cert. The start and expire dates of the certificate I provided, doesn't match either. Please help me. What am I doing wrong?

I deploy traefik using Kamal which uses traefik 2.10v, I guess.

2

You can’t provide static config via traefik.yml and command, decide for one.

TLS is dynamic config, create a dynamic config file and load it in static config via providers.file. Set tls true on router to use loaded certs.

3

That helped me! Thank you. I removed the docker labels and configured everything to the traefik.yml and providers.yml. Now, I need to find a way to do that with kamal :slight_smile: