I have a few services for my home lab running on a different machine from the one running traefik. I want to use https with self-signed certificates in order to encrypt the connection, but I have only been able to find the option to add a whole CA as trusted, or to just not check them at all. Is there a way to specify directly a certificate that should be trusted (for that specific service, if possible)?
You can create a `serversTransports` in a dynamic config file, load it in Traefik static config via `providers.file`, and assign it to the Traefik service (in file or labels).

```yaml
## Dynamic configuration
http:
  serversTransports:
    mytransport:
      certificates:
        - certFile: foo.crt
          keyFile: bar.crt
```

You can also globally add TLS certs to be trusted in Traefik static config (doc).

Or you use `insecureSkipVerify`, either globally (doc) or for specific services via `serversTransport` (doc).
I was convinced that that only applied when using mutual TLS. I do have a doubt: I'm guessing that for `certFile` it would be the public certificate of the server in question, but what would be the `keyFile` in this case?
`certificates` is the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.

`rootCAs` defines the set of root certificate authorities (as file paths, or data bytes) to use when verifying server certificates.

Shouldn't `rootCAs` work with custom TLS certs?
I'm struggling to implement this. So far this is what's working; uncommenting the `serversTransports` part makes it just output "Internal Server Error":

openwebui.yml

```yaml
http:
  routers:
    openwebui:
      rule: Host(`openwebui.domain.com`)
      entryPoints: 'websecure'
      tls:
        options: 'modern@file'
        certResolver: letsencrypt
        domains:
          - main: 'domain.com'
            sans:
              - '*.domain.com'
      middlewares:
        - authelia@file
      service: openwebui
  #serversTransports:
  #  self-signed:
  #    certificates:
  #      - certFile: /run/secrets/trusted_cert
  services:
    openwebui:
      loadBalancer:
        #serversTransport: self-signed
        servers:
          - url: "https://192.168.100.4:443"
```
traefik.yml

```yaml
api:
  dashboard: true # Optional can be disabled
  debug: false # Optional can be Enabled if needed for troubleshooting
entryPoints:
  websecure:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      tls:
        certResolver: letsencrypt
      redirections:
        entryPoint:
          scheme: https
serversTransport:
  insecureSkipVerify: true
providers:
  #docker:
  #  endpoint: "unix:///var/run/docker.sock"
  #  exposedByDefault: false
  file:
    directory: /dynamic
certificatesResolvers:
  letsencrypt:
    acme:
      storage: /certs/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
log:
  filePath: /logs/traefik.log
  level: INFO
accessLog:
  filePath: /logs/access.log
```
This is the only possibly relevant error:

```
ERR Unable to create redirection: the entry point or the port is missing entryPointName=websecure providerName=internal
```
I have now also tried setting the certificate as a rootCA in the transport, but no luck, still 500 errors. I'm guessing I would have to properly set it up with a CA and a separate certificate for the service in order for that to work, if possible I would prefer to avoid that since it would add another layer of complexity.
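The distinction drawn in the reply above is the whole point: `certificates` in a `serversTransport` is the client certificate Traefik presents for mTLS, while `rootCAs` is the set of trust anchors Traefik verifies the backend against. A self-signed certificate is its own trust anchor, and Go's X.509 verifier (which is what Traefik's `serversTransport` uses) accepts a server certificate that is itself present in the root pool, so listing the backend's own certificate file under `rootCAs` is enough. What still has to hold is hostname matching: the host in the server URL, here `192.168.100.4`, must appear in the certificate's SANs as an IP SAN, or the transport's `serverName` must be set to a DNS name the certificate does carry. The Go program below is an added example, not code from the thread or from Traefik; it generates a constructed self-signed certificate in memory (the name `openwebui.lan` is assumed), puts it in a root pool the way `rootCAs` would, and runs the same verification a Go TLS client performs, including the failure modes of a missing IP SAN and of no `rootCAs` at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned generates an in-memory self-signed server certificate with the
// given IP and DNS SANs. It is a constructed stand-in for the certificate the
// backend service presents, so the example runs offline.
func newSelfSigned(ipSANs, dnsSANs []string) (*x509.Certificate, error) {
	var ips []net.IP
	for _, s := range ipSANs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		ips = append(ips, ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "openwebui"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
		DNSNames:     dnsSANs,
	}
	// The template doubles as the parent: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert performs the check a Go TLS client (Traefik's
// serversTransport is one) runs on a backend's leaf certificate: chain it to
// a trusted root and match the dialled host against the certificate's SANs.
// roots plays the role of the rootCAs list; no roots means no rootCAs.
func verifyServerCert(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host, // an IP literal is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// classify maps a verification error onto the outcomes that matter here.
func classify(err error) string {
	var he x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &he):
		return "hostname mismatch"
	case errors.As(err, &ua):
		return "unknown authority"
	default:
		return "error: " + err.Error()
	}
}

func main() {
	// 192.168.100.4 is the backend URL host from the thread; openwebui.lan is a constructed name.
	withIP, err := newSelfSigned([]string{"192.168.100.4"}, []string{"openwebui.lan"})
	if err != nil {
		panic(err)
	}
	noIP, err := newSelfSigned(nil, []string{"openwebui.lan"})
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed cert as its own root, dialled by an IP in its SANs:", classify(verifyServerCert(withIP, "192.168.100.4", withIP)))
	fmt.Println("same cert, dialled by a name not in its SANs:                  ", classify(verifyServerCert(withIP, "other.lan", withIP)))
	fmt.Println("cert with a DNS SAN only, dialled by IP:                       ", classify(verifyServerCert(noIP, "192.168.100.4", noIP)))
	fmt.Println("cert with a DNS SAN only, serverName set to that name:         ", classify(verifyServerCert(noIP, "openwebui.lan", noIP)))
	fmt.Println("no rootCAs at all:                                             ", classify(verifyServerCert(withIP, "192.168.100.4")))
}
```

Read against the thread's config, this means the `serversTransports` entry would carry the backend's certificate file under `rootCAs` rather than `certificates`, and the certificate served at `https://192.168.100.4:443` needs an IP SAN for that address (or the transport needs `serverName` set to a DNS SAN it does have). The third and fifth cases are the two ways a transport that verifies the backend ends up failing every request even though the certificate itself is fine.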