Hey @aleksvujic
I think there’s a confusion:

- The fact that you want traffic between Traefik and your backends to be encrypted does not mean the certificates being used need to be signed by a trusted CA.
- If you use a self-signed certificate with `insecureSkipVerify=true`, the traffic will be encrypted at the same level.
- When to insist on using `insecureSkipVerify=false`, then? If you have a concern that someone can deploy more backends to your VNET and pose as your backend, then this concern could be mitigated by making Traefik trust the CA which signed your certificate.
- If you go with `insecureSkipVerify=false`, then you need to configure Traefik to trust the relevant CAs. Once that is done, every backend presenting a certificate not signed by these CAs will not be recognized by Traefik.

Hopefully I’ve helped.
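
The distinction drawn in the post above, as an added example (not part of the original post and not Traefik's code): Go's standard `crypto/tls` client settings `InsecureSkipVerify` and `RootCAs` stand in for Traefik's options, and two local backends with constructed self-signed certificates play the legitimate backend and an impostor. The names `backend`, `tlsVersion` and `Probe` are hypothetical, and because the certificates are self-signed, trusting the legitimate backend's own certificate plays the role of trusting the CA that signed it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// backend starts an HTTPS server with a constructed, throwaway self-signed certificate.
func backend(cn string) (*httptest.Server, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored for brevity in this demo
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, cert
}

// tlsVersion returns the TLS version the client negotiated, or 0 if it refused the backend.
func tlsVersion(srv *httptest.Server, cfg *tls.Config) uint16 {
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), cfg)
	if err != nil {
		return 0 // certificate verification failed, so no session was established
	}
	defer conn.Close()
	return conn.ConnectionState().Version
}

// Probe connects a skip-verify client and a verifying client to both backends.
func Probe() (skipLegit, skipRogue, verifyLegit, verifyRogue uint16) {
	legit, legitCert := backend("backend")
	rogue, _ := backend("impostor") // same setup, but its certificate is never trusted
	defer legit.Close()
	defer rogue.Close()
	pool := x509.NewCertPool()
	pool.AddCert(legitCert) // the only issuer the verifying client accepts
	skip, verify := &tls.Config{InsecureSkipVerify: true}, &tls.Config{RootCAs: pool}
	return tlsVersion(legit, skip), tlsVersion(rogue, skip), tlsVersion(legit, verify), tlsVersion(rogue, verify)
}

func main() { fmt.Println(Probe()) }
```

A 0 in the last position only means the verifying client alone rejected the impostor, while both clients negotiated the same TLS version with the legitimate backend.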