insecureSkipVerify - tls failed to parse certificate from server x509

Traefik Traefik v3 (latest)
1

Hi,

Unfortunately, I am getting the following error in the debug logs:

10.111.3.42 - - [09/Dec/2025:09:27:49 +0000] “GET /<project> HTTP/2.0” 500 21 “-” “-” 12 “websecure-<project>@docker” “https://10.89.0.2:4990” 4ms
2025-12-09T10:28:32+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:176 > Service selected by WRR: https://10.89.0.2:4990
2025-12-09T10:28:32+01:00 DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:121 > 500 Internal Server Error error="tls: failed to parse certificate from server: x509: negative serial number"

Using curl (-k), the call works:

* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=daeirnd08813
*  start date: Oct  2 02:00:23 2024 GMT
*  expire date: Oct  2 02:00:23 2027 GMT
*  issuer: CN=daeirnd08813
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.

The container uses a self-signed certificate, over which I have no control.
I have already tried various approaches:

As a label

traefik.http.services.<project>.loadbalancer.serversTransport=forceInsecureTransport@file

As config.yaml

# disable tls verify
http:
  serversTransports:
    forceInsecureTransport:
      insecureSkipVerify: true

As a global setting in static and dynamic configuration

Static configuration:

serversTransport:
  insecureSkipVerify: true

And also as a command

--serversTransport.insecureSkipVerify=true
--providers.docker.tls.insecureskipverify=true

Unfortunately, the error message persists.
Do you have any other ideas?

Best regards,
Lars

2

It looks like Traefik makes a difference if it trusts the target cert or if the target cert has invalid data, according to its parsing.