Intermediate certificate configuration

I'm pretty new to certificates, so hopefully someone can guide me. From my company, I made a certificate signing request. I received two certificates: my certificate signed by my company and an intermediate certificate. I placed both certificates and key in the directory defined in my static configuration and tried several dynamic configurations (one attempt is as follows):

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/mydomain.com.cer
        certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key
  certificates:
    - certFile: /etc/traefik/certs/mydomain.com.cer
      certFile: /etc/traefik/certs/PBACA-G2.cer
      keyFile: /etc/traefik/certs/mydomain.key
      stores:
        - default

However, the response from any reverse-proxy services return the insecure message from the browser. This message in the log suggests that the file is not set correctly.
time="2022-09-29T15:53:01-04:00" level=debug msg="No default certificate, generating one" tlsStoreName=default

Can someone provide an example dynamic configuration file that is appropriate for intermediate certificates? Any help is greatly appreciated.

Like most similar data structures (Python dictionaries, Javascript objects, etc), a YAML map (a set of key: value pairs) can't have duplicate keys. When you write:

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/mydomain.com.cer
        certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key

This is a logic error: the second certFile overrides the earlier one, so this is exactly as if you had written:

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key

Typically, when you have both your server certificate and an intermediate certificate that must be presented at the same time, you concatenate them in a single file, with the server certificate at the top and any intermediate certificates following.

I haven't specifically tested this with Traefik.

Concatenating worked perfectly. Thank you. For reference on anyone else getting this post the certificates go from top-to-bottom domain->intermediate->intermediate...->root.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.