Intermediate certificate configuration

I'm pretty new to certificates, so hopefully someone can guide me. From my company, I made a certificate signing request. I received two certificates: my certificate signed by my company and an intermediate certificate. I placed both certificates and the key in the directory defined in my static configuration and tried several dynamic configurations (one attempt is as follows):

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/mydomain.com.cer
        certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key
  certificates:
    - certFile: /etc/traefik/certs/mydomain.com.cer
      certFile: /etc/traefik/certs/PBACA-G2.cer
      keyFile: /etc/traefik/certs/mydomain.key
      stores:
        - default

However, the response from any reverse-proxy service returns the insecure message from the browser. This message in the log suggests that the file is not set correctly.
time="2022-09-29T15:53:01-04:00" level=debug msg="No default certificate, generating one" tlsStoreName=default

Can someone provide an example dynamic configuration file that is appropriate for intermediate certificates? Any help is greatly appreciated.

1 Like

Like most similar data structures (Python dictionaries, JavaScript objects, etc.), a YAML map (a set of key: value pairs) can't have duplicate keys. When you write:

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/mydomain.com.cer
        certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key

This is a logic error: the second certFile overrides the earlier one, so this is exactly as if you had written:

tls:
  stores:
    default:
      defaultCertificate:
      - certFile: /etc/traefik/certs/PBACA-G2.cer
        keyFile: /etc/traefik/certs/mydomain.key

Typically, when you have both your server certificate and an intermediate certificate that must be presented at the same time, you concatenate them in a single file, with the server certificate at the top and any intermediate certificates following.

I haven't specifically tested this with Traefik.

1 Like

Concatenating worked perfectly. Thank you. For reference, for anyone else finding this post: the certificates go from top to bottom, domain->intermediate->intermediate...->root.

1 Like
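
The concatenation described in the replies above, as an added example that is not part of the original thread or Traefik's own code: a shell helper that writes the bundle leaf first and refuses inputs that cannot be concatenated safely (no PEM block, as with a binary DER `.cer`, or a file that also carries a private key). The bundle file name in the usage comment is an assumption.

```bash
# Added example: build the single PEM bundle that certFile should point at.

# Print the number of PEM certificate blocks in a file.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUT LEAF [INTERMEDIATE...]
# Writes LEAF first, then each intermediate, in the order given.
build_chain() {
  out=$1; shift
  tmp=$(mktemp) || return 1
  for f in "$@"; do
    # A .cer file may be binary DER; only PEM text can be concatenated.
    if [ ! -r "$f" ] || [ "$(count_certs "$f")" -eq 0 ]; then
      echo "error: $f is unreadable or has no PEM certificate block" >&2
      rm -f "$tmp"; return 1
    fi
    # The private key belongs in keyFile, never in the served chain.
    if grep -q -e 'PRIVATE KEY-----' "$f"; then
      echo "error: $f contains a private key" >&2
      rm -f "$tmp"; return 1
    fi
    # Strip CRs and blank lines; awk also terminates an unterminated last
    # line, so END/BEGIN markers of adjacent files never share a line.
    tr -d '\r' < "$f" | awk 'NF' >> "$tmp"
  done
  mv "$tmp" "$out"
}

# Usage with the file names from the thread (bundle name is an assumption):
#   build_chain /etc/traefik/certs/mydomain.com.fullchain.pem \
#     /etc/traefik/certs/mydomain.com.cer /etc/traefik/certs/PBACA-G2.cer
# Then each certificate entry references one certFile only:
#   - certFile: /etc/traefik/certs/mydomain.com.fullchain.pem
#     keyFile: /etc/traefik/certs/mydomain.key
```

If the "No default certificate, generating one" debug message still appears after switching to the bundle, `count_certs` on the bundle is a quick check that both blocks actually made it into the file.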
