I have an internal TLS CA (smallstep-ca) which I use for my internal services. So for my local authelia instance (https://authelia.home.arpa) I have a CA which my local clients trust, which issues certificates using ACME. It works great if I test it manually.
But I can't make it work properly with Traefik 2.10. I must be missing something very obvious!
My internal CA is trusted at the container host level, so I've just exposed that to traefik as a podman volume: `-v /etc/ssl/certs:/etc/ssl/certs:ro`, and then I've also exposed my `root_ca.crt` into the container as `/etc/traefik/root_ca.crt`.
If I then run wget from my traefik container to a local service using that CA, no certificate warnings or error messages are shown. I take that as a sign that my TLS trust chain is set up properly.
I then try to do something like below, copied from my config:
```yaml
---
http:
  serversTransports:
    stepca:
      # insecureSkipVerify: true
      rootCAs:
        - /etc/traefik/root_ca.crt
      # rootCAs: |
      #   -----BEGIN CERTIFICATE-----
  services:
    authelia:
      loadBalancer:
        serversTransport: stepca
        servers:
          - url: https://authelia.home.arpa
  routers:
    authelia:
      rule: Host(`authelia.example.com`)
      service: authelia
```
But if I then try to curl to https://authelia.example.com (which I expose through traefik) a blank page is returned. If I revert to not using TLS it works without issues.
I've tried multiple services in addition to Authelia, same issue.
Some other interesting things with serversTransport are:
- if I set insecureSkipVerify to true it still doesn't work with TLS!
- if I inline my root_ca directly into serversTransport it doesn't work either
I've checked and double checked permissions on my `root_ca.crt` file, and it's fine. I can read it from my container. I've triple checked my firewall, and it works from within my Traefik container when using wget.
What am I missing?
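For reference, here is the serversTransport block in the shape Traefik 2.x expects, added as an illustration and not taken from the post above: `rootCAs` is a list, and each entry is either a file path or the PEM text itself, so an inline certificate has to be a list item rather than a block scalar placed directly on the `rootCAs` key. The PEM body is a placeholder, and `serverName` is shown only as an option (commented out) for the case where the backend certificate's SAN does not match the host in the URL.

```yaml
http:
  serversTransports:
    stepca:
      rootCAs:
        # file path form (the path used in the post)
        - /etc/traefik/root_ca.crt
        # inline form: the PEM is its own list item, not a value on the key
        - |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER: paste the contents of root_ca.crt here
          -----END CERTIFICATE-----
      # only needed if the backend cert's SAN differs from the URL host
      # serverName: authelia.home.arpa
  services:
    authelia:
      loadBalancer:
        serversTransport: stepca
        servers:
          - url: https://authelia.home.arpa
  routers:
    authelia:
      rule: Host(`authelia.example.com`)
      service: authelia
```

A dynamic configuration the file provider cannot parse is reported in Traefik's own log, so running with `--log.level=DEBUG` and reading the provider output is the quickest check that the serversTransport was actually loaded.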