Internal TLS for services?

I have an internal TLS CA (smallstep-ca) which I use for my internal services. So for my local authelia instance (https://authelia.home.arpa) I have a CA which my local clients trust, which issues certificates using ACME. It works great if I test it manually.

But I can't make it work properly with Traefik 2.10. I must be missing something very obvious!

My internal CA is trusted at the container host level, so I've just exposed that to Traefik as a podman volume: -v /etc/ssl/certs:/etc/ssl/certs:ro, and I've also exposed my root_ca.crt into the container as /etc/traefik/root_ca.crt

If I then run wget from my Traefik container to a local service using that CA, no certificate warnings or error messages are shown. I take that as a sign that my TLS trust chain is set up properly.

I then try to do something like the following, copied from my config:

---
http:
  serversTransports:
    stepca:
      # insecureSkipVerify: true
      rootCAs:
        - /etc/traefik/root_ca.crt
      # rootCAs: |
      #   -----BEGIN CERTIFICATE-----

  services:
    authelia:
      loadBalancer:
        serversTransport: stepca
        servers:
          - url: https://authelia.home.arpa

  routers:
    authelia:
      rule: Host(`authelia.example.com`)
      service: authelia

But if I then try to curl to https://authelia.example.com (which I expose through traefik) a blank page is returned. If I revert to not using TLS it works without issues.

I've tried multiple services in addition to Authelia, same issue.

Some other interesting things with serversTransport are:

  • if I set insecureSkipVerify to true it still doesn't work with TLS!
  • if I inline my root_ca directly into serversTransport it doesn't work either

I've checked and double checked permissions on my root_ca.crt file, and it's fine. I can read it from my container. I've triple checked my firewall, and it works from within my Traefik container when using wget.

What am I missing? :smiley:
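The wget test in the post above is doing two things at once: validating the backend's chain against the root CA and checking that the leaf certificate matches the host name, which is also what Traefik's transport does once rootCAs points at the right file. The script below is an added example (not the poster's setup or Traefik's own code) that runs those two checks explicitly with openssl s_client and shows the failure modes side by side. It assumes the openssl CLI (1.1.1 or newer) and a free local port (14433 by default); the root, the leaf for authelia.home.arpa and the unrelated "other" root are throwaway test material generated on the fly in place of the real smallstep root_ca.crt, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: run the same two checks a verifying client
# (wget, or Traefik's transport once rootCAs is set) performs against a TLS backend:
# 1. the chain must validate against the chosen root CA, 2. the leaf must match the
# host name. A throwaway root and leaf for authelia.home.arpa are generated locally
# (constructed test data standing in for the smallstep root_ca.crt), so it runs offline.
# Assumes the openssl CLI (1.1.1 or newer) and a free local port (default 14433).

# check_backend_tls CA_FILE HOST PORT SERVERNAME
# Returns 0 when the chain validates against CA_FILE and the certificate matches
# SERVERNAME; non-zero when the handshake is aborted (unknown CA, name mismatch, ...).
check_backend_tls() {
    openssl s_client -connect "$2:$3" -servername "$4" \
        -CAfile "$1" -verify_hostname "$4" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# make_test_pki DIR: self-signed root_ca.crt, a leaf for authelia.home.arpa signed
# by it, and an unrelated other.crt to play the role of a CA that did not issue the leaf.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$1/root_ca.key" -out "$1/root_ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=authelia.home.arpa" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:authelia.home.arpa\nextendedKeyUsage=serverAuth\n' >"$1/leaf.ext"
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/root_ca.crt" -CAkey "$1/root_ca.key" \
        -CAcreateserial -extfile "$1/leaf.ext" -out "$1/leaf.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
        -keyout "$1/other.key" -out "$1/other.crt" >/dev/null 2>&1
}

# start_test_server DIR PORT: background openssl s_server presenting the leaf;
# waits until it accepts connections and leaves its PID in SERVER_PID.
start_test_server() {
    openssl s_server -accept "$2" -cert "$1/leaf.crt" -key "$1/leaf.key" -www \
        </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    # Probe without verification: "connection refused" means it is not up yet.
    until openssl s_client -connect "127.0.0.1:$2" </dev/null >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
}

# run_demo [PORT]: build the PKI, start the backend, run the three checks and report.
# Returns 0 only if trusted / unknown CA / name mismatch come out as expected.
run_demo() {
    port=${1:-14433}
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { echo "PKI generation failed"; rm -rf "$dir"; return 1; }
    start_test_server "$dir" "$port" || { echo "backend did not start"; rm -rf "$dir"; return 1; }
    status=0
    if check_backend_tls "$dir/root_ca.crt" 127.0.0.1 "$port" authelia.home.arpa; then
        echo "root_ca.crt + authelia.home.arpa : trusted (expected)"
    else
        echo "root_ca.crt + authelia.home.arpa : REJECTED (unexpected)"; status=1
    fi
    if check_backend_tls "$dir/other.crt" 127.0.0.1 "$port" authelia.home.arpa; then
        echo "other.crt   + authelia.home.arpa : trusted (unexpected)"; status=1
    else
        echo "other.crt   + authelia.home.arpa : rejected, unknown CA (expected)"
    fi
    if check_backend_tls "$dir/root_ca.crt" 127.0.0.1 "$port" wrong.home.arpa; then
        echo "root_ca.crt + wrong.home.arpa    : trusted (unexpected)"; status=1
    else
        echo "root_ca.crt + wrong.home.arpa    : rejected, hostname mismatch (expected)"
    fi
    kill "$SERVER_PID" 2>/dev/null
    rm -rf "$dir"
    return $status
}

run_demo "$@"
```

To point it at a real backend, call check_backend_tls with the mounted root (/etc/traefik/root_ca.crt), the backend's address and the name from the server URL, from inside the Traefik container. Two things worth knowing when reading the results back against Traefik: rootCAs in serversTransports is a list, so an inline PEM has to be a list item (- |- followed by the certificate) rather than a bare block scalar; and when a backend handshake fails, Traefik does not return an empty 200 but a 502 Bad Gateway, with the x509 error ("certificate signed by unknown authority", hostname mismatch, ...) in the debug log.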

Blank page, no error message or http status code?

Blank page. No errors in the systemd log either.

What does the browser console log or developer tools network tab tell you?

I've set up another service to use TLS, with the same setup as above with Authelia. Authelia might refuse to serve requests if the domain differs from its configuration, and I'm not 100% certain I'm dealing with it correctly. The 'new' service doesn't care, and its certificate is valid.

The page worked before enabling TLS, and after enabling TLS and running in incognito mode with developer tools enabled...nothing. It's a blank page, and the return code is HTTP 200.

What is Traefik debug log and access log telling you? What is authelia log telling you?

Blank page with status 200 does not sound like a Traefik issue.

It's not only for authelia, it's for any other service I try to use TLS for the backend communication.