I have an internal TLS CA (smallstep-ca) which I use for my internal services. So for my local authelia instance (https://authelia.home.arpa) I have a CA which my local clients trust, which issues certificates using ACME. It works great if I test it manually.
But I can't make it work properly with Traefik 2.10. I must be missing something very obvious!
My internal CA is trusted on my container host level, so I've just exposed that to traefik as a podman volume: `-v /etc/ssl/certs:/etc/ssl/certs:ro`, and then I've also exposed my `root_ca.crt` into the container as
If I then run wget from my traefik container to a local service using that CA, no certificate warnings or error messages are shown. I take that as a sign that my TLS trust chain is set up properly.
I then try to do something like below, copied from my config:
```yaml
---
http:
  serversTransports:
    stepca:
      # insecureSkipVerify: true
      rootCAs:
        - /etc/traefik/root_ca.crt
      # rootCAs: |
      #   -----BEGIN CERTIFICATE-----
  services:
    authelia:
      loadBalancer:
        serversTransport: stepca
        servers:
          - url: https://authelia.home.arpa
  routers:
    authelia:
      rule: Host(`authelia.example.com`)
      service: authelia
```
But if I then try to curl to https://authelia.example.com (which I expose through traefik) a blank page is returned. If I revert to not using TLS it works without issues.
I've tried multiple services in addition to Authelia, same issue.
Some other interesting things with
- if I set insecureSkipVerify to true it still doesn't work with TLS!
- if I inline my root_ca directly into serversTransport it doesn't work either
I've checked and double-checked permissions on my `root_ca.crt` file, and it's fine. I can read it from my container. I've triple-checked my firewall, and it works from within my Traefik container when using wget.
What am I missing?
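The post's config hinges on three things Traefik needs to get right before it will verify a backend: the `serversTransport` referenced by the service must exist, `rootCAs` must be a list (of file paths or inline PEM blocks, never a single block scalar), and every path in it must resolve inside the container and hold a PEM certificate. The script below, added here as an example and not code from the original post or from Traefik, lints a dynamic config for exactly those mistakes and flags `insecureSkipVerify: true`, which turns off backend certificate verification. It works on the config already parsed into a dict (as `yaml.safe_load` would return it); the config, the fake in-container filesystem and the PEM body are all constructed for the demo and mirror the shape of the snippet above.

```python
"""Lint a Traefik v2 dynamic config for serversTransport / rootCAs mistakes.

Added example, not from the original post or from Traefik. Input is the
dynamic config parsed into a dict (e.g. with yaml.safe_load). File lookups
are injectable so the check can run on the host against what the container
would see.
"""
import base64
import os
import re
from typing import Callable, List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<b64>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def looks_like_pem(text: str) -> bool:
    """True if text holds at least one well-framed, base64-decodable CERTIFICATE block."""
    found = False
    for m in PEM_RE.finditer(text):
        raw = "".join(m.group("b64").split())
        try:
            if len(base64.b64decode(raw, validate=True)) == 0:
                return False
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        found = True
    return found


def lint_transports(
    cfg: dict,
    file_exists: Callable[[str], bool] = os.path.exists,
    read_file: Optional[Callable[[str], Optional[str]]] = None,
) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    http = cfg.get("http") or {}
    transports = http.get("serversTransports") or {}
    services = http.get("services") or {}

    for name, t in transports.items():
        t = t or {}
        if t.get("insecureSkipVerify") is True:
            findings.append(
                f"serversTransport '{name}': insecureSkipVerify=true disables backend certificate verification"
            )
        cas = t.get("rootCAs")
        if cas is None:
            continue
        if not isinstance(cas, list):
            # A block scalar ('rootCAs: |') parses as a str, not the list Traefik expects.
            findings.append(
                f"serversTransport '{name}': rootCAs must be a list of paths or PEM blocks, got {type(cas).__name__}"
            )
            continue
        for entry in cas:
            if not isinstance(entry, str):
                findings.append(f"serversTransport '{name}': rootCAs entry {entry!r} is not a string")
            elif "-----BEGIN CERTIFICATE-----" in entry:
                if not looks_like_pem(entry):
                    findings.append(f"serversTransport '{name}': inline rootCAs entry is not a valid PEM block")
            elif not file_exists(entry):
                findings.append(f"serversTransport '{name}': rootCAs path '{entry}' does not exist inside the container")
            elif read_file is not None and not looks_like_pem(read_file(entry) or ""):
                findings.append(f"serversTransport '{name}': file '{entry}' does not contain a PEM certificate")

    for sname, svc in services.items():
        lb = (svc or {}).get("loadBalancer") or {}
        ref = lb.get("serversTransport")
        if ref and ref not in transports:
            findings.append(f"service '{sname}': serversTransport '{ref}' is not defined")
    return findings


# Constructed fake certificate body and in-container filesystem (not a real certificate).
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBfakeCERTbody\n-----END CERTIFICATE-----\n"
FAKE_FS = {"/etc/traefik/root_ca.crt": FAKE_PEM}

# Constructed config mirroring the post's snippet.
GOOD_CFG = {
    "http": {
        "serversTransports": {"stepca": {"rootCAs": ["/etc/traefik/root_ca.crt"]}},
        "services": {"authelia": {"loadBalancer": {"serversTransport": "stepca",
                                                   "servers": [{"url": "https://authelia.home.arpa"}]}}},
        "routers": {"authelia": {"rule": "Host(`authelia.example.com`)", "service": "authelia"}},
    }
}

# Constructed config with the three classic mistakes.
BAD_CFG = {
    "http": {
        "serversTransports": {"stepca": {"insecureSkipVerify": True,
                                         "rootCAs": "-----BEGIN CERTIFICATE-----\n...\n"}},
        "services": {"authelia": {"loadBalancer": {"serversTransport": "stepca-typo",
                                                   "servers": [{"url": "https://authelia.home.arpa"}]}}},
    }
}


def lint_demo(cfg: dict) -> List[str]:
    """Run the linter against the fake in-container filesystem."""
    return lint_transports(cfg, file_exists=FAKE_FS.__contains__, read_file=FAKE_FS.get)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, lint_demo(cfg) or "no findings")
```

Run it against your own file with `lint_transports(yaml.safe_load(open("dynamic.yml")))` from inside the container (or pass a `file_exists` that maps host paths to container paths) so the path check sees the same filesystem Traefik does.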