Hi all,
I am trying to configure Traefik to use my own issued wildcard certificate for its own dashboard. The CA is also an internal solution and works well in other situations like VPN, web servers, ...
Here's my configuration:
docker-compose.yml

version: '3.8'
services:
  traefik:
    image: traefik:v3.1
    ports:
      - "80:80"   # HTTP
      - "443:443" # HTTPS
    read_only: true
    security_opt:
      - no-new-privileges=true
    deploy:
      replicas: 1 # Traefik is started on two manager nodes
      placement:
        constraints:
          - "node.role == manager" # Runs only on manager nodes
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-config-nfs:/etc/traefik:ro
      - traefik-logs-nfs:/var/log/traefik
    environment:
      - TZ=Europe/London
      - CF_DNS_API_TOKEN=${CFAPI}
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=websecure
      - traefik.http.routers.traefik-https.rule=Host(`traefik.server.own.tld`)
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls=true
    networks:
      - traefik-public
traefik.yml

api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 10.1.0.0/16
        - 10.10.0.0/16
        - 10.20.0.0/16
        - 10.30.0.0/16
  websecure:
    address: ":443"
    http:
      tls:
        domains:
          - main: "*.server.own.tld"
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 10.1.0.0/16
        - 10.10.0.0/16
        - 10.20.0.0/16
        - 10.30.0.0/16
providers:
  swarm:
    exposedByDefault: false
    endpoint: "unix:///var/run/docker.sock"
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.server.own.tld`)"
    network: traefik-public
  file:
    directory: "/etc/traefik/configs"
    watch: true
serversTransport:
  insecureSkipVerify: false
log:
  level: INFO
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
  fields:
    headers:
      names:
        User-Agent: keep
tls.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /etc/traefik/certs/server.own.tld.pem
      keyFile: /etc/traefik/certs/server.own.tld.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/server.own.tld.pem
        keyFile: /etc/traefik/certs/server.own.tld.key
If I check the certificate with openssl x509 -in server.own.tld.pem -text, I get:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4145 (0x1031)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = xx, ST = XXX, L = XXX, O = xXX, CN = XXX Intermediate CA
        Validity
            Not Before: Dec 16 19:19:00 2024 GMT
            Not After : Dec 15 19:19:00 2029 GMT
        Subject: C = xx, ST = XXX, L = XXX, O = XXX, CN = *.server.own.tld
In the traefik.log, I found:
2024-12-16T22:05:09Z INF Starting provider *docker.SwarmProvider
2024-12-16T22:05:09Z ERR Unable to append certificate -----BEGIN CERTIFICATE-----
MIIGLjCCBBagAwIBAgICEDEwDQYJKoZIhvcNAQELBQAwbzELMAkGA1UEBhMCQ0gx
HjAcBgNVBAgMFUFwcGVuemVsbCBJbm5lcnJob2RlczESMBAGA1UEBwwJQXBwZW56
...
A9/rSb0fOAW1pi1sQiCbbUV7qWRgM2qXA3WNnQk3ZnDlf5Xrf1eI6ubst5mvQyPJ
egjXg0IEKjzg8zYmzb5yYfuxz3kSdQZIrHhPwZf/lKgXcrG3QfXpLMVw3yz3mNpy
tTU1OmOWKS7jnwOGzbw8ThKn0YosPflItz1m1NOCGPLgC9ghRfE4sPi1MN9n4Vlt
Cgg=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFuDCCA6CgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCQ0gx
HjAcBgNVBAgMFUFwcGVuemVsbCBJbm5lcnJob2RlczESMBAGA1UEBwwJQXBwZW56
...
izzVhGEen2hHF4GqbJHrTN8ARE7iuIvoqFOFpA==
-----END CERTIFICATE-----
to store error="unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
2024-12-16T22:05:09Z ERR Error while creating certificate store error="failed to load X509 key pair: tls: failed to find any PEM data in certificate input" tlsStoreName=default
Actually, the PEM file contains the server certificate, the intermediate certificate and the root certificate. I also tried to reduce the PEM by deleting the root cert, but I still get the error.
The files are readable in the traefik-container.
What am I doing wrong?
Thank you for your help.
Regards
Thomas
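The "tls: failed to find any PEM data in certificate input" text in the log above comes from Go's tls.X509KeyPair, which first walks the certificate bytes with encoding/pem and gives up with that message when the walk yields no block at all. The Go checker below is an added example (not Traefik's code and not from the post) that inspects a bundle the same way and names the byte-level conditions, such as a UTF-8 BOM or other stray bytes ahead of the first BEGIN line, under which a file that prints correctly still looks empty to the decoder. SampleBundle only builds placeholder blocks for the demonstration; feed InspectPEM the bytes of the real server.own.tld.pem to check a deployed file.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
)
// PEMReport: PEM block types found in a certificate input and why tls.X509KeyPair may reject it.
type PEMReport struct {
	Types    []string
	Problems []string
}
// InspectPEM walks the input the way tls.X509KeyPair does. pem.Decode accepts
// "-----BEGIN " only at byte 0 or right after '\n', so a UTF-8 BOM or any other
// stray byte on that line hides a block that looks perfect when printed.
func InspectPEM(data []byte) PEMReport {
	var r PEMReport
	if len(data) == 0 {
		r.Problems = append(r.Problems, "input is empty: wrong path, unreadable file or empty mount")
		return r
	}
	if bytes.HasPrefix(data, []byte{0xEF, 0xBB, 0xBF}) {
		r.Problems = append(r.Problems, "UTF-8 BOM before the first -----BEGIN line")
	}
	if i := bytes.Index(data, []byte("-----BEGIN ")); i > 0 && data[i-1] != '\n' {
		r.Problems = append(r.Problems, fmt.Sprintf("%d stray byte(s) before the first -----BEGIN on its line", i))
	}
	hasCert := false
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		r.Types = append(r.Types, blk.Type)
		hasCert = hasCert || blk.Type == "CERTIFICATE"
	}
	if len(r.Types) == 0 {
		r.Problems = append(r.Problems, "no PEM block decodable: the 'failed to find any PEM data in certificate input' case")
	} else if !hasCert {
		r.Problems = append(r.Problems, fmt.Sprintf("blocks found but none of type CERTIFICATE: %v", r.Types))
	}
	return r
}

// SampleBundle builds a constructed two-block chain with placeholder bytes (not
// real certificates); prefix simulates damage ahead of the first BEGIN line.
func SampleBundle(prefix string) []byte {
	b := bytes.NewBufferString(prefix)
	for _, der := range []string{"leaf", "intermediate"} {
		pem.Encode(b, &pem.Block{Type: "CERTIFICATE", Bytes: []byte(der)})
	}
	return b.Bytes()
}
```

With a BOM in front, the decoder skips the first certificate and only finds the second one, because that one is preceded by a newline; a bundle that was saved with a BOM by an editor therefore loses its leaf certificate silently.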