I want to use a backend (server) on version 2.0 that uses a self-signed certificate. How can I configure this with labels or the CLI? The option --serverstransport.insecureskipverify=true does not seem to work... when I call the service over Traefik with the port provided for SSL on the backend I only see: Internal server error. What am I doing wrong?
I'm having the same issue. I've attempted to add
docker.tls.insecureSkipVerify=true but then that just makes all of my containers return a 404.
Figured it out. You need serverTransports.insecureSkipVerify = true
Nope... the flag alone doesn't skip the problem... as I mentioned above, I only get internal server error.
Could you provide more information: docker-compose file, traefik files, command line, ...
```yaml
# the container being exposed through traefik
some-container:
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.code.rule=host(`somehost`)"
    - "traefik.http.routers.code.entrypoints=web"
    - "traefik.http.routers.code.middlewares=redirect"
    - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
    - "traefik.http.middlewares.redirect.redirectscheme.permanent=true"
    # SSL-Section
    - "traefik.http.routers.code2.rule=Host(`somehost`)"
    - "traefik.http.routers.code2.entrypoints=web-secure"
    - "traefik.http.routers.code2.tls=true"
    - "traefik.http.services.openhab.loadBalancer.server.port=8443"
    - "traefik.http.services.openhab.loadbalancer.passhostheader=true"
    # Basic-Auth-Section
    - "traefik.http.routers.code2.middlewares=auth"
    - "traefik.http.middlewares.auth.basicauth.users=user:somepass"

# the traefik instance itself
traefik:
  hostname: traefik
  container_name: traefik
  image: traefik:latest
  restart: always
  command:
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entryPoints.web.address=:80"
    - "--entryPoints.web-secure.address=:443"
    - "--global.sendAnonymousUsage=false"
    - "--serverstransport.insecureskipverify=true"
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /home/etc/traefik
```
Everything works when I use a non-SSL backend... as soon as I attach a backend with self-signed SSL certificates, it shows internal server error...
I agree with @bd8392
I have basically the same problem trying to add a reverse proxy with traefik for my Unifi Controller.
There is no way to remove the http->https redirection on Unifi and it generates a default custom certificate.
In order to add a reverse, I need to set my traefik service scheme as https and ignore the certificate, which at this point is not possible afaik.
If you have any ideas...
@zaggash, as was mentioned before, the answer is:
Here is an example. In order to demonstrate a service with a self-signed cert, we need an image that exposes one. I could not think of a better example than the traefik dashboard itself, but any other image with a self-signed cert would do. In the example below we have two traefik instances: one is the main instance and the other is just an example of a service with a self-signed cert.
```yaml
version: "3"
services:
  # This is second traefik instance, that we use as an example
  # of site that serves a self-signed certificate
  # In theory any site that serves a self-signed certificate would do
  dashboard:
    image: traefik:v2.0.1
    # This is so we can validate externally (in browser or with curl
    # & openssl) that the site is up and that the cert is self-signed
    # This is not required for example to run
    ports:
      - "8443:443"
    command:
      # listen on 443
      - --entryPoints.websecure.address=:443
      # serve dashboard
      - --api
      # load dynamic config from a file
      - --providers.file.filename=/dashboard.toml
      # note, docker provider is not enabled for this one, since the purpose
      # of this container is not to be traefik but just a random web site with
      # a self signed cert
    volumes:
      - "./dashboard.toml:/dashboard.toml"
    # These labels are read by the _main_ traefik instance, not this one
    labels:
      # expose this via main traefik instance
      - "traefik.enable=true"
      # all requests should match
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/`)"
      # web is the only entry point main traefik instance defines
      - "traefik.http.routers.dashboard.entrypoints=web"
      # We need to let traefik know port and url scheme
      # we are doing that via service
      - "traefik.http.routers.dashboard.service=dashboard"
      # This is the port traefik will forward requests to
      - "traefik.http.services.dashboard.loadbalancer.server.port=443"
      # And this is so it knows that the requests will be TLS
      - "traefik.http.services.dashboard.loadbalancer.server.scheme=https"

  # And this is the main traefik instance
  traefik:
    image: traefik:v2.0.1
    ports:
      # Let's keep it simple, no TLS
      - "80:80"
    command:
      - --entryPoints.web.address=:80
      # this is so that traefik does not try to expose itself
      - --providers.docker.exposedByDefault=false
      - --log.level=DEBUG
      # if you omit this you will get the "Internal Server Error" due to
      # the self-signed certificate
      - --serverstransport.insecureskipverify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```
dashboard.toml:

```toml
[http.routers.dashboard]
  entryPoints = ["websecure"]
  service = "api@internal"
  rule = "PathPrefix(`/`)"
  [http.routers.dashboard.tls]
```
Without `- --serverstransport.insecureskipverify=true` you will get Internal Server Error on the page and

```
level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.48.3 because it doesn't contain any IP SANs"
```

in the debug log. With `- --serverstransport.insecureskipverify=true` it works.
At https://host:8443 you can see the internal website with the self-signed cert, and at http://host it's exposed via traefik.
If you add the self-signed certificate as a CA e.g.
you can avoid the insecureskipverify; you just need to make the file accessible by traefik, example:

```yaml
volumes:
  - /d/p/trajano.net/devops-ca-R2.crt:/ca.pem
```
Here's the relevant chunk from Trajano base Docker swarm stacks
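As an added example (not code from this thread, from Traefik, or from the Trajano stacks): the main Traefik instance from the two-instance compose file earlier in the thread, rewritten to trust a CA file with `serversTransport.rootCAs` instead of disabling verification. The `backend` service, its image, the hostname and the `./devops-ca.crt` path are placeholders; the CA file is assumed to be the one that issued the backend's certificate, mounted at `/ca.pem` as in the volume line above.

```yaml
version: "3"
services:
  # Upstream that serves HTTPS with a certificate issued by our own CA.
  # Placeholder image and name: replace with the real service.
  backend:
    image: my-backend-image:placeholder
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.backend.rule=Host(`backend.example.internal`)"
      - "traefik.http.routers.backend.entrypoints=web"
      - "traefik.http.routers.backend.service=backend"
      # Traefik must know the upstream speaks TLS, otherwise it sends plain HTTP
      # to port 443 and the upstream answers with garbage or a 400.
      - "traefik.http.services.backend.loadbalancer.server.port=443"
      - "traefik.http.services.backend.loadbalancer.server.scheme=https"

  traefik:
    image: traefik:v2.0.1
    ports:
      - "80:80"
    command:
      - --entryPoints.web.address=:80
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --log.level=DEBUG
      # Weak setting used earlier in the thread: accept ANY upstream certificate,
      # so a spoofed upstream on the Docker network would not be noticed.
      # - --serversTransport.insecureSkipVerify=true
      # Hardened setting: full x509 verification, but against our own CA file
      # in addition to the system roots.
      - --serversTransport.rootCAs=/ca.pem
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # PEM-encoded CA (or the self-signed leaf itself); host path is an assumption.
      - ./devops-ca.crt:/ca.pem:ro
```

With `rootCAs`, Traefik still performs normal certificate verification, so the upstream certificate must chain to `/ca.pem` and must carry a SAN that matches the address Traefik dials. With the Docker provider that address is the container IP, which is exactly what the `doesn't contain any IP SANs` debug line quoted above is complaining about: a certificate with only a DNS SAN, or Traefik's own default certificate used in the dashboard example, will still be rejected. Either issue the upstream certificate with an IP SAN for its container address, or point the service at a hostname the certificate covers; only fall back to `insecureSkipVerify` when neither is possible.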
Figured it out! The insecureskipverify works when using this label at the container you want to expose:
so you have to use insecureskipverify=true AND the label. Thanks for your help!
Thanks, I'm gonna try this next time =)
I was just checking why you had `scheme` but I didn't recall doing it on my final stack. It turns out I was using TCP routing; I think that also does TLS certificate checks as well when I did the TLS section https://docs.traefik.io/v2.0/routing/routers/#tls_1
Thanks a lot, I was actually confused between the "redirectscheme.scheme=https" from my middleware catch-all and the "loadbalancer.server.scheme=https"
It tricked my mind
Getting the same issue, only in Kubernetes. Any ideas?
Same answer, only in Kubernetes, I guess?