Problem using SSL backend with self-signed certificates

I want to use a backend (server) on version 2.0 that uses a self-signed certificate. How can I configure this with labels or the CLI? The option --serverstransport.insecureskipverify=true does not seem to work... When I call the service over Traefik with the port provided for SSL on the backend, I only see: Internal server error. What am I doing wrong?


I'm having the same issue. I've attempted to add docker.tls.insecureSkipVerify=true but then that just makes all of my containers return a 404.

Figured it out. You need serverTransports.insecureSkipVerify = true


Nope... the flag alone doesn't skip the problem... As I mentioned above, I only get Internal server error.

Could you provide more information: docker-compose file, Traefik files, command line, ...

   some-container:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.code.rule=host(`somehost`)"
       - "traefik.http.routers.code.entrypoints=web"
       - "traefik.http.routers.code.middlewares=redirect"
       - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
       - "traefik.http.middlewares.redirect.redirectscheme.permanent=true"
       # SSL section
       - "traefik.http.routers.code2.rule=Host(`somehost`)"
       - "traefik.http.routers.code2.entrypoints=web-secure"
       - "traefik.http.routers.code2.tls=true"
       - "traefik.http.services.openhab.loadBalancer.server.port=8443"
       - "traefik.http.services.openhab.loadbalancer.passhostheader=true"
       # Basic auth section
       - "traefik.http.routers.code2.middlewares=auth"
       - "traefik.http.middlewares.auth.basicauth.users=user:somepass"

   traefik:
     hostname: traefik
     container_name: traefik
     image: traefik:latest
     restart: always
     command:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entryPoints.web.address=:80"
       - "--entryPoints.web-secure.address=:443"
       - "--global.sendAnonymousUsage=false"
       - "--serverstransport.insecureskipverify=true"
     ports:
       - "80:80"
       - "443:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /home/etc/traefik

Everything works when I use a non-SSL backend... As soon as I attach a backend with self-signed SSL certificates, it shows Internal server error...


I agree with @bd8392.
I have basically the same problem trying to add a reverse proxy with Traefik for my Unifi Controller.

There is no way to remove the http->https redirection on Unifi, and it generates a default custom certificate.
In order to add a reverse proxy, I need to set my Traefik service scheme as https and ignore the certificate, which at this point is not possible afaik.

If you have any ideas...

@zaggash, as was mentioned before, the answer is:

Here is an example. In order to demonstrate a service with a self-signed cert, we need an image that exposes one. I could not think of a better example than the Traefik dashboard itself, but any other image with a self-signed cert would do. In the example below we have two Traefik instances: one is the main instance and the other is just an example of a service with a self-signed cert.

docker-compose.yaml:

version: "3"
services:
  # This is the second traefik instance, which we use as an example
  #   of a site that serves a self-signed certificate.
  # In theory any site that serves a self-signed certificate would do.
  dashboard:
    image: traefik:v2.0.1
    # This is so we can validate externally (in browser or with curl
    #   & openssl) that the site is up and that the cert is self-signed.
    # This is not required for the example to run.
    ports:
      - "8443:443"
    command:
      # listen on 443
      - --entryPoints.websecure.address=:443
      # serve dashboard
      - --api
      # load dynamic config from a file
      - --providers.file.filename=/dashboard.toml
      # note, the docker provider is not enabled for this one, since the purpose
      #    of this container is not to be traefik but just a random web site with
      #    a self-signed cert
    volumes:
      - "./dashboard.toml:/dashboard.toml"
    # These labels are read by the _main_ traefik instance, not this one
    labels:
      # expose this via the main traefik instance
      - "traefik.enable=true"
      # all requests should match
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/`)"
      # web is the only entry point the main traefik instance defines
      - "traefik.http.routers.dashboard.entrypoints=web"
      # We need to let traefik know the port and URL scheme;
      # we are doing that via the service
      - "traefik.http.routers.dashboard.service=dashboard"
      # This is the port traefik will forward requests to
      - "traefik.http.services.dashboard.loadbalancer.server.port=443"
      # And this is so it knows that the requests will be TLS
      - "traefik.http.services.dashboard.loadbalancer.server.scheme=https"
  # And this is the main traefik instance
  traefik:
    image: traefik:v2.0.1
    ports:
      # Let's keep it simple, no TLS
      - "80:80"
    command:
      - --entryPoints.web.address=:80
      # this is so that traefik does not try to expose itself
      - --providers.docker.exposedByDefault=false
      - --log.level=DEBUG
      # if you omit this you will get the "Internal Server Error" due to
      # the self-signed certificate
      - --serverstransport.insecureskipverify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

and dashboard.toml:

[http.routers.dashboard]
entryPoints = ["websecure"]
service = "api@internal"
rule = "PathPrefix(`/`)"
[http.routers.dashboard.tls]

Without - --serverstransport.insecureskipverify=true you will get Internal Server Error on the page and

level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.48.3 because it doesn't contain any IP SANs"

in the debug log.

With - --serverstransport.insecureskipverify=true it works.

At https://host:8443 you can see the internal website with the self-signed cert, and at http://host it's exposed via Traefik.

If you add the self-signed certificate as a CA, e.g.

  - --serverstransport.rootcas=/ca.pem

you can avoid insecureskipverify; you just need to make the file accessible to Traefik, for example

volumes:
  - /d/p/trajano.net/devops-ca-R2.crt:/ca.pem

Here's the relevant chunk from Trajano base Docker swarm stacks

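Both fixes in this thread (insecureskipverify versus rootcas) come down to how Go's x509 verification, which Traefik's HTTP client uses, treats the backend certificate. The following is an added example, not code from the post or from Traefik: it builds self-signed certificates with and without an IP SAN for the 192.168.48.3 address seen in the log line and runs the same checks a Go client performs, showing that the "doesn't contain any IP SANs" error is raised before trust is even considered, so a certificate listed via rootcas still needs a SAN matching the address Traefik dials. The function names selfSigned and verifyAsTraefik are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate for the
// backend; ips lists the IP SANs (nil reproduces the cert from the thread).
func selfSigned(ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "backend"}, // CN alone is ignored by Go
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAsTraefik mimics a Go HTTP client with a fixed root pool: the backend
// cert must match the dialled host (IP or DNS name) and chain to a trusted root.
// trustIt=true is the equivalent of --serverstransport.rootcas=/ca.pem pointing
// at the backend's own self-signed certificate; insecureskipverify skips all of this.
func verifyAsTraefik(cert *x509.Certificate, host string, trustIt bool) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()}
	if trustIt {
		opts.Roots.AddCert(cert)
	}
	_, err := cert.Verify(opts) // hostname is checked before chain building
	return err
}
```

Reading the verification order the other way round: a log line complaining about SANs means the certificate needs reissuing with the right SAN, and only then does adding it to rootcas make the 500 go away.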

Figured it out! The insecureskipverify works when using this label at the container you want to expose:

  - "traefik.http.services.dashboard.loadbalancer.server.scheme=https"

So you have to use insecureskipverify=true AND the label. Thanks for your help!

Thanks, I'm gonna try this next time =)

I was just checking why you had scheme, but I didn't recall doing it on my final stack. It turns out I was using TCP routing; I think that also does TLS certificate checks when I did the TLS section: https://docs.traefik.io/v2.0/routing/routers/#tls_1

Thanks a lot, I was actually confused between the "redirectscheme.scheme=https" from my middleware catch-all and the "loadbalancer.server.scheme=https"

It tricked my mind :slight_smile:

Getting the same issue, only in Kubernetes. Any ideas?

Thanks

Same answer, only in Kubernetes, I guess? :rofl: