Proxy.go:100 > 500 Internal Server Error error="tls: failed to verify certificate: x509: certificate is valid for 0.0.0.0, not 172.28.0.10"

hello world :wink:

I'm using Traefik 3.0.0 and trying to proxy connections to my SSL-enabled backend, and I'm seeing the following message in the Traefik debug log:

traefik | 2024-05-03T02:42:08Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:100 > 500 Internal Server Error error="tls: failed to verify certificate: x509: certificate is valid for 0.0.0.0, not 172.28.0.10"

172.28.0.10 is the IP address of my container that's running a webserver with SSL.

# docker exec -it traefik sh
/ # apk add -q curl 
/ # curl -kI https://172.28.0.10:9443/timeout.html
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 17218
Content-Type: text/html; charset=utf-8
Last-Modified: Sun, 21 Apr 2024 23:50:59 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Fri, 03 May 2024 02:50:27 GMT

/ # 

How does one allow insecure server connections when using SSL, similar to curl -k?

please advise)
thank you in advance!

If Traefik should forward/proxy requests to a target service with an untrusted cert, then you can use insecureSkipVerify, which you can set globally in static config (doc) or create a transport with it and assign to a service in dynamic config (doc).

I don't want that setting to be global; I would, however, like this kind of behavior for a specific backend. I've tried it, but I guess I did it wrong(

# grep -- '- traefik\.' docker-compose.override.yaml | grep -v ^#
      - traefik.enable=true
      - traefik.http.middlewares.portainer_ipallowlist.ipallowlist.sourcerange=10.0.0.0/8
      - traefik.http.middlewares.portainer_stripprefix.stripprefix.prefixes=/portainer
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.middlewares=portainer_stripprefix@docker
      - traefik.http.routers.portainer.rule=Host(`XYZ`) && PathRegexp(`/(portainer|timeout.html).*`)
      - traefik.http.routers.portainer.service=portainer
      - traefik.http.routers.portainer.tls.certresolver=myresolver
      - traefik.http.services.portainer.loadbalancer.server.port=9443
      - traefik.http.services.portainer.loadbalancer.server.scheme=https
      - traefik.http.serversTransports.portainer.insecureSkipVerify=true
#

Can you provide an example, please?
thanks in advance!

You can assign a serversTransport in labels (reference):

  - "traefik.http.services.service02.loadbalancer.serverstransport=mytransport"

It needs to be declared in a dynamic config file (doc), loaded with providers.file in static config:

## Dynamic configuration
http:
  serversTransports:
    mytransport:
      insecureSkipVerify: true

I've added the following label:

root@parmesan:/opt/cnt/backend# grep mytransport docker-compose.override.yaml
      - "traefik.http.services.backend.loadbalancer.serverstransport=mytransport"
root@parmesan:/opt/cnt/backend#

and

root@parmesan:/opt/traefik# grep providers docker-compose.override.yaml
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
root@parmesan:/opt/traefik# cat traefik/dynamic/traefik_routing_services.yml
# https://doc.traefik.io/traefik/routing/services/#insecureskipverify

http:
  serversTransports:
    mytransport:
      insecureSkipVerify: true
root@parmesan:/opt/traefik#

Now I'm seeing the error:

servers transport not found mytransport@docker

please advise.

Try adding @file to the end of the line

works!

root@parmesan:/opt/cnt/backend# grep traefik.http.services.backend.loadbalancer.serverstransport docker-compose.override.yaml
      - "traefik.http.services.backend.loadbalancer.serverstransport=mytransport@file"
root@parmesan:/opt/cnt/backend#

thank you so much!
