Self-Signed Certificate in Traefik not trusted even when I add CA Cert to Browser

Traefik Traefik v2
,
1

When I generate certificate for e.g. proxmox I am able to perform the general procedure to make this Self-Signed certificate trusted.

But that is not the case with Traefik Routes
I followed these guides:

  1. Traefik Proxy 2.x and TLS 101 [Updated 2022] | Traefik Labs
  2. How to create & sign SSL/TLS certificates - DEV Community
    And everything in my setup is almost the same.

When it comes to generating the Certificate I try to generate a wildcard certificate to *.home

# 1. Generate CA's private key and self-signed certificate

openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Tech School/OU=Education/CN=*.home/emailAddress=bartmok17@gmail.com"

echo "CA's self-signed certificate"

openssl x509 -in ca-cert.pem -noout -text

echo "subjectAltName=DNS:*.home" > server-ext.cnf

# 2. Generate web server's private key and certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=FR/ST=Ile de France/L=Paris/O=PC Book/OU=Computer/CN=*.home/emailAddress=bartmok17@gmail.com"

# 3. Use CA's private key to sign web server's CSR and get back the signed certificate
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

echo "Server's signed certificate"
openssl x509 -in server-cert.pem -noout -text

traefik-stack.j2

version: '3.5'

services:
  reverse-proxy:
    image: {{traefik_app_image}}
    command:
      - "--api.dashboard=true"
      - "--providers.docker"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.web.address=:{{traefik_listen_port}}"
      - "--entrypoints.{{traefik_secure_network_name}}.address=:{{traefik_secure_listen_port}}"
      - "--providers.docker.exposedByDefault=false"
      - "--log.level=DEBUG" 
+     - "--providers.file.directory=/configuration/"
+     - "--providers.file.watch=true"
+     - "--serversTransport.insecureSkipVerify=true" # I thought It would fix the issue
    ports:
      - "{{traefik_listen_port}}:{{traefik_listen_port}}"
      - "{{traefik_admin_port}}:8080"
+     - "{{traefik_secure_listen_port}}:{{traefik_secure_listen_port}}" 
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
 +    - "/home/{{ansible_user}}/traefik/configuration/:/configuration/"
 +    - "/home/{{ansible_user}}/traefik/certs/:/certs/"
    networks:
      - {{traefik_network_name}}

    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`{{traefik_app_name}}.{{app_domain_name}}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users={{traefikpassword.stdout}}"
      # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  {{traefik_network_name}}:
    driver: overlay
    attachable: true
    name: {{traefik_network_name}}

example-app-stack.j2:

version: "3.5"


services:
  {{dsomm_app_name}}:
    image: "{{dsomm_app_image}}"
    container_name: {{dsomm_app_name}}
    ports:
      - "{{app_default_port}}"
    networks:
      - {{traefik_network_name}}
      - {{dsomm_network_name}}
    volumes:
      - {{dsomm_volume_name}}:/app
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.{{dsomm_app_name}}.rule=Host(`{{dsomm_app_name}}.{{app_domain_name}}`)"
        - "traefik.http.services.{{dsomm_app_name}}.loadbalancer.server.port={{dsomm_admin_port}}"
        - "traefik.docker.network={{traefik_network_name}}"
        - "io.portainer.accesscontrol.users=admin"
 +       - "traefik.http.routers.{{dsomm_app_name}}.tls=true"



networks:
  {{dsomm_network_name}}:
    driver: overlay 
    attachable: true
    name: {{dsomm_network_name}}
  {{traefik_network_name}}:
    external: true
    name: {{traefik_network_name}}

volumes: 
  {{dsomm_volume_name}}:
    driver: {{filesystem_driver}}

certificates.yml

tls:
  certificates:
    # first certificate
    - certFile: "/certs/server-cert.pem" 
      keyFile: "/certs/server-key.pem"

And the self-signed certificate is used

image
image541×670 30.2 KB

But adding the CA Cert doesn't make this domain Trusted :frowning:

Please help

2

I'd like to add that I also tried:

  1. Adding ca-cert.pem into the traefik container and using - "--serverstransport.rootcas=/certs/ca-cert.pem" command in Docker Compose
  2. Adding - "traefik.http.services.dashboard.loadbalancer.server.scheme=https" label to each of my service
    ^ From -> Problem using ssl Backend with selfsigned certificates - #9 by trajano

But it still doesn't work :confused:

I also give the plain docker-compose files for better readibility:

traefik.yml

version: '3.5'

services:
  reverse-proxy:
    image: traefik:v2.10
    command:
      - "--api.dashboard=true"
      - "--providers.docker"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker.exposedByDefault=false"
      - "--log.level=DEBUG"
      - "--providers.file.directory=/configuration/"
      - "--serverstransport.rootcas=/certs/ca-cert.pem"
      - "--providers.file.watch=true"
      - "--serversTransport.insecureSkipVerify=true"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "/home/swarm/traefik/configuration/:/configuration/"
      - "/home/swarm/traefik/certs/:/certs/"
    networks:
      - web

    deploy:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.home`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=<REDACTED>:<REDACTED>"
      # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      mode: global
      placement:
        constraints: [node.role == manager]

networks:
  web:
    driver: overlay
    attachable: true
    name: web

Example App:

version: "3.5"


services:
  dsomm:
    image: "wurstbrot/dsomm:latest"
    container_name: dsomm
    ports:
      - "80"
    networks:
      - web
      - dsomm
    volumes:
      - dsomm-volume:/app
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.dsomm.rule=Host(`dsomm.home`)"
        - "traefik.http.services.dsomm.loadbalancer.server.port=8080"
        - "traefik.docker.network=web"
        - "io.portainer.accesscontrol.users=admin"
        - "traefik.http.routers.dsomm.tls=true"
        - "serverstransport.insecureskipverify=true"

networks:
  dsomm:
    driver: overlay
    attachable: true
    name: dsomm
  web:
    external: true
    name: web

volumes:
  dsomm-volume:
    driver: local
3

Try mkcert.

Here is my demo:
image

generate certs

install -d certs
mkcert -key-file certs/key.pem -cert-file certs/cert.pem m.local *.m.local
mkcert -install

compose.yml 

version: Compose specification

services:
    traefik:
        image: traefik:3.0
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        environment:
            - TZ=Asia/Shanghai
        volumes:
            # /traefik.yml and /etc/traefik/traefik.yml are both available.
            - "./traefik.yml:/etc/traefik/traefik.yml"
            # dynamic-conf dir is self-defined
            - "./dynamic-conf:/etc/traefik/dynamic-conf"
            - "./certs:/certs"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        networks:
            - traefik-net

networks:
    traefik-net:
        name: traefik-net
        ipam:
            config:
                -   subnet: 172.16.238.0/24

traefik.yml 

### Static Configuration
log:
    level: INFO
api:
    dashboard: true
entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    to: websecure
                    scheme: https
                    permanent: true
    websecure:
        address: :443
providers:
    file:
        directory: /etc/traefik/dynamic-conf
        watch: true

self.yml in ./dynamic-conf/ 

### Dynamic Configuration
tls:
    certificates:
        -   certFile: /certs/cert.pem
            keyFile: /certs/key.pem
http:
    routers:
        dashboard:
            rule: Host(`traefik.m.local`)
            service: api@internal
            tls: { }
1 Like
4

Thank you for the demo!
I've tried it with my setup, but the cert is still not trusted

mkcert -key-file server-key.pem -cert-file server-cert.pem "home" "*.home"

image
image823×254 19.1 KB

mkcert --install

image
image1137×50 7.98 KB

image
image851×342 31 KB

image
image545×689 34.3 KB

image
image879×692 66.7 KB

5
  1. try a non second-level domain
  2. restart your browser
  3. maybe try it on Chrome
1 Like
6

I've already tried restarting Browser, PC,
And other browsers: Firefox, Chromium

What do you mean by that?
If it's about a simple https://home without anything occupying then it still shows not secure
image

7

image
image717×106 17.4 KB

Look this.

1 Like
8

Even when I generate certs without second level wildcards so in my case:

mkcert -key-file server-key.pem -cert-file server-cert.pem "home"

I still get the same issue

Then I tried importing the rootCA.pem to another Operating System (Windows), but doesn't work either

Thank you pplmx though for your support :slight_smile:
I might come with the solution

9

The domain name that is issued should consist of at least two segments, for example m.dev or xx.local.
Like this:

mkcert -key-file certs/key.pem -cert-file certs/cert.pem m.dev

image

10

Okay so:

  1. I didn't realized that traefik container needs to be restarted each time new cert.pem is mounted - so my testing wasn't really done (I thought docker deploy [...] did update it)
  2. pplmx was right about second level wildcards. When I issue one by one cert for each service it is trusted
    • Or maybe I just generated the wildcards in the wrong way? :confused: Idk.
11

Maybe it just that you don't restart the traefik.
I tried https://home, it works fine. :white_check_mark:

1 Like
12

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.