Self-signed certificates not recognized

matt_jay · February 28, 2024, 10:33am

I am trying to set up Traefik with Docker and self-signed certificates as described here.

However, the certificates appear not to be recognized and Traefik is defaulting to a self-generated one:
time="2024-02-28T10:24:56Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

My docker-compose.yml:

services:
  traefik:
    image: traefik:v2.11
    restart: always
    networks:
      - traefik
    ports:
      - 443:443
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./certs:/etc/certs:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.localho.st`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.service=api@internal"

networks:
  traefik:
    external: true

My traefik.yml:

global:
  sendAnonymousUsage: false

log:
  level: DEBUG

api:
  insecure: true

providers:
  docker:
    exposedByDefault: false
    network: traefik

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

tls:
  certificates:
    - certFile: /etc/certs/traefik.localho.st+3.pem
      keyFile: /etc/certs/traefik.localho.st+3-key.pem

I generated my certificates using mkcert:
mkcert traefik.localho.st localhost 127.0.0.1 ::1

ls -al ./certs

drwxr-xr-x@ 7 me  staff   224 28 Feb 10:38 .
drwxr-xr-x@ 9 me  staff   288 28 Feb 11:24 ..
-rw-r--r--@ 1 me  staff     0 27 Feb 18:57 .gitkeep
-rw-------@ 1 me  staff  1704 27 Feb 20:29 localho.st+4-key.pem
-rw-r--r--@ 1 me  staff  1631 27 Feb 20:29 localho.st+4.pem
-rw-------@ 1 me  staff  1704 28 Feb 10:38 traefik.localho.st+3-key.pem
-rw-r--r--@ 1 me  staff  1623 28 Feb 10:38 traefik.localho.st+3.pem

Here is a full log of the service starting:

time="2024-02-28T10:24:56Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
time="2024-02-28T10:24:56Z" level=info msg="Traefik version 2.11.0 built on 2024-02-12T15:26:45Z"
time="2024-02-28T10:24:56Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"http\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2024-02-28T10:24:56Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-02-28T10:24:56Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-02-28T10:24:56Z" level=debug msg="Starting TCP Server" entryPointName=http
time="2024-02-28T10:24:56Z" level=debug msg="Starting TCP Server" entryPointName=https
time="2024-02-28T10:24:56Z" level=info msg="Starting provider *docker.Provider"
time="2024-02-28T10:24:56Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2024-02-28T10:24:56Z" level=info msg="Starting provider *traefik.Provider"
time="2024-02-28T10:24:56Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2024-02-28T10:24:56Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-02-28T10:24:56Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-02-28T10:24:56Z" level=debug msg="Starting TCP Server" entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"http-to-https\":{\"entryPoints\":[\"http\"],\"middlewares\":[\"redirect-http-to-https\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-http-to-https\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-02-28T10:24:56Z" level=debug msg="Provider connection established with docker 24.0.7 (API 1.43)" providerName=docker
time="2024-02-28T10:24:56Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik middlewareName=dashboard_stripprefix@internal routerName=dashboard@internal
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing entryPointName=traefik routerName=api@internal middlewareType=TracingForwarder
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=http routerName=http-to-https@internal
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=redirect-http-to-https@internal entryPointName=http routerName=http-to-https@internal middlewareType=RedirectScheme
time="2024-02-28T10:24:56Z" level=debug msg="Setting up redirection to https 443" entryPointName=http routerName=http-to-https@internal middlewareType=RedirectScheme middlewareName=redirect-http-to-https@internal
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" providerName=docker container=proxy-compose-b5cbef812d5f1da864bfb6e7a26a4d067b1d7862c58b6aa7ecd19edf8a142431
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" providerName=docker container=cron-compose-4f99096fa7d2a84e3d931658fa7cac6457516da68174149fca11095508e586e0
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" container=worker-compose-8cc3972fdf2a93ace3dfe66f3f7b88c6d27b503b88e1f7bef33dc6887c14536f providerName=docker
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" container=db-compose-2a8cce6867a072e4f7d37c00bba034ea3fe6afb2b3577dcc6907b493bfba25ca providerName=docker
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" providerName=docker container=autoheal-compose-719f30b81c4e151de9853332dec2a9aa0ecf4e9f547211fbf9663b9fd3d1273e
time="2024-02-28T10:24:56Z" level=debug msg="Filtering disabled container" providerName=docker container=cache-compose-6d07b34ba054d9ca609245b026aae3bee16f2133c9f7c7720140518e3c4b3487
time="2024-02-28T10:24:56Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"opweb\":{\"service\":\"opweb\",\"rule\":\"Host(`opweb.localho.st`)\",\"tls\":{}},\"traefik\":{\"service\":\"api@internal\",\"rule\":\"Host(`traefik.localho.st`)\",\"tls\":{}}},\"services\":{\"opweb\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.176.3:8080\"}],\"passHostHeader\":true}},\"traefik-traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.176.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2024-02-28T10:24:56Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [http https]" routerName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [http https]" routerName=opweb
time="2024-02-28T10:24:56Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2024-02-28T10:24:56Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_redirect@internal
time="2024-02-28T10:24:56Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex routerName=dashboard@internal entryPointName=traefik middlewareName=dashboard_redirect@internal
time="2024-02-28T10:24:56Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware noop@internal" entryPointName=http routerName=http-to-https@internal middlewareName=tracing middlewareType=TracingForwarder
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" entryPointName=http routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme
time="2024-02-28T10:24:56Z" level=debug msg="Setting up redirection to https 443" entryPointName=http routerName=http-to-https@internal middlewareName=redirect-http-to-https@internal middlewareType=RedirectScheme
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining routerName=opweb@docker serviceName=opweb entryPointName=http
time="2024-02-28T10:24:56Z" level=debug msg="Creating load-balancer" serviceName=opweb entryPointName=http routerName=opweb@docker
time="2024-02-28T10:24:56Z" level=debug msg="Creating server 0 http://192.168.176.3:8080" routerName=opweb@docker serviceName=opweb serverName=0 entryPointName=http
time="2024-02-28T10:24:56Z" level=debug msg="child http://192.168.176.3:8080 now UP"
time="2024-02-28T10:24:56Z" level=debug msg="Propagating new UP status"
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware opweb" routerName=opweb@docker entryPointName=http middlewareType=TracingForwarder middlewareName=tracing
time="2024-02-28T10:24:56Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=http routerName=traefik@docker middlewareName=tracing
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" entryPointName=http middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2024-02-28T10:24:56Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=https
time="2024-02-28T10:24:56Z" level=debug msg="Adding route for traefik.localho.st with TLS options default" entryPointName=http
time="2024-02-28T10:24:56Z" level=debug msg="Adding route for opweb.localho.st with TLS options default" entryPointName=http
time="2024-02-28T10:24:56Z" level=debug msg="Adding route for opweb.localho.st with TLS options default" entryPointName=https
time="2024-02-28T10:24:56Z" level=debug msg="Adding route for traefik.localho.st with TLS options default" entryPointName=https

I have tried multiple restarts of the Traefik Docker container, different browsers, emptying caches along the way. Nothing helped so far.

What am I missing here that a more experienced eye might catch?

bluepuma77 · February 29, 2024, 9:30pm

TLS certs are loaded in a dynamic config file, which is read with providers.file in a static config.

Topic		Replies	Views
Tls: unknown certificate Traefik v2 (latest) docker	1	7412	October 31, 2019
Using own certificate Traefik v2 (latest) docker	7	3159	May 2, 2022
Traefik v2.10 Configuration Issue with Custom SSL Certificate and Docker Traefik v2 (latest) docker	1	341	December 24, 2023
Help with configuring Traefik with Self Signed certificates Traefik v2 (latest) docker	4	978	October 6, 2020
Traefik can't find my own certificate SSL Traefik v2 (latest) docker	0	257	July 6, 2022

Self-signed certificates not recognized

Related Topics