Self-Signed Certificates Not Working

Hey everyone,

I have been using Traefik for quite some time now with a custom domain. However, this domain is getting expensive, and for now I’m switching to a self-signed domain.

I was following some tutorials and this is what I’ve done:

Created my certificates using

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout certs/selfsigned.key -out certs/selfsigned.crt -subj "/CN=home.lan"

and pointed home.lan to the IP of the VM running Traefik. I put the certificates inside a /certs folder and updated docker-compose.yml:

traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./certs:/certs
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/acme.json:/acme.json
      - ./config/local.json:/local.json
      - ./config/config.yml:/config.yml:ro
      - ./config/traefik.log:/traefik.log

Simplified version of config.yml:

http:
  routers:
    test:
      entryPoints:
        - "https"
      rule: "Host(`home.lan`)"
      service: test
  services:
    test:
      loadBalancer:
        servers:
          - url: <redacted>

traefik.yml:

api:
  dashboard: true
  debug: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

serversTransport:
  insecureSkipVerify: true

log:
  filePath: "/traefik.log"
  level: DEBUG

providers:
  docker:
    endpoint: <redacted>
    exposedByDefault: false
  file:
    filename: /config.yml

tls:
  certificates:
    - certFile: /certs/selfsigned.crt
      keyFile: /certs/selfsigned.key
      stores:
        - default

certificatesResolvers:
  local:
    acme:
      tlschallenge: true
      email: a@example.com
      storage: local.json

I also installed the custom certificate on my computer and phone, and on both I get an insecure error. Looking at the Traefik logs I see:

2025-11-25T22:20:04Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "home.lan"
2025-11-25T22:20:04Z DBG log/log.go:245 > http: TLS handshake error from 172.30.92.1:49735: remote error: tls: unknown certificate

I tried looking in the forums, YouTube, Google and ChatGPT, and none of the solutions seem to work; I always get this result.

For a custom TLS cert to work in Traefik, you need a TLS cert with a matching common name, and it needs to be loaded in the dynamic config file, which is loaded via providers.file. Then you need to enable TLS on the entrypoint or router (yaml: tls: {}, labels: tls=true).

Note also that a certResolver needs to be assigned to the entrypoint or router for it to be used by Traefik.

I added tls: {} to my entrypoint and the certResolver as follows:

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls:
        certResolver: local

This did not do anything; I am still getting the “serving default certificate” message. Also, how do I add the certificate to the dynamic config file? The docs mention that that’s for services, routers and middlewares.

Currently we are blind; how about you enable the Traefik debug log (doc) and check for err, tls, acme?

This piece is dynamic config and needs to go in a separate file, which then needs to be loaded in the static config via providers.file (doc, issue):

tls:
  certificates:
    - certFile: /certs/selfsigned.crt
      keyFile: /certs/selfsigned.key
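To tell the two failure modes in this thread apart (Traefik serving its generated default certificate versus the client rejecting the custom one), the following script is an added example, not code from the thread or from Traefik. It regenerates the certificate with a subjectAltName, which browsers require in addition to the CN, and compares the fingerprint Traefik actually serves for home.lan with the file on disk. It assumes openssl is installed, the hostname home.lan, the ./certs path from the post, and that Traefik's IP is passed as the first argument.

```shell
#!/usr/bin/env sh
# Added example, not part of the thread. Assumes: openssl is available,
# the hostname is home.lan, the cert lives in ./certs, and the Traefik
# host IP is given as $1.

# Generate a self-signed cert that also carries a subjectAltName. A CN-only
# cert (as produced by the command in the thread) is rejected by modern
# browsers even when it is installed as trusted.
make_selfsigned() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when the cert lists the host as a DNS subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Fetch the certificate Traefik serves for the given SNI name and compare it
# with the expected file. A mismatch means Traefik fell back to its generated
# default certificate, i.e. the tls.certificates block was not picked up from
# the dynamic (file provider) config.
check_served_cert() {
  host="$1"; addr="$2"; expected="$3"
  served=$(openssl s_client -connect "$addr:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  want=$(cert_fingerprint "$expected")
  if [ -n "$served" ] && [ "$served" = "$want" ]; then
    echo "OK: $host is served with $expected"
  else
    echo "MISMATCH: $host served '${served:-nothing}', expected $want"
    return 1
  fi
}

# Usage: sh check_cert.sh <traefik-ip>
if [ "$#" -ge 1 ]; then
  [ -f certs/selfsigned.crt ] || make_selfsigned home.lan certs
  cert_has_san certs/selfsigned.crt home.lan || echo "WARNING: cert has no SAN for home.lan"
  check_served_cert home.lan "$1" certs/selfsigned.crt
fi
```

The -addext option needs OpenSSL 1.1.1 or newer; on older builds, pass the subjectAltName through a config file instead.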

The problem with my configuration was disabling the DNS challenge in my provider. Eventually it worked. However, so many challenges came after that I abandoned the idea of a self-signed certificate. It’s just too complicated for Docker.

Anyways, for any people in the future struggling with this, try disabling the DNS challenge. Thank you for all the help!