Self-signed certs (mkcert) with traefik + whoami in docker example - 502 Bad Gateway error

Traefik Traefik v2
1

I can't seem to get a basic example of traefik and whoami running with self-signed certs (and ca) with docker compose. I suspect the issue is something to do with TLS termination? Importantly, I am not using labels, I am using traefik.yml and dynamic.yml configuration.

Currently I get when visiting https://localhost/whoami:

502 Bad Gateway error="remote error: tls: bad certificate"

I have two containers running: Traefik, and whoami.

I used mkcert to generate the certs for whoami. I'm mounting the certs in /certs for both containers and running the whoami container with:
command: --cert /certs/cert.pem --key /certs/key.pem --cacert /certs/rootCA.pem --port 443

I would like traefik to accept a https request, and not forward a http call to whoami (that's easy to get working) but instead talk only over https with it, so all containers are running on https for localhost. Therefore, I understand that I need to tell traefik two things:

  • Here is the CA that you can use
  • Here is the cert and key

Still, here is my configuration:

traefik.yml

log:
  level: DEBUG

entryPoints:
  http:
    address: ':80'
  https:
    address: ':443'

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: app_network

  # Dynamic configuration
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

dynamic.yml

tls:
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem

  stores:
    default:
      defaultCertificate:
        certFile: /certs/cert.pem
        keyFile: /certs/key.pem

http:
  serversTransports:
    whoami-transport:
      rootCAs:
        - /certs/rootCA.pem
      certificates:
        - certFile: /certs/cert.pem
          keyFile: /certs/key.pem

  routers:
    whoami:
      rule: Host(`localhost`) && PathPrefix(`/whoami`)
      service: whoami
      entryPoints:
        - https
      tls: {}

  services:
    whoami:
      loadBalancer:
        serversTransport: whoami-transport
        servers:
          - url: https://whoami:443

What am I doing wrong? From what I can see:

  • traefik is being told that for whoami-transport use the rootCA provided
  • the whoami-transport is specified for the whoami service loadbalancer

I have read that I need to change to a tcp setup instead and use passthrough. I haven't tried this yet. AFAIK this is just a https thing, no tcp stuff. whoami is running on 443...

2

Can you share your docker-compose.yml?

3

Please note, I have tried both traefik:v3.2 and traefik:v2.11.11 and they both give the same error in the logs. (There are no other ERRs).

docker-compose.yml

services:
  traefik:
    image: traefik:v3.2 # Also the same with v2.11.11
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - ./infra/certs:/certs
      - ./infra/traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./infra/traefik/dynamic.yml:/etc/traefik/dynamic.yml
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - app_network

  whoami:
    image: traefik/whoami
    container_name: whoami
    command: --cert /certs/cert.pem --key /certs/key.pem --cacert /certs/rootCA.pem --port 443
    volumes:
      - ./infra/certs:/certs
    networks:
      - app_network

networks:
  app_network:
4

The error is probably related to the Docker network. You set network: app_network, but compose does add a prefix to the network, if you don’t add name: to the Docker network definition.

Compare to simple Traefik example.

5

In the end, it was because the whoami container wasn't using the certs properly. Not sure if it was a bug with the container, but as soon as I used my certs with another application I wrote in go, everything was fixed.

6

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.