Self Signed *.localhost Certificate not used by Traefik

manuelhummler · April 2, 2025, 2:12pm

I have a local traefik setup on my Mac, which I want to use to proxy local running services. I created self signed certificates having *.localhost and localhost allowed. They are available within the docker container and also have the correct reading permissions. Anyway, when checking the debug log, traefik says:

No default certificate, fallback to the internal generated certificate tlsStoreName=default

And on running

openssl s_client -connect proxy.localhost:443 -servername proxy.localhost | openssl x509 -noout -subject -issuer

I don't receive the self signed certificate, but the DEFAULT one, being generated by Traefik.

Connecting to 127.0.0.1
depth=0 CN=TRAEFIK DEFAULT CERT
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=TRAEFIK DEFAULT CERT
verify return:1
subject=CN=TRAEFIK DEFAULT CERT
issuer=CN=TRAEFIK DEFAULT CERT

This is my docker compose file

services:
  traefik:
    image: traefik:v3.3.5
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./traefik_data:/etc/traefik"
      - "./config/:/config:ro"
      - "./certs/:/certs:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`proxy.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

This is my traefik.yaml


global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Redirect HTTP to HTTPS
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  # HTTPS endpoint
  websecure:
    address: ":443"
    http:
      tls:
        domains:
          - main: "localhost"
            sans:
              - "*.localhost"

providers:
  providersThrottleDuration: 2s

  # Docker provider for services running inside Docker
  # docker:
  #   watch: true
    # network: localhost_net # Ensure this matches your Docker network name
    # exposedByDefault: false
    
  # file:
  #   directory: /config/dynamic
  #   watch: true

# Enable Traefik UI
api:
  dashboard: true
  insecure: true

# Log level: INFO|DEBUG|ERROR
log:
  level: DEBUG

tls:
   stores:
     default:
       defaultCertificate:
         certFile: "/certs/localhost.crt"
         keyFile: "/certs/localhost.key"

Does anyone have an idea, why my certificate is not being used?

bluepuma77 · April 2, 2025, 5:12pm

tls is dynamic config and needs to be loaded via providers.file in static config.

Topic		Replies	Views
Traefik not sending self-signed certificates for subdomain localhost Traefik v2 docker , tcp	2	2355	March 15, 2020
Self-signed certificates not recognized Traefik v2 docker	1	427	February 29, 2024
Problem attaching self signed certificate to localhost subdomain Traefik v2 docker , dashboard-api	1	1410	July 20, 2023
Cannot get traefik to work with self-signed certificate - an exception cannot be added for the website Traefik v2 docker	9	2872	October 22, 2021
[HTTPS] How to force Traefik to use local certificates (and not self-generated one instead) Traefik v2 docker , file	3	2283	August 17, 2021

Self Signed *.localhost Certificate not used by Traefik

Related topics