ServersTransport unable to verify a backend HTTPS certificate generated by Let's Encrypt

Hi - Using traefik 3.2.1

I'm using traefik as a reverse proxy that proxies requests to a backend server running cockpit over https. Cockpit is using TLS certificates generated using ACME and Let's Encrypt with E6/ISRG-root-x1 as the Intermediate and root CA authorities.

I've set up my dynamic configuration file like the following:

http:
  routers:
    cockpit-q.domain.com:
      rule: "Host(`cockpit-q.domain.com`)"
      entryPoints:
        - web
        - websecure
      tls:
        options: modern@file
        certResolver: letsencrypt
        domains:
          - main: "cockpit-q.domain.com"
            sans:
              - "cockpit-q.domain.com"
      service: sv_proxy_pass_cockpit-q.domain.com

  serversTransports:
    cockpit-Transport:
      serverName: "cockpit-q-backend.domain.com"
      insecureSkipVerify: false
      rootCAs:
        - /etc/ssl/certs/ca-certificates.crt
        - /etc/traefik/isrgrootx1.pem
        - /etc/traefik/isrg-root-x2.pem

  services:
    sv_proxy_pass_cockpit-q.domain.com:
      loadBalancer:
        servers:
          - url: https://cockpit-q-backend.domain.com:9090
        passHostHeader: true
        serversTransport: cockpit-Transport

I'm getting this in the logs:

{"level":"debug","error":"tls: failed to verify certificate: x509: certificate signed by unknown authority","time":"2024-12-05T02:53:37-06:00","caller":"github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:113","message":"500 Internal Server Error"}

So I guess my question is why can't it verify the certificate? (My guess perhaps is the certificate, intermediate CA and root CA information isn't being processed correctly)

I tried to replicate verifying the backend certificate on the command line, however I'm not sure if traefik strips out the intermediate chain information similar to an openssl x509 command. If I bypass certificate verification I can proxy to the backend no problem.

So -- turns out I was missing the e6 intermediate certificate -- (jeez doesn't Debian install this by default ??? - guess not). Anyway I went over to Let's Encrypt and downloaded the e6 certificate in PEM format and then had to update the system. I used these instructions to add a trusted root certificate: certificates - How to add a local CA authority on an air-gapped host of Debian - Unix & Linux Stack Exchange

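The failure and fix described in this thread, reproduced as an added example (not part of the original post and not Traefik's own code) with Go's `crypto/x509`, the library that produces the logged error. It assumes the backend presented only its leaf certificate; the root, intermediate and leaf are constructed in memory as stand-ins for ISRG Root X1, E6 and the backend certificate, and all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent yields a self-signed root.
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo verifies one leaf against three client setups, the way a Go TLS client checks a chain.
func demo() (unknownAuthority bool, chainSent, interTrusted error) {
	root, rootKey := issue("constructed root", true, nil, nil)
	inter, interKey := issue("constructed intermediate", true, root, rootKey)
	leaf, _ := issue("backend.example.test", false, inter, interKey)
	trusted, sent := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	sent.AddCert(inter)
	verify := func(roots, inters *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
		return err
	}
	_, unknownAuthority = verify(trusted, nil).(x509.UnknownAuthorityError) // root only, leaf sent alone
	chainSent = verify(trusted, sent)                                       // server also sends the intermediate
	trusted.AddCert(inter)                                                  // intermediate added to the trust store
	return unknownAuthority, chainSent, verify(trusted, nil)
}
func main() { fmt.Println(demo()) }
```

The first case fails with `x509: certificate signed by unknown authority` even though the root is trusted, because the verifier has no certificate linking the leaf to that root; either supplying the intermediate in the handshake or trusting it locally completes the path.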