Hi - Using Traefik 3.2.1
I'm using Traefik as a reverse proxy that proxies requests to a backend server running Cockpit over HTTPS. Cockpit is using TLS certificates generated using ACME and Let's Encrypt, with E6/ISRG-root-x1 as the intermediate and root certificate authorities.
I've set up my dynamic configuration file like the following:
http:
  routers:
    cockpit-q.domain.com:
      rule: "Host(`cockpit-q.domain.com`)"
      entryPoints:
        - web
        - websecure
      tls:
        options: modern@file
        certResolver: letsencrypt
        domains:
          - main: "cockpit-q.domain.com"
            sans:
              - "cockpit-q.domain.com"
      service: sv_proxy_pass_cockpit-q.domain.com
  serversTransports:
    cockpit-Transport:
      serverName: "cockpit-q-backend.domain.com"
      insecureSkipVerify: false
      rootCAs:
        - /etc/ssl/certs/ca-certificates.crt
        - /etc/traefik/isrgrootx1.pem
        - /etc/traefik/isrg-root-x2.pem
  services:
    sv_proxy_pass_cockpit-q.domain.com:
      loadBalancer:
        servers:
          - url: https://cockpit-q-backend.domain.com:9090
        passHostHeader: true
        serversTransport: cockpit-Transport
I'm getting this in the logs:
{"level":"debug","error":"tls: failed to verify certificate: x509: certificate signed by unknown authority","time":"2024-12-05T02:53:37-06:00","caller":"github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:113","message":"500 Internal Server Error"}
So I guess my question is: why can't it verify the certificate? (My guess, perhaps, is that the certificate, intermediate CA and root CA information isn't being processed correctly.)
I tried to replicate verifying the backend certificate on the command line; however, I'm not sure if Traefik strips out the intermediate chain information, similar to an openssl x509 command. If I bypass certificate verification, I can proxy to the backend no problem.
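To see offline how the verifier behind this log message treats intermediates, here is an added example (not part of the original post, and not Traefik's code) that calls Go's crypto/x509 the way a Go TLS client does. All certificates are constructed in memory, and the helper names `issue`, `verifyBackend` and `demo` are hypothetical. With only the root in the trust pool, a backend that presents just its leaf fails with the same x509 error, while a backend that also presents its intermediate verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue creates a constructed test certificate signed by parent (self-signed if nil); nil dns marks a CA.
func issue(cn string, dns []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: dns == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// verifyBackend: trust anchors come from roots only; intermediates are what the server sent after its leaf.
func verifyBackend(serverName string, sent []*x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range sent[1:] {
		inter.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inter})
	return err
}

// demo verifies a leaf-only handshake and a leaf+intermediate handshake against a root-only pool.
func demo() (leafOnly, fullChain error) {
	const name = "cockpit-q-backend.domain.com" // serverName from the post
	root, rootKey := issue("constructed root", nil, nil, nil)
	mid, midKey := issue("constructed intermediate", nil, root, rootKey)
	leaf, _ := issue(name, []string{name}, mid, midKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return verifyBackend(name, []*x509.Certificate{leaf}, roots), verifyBackend(name, []*x509.Certificate{leaf, mid}, roots)
}

func main() { fmt.Println(demo()) }
```

The same comparison can be made against a real backend by checking whether the certificates it presents during the handshake include the intermediate, not just the leaf.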