TLS handshake error from 192.168.56.154:44036: remote error: tls: bad certificate

Hi Team,

I would appreciate some assistance with this issue. I have installed Traefik and deployed a sample Nginx service to verify that the certificates are being generated. However, the process failed with the following error. The IP address does not appear to be in use anywhere. Could you kindly advise me on how to resolve this?

Error:

2025-03-17T11:40:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:42683: remote error: tls: bad certificate
2025-03-17T11:40:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "nginx.example.com"
2025-03-17T11:40:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:20066: remote error: tls: bad certificate
2025-03-17T11:40:51Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "nginx.example.com"
2025-03-17T11:40:51Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:49680: remote error: tls: bad certificate

Please note that the IP 192.168.56.154 is not in use on the network.

services:
  traefik:
    image: traefik:v3.2
    hostname: '{{.Node.Hostname}}'
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - traefik-public
    volumes:
      #- ./hosts:/etc/hosts
      - treafik-acme:/letsencrypt/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/log/traefik:/var/log
    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/var/log/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --providers.swarm.exposedByDefault=false
      - --providers.swarm.network=traefik-public
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=certresolver
      - --certificatesresolvers.certresolver.acme.email=admin@example.com
      - --certificatesresolvers.certresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.certresolver.acme.dnschallenge.provider=gandiv5
        #- --certificatesresolvers.certresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.certresolver.acme.dnschallenge.resolvers=217.70.185.65:53,8.8.8.8:53
    environment:
      GANDIV5_PERSONAL_ACCESS_TOKEN: "${GANDIV5_PERSONAL_ACCESS_TOKEN}"
    deploy:
      mode: global
      labels:
        - traefik.enable=true
        - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
        - traefik.http.routers.mydashboard.service=api@internal
        - traefik.http.routers.mydashboard.middlewares=myauth
        - traefik.http.services.mydashboard.loadbalancer.server.port=1337
        - traefik.http.middlewares.myauth.basicauth.users=admintraefik:$PASSWORD

networks:
  traefik-public:
    name: traefik-public
    driver: overlay
    attachable: true
    external: true

volumes:
  treafik-acme:
    external: true

The IP is a private IP, so it seems a device on your local network is accessing Traefik. If it is not correctly configured or supplies a non-existing HostSNI, then you will see the debug messages in the Traefik log.


This doesn't really make sense. Either you define the network in compose (driver, attachable) or you use a network that was already created (external).

Thank you very much for the prompt response. I have modified the network settings but am still getting the same error. Could you please confirm whether the configuration block below is correct?

networks:
  traefik-public:
    name: traefik-public
    external: true

The config looks ok.

If you still want answers, you need to provide more details. Home or corporate network? What OS? Any VMs? Any special Docker network settings? Where is 192.168.56.154 coming from (this is not a default Docker network IP)?

Thank you for your response and support. I truly appreciate it.
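To help answer where the failing handshakes come from and which hostname they ask for, the debug log can be summarized per client IP. This is an added example, not code from the thread participants or from Traefik; `summarize` and the rule that pairs a "Serving default certificate" line with the next handshake error within two seconds are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log lines copied from the first post in this thread.
SAMPLE = '''
2025-03-17T11:40:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:42683: remote error: tls: bad certificate
2025-03-17T11:40:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "nginx.example.com"
2025-03-17T11:40:49Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:20066: remote error: tls: bad certificate
2025-03-17T11:40:51Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "nginx.example.com"
2025-03-17T11:40:51Z DBG log/log.go:245 > http: TLS handshake error from 192.168.56.154:49680: remote error: tls: bad certificate
'''.strip().splitlines()

ERR = re.compile(r'^(\S+) \S+ .*TLS handshake error from (\S+):(\d+): (.*)$')
DEF = re.compile(r'^(\S+) \S+ .*Serving default certificate for request: "([^"]*)"')

def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def summarize(lines, window=timedelta(seconds=2)):
    """Group handshake errors by client IP and attach the requested hostnames.

    Heuristic (assumption): a 'Serving default certificate' line belongs to the
    next handshake error logged within `window`, because the server selects a
    certificate before the client can reject it.
    """
    report = defaultdict(lambda: {"errors": Counter(), "default_cert_sni": Counter()})
    pending = None  # (timestamp, hostname) of the last unmatched default-cert line
    for line in lines:
        m = DEF.match(line)
        if m:
            pending = (_ts(m.group(1)), m.group(2))
            continue
        m = ERR.match(line)
        if not m:
            continue  # unrelated log line
        when, ip, reason = _ts(m.group(1)), m.group(2), m.group(4)
        report[ip]["errors"][reason] += 1
        if pending and timedelta(0) <= when - pending[0] <= window:
            report[ip]["default_cert_sni"][pending[1]] += 1
        pending = None  # each default-cert line is paired at most once
    return {ip: {k: dict(v) for k, v in d.items()} for ip, d in report.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

On the lines from the post, every error comes from one client and each paired request asked for `nginx.example.com`, for which Traefik served its default certificate.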
