TLS handshake error - unknown certificate

I want to set up HTTPS to work using a custom certificate (.key and .cert). But when I access the website at https://example.com:9000, I can see in the logs that there was a TLS handshake error.

docker-compose-traefik.yml

version: "3.7"

services:
  traefik:
    image: "traefik:v2.0"
    networks:
      - traefik-net
    ports:
      - "9000:9000"
      - "5000:5000"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./config/:/etc/traefik/"
      - "./cert/:/cert/"
    deploy:
      replicas: 1
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.rule=Host(`example.com`)"
        - "traefik.http.routers.traefik.entrypoints=traefik"
        - "traefik.http.routers.traefik.tls=true"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"

networks:
  traefik-net:
    external: true
    name: traefik-net

config/traefik.yml

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

providers:
  file:
    directory: "/etc/traefik"
    watch: true
  docker:
    swarmMode: true
    exposedByDefault: false

entrypoints:
  traefik:
    address: ":9000"
  web:
    address: ":5000"

config/dynamic_conf.yml

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /cert/example.com.cert
        keyFile: /cert/example.com.key
  certificates:
    - certFile: /cert/example.com.cert
      keyFile: /cert/example.com.key
      stores:
        - default

The directory cert contains two files. They are self-signed.

  1. example.com.cert
  2. example.com.key

Debug output

level=debug msg="Adding certificate for domain(s) example.com"
level=debug msg="http: TLS handshake error from 10.255.0.2:53759: remote error: tls: unknown certificate"

What am I doing wrong?

Hi there, I'm in a similar situation, but here the log also reveals that a custom default cert is to be generated:

level=debug msg="No default certificate, generating one"

This custom cert is then served and does not match the request domain...

level=debug msg="Serving default certificate for request: \"example.com\""

Is this the same for you?

I can see the first message, but not the second.

So, the proxy finds your correct cert file and serves this? I had to add the specific domain and put all the cert files into the (one and only) default store to make Traefik use the correct TLS cert for each subdomain...

http:
  routers:
    example1:
      rule: "Host(`sub.example.com`)"
      service: "sub-service"
      entryPoints:
        - web-http
        - web-https
      tls:
        domains:
          - main: "sub.example.com"

hth, marcel
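Added example, not code from this thread or from the Traefik project: a small Python script that parses Traefik's logfmt debug lines (including the escaped `\"` in the "Serving default certificate" message) and classifies the four messages quoted in the posts above. The sample log is constructed from those lines; the diagnosis labels are my own. In Go's TLS stack a "remote error" is an alert sent by the peer, so "unknown certificate" here is the browser rejecting the self-signed cert it does not trust, while "No default certificate" and "Serving default certificate" mean the configured store did not match the requested name.

```python
import re

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE_LOG = r'''
level=debug msg="Adding certificate for domain(s) example.com"
level=debug msg="http: TLS handshake error from 10.255.0.2:53759: remote error: tls: unknown certificate"
level=debug msg="No default certificate, generating one"
level=debug msg="Serving default certificate for request: \"example.com\""
'''

# key=value tokens; a quoted value may contain \" and \\ escapes.
LOGFMT_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logfmt(line):
    """Parse one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in LOGFMT_FIELD.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        fields[key] = raw
    return fields


def classify(msg):
    """Map a Traefik TLS debug message to a diagnosis label (hypothetical names)."""
    if "remote error: tls: unknown certificate" in msg:
        # Alert came from the client: it does not trust the presented cert.
        return "client-rejected"
    if msg.startswith("No default certificate, generating one"):
        # The tls.stores.default block from dynamic_conf.yml was not applied.
        return "no-default-cert"
    m = re.match(r'Serving default certificate for request: "(.*)"', msg)
    if m:
        # No loaded certificate matched the SNI name the client asked for.
        return "sni-fallback:" + m.group(1)
    m = re.match(r"Adding certificate for domain\(s\) (.*)", msg)
    if m:
        return "cert-loaded:" + m.group(1)
    return None


def diagnose(log_text):
    """Return the diagnosis labels found in a block of Traefik debug log text."""
    out = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if fields.get("level") != "debug":
            continue
        label = classify(fields.get("msg", ""))
        if label:
            out.append(label)
    return out


if __name__ == "__main__":
    for label in diagnose(SAMPLE_LOG):
        print(label)
```

Seeing "cert-loaded" together with "client-rejected" but no "sni-fallback" means Traefik served the right certificate and the fix is on the client side (trusting the self-signed cert); "sni-fallback" points back at the store configuration instead.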

Yes. As far as I understand, Traefik picks an appropriate certificate based on the domain for which the certificate was issued. So if you have two certificates, one for *.example.com and another one for *.website.com and you visit dashboard.website.com, it will automatically pick a certificate for that domain.

So you solved this? I'm still trying to fix my instance of it.

I love you, spent absolute hours on this and this sorted my issue.

Thanks!!