TLS : Unable to append certificate

Hi,

I'm trying to use a certificate generated by ionos, my domain provider, but the log always reports an error

time="2021-01-24T14:54:24Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"tls\":{\"stores\":{\"default\":{\"defaultCertificate\":{\"certFile\":\"/var/traefik2/tls/mixablerecord.com_ssl_certificate.cer\",\"keyFile\":\"/var/traefik2/tls/mixablerecord.com_private_key.key\"}}}}}" providerName=file
time="2021-01-24T14:12:49Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-01-24T14:12:49Z" level=error msg="Unable to append certificate /var/traefik2/tls/mixablerecord.com_ssl_certificate.cer to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default


time="2021-01-24T14:54:44Z" level=debug msg="No default certificate, generating one"
time="2021-01-24T15:02:24Z" level=debug msg="Serving default certificate for request: \"whoami.mixablerecord.com\""
time="2021-01-24T15:02:25Z" level=debug msg="http: TLS handshake error from 192.168.1.254:5006: remote error: tls: bad certificate"

Here is my Traefik docker-compose file

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.directory=/certs/"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/var/traefik2/certs/:/certs/"
    networks:
      - traefik

networks:
  traefik:
    external: true

The yaml file with the certificates location, which is located in /var/traefik2/certs directory

tls:
  certificates:
    - certFile: "/var/traefik2/tls/mixablerecord.com_ssl_certificate.cer"
      keyFile: "/var/traefik2/tls/mixablerecord.com_private_key.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/var/traefik2/tls/mixablerecord.com_ssl_certificate.cer"
        keyFile: "/var/traefik2/tls/mixablerecord.com_private_key.key"

The log shows that the file location is found correctly.
The certificates + key were controlled with openssl, all with success

Here is a simple docker-compose file for a "Who Am I" container to test

version: "3"

services:
  whoami:
    image: hypriot/rpi-whoami
    container_name: whoami
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.mixablerecord.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
    environment:
      - "PORT=8000"
    expose:
      - 8000
    ports:
      - "8000:8000"

    networks:
      - traefik

networks:
  traefik:
    external: true

When I try to access this whoami site inside the local network on port 8000, I get the right answer.
But it doesn't work when I try to access it with the https URL.

Of course, my freebox router has port 443 open and redirects the traffic to the local machine, a raspberry pi. The Traefik log shows the access attempt.

I spent a lot of time trying things and reading other posts about this trouble, but nothing helped. I decided to ask here for some help.

Thank you in advance.

Regards
Steeve

Hello @Sdess,

Thanks for your interest in Traefik!

I think there is a typo in your volume mount - "/var/traefik2/certs/:/certs/"
Traefik is looking for certificates in /var/traefik2/tls/

Hi,

Thank you for your answer.
I did put my certificate files in /var/traefik2/tls
And the yaml configuration file in /var/traefik2/certs

Should I put them in the same directory ?
I can and will try. I'll post the result.

Regards

Steeve

Hi,

I tried putting the certificate files in the /var/traefik2/certs directory.

And changed the configuration file too:

tls:
  certificates:
    - certFile: "/var/traefik2/certs/mixablerecord.com_ssl_certificate.cer"
      keyFile: "/var/traefik2/certs/mixablerecord.com_private_key.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/var/traefik2/certs/mixablerecord.com_ssl_certificate.cer"
        keyFile: "/var/traefik2/certs/mixablerecord.com_private_key.key"

Always the same error:

time="2021-01-26T06:58:31Z" level=info msg="Traefik version 2.4.0 built on 2021-01-19T17:26:51Z"
time="2021-01-26T06:58:59Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-01-26T06:58:59Z" level=error msg="Unable to append certificate /var/traefik2/certs/mixablerecord.com_ssl_certificate.cer to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-01-26T07:16:53Z" level=debug msg="Serving default certificate for request: \"whoami.mixablerecord.com\""
time="2021-01-26T07:16:54Z" level=debug msg="http: TLS handshake error from 192.168.1.254:20622: remote error: tls: bad certificate"

What should I try ?

Regards

Steeve

Hello @Sdess,

Just a very quick guess, is the cert file extension correct? (.cer is somewhat unusual)
Also, did you check that the cert files are present in the directory, and is the format of your certificate files the expected PEM format?


Hi,

the .cer extension was given by my provider, I tried to change it, but I had the same error.
Yes, the files (.cer + .key) are in the directory, I copied them and checked for them.
I think the certificate is in the right format, I controlled it and the key files with openSSL.
Here is the content of the certificate .cer file (with a little cut in the middle):

-----BEGIN CERTIFICATE-----
MIIFoTCCBImgAwIBAgIQDGz2XSxw+bSYfMPobso3EDANBgkqhkiG9w0BAQsFADBu
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjEwMTEwMDAwMDAwWhcNMjExMjExMjM1OTU5WjAe
MRwwGgYDVQQDDBMqLm1peGFibGVyZWNvcmQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAk6uLdr6gNfwxg09dHdVwXL/K78tJTmKRBs95bI4IcRa0
EVHHjFVjhE0MK/1MRX088e73J4b8897pkmWFP8ji+U20HpXmU5P+o76EOlkTOzsr
...
PzNRzqRzOPIcrliCqufXc7+EmrwyTV5BMKxglFpN/s+SuIKCMojsAHSwSaRINbRS
uQXz38KrQzNiFc004YTcxbZLgiKutXZ8Rp3LHeMfrUH5rlTMhs/m3hexdanoG+7H
l8X2eCkdhHGFCO4LumkJKQZvPF4vrJzvAXjxSTrwWhaBx3S4fsxQ5mqzAyjbveaU
KrzADhROWYWvEmEoHxg4e/CdGCCx9spzQq9JHKP/vd8IOFrILpEBiDugE/jwakT2
r9hkfyQ=
-----END CERTIFICATE-----

Is it correct ?
Regards
Steeve

Hi,

Is there anything else I should try or correct to solve this trouble ?

Regards
Steeve

Hello @Sdess,

Traefik is definitely taking the configuration into account and the error indicates an error when reading the certificate file.
I tend to believe that there is an issue with the format of the provided certificate.
You can check your certificate files with openssl x509 -in cert.crt -text.
If your certificate is in PEM format, this command should print info about the certificate.

Hello,

Thank you again for your answer.
I did try to check the certificate with openssl as I did before, and no trouble

openssl x509 -in mixablerecord.com_ssl_certificate.cer -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:6c:f6:5d:2c:70:(...little cut here..):c3:e8:6e:ca:37:10
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
        Validity
            Not Before: Jan 10 00:00:00 2021 GMT
            Not After : Dec 11 23:59:59 2021 GMT
        Subject: CN = *.mixablerecord.com
...

I think the certificate is OK

Any other ideas ?

Regards

Steeve

Hello @Sdess,

I totally missed that the path for the certificate on the container is not /var/traefik2/certs/, this is the path on your host.

Your TLS configuration should be (though I'm not sure that you need/want to configure both the default certificate and add the certificate for *.mixablerecord.com hosts):

# Specifying a certificate that will be used for matching requests
tls:
  certificates:
    - certFile: "/certs/mixablerecord.com_ssl_certificate.cer"
      keyFile: "/certs/mixablerecord.com_private_key.key"
      stores:
        - default
# Specifying the default certificate
  stores:
    default:
      defaultCertificate:
        certFile: "/certs/mixablerecord.com_ssl_certificate.cer"
        keyFile: "/certs/mixablerecord.com_private_key.key"
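As an added example (not the thread's or Traefik's own code), the following Go program reproduces the load that a Go TLS server performs on a certFile/keyFile pair, using the standard-library call tls.LoadX509KeyPair whose error text ("tls: failed to find any PEM data in certificate input") is the one in the logs above. It covers the two checks discussed in this thread: the openssl PEM check suggested earlier, and the host-path versus container-path fix in the last reply. It distinguishes three outcomes: a PEM certificate and matching key load cleanly; a binary DER copy of the same certificate (what a ".cer" file sometimes contains) produces the PEM error; and a host-style path such as /var/traefik2/certs/... that does not exist where the process runs fails before the key pair is even read. The self-signed certificate, the hostname whoami.example.test, the file names and the temporary directory are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CheckKeyPair mirrors what a Go TLS server does with a certFile/keyFile
// pair: both paths must be readable from this process, and both files must
// hold PEM blocks whose key matches the certificate. A host path that is not
// mounted into the container fails at the first step; a binary (DER) .cer
// file fails at the second with Go's "failed to find any PEM data" error.
func CheckKeyPair(certPath, keyPath string) error {
	for _, p := range []string{certPath, keyPath} {
		if _, err := os.Stat(p); err != nil {
			return fmt.Errorf("path %q is not visible from this process: %w", p, err)
		}
	}
	if _, err := tls.LoadX509KeyPair(certPath, keyPath); err != nil {
		return fmt.Errorf("failed to load X509 key pair: %w", err)
	}
	return nil
}

// IsPEMError reports whether err is the "no PEM data" condition seen in the
// thread's log lines, as opposed to a missing file or a key mismatch.
func IsPEMError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "failed to find any PEM data")
}

// WriteSelfSignedPair writes a throwaway self-signed certificate and its EC
// private key, both PEM-encoded, into dir. Constructed for this example only;
// it is not the thread's real DigiCert certificate.
func WriteSelfSignedPair(dir, hostname string) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath = filepath.Join(dir, "example_ssl_certificate.cer")
	keyPath = filepath.Join(dir, "example_private_key.key")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err = os.WriteFile(certPath, certPEM, 0o600); err != nil {
		return "", "", err
	}
	err = os.WriteFile(keyPath, keyPEM, 0o600)
	return certPath, keyPath, err
}

// WriteDERCopy strips the PEM armour from a certificate file and writes the
// raw DER bytes to dst: the binary ".cer" layout that Go's PEM decoder rejects.
func WriteDERCopy(pemCertPath, dst string) error {
	data, err := os.ReadFile(pemCertPath)
	if err != nil {
		return err
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return fmt.Errorf("%s: no PEM block found", pemCertPath)
	}
	return os.WriteFile(dst, block.Bytes, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "tlscheck")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	certPath, keyPath, err := WriteSelfSignedPair(dir, "whoami.example.test")
	if err != nil {
		panic(err)
	}
	derPath := filepath.Join(dir, "binary_copy.cer")
	if err := WriteDERCopy(certPath, derPath); err != nil {
		panic(err)
	}
	// Same key, three ways of pointing at the certificate: PEM file, DER file,
	// and a host-style path that does not exist inside this process's view.
	for _, c := range [][2]string{{certPath, keyPath}, {derPath, keyPath},
		{"/var/traefik2/certs/example_ssl_certificate.cer", keyPath}} {
		fmt.Printf("%s -> %v\n", filepath.Base(c[0]), CheckKeyPair(c[0], c[1]))
	}
}
```

Running it from the same place the TLS server runs (here, inside the container, e.g. via docker exec) is the point: the first case succeeds, the second reproduces the thread's PEM error, and the third reproduces the effect of a path that only exists on the host.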

Hi,

Thank you very much, this solved the initial problem, no more error in the log about the certificate copy.
I feel stupid for this mistake.
I hope it will help others in the same case.

My container is working in HTTPS

Wonderful.

Regards

Steeve
