Tls: unknown certificate

Traefik Traefik v2
1

Hi, having some issues with a self-signed certificates. Not sure why it doesn't seem to be being recognized. Wanted to double check to see if my traefik.yaml is misconfigured

reverse-proxy_1  | time="2019-10-30T17:48:55Z" level=debug msg="http: TLS handshake error from 192.168.16.1:34924: remote error: tls: unknown certificate"
reverse-proxy_1  | time="2019-10-30T17:48:56Z" level=debug msg="Serving default certificate for request: \"dev.app.com\""
reverse-proxy_1  | time="2019-10-30T17:48:56Z" level=debug msg="Serving default certificate for request: \"dev.app.com\""
reverse-proxy_1  | time="2019-10-30T17:48:56Z" level=debug msg="http: TLS handshake error from 192.168.16.1:34926: remote error: tls: unknown certificate"
reverse-proxy_1  | time="2019-10-30T17:48:56Z" level=debug msg="http: TLS handshake error from 192.168.16.1:34928: remote error: tls: unknown certificate"

docker-compose.yml

  reverse-proxy:
    image: traefik:latest
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./certs/:/certs/
      - ./traefik.yaml:/traefik.yaml
    labels:
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

Contents of ./certs

$ ls -la ./certs
total 56
drwxr-xr-x    9 kakwong  120049300   288B Oct 30 12:30 ./
drwxr-xr-x  101 kakwong  120049300   3.2K Oct 30 13:50 ../
-rw-r--r--    1 kakwong  120049300   956B Oct 30 11:55 cert.crt
-rw-r--r--    1 kakwong  120049300   3.2K Oct 30 11:56 cert.key

traefik.yaml

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

providers:
  file:
    watch: true
    debugLogGeneratedTemplate: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: true
api:
  insecure: true
tls:
  certificates:
    - certFile: /certs/cert.crt
      keyFile: /certs/cert.key
log:
  level: debug
accessLog:
  filePath: "/etc/log/traefik_access.log"
  bufferingSize: 100
2

Hi @kwngo, as explained in the documentation (https://docs.traefik.io/v2.0/getting-started/configuration-overview/), Traefik has 2 kind of configurations: Static (which follows Traefik lifecycle, generally the traefik.toml or traefik.yml file) and Dynamic (comes from providers, including the file provider).

In your case, you enabled docker and file providers in your static configuration, which is good.
But the tls: directive is expected to be on the dynamic configuration (as described in the documentation for "user defined" TLS certificates: https://docs.traefik.io/v2.0/https/tls/#user-defined). So in your case it is never read by Traefik: so it doesn't know the certificate.

Solution: following documentation, you have to provide the directive filename to the file provider, which should point to the file containing the tls: directive. It can be the file traefik.yml itself, but it is recommended to specify another file like dynamic.yml to split concerns.

If you have any doubt about a directive's location (static or dynamic?), we provide references: https://docs.traefik.io/v2.0/reference/static-configuration/file/

1 Like