Hey! I'm trying to find what's wrong with my Traefik config but have had no luck so far, so here I am.
I have a docker-compose with several apps, and Traefik to do the routing and handle the SSL/TLS certificates.
I changed DNS provider from Google to OVH, and then it stopped working. I thought I just had to renew the certificates by restarting Traefik after deleting and recreating the acme.json file, but that didn't work.
The problem is, I get this error on my web page: ERR_SSL_KEY_USAGE_INCOMPATIBLE
When I look at the certificate in the browser tools, I see this: TRAEFIK DEFAULT CERT
I tried with curl, just in case this was cached:
```
curl -vI https://subdomain.mydomain.fr
*   Trying :443...
* Connected to subdomain.mydomain.fr () port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
```
So I started looking into every possibility, but I'm stuck.
Here's my docker-compose.yml file:
```yaml
version: '3.9'
services:
  traefik:
    image: traefik:3.3.5
    container_name: traefik
    command: [--logLevel=DEBUG, --configFile=/traefik.yml]
    restart: always
    environment:
      - "TZ=Europe/Paris"
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=######"
      - "OVH_APPLICATION_SECRET=######"
      - "OVH_CONSUMER_KEY=######"
    networks:
      - traefik_public
      - elastic
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/user/infrastructure-master/traefik/config/traefik.toml:/traefik.toml
      - /home/user/infrastructure-master/traefik/config/letsencrypt:/letsencrypt
      - traefik_log:/var/log/traefik/
    labels:
      - "traefik.enable=true"
  my-app:
    image: registry.gitlab.####
    container_name: my-app
    depends_on:
      mq-messaging:
        condition: service_started
    environment:
      - ####
    networks:
      - traefik_public
      - artemis_messaging
      - logstash
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 10s
        order: stop-first
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-app.rule=Host(`subdomain.domain.fr`)"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.my-app.entrypoints=websecure"
      - "traefik.http.routers.my-app.tls.certresolver=my_prod_certs"
      - "traefik.http.services.my-app.loadbalancer.server.port=8091"
  mq-messaging:
    image: apache/activemq-artemis:2.31.2-alpine
    container_name: mq-messaging
    environment:
      - ####
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mq-messaging.rule=Host(`subdomain2.domain.fr`)"
      - "traefik.http.routers.mq-messaging.entrypoints=websecure"
      - "traefik.http.routers.mq-messaging.tls.certresolver=my_prod_certs"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.services.mq-messaging.loadbalancer.server.port=8161"
    volumes:
      - ./artemis/logging.properties:/var/lib/artemis/etc/logging.properties
      - ./artemis/jolokia-access.xml:/var/lib/artemis/etc/jolokia-access.xml
      - artemis_log:/var/lib/artemis/log/
    ports:
      - 8161:8161
      - 61616:61616
    networks:
      - traefik_public
      - artemis_messaging
      - elastic
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  keycloak:
    image: registry.gitlab.com/####
    container_name: keycloak
    command: ["start"]
    depends_on:
      keycloak_db:
        condition: service_healthy
    environment:
      - ####
    labels:
      - "traefik.http.routers.keycloak.rule=Host(`subdomain3.domain.fr`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=my_prod_certs"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      - "traefik.enable=true"
    volumes:
      - keycloak_log:/opt/jboss/keycloak/standalone/log/
    networks:
      - keycloak_db
      - traefik_public
      - elastic
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  keycloak_db:
    image: postgres:10.4
    container_name: keycloak_db
    command: postgres -c log_filename=keycloak_v3_db-%Y-%m-%d_%H%M%S.log -c config_file=/etc/postgresql.conf
    environment:
      - ####
    volumes:
      - keycloak_db_data:/var/lib/postgresql/data
      - postgresql_log:/var/log/postgresql
      - ./postgresql/config/postgresql.conf:/etc/postgresql.conf
    networks:
      - keycloak_db
      - elastic
    restart: always
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready" ]
      interval: 10s
      timeout: 5s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  print-service-operation:
    image: registry.gitlab.com/####
    environment:
      - ####
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    deploy:
      replicas: 4
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  print-service-reservation:
    image: registry.gitlab.com/####
    environment:
      - ####
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    deploy:
      replicas: 4
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  external-api-provider:
    container_name: external-api-provider
    image: registry.gitlab.com/####
    environment:
      ####
    networks:
      - traefik_public
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.external-api-provider.rule=Host(`subdomain4.domain.fr`)"
      - "traefik.http.routers.external-api-provider.entrypoints=websecure"
      - "traefik.http.routers.external-api-provider.tls.certresolver=my_prod_certs"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.services.external-api-provider.loadbalancer.server.port=3000"
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 50M
        reservations:
          cpus: '0.25'
          memory: 20M
  dxfconverter_v3:
    image: registry.gitlab.com/####
    container_name: dxfConverter
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
    environment:
      - ####
networks:
  traefik_public:
    external: true
  keycloak_db:
    name: keycloak_db
  artemis_messaging:
    name: artemis_messaging
  logstash:
    name: logstash
  elastic:
    name: elastic
volumes:
  traefik_log:
    name: traefik_log
  keycloak_db_data:
    name: keycloak_db_data
  postgresql_log:
    name: postgresql_log
  artemis_log:
    name: artemis_log
  keycloak_log:
    name: keycloak_log
```
I have a traefik.yml configuration file like this:
```yaml
accessLog:
  filePath: "/var/log/traefik/access.log"
  fields:
    defaultMode: keep
    names:
      StartUTC: drop
    headers:
      defaultMode: keep
api:
  dashboard: true
log:
  level: DEBUG
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
certificatesResolvers:
  showyou_prod_certs:
    acme:
      email: "####"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      storage: "/letsencrypt/acme.json"
      keyType: "RSA4096"
      dnsChallenge:
        provider: ovh
        delayBeforeCheck: 60
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
        disablePropagationCheck: true
```
I have an acme.json file, which I deleted and recreated with the following permissions:
```
-rw------- 1 user user 42896 7 avril 10:34 ../traefik/config/letsencrypt/acme.json
```
In this file I have entries for every subdomain I use, looking like this:
```json
"domain": {
  "main": "subdomain.domain.fr"
},
```
followed by a certificate and a key (which I guess I shouldn't share).
I can't find any error in the Traefik logs, but I have a lot of these:
```
2025-04-09T09:09:49+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
```
and these, listed as debug, but I think they're still errors:
```
2025-04-09T09:12:25+02:00 DBG log/log.go:245 > http: TLS handshake error from 77.111.247.41:47137: remote error: tls: unknown certificate
2025-04-09T09:12:25+02:00 DBG log/log.go:245 > http: TLS handshake error from 77.111.247.41:52251: remote error: tls: unknown certificate
```
Any help would be much appreciated; I can provide more information if you tell me what you need.
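Editor's note (added example, not part of the post above). When Traefik logs "Serving default certificate" and the browser shows TRAEFIK DEFAULT CERT, the router never obtained an ACME certificate for that host. The three places that have to agree are the `tls.certresolver` labels in the compose file, the keys under `certificatesResolvers` in traefik.yml, and the certificates actually stored in acme.json. As posted, the labels reference `my_prod_certs` while traefik.yml defines `showyou_prod_certs`, and a router that names a resolver Traefik does not know falls through to the default certificate. The script below cross-checks those three inputs offline; it is my own diagnostic, uses only the standard library (a regex scan of labels and an indentation scan of the YAML, not a full YAML parser), and the sample compose/traefik.yml/acme.json strings are constructed to mirror the post, including its resolver-name mismatch. Function names and the sample hostnames are mine, not Traefik's.

```python
"""Cross-check Traefik router certresolver labels against traefik.yml resolvers
and the certificates stored in acme.json. Added editor example; std-lib only."""
import json
import re
import sys

# Label shapes as written in compose files (the post uses exactly this form).
ROUTER_RESOLVER_RE = re.compile(
    r"traefik\.http\.routers\.(?P<router>[\w-]+)\.tls\.certresolver=(?P<resolver>[\w-]+)")
ROUTER_RULE_RE = re.compile(
    r"traefik\.http\.routers\.(?P<router>[\w-]+)\.rule=Host\(`(?P<host>[^`]+)`\)")


def routers_from_compose(compose_text):
    """Return {router: {"resolver": ..., "host": ...}} scraped from compose labels."""
    routers = {}
    for line in compose_text.splitlines():
        m = ROUTER_RESOLVER_RE.search(line)
        if m:
            routers.setdefault(m["router"], {})["resolver"] = m["resolver"]
        m = ROUTER_RULE_RE.search(line)
        if m:
            routers.setdefault(m["router"], {})["host"] = m["host"]
    return routers


def resolvers_from_traefik_yml(yml_text):
    """Return the set of keys one level below `certificatesResolvers:`.
    Indentation-based scan, sufficient for a static file like the one posted."""
    names, parent_indent, child_indent = set(), None, None
    for line in yml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if parent_indent is None:
            if line.strip() == "certificatesResolvers:":
                parent_indent = indent
            continue
        if indent <= parent_indent:
            break  # left the certificatesResolvers block
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and line.strip().endswith(":"):
            names.add(line.strip()[:-1])
    return names


def certs_from_acme_json(acme_text):
    """Return {resolver: set(domains with a stored certificate)} from acme.json.
    acme.json is keyed by resolver name; each entry has a Certificates list whose
    items carry domain.main and optional domain.sans."""
    out = {}
    for resolver, blob in json.loads(acme_text).items():
        doms = set()
        for cert in blob.get("Certificates") or []:
            d = cert.get("domain", {})
            if d.get("main"):
                doms.add(d["main"])
            doms.update(d.get("sans") or [])
        out[resolver] = doms
    return out


def diagnose(compose_text, yml_text, acme_text):
    """Return [(router, host, problem)] for routers that will get the default cert."""
    routers = routers_from_compose(compose_text)
    defined = resolvers_from_traefik_yml(yml_text)
    stored = certs_from_acme_json(acme_text)
    findings = []
    for router, info in sorted(routers.items()):
        host, resolver = info.get("host", "?"), info.get("resolver")
        if resolver is None:
            findings.append((router, host, "no tls.certresolver label on this router"))
        elif resolver not in defined:
            findings.append((router, host,
                             f"certresolver '{resolver}' is not defined in traefik.yml "
                             f"(defined: {sorted(defined)})"))
        elif host not in stored.get(resolver, set()):
            findings.append((router, host,
                             f"no certificate for this host in acme.json under '{resolver}'"))
    return findings


# Constructed sample inputs mirroring the post (hostnames are placeholders).
SAMPLE_COMPOSE = """
services:
  my-app:
    labels:
      - "traefik.http.routers.my-app.rule=Host(`subdomain.domain.fr`)"
      - "traefik.http.routers.my-app.tls.certresolver=my_prod_certs"
  keycloak:
    labels:
      - "traefik.http.routers.keycloak.rule=Host(`subdomain3.domain.fr`)"
      - "traefik.http.routers.keycloak.tls.certresolver=showyou_prod_certs"
  api:
    labels:
      - "traefik.http.routers.api.rule=Host(`subdomain4.domain.fr`)"
      - "traefik.http.routers.api.tls.certresolver=showyou_prod_certs"
"""
SAMPLE_TRAEFIK_YML = """
entryPoints:
  websecure:
    address: ":443"
certificatesResolvers:
  showyou_prod_certs:
    acme:
      storage: "/letsencrypt/acme.json"
      dnsChallenge:
        provider: ovh
"""
SAMPLE_ACME_JSON = json.dumps({"showyou_prod_certs": {"Account": {}, "Certificates": [
    {"domain": {"main": "subdomain3.domain.fr"}, "certificate": "...", "key": "...", "Store": "default"}]}})

if __name__ == "__main__":
    if len(sys.argv) == 4:  # real files: compose.yml traefik.yml acme.json
        args = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:
        args = [SAMPLE_COMPOSE, SAMPLE_TRAEFIK_YML, SAMPLE_ACME_JSON]
    for router, host, problem in diagnose(*args):
        print(f"{router} ({host}): {problem}")
```

Run it in place against the real files (`python3 check.py docker-compose.yml traefik.yml letsencrypt/acme.json`) rather than copying acme.json elsewhere: it holds the account key and every private key, which is why the `0600` mode in the post is correct. The label scan only recognises labels in the `traefik.http.routers.<name>.…` form shown in the post, so routers defined in a file provider would need the same checks applied to that file.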