Hello, I am encountering an issue with the creation of a TLS certificate.
Basically, the setup I have is a root certificate managed by a Windows AD (A), then an intermediate managed by a step-ca instance (B), and finally the leaf created by Traefik (C). What is then supposed to happen is that any instance managed by Traefik has a chained certificate looking like this: A->B->C, except I only have this: B->C.
Here is my Traefik config:
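---
# Traefik v2.5 edge proxy deployed as a Swarm service: Docker provider in
# swarmMode, leaf certificates requested from a step-ca ACME endpoint through
# the "stepca" resolver.
version: "3.3"

services:
  traefik:
    image: traefik:v2.5
    restart: unless-stopped
    ports:
      # Quoted on purpose: an unquoted `80:80` is a sexagesimal integer (4880)
      # to YAML 1.1 parsers; Compose wants the "host:container" string.
      - "80:80"
      - "443:443"
      - "2222:2222"
    environment:
      # Root CA the ACME client presumably uses to trust the step-ca server's
      # own TLS endpoint (the caServer URL below) — TODO confirm against the
      # lego docs. It does not change which chain the CA returns for the leaf.
      - LEGO_CA_CERTIFICATES=/root/.step/certs/root_ca.crt
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.traefik-public-certificates == true
      # swarmMode is enabled in `command` below, so Traefik reads these from
      # the service (deploy.labels) rather than from container labels.
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        # Credentials redacted in the original post.
        - traefik.http.middlewares.admin-auth.basicauth.users=*******
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # Router on the :80 entrypoint only redirects to HTTPS.
        - traefik.http.routers.traefik-public-http.rule=Host(`traefik.docker.mydomain`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # Router on the :443 entrypoint serves the dashboard/API (api@internal)
        # behind basic auth, with a certificate from the "stepca" resolver.
        - traefik.http.routers.traefik-public-https.rule=Host(`traefik.docker.mydomain`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public-https.service=api@internal
        - traefik.http.routers.traefik-public-https.tls.certresolver=stepca
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      # NOTE(review): `:ro` only affects the filesystem node; it does not limit
      # what the Docker API accepts over the socket, so the container still
      # has full daemon access. Consider a socket proxy if that matters.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # ACME state (acme.json: account key, issued certs and their private
      # keys) persists here — keep this volume private to the service.
      - traefik-public-certificates:/certificates
      - /root/.step/certs/root_ca.crt:/root/.step/certs/root_ca.crt
    command:
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.swarmMode=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.gitssh.address=:2222"
      # NOTE(review): the chain stored in acme.json is whatever the ACME server
      # returns. CAs commonly send leaf + issuing intermediate (B->C) and leave
      # the root (A) to the client's trust store, so B->C may be the expected
      # result — check step-ca's chain configuration before treating it as a
      # Traefik problem.
      - "--certificatesResolvers.stepca.acme.caServer=https://step-ca.mydomain/acme/acme/directory"
      - "--certificatesResolvers.stepca.acme.email=useremail@mydomain"
      - "--certificatesResolvers.stepca.acme.storage=/certificates/acme.json"
      - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
      - "--providers.providersthrottleduration=100"
      - "--accesslog"
      - "--log"
      - "--api"
      # Was `--pilot.token="token"`: inside a plain YAML scalar those inner
      # quotes are literal and become part of the token value. The real token
      # belongs in an env var or Docker secret, not in the compose file.
      - "--pilot.token=token"
    networks:
      - traefik-public

volumes:
  traefik-public-certificates:

networks:
  traefik-public:
    external: true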
Does anyone have any idea what is going on? If you need more info, please do ask.