Traefik not serving custom SSL certificate

Hi all, I'm facing a problem with Traefik running on Docker.
I have a registered domain for which I can request SSL certificates from Cloudflare. I'm trying to set them up, but Traefik is refusing to serve my certificates. As you can see from the compose file, I load a dynamic configuration file (.toml) where I set where to find the certificates. When I started I had a single CA that covered my domain and *.mydomain; I saw Traefik loading it correctly, but it ended up always serving the default one.
What I tried after that is creating a certificate for whoami.mydomain.it, and I still see in the log that Traefik is effectively loading it but then serves the default auto-generated certificate. I also tried to set a new default certificate, but it seems to ignore this instruction.
I'm passing through a cloudflared tunnel and calling the service out of the tunnel as https://traefik:443, but since it recognizes that I'm calling whoami.mydomain.it, I don't think it should be a problem.
Thank you in advance for your help!

Docker compose

version: "3.8"

services:

  traefik:
    image: "traefik:latest"   # unpinned tag; pin a release for reproducible deployments
    container_name: "traefik"
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"   # exposes the dashboard/API on :8080 without authentication
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # dynamic configuration (TLS certificates) is read from this directory
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/root/traefik/tls.toml:/etc/traefik/dynamic/tls.toml"
      - "/root/certs/:/etc/certs/"
    networks:
      - traefik-proxy

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.it`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
    networks:
      - traefik-proxy

networks:

  traefik-proxy:
    external: true

Dynamic config TOML

# cert.cert must hold the certificate chain (leaf first), private.key the matching key
[[tls.certificates]]
  certFile = "/etc/certs/cert.cert"
  keyFile  = "/etc/certs/private.key"
  stores   = ["default"]

Logs

Adding certificate for domain(s) cloudflare origin certificate,whoami.domain.it

Adding route for whoami.dcruciano.it with TLS options default

Serving default certificate for request: "traefik"

You need to use the exact URL that matches your rule Host() and your cert.

Alternatively you can (additionally) declare a cert as default, see doc.

As I said, I already tried both without any luck

And did you try to configure default certs as linked above?

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

Yes I did. In the logs no error showed; it was completely ignored. So I also tried to put this and also to load the certificate for the domain, and in the logs it just showed that the CA for the domain was loaded (it still didn't use it), but the default certificate command was again completely ignored.

How Traefik TLS works. Traefik will first look for a matching cert (by the hostnames encoded in the cert; wildcards work) in your list of defined certs:

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/second-domain.cert
      keyFile: /path/to/second-domain.key

If no match is found, then Traefik will use the single cert in the default store:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

If nothing is defined, it will create a custom Traefik cert, which the browser will warn about.

Make sure your cert files have the correct content:

certFile:
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
keyFile:
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
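To make the selection rule described above concrete, here is an added Python model (example code written for this thread, not Traefik's own code) of the two steps: the server name sent in the TLS handshake (SNI) is matched against the DNS names of the configured certificates, a wildcard covering exactly one label, and the default store's certificate is used when nothing matches. It also includes the file-content check from the post above: the certFile must consist of CERTIFICATE blocks only and the keyFile of exactly one PRIVATE KEY block. The certificate store, the PEM placeholders and the hostnames are constructed for the example; the SNI value `traefik` is taken from the question's log line `Serving default certificate for request: "traefik"`, which is the name Traefik matched against, not the HTTP Host header.

```python
"""Model of Traefik-style certificate selection plus a PEM file sanity check.

Added example for this thread. It does not parse real certificates; the SAN
lists below are constructed by hand to stand in for what a certificate carries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One PEM block: label in the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> List[str]:
    """Return the label of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_cert_and_key_files(cert_pem: str, key_pem: str) -> List[str]:
    """Return the problems found in a certFile/keyFile pair (empty list means OK)."""
    problems: List[str] = []
    cert_types = pem_block_types(cert_pem)
    key_types = pem_block_types(key_pem)
    if not cert_types:
        problems.append("certFile contains no PEM block")
    if any(t != "CERTIFICATE" for t in cert_types):
        problems.append("certFile should contain only CERTIFICATE blocks (leaf first, then intermediates)")
    if any(t.endswith("PRIVATE KEY") for t in cert_types):
        problems.append("private key found in certFile")
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        problems.append("keyFile must contain exactly one PRIVATE KEY block")
    return problems


@dataclass
class Cert:
    name: str          # label used when reporting which certificate was chosen
    sans: List[str]    # DNS names the certificate is valid for (constructed here)


def san_matches(san: str, server_name: str) -> bool:
    """Match one SAN entry against the SNI name; a wildcard covers a single label."""
    san = san.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                          # "*.mydomain.it" -> ".mydomain.it"
        if not server_name.endswith(suffix):
            return False
        label = server_name[: -len(suffix)]       # the part replaced by "*"
        return label != "" and "." not in label   # exactly one label, no empty name
    return san == server_name


def pick_certificate(server_name: str, certs: List[Cert], default: Cert) -> Cert:
    """First configured certificate whose SANs cover the SNI name, else the default."""
    for cert in certs:
        if any(san_matches(s, server_name) for s in cert.sans):
            return cert
    return default


def demo() -> Dict[str, str]:
    """Which certificate is served for a few SNI values against a constructed store."""
    store = [Cert("cloudflare-origin", ["whoami.mydomain.it", "*.mydomain.it"])]
    default = Cert("traefik-default-selfsigned", [])  # what Traefik generates when no default is set
    chosen = {}
    for sni in ["whoami.mydomain.it", "traefik", "api.mydomain.it", "deep.api.mydomain.it", ""]:
        chosen[sni] = pick_certificate(sni, store, default).name
    return chosen


# Constructed PEM placeholders (not real key material); only the block labels matter here.
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n"
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
CERT_WITH_KEY_INSIDE = GOOD_CERT + GOOD_KEY   # common mistake: whole bundle pasted into certFile


if __name__ == "__main__":
    for sni, name in demo().items():
        print(f"SNI {sni!r:24} -> {name}")
    print("good pair problems:", check_cert_and_key_files(GOOD_CERT, GOOD_KEY))
    print("bundle-in-certFile problems:", check_cert_and_key_files(CERT_WITH_KEY_INSIDE, GOOD_KEY))
```

The practical check this models: connect with the SNI you expect (`openssl s_client -connect <traefik-host>:443 -servername whoami.mydomain.it`) and compare with a connection where the server name is `traefik`; only the first can match a certificate issued for whoami.mydomain.it.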

Yes, it looks like this, but the cert file has just one beginning and ending. On Cloudflare I select PEM format. At first I tried to put the text in two PEM files (cert.pem and private.pem), and then, as it wasn't working, I tried to put the text for the cert file in a .cert file and the private key in a .key file. I think it's okay because it does read that it is a Cloudflare certificate and for which domain.

From my experience you need 2 or 3 CERTIFICATE blocks inside the certFile to work; otherwise it's not recognized by the browser.

From ChatGPT:

In a TLS (Transport Layer Security) context, a certificate file, especially the .pem format, can contain multiple certificates. Typically, these are:

  1. End-entity Certificate (or Leaf Certificate): This is the actual certificate for the domain or service in question. It contains information about the entity to which the certificate was issued and the entity that issued the certificate.
  2. Intermediate Certificate(s): Intermediate certificates act as a bridge between the end-entity certificate and the root certificate. Browsers and operating systems don't directly trust the end-entity certificates. Instead, they trust the root certificates. The intermediate certificates provide a chain of trust from the end-entity certificate to a root certificate.
  3. Root Certificate: This is a certificate that's trusted by the client (e.g., a web browser). Root certificates are usually pre-installed in the operating system or browser and establish the trust anchor. In many TLS setups, the root certificate might not be included in the certificate file because it's already trusted by the client. The client is expected to already have it.

Ok, then that probably explains why it doesn't use it. I don't have that much experience with TLS certificates and don't know why Cloudflare is providing certificates this way. Then I guess I'll have to stick with the Let's Encrypt default one, because I don't see another way to generate a different type of certificate from Cloudflare. I don't even know which of the three you listed mine are.

My post above was wrong - deleted for clarity