Traefik not using Acme SSL cert for API. Cloudflare 525 SSL handshake error

ZerkerEOD · November 28, 2022, 8:28pm

Hello, I had access to my dashboard while I had the api insecure set to true. I just switched it to false and now I am getting the Cloudflare 525 SSL handshake error. It looks like it is provided the Traefik default certificate but I tried adding settings to the dynamic config to have it pull a certificate.

http:
  routers:
    dashboard:
      entrypoints:
        - "web"
        - "websecure"
      rule: Host(`traefik.[redacted]`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - traefikAuth
        - chain
      tls:
        certResolver: production
        domains:
          -main: "traefik.[redacted]"
        options: "modern"

Any help would be great. I would hope that I don't have to keep it with API insecure true to access my dashboard through Cloudflare. All my other services still work through Cloudflare.

bluepuma77 · November 29, 2022, 6:59am

How is production set up in your static config?

bluepuma77 · November 29, 2022, 7:04am

What is CloudFlare doing for you? Is it terminating (decrypting) the TLS/SSL connection? Is it forwarding requests unencrypted or does it forward the TLS connection to Traefik? Or will it just provide a TLS/SSL certificate?

Do you have an active redirect 80->443 on your entrypoints in static config?

ZerkerEOD · November 29, 2022, 1:37pm

I have it set up the following way.

certificatesResolvers:
  production:
    acme:
      email: "[redacted]"
      storage: /etc/traefik/certs/acme.json
      dnsChallenge:
        provider: cloudflare

I have the SSL/TLS set to Full on Cloudflare. I read something about dropping it to Flexible, but I don't want to do that. I do not see anything that protects from Cloudflare to the server and how that is handled. But when I go to the Traefik dashboard, it showed the Traefik default cert when set to insecure, not that it is set to secure in the API, I am getting the sni.cloudflare signed cert when I try to go to the dashboard but I am getting the 525 still.

bluepuma77 · November 29, 2022, 2:35pm

You could try without this. Domain will be taken from Host().

ZerkerEOD · November 29, 2022, 8:02pm

I did this, and I am back to getting a 404 on the site for some reason. No more 525 errors though, just cant access the dashboard.

bluepuma77 · November 30, 2022, 6:50am

I would say that is good, because TLS comes before internal routing.

Have you tried those URLs? Take note of the trailing slash.

http://traefik.[redacted]/dashboard/
https://traefik.[redacted]/dashboard/

Check your Traefik access logs.
Check your Traefik debug logs.
Check your browser's developer tools' network tab.

You still haven't shared your full config (docker, static, dynamic), so it's still hard to help you.

Topic		Replies	Views
Cannot get https to work through cloudflare? Traefik v2 docker , letsencrypt-acme	3	958	January 2, 2023
Traefik unable to use ACME certificate after generating Traefik v2 docker	1	94	April 12, 2024
TLS issues with cloudflare. Docker Compose Traefik v2 docker	2	984	October 2, 2022
Traefik not getting certificates from cloudflare Traefik v2 kubernetes-ingress , letsencrypt-acme	1	968	August 2, 2021
Traefik through cloudflare tunnel Traefik v3 (latest) docker , letsencrypt-acme	2	167	October 14, 2024

Traefik not using Acme SSL cert for API. Cloudflare 525 SSL handshake error

Related topics