Traefik portainer bad certificate

I wanted to upgrade Portainer recently from 1.x to 2.x but now have a certificate issue. Inbound traffic is load-balanced with Traefik, and when attempting to load the Portainer UI I get these messages:

traefik_traefik.1.68d2njton45p@swarm01 | time="2022-12-13T14:35:32Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for, not"

portainer_portainer.1.2f95iz88q99v@swarm01 | {"time":1670942132,"message":"http: TLS handshake error from remote error: tls: bad certificate"}

Any ideas how to renew the certificate?

Do you terminate TLS with Traefik or do you forward encrypted traffic? Do you forward to an unencrypted port?

Show your configs (Traefik static, dynamic, docker-compose.yml); we have Portainer running without a problem.

Looks to be encrypted through-out.

I don't know what Traefik static or dynamic means. Here is the docker-compose.yml for Portainer.

    # Portainer service from the Swarm stack file (extraction had dropped the
    # mapping keys; restored here so the block is valid compose YAML)
    image: portainer/portainer-ce:latest
    # -H/--tlsskipverify concern Portainer's own connection to the agent, not Traefik
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    ports:
      - "9443:9443"
      - "9000:9000"
      - "8000:8000"
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - traefik_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.http.routers.portainer.rule=Host(``)
        - traefik.http.routers.portainer.entrypoints=websecure
        - traefik.http.routers.portainer.tls.certresolver=traefik-tlschallenge

We use port 9000 without https, like in the example.

If you really want to enforce TLS within your network, you could try insecureskipverify.

It's run in a secure and private network, so I don't mind not having https. On the flip side, this has been working perfectly for almost 3 years now, and it is only since the Portainer upgrade that this problem happened. Ideally I would just regenerate the certificates; I will have plain http as a back-up.

The problem might be that Traefik terminates TLS, I don't think Portainer can create a signed cert. And when using a custom unsigned cert, you need to use insecureskipverify.

The compose file here, Install Portainer with Docker Swarm on Linux - Portainer Documentation, is what I use for mine, which I think is fine; it's the Traefik side that is struggling, given the error in the first post. Which is why I would like to regenerate Portainer's certificate.

Tried insecureSkipVerify to no avail.

Tried removing acme.json too, in order to regenerate the certificates, but that not only didn't fix the problem, all other sites that had the previous certificate setup are now not secure.

Because Portainer is sitting behind Traefik, it can not generate a validated and signed cert. It will always create a custom cert that Traefik will not accept. (yes, there may be exceptions, but why go the hard way?)

Either you go along the official Portainer+Traefik docs with port 9000 or you use insecureskipverify.

Be aware you can't simply use insecureskipverify on a service; you must create and assign a serversTransport.

    ## Dynamic configuration
    # define a transport that skips verification of the backend certificate
    http:
      serversTransports:
        mytransport:
          insecureSkipVerify: true

    ## Dynamic configuration
    # assign that transport to the service's load balancer
    http:
      services:
        portainer:
          loadBalancer:
            serversTransport: mytransport

Interesting. I went with Deploying Portainer behind Traefik Proxy - Portainer Documentation but that configuration broke all other sites I have running, and it didn't solve the problem I have either.

Just use

so Traefik uses plain http to connect to non-TLS port 9000 of portainer.

Got things working, though obviously I don't have the secure connection I used to, which is a massive shame.

Unencrypted connection over an internal Docker network. I think you could encrypt the network.
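The two choices discussed in this thread side by side, as an added example rather than any participant's own config or the Traefik/Portainer docs: option A forwards plain HTTP to port 9000 over the overlay network, option B keeps TLS to port 9443 through a serversTransport. For B, the `insecureSkipVerify` transport is the one the replies above describe; the `rootCAs` + `serverName` transport is an alternative that pins Portainer's self-signed certificate so Traefik still rejects any other certificate. The hostname `portainer.example.com`, the file paths, the transport names and the `serverName` value are assumptions; the path of Portainer's generated certificate is also assumed and should be checked on your instance. The first document is Traefik dynamic configuration for the file provider; the second is the Swarm stack file.

```yaml
# --- Traefik dynamic configuration (file provider), e.g. /etc/traefik/dynamic/portainer.yml ---
# Assumed: Traefik v2 with the file provider enabled, and Portainer's self-signed
# certificate (assumed to live at /data/certs/cert.pem in the Portainer volume)
# copied to /etc/traefik/certs/portainer.crt on the Traefik host.
http:
  serversTransports:
    # Option B1 (what the thread suggests): skip verification entirely.
    # Traefik then accepts whatever certificate the backend presents.
    portainer-insecure:
      insecureSkipVerify: true
    # Option B2: pin the backend's own certificate instead. rootCAs limits trust to
    # this one cert; serverName must be a name the cert is valid for (the first
    # name in the "x509: certificate is valid for X, not Y" message).
    portainer-pinned:
      rootCAs:
        - /etc/traefik/certs/portainer.crt
      serverName: portainer   # assumed; use the SAN reported in the x509 error
---
# --- Swarm stack file: Portainer service with Traefik labels ---
version: "3.8"
services:
  portainer:
    image: portainer/portainer-ce:latest
    # --tlsskipverify here only affects Portainer -> agent, not Traefik -> Portainer
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - traefik_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
        - traefik.http.routers.portainer.entrypoints=websecure
        - traefik.http.routers.portainer.tls.certresolver=traefik-tlschallenge
        # Option A (what the thread settled on): plain HTTP inside the overlay network.
        - traefik.http.services.portainer.loadbalancer.server.port=9000
        # Option B: keep TLS to 9443 and select one of the transports above.
        # Uncomment these three and remove the port=9000 label to use it.
        # - traefik.http.services.portainer.loadbalancer.server.port=9443
        # - traefik.http.services.portainer.loadbalancer.server.scheme=https
        # - traefik.http.services.portainer.loadbalancer.serverstransport=portainer-pinned@file
networks:
  agent_network:
    external: true
  traefik_network:
    external: true
volumes:
  portainer_data:
```

With option A, everything between Traefik and Portainer travels in clear text on the Docker overlay network, which is the state the thread ends in. With `portainer-insecure`, the connection is encrypted but Traefik cannot tell Portainer's certificate from anyone else's on that network; `portainer-pinned` keeps the encryption and restores that check, at the cost of updating the pinned file whenever Portainer regenerates its certificate.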

I created a feature request for this topic.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.