Traefik portainer bad certificate

I wanted to upgrade portainer recently from 1.x to 2.x but now have a certificate issue. Inbound traffic is load-balanced with traefik and, attempting to load the portainer UI, I get these messages:

traefik:
traefik_traefik.1.68d2njton45p@swarm01 | time="2022-12-13T14:35:32Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 0.0.0.0, not 10.0.21.178"

portainer:
portainer_portainer.1.2f95iz88q99v@swarm01 | {"time":1670942132,"message":"http: TLS handshake error from 10.0.21.175:59844: remote error: tls: bad certificate"}

Any ideas how to renew the certificate?

Do you terminate TLS with Traefik or do you forward encrypted traffic? Do you forward to an unencrypted port?

Show your configs (Traefik static, dynamic, docker-compose.yml), we have Portainer running without a problem.

Looks to be encrypted through-out.

I don't know what traefik static or dynamic means. Here is the docker-compose.yml for portainer.

  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    ports:
      - "9443:9443"
      - "9000:9000"
      - "8000:8000"
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
      - traefik_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
        - traefik.http.routers.portainer.entrypoints=websecure
        - traefik.http.routers.portainer.tls.certresolver=traefik-tlschallenge
        - traefik.http.services.portainer-service.loadbalancer.server.port=9443
        - traefik.http.services.portainer-service.loadbalancer.server.scheme=https

We use port 9000 without https, like in the example.

If you really want to enforce TLS within your network, you could try insecureskipverify.

It's run in a secure and private network, so I don't mind not having https. On the flip-side this has been working perfectly for almost 3 years now, and it is only since the portainer upgrade that this problem happened. Ideally I would just regenerate the certificates; I will have plain http as a back-up.

The problem might be that Traefik terminates TLS, I don't think Portainer can create a signed cert. And when using a custom unsigned cert, you need to use insecureskipverify.

The compose file here Install Portainer with Docker Swarm on Linux - Portainer Documentation is what I use for mine. Which I think is fine; it's the traefik side that is struggling, given the error in the first post. Which is why I would like to regenerate Portainer's certificate.

Tried insecureSkipVerify to no avail.

Tried removing acme.json too, in order to regenerate the certificates, but that not only didn't fix the problem, all other sites that had the previous certificate setup are now not secure as well.

Because Portainer is sitting behind Traefik, it can not generate a validated and signed cert. It will always create a custom cert that Traefik will not accept. (yes, there may be exceptions, but why go the hard way?)

Either you go along the official Portainer+Traefik docs with port 9000 or you use insecureskipverify.

Be aware you can't simply use insecureskipverify on a service, but you must create and assign serversTransport.

## Dynamic configuration
http:
  serversTransports:
    mytransport:
      insecureSkipVerify: true

## Dynamic configuration
http:
  services:
    myservice:
      loadBalancer:
        serversTransport: mytransport
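The same serversTransport fix expressed as Docker/Swarm labels, to match the compose file posted earlier in the thread. This is an added example, not from the thread or the Portainer docs; the transport name `portainer-transport` and the hostname are assumed.

```yaml
# Added example: Traefik v2 dynamic configuration via Docker labels,
# keeping the Traefik -> Portainer hop on TLS port 9443 while skipping
# verification of Portainer's self-signed certificate.
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    networks:
      - agent_network
      - traefik_network
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_network
        - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
        - traefik.http.routers.portainer.entrypoints=websecure
        - traefik.http.routers.portainer.tls.certresolver=traefik-tlschallenge
        # Backend stays HTTPS on 9443 (traffic on the overlay network is encrypted).
        - traefik.http.services.portainer-service.loadbalancer.server.port=9443
        - traefik.http.services.portainer-service.loadbalancer.server.scheme=https
        # A serversTransport is required; insecureSkipVerify cannot be set on the
        # service directly. Portainer's generated cert is valid for 0.0.0.0 only, so
        # it can never match the task IP Traefik dials (the x509 error in the log).
        - traefik.http.serversTransports.portainer-transport.insecureSkipVerify=true
        - traefik.http.services.portainer-service.loadbalancer.serverstransport=portainer-transport
```

Trade-off: this keeps the hop encrypted but Traefik no longer authenticates the backend, so it only protects against passive observation on the overlay network, not against a host on that network impersonating Portainer. Plain http on 9000 gives up both.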

Interesting. I went with Deploying Portainer behind Traefik Proxy - Portainer Documentation but that configuration broke all other sites I have running, and it didn't solve the problem I have either.

Just use

traefik.http.services.frontend.loadbalancer.server.port=9000

so Traefik uses plain http to connect to non-TLS port 9000 of portainer.

Switching
traefik.http.services.portainer-service.loadbalancer.server.port=9443
for
traefik.http.services.frontend.loadbalancer.server.port=9000
got things working, though obviously I don't have the secure connection I used to, which is a massive shame.

Unencrypted connection over an internal Docker network. I think you could encrypt the network.

I created a feature request for this topic.
