Because Portainer is sitting behind Traefik, it can not generate a validated and signed cert. It will always create a custom cert that Traefik will not accept. (yes, there may be exceptions, but why go the hard way?)
Either you go along the official Portainer+Traefik docs with port 9000 or you use insecureskipverify.
Be aware you can't simply use insecureskipverify on a service, but you must create and assign serversTransport.
## Dynamic configuration
http:
serversTransports:
mytransport:
insecureSkipVerify: true
## Dynamic configuration
http:
services:
myservice:
loadBalancer:
serversTransport: mytransport