Traefik uses own cert files instead of provided

I can't get my head round how to make Traefik use ready-made cert/key files instead of ACME (LE). My docker-compose.yml is as follows:

version: "3.9"

services:

  # TRAEFIK
  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"
    restart: unless-stopped
    environment:
      - TZ=UTC
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.admin-auth.basicauth.users=admin:HASH
      - traefik.http.routers.traefik-public-https.rule=Host(`traefik.MYDOMAIN.COM`)
      - traefik.http.routers.traefik-public-https.entrypoints=https
      - traefik.http.routers.traefik-public-https.tls=true
      - traefik.http.routers.traefik-public-https.service=api@internal
      - traefik.http.routers.traefik-public-https.middlewares=admin-auth
    ports:
      - 80:80
      - 443:443
    deploy:
      placement:
        constraints:
          - node.role==manager
    volumes:
      - /run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/etc/certs
      - ./traefik:/etc/traefik
    networks:
      - default
      
  # ONE OF THE WEB APP CONTAINERS ...
  fhfront:
    container_name: fhfront
    build:
      context: ./front
      dockerfile: Dockerfile
    restart: unless-stopped
    env_file:
      - .env
    expose:
      - 8090
    labels:
      - traefik.enable=true
      - traefik.http.routers.fhfront.rule=Host(`MYDOMAIN.COM`,`www.MYDOMAIN.COM`)
      - traefik.http.routers.fhfront.entrypoints=https
      - traefik.http.middlewares.t-compress.compress=true
      - traefik.http.routers.fhfront.middlewares=t-compress
    networks:
      - default

The certs folder (mapping to /etc/certs in Traefik) contains the two certificate files issued by my CA: certificate.pem and certificate-priv.key. The certificate is valid for my domain - let's say MYDOMAIN.COM.

The traefik folder (mapping to /etc/traefik) contains two Traefik config files:

  1. traefik.yml
################################################################
# API and dashboard configuration
################################################################
api:
  # Dashboard
  dashboard: true
  # insecure: true also serves the API and dashboard without any
  # authentication on Traefik's built-in :8080 entrypoint. That port is
  # not published in the compose file above, so it is reachable only
  # from the Docker network; external access goes through the
  # basic-auth router on :443.
  insecure: true

################################################################
# Docker configuration backend
################################################################
providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true
  docker:
    watch: true
    exposedByDefault: false
    swarmMode: false

################################################################
# Traefik Logging
################################################################
log:
  level: DEBUG   # "level:DEBUG" (no space after the colon) is not a YAML key/value pair

################################################################
# Entrypoint
################################################################
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls: true
  2. dynamic.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
  certificates:
    - certFile: /etc/certs/certificate.pem
      keyFile: /etc/certs/certificate-priv.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/certificate.pem
        keyFile: /etc/certs/certificate-priv.key

So in theory, Traefik should replace its default self-provided certs (LE) with the ones indicated in dynamic.yml. However, my browser raises the ERR_CERT_COMMON_NAME_INVALID error:

net::ERR_CERT_COMMON_NAME_INVALID
Subject: TRAEFIK DEFAULT CERT

Issuer: utmcore@A_1771EFFCA7C86E4E_ca

Expires on: ...

Current date: ...

PEM encoded chain: ...

Which kind of says that Traefik uses its own certs and not the one I've provided.

Enable and check Traefik debug log (doc).

Go into container and check presence of /etc/traefik/dynamic.yml.

Make sure the .pem file contains 3 certs, the full chain.

Hi! My PEM file actually contains only one certificate, which I take must be the public key. On the other hand, I do have a separate PEM file (the root CA), but it contains only two certificate blocks... How can I make a valid cert from all these files?

The other checks you suggest I've made many times over. All paths are valid.

The cert file usually contains 3 entries, to include the full cert chain. Check your cert providers documentation.

Do not include the key there!

Alright, thanks for the tip!

I still can't get why Traefik should replace the provided certs with its own default one. The Traefik logs show that the provided local cert was added:

traefik         | time="2024-02-21T23:54:11Z" level=debug msg="Adding certificate for domain(s) fhouse.pro,www.fhouse.pro"
traefik         | time="2024-02-21T23:54:22Z" level=debug msg="No store is defined to add the certificate MIIHWjCCBkKgAwIBAgIMdfGCBlVo9+ZvdklAMA0GCSqGSIb3DQ, it will be added to the default store."
traefik         | time="2024-02-21T23:54:22Z" level=debug msg="Adding certificate for domain(s) MYDOMAIN.COM,www.MYDOMAIN.COM"

But the actual website shows that Traefik uses its own default cert:

TRAEFIK DEFAULT CERT ...
utmcore@A_1771EFFCA7C86E4E_ca

...

bd1623950c5d1565ac5171530118df0ceaa33aece72efbb8cf8967fcb61c5d8f

Also, Traefik doesn't seem to apply the cert to subdomains. The log says:

traefik         | time="2024-02-21T23:57:31Z" level=debug msg="Serving default certificate for request: \"subdomain.MYDOMAIN.COM\""
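Two things in the thread are easy to check mechanically: the earlier reply's point that certFile should hold the leaf plus the intermediates and never the private key, and the "Serving default certificate" log line above, which is what Traefik does for a hostname (here a subdomain) that the loaded certificate does not list. The script below is an added example, not code from the thread or from Traefik: it lints a certFile/keyFile pair, assembles a full chain from separate PEM files in the right order, and models the SAN match (exact name or one-label wildcard) that decides whether a certificate covers a requested host. Every PEM body in it is a constructed placeholder, not a real certificate or key, and the match function is a simplified model of Traefik's certificate selection, not its code.

```python
import re

# Added example for the thread above, not code from the thread or from
# Traefik. All PEM material below is constructed: the bodies are
# placeholders, not real certificates or keys.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_encode(label, body):
    """Wrap a base64 body in PEM armour, 64 characters per line."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def pem_blocks(text):
    """Return [(label, body)] for each PEM block; body with whitespace removed."""
    return [(m.group(1), "".join(m.group(2).split()))
            for m in PEM_BLOCK.finditer(text)]


def check_cert_files(cert_pem, key_pem):
    """Return the problems found with a certFile/keyFile pair (empty = fine)."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_pem)]
    key_labels = [label for label, _ in pem_blocks(key_pem)]
    n_certs = cert_labels.count("CERTIFICATE")
    if n_certs == 0:
        problems.append("certFile: no CERTIFICATE block")
    elif n_certs == 1:
        problems.append("certFile: leaf only, no intermediates appended")
    if any(label in KEY_LABELS for label in cert_labels):
        problems.append("certFile: contains a private key, move it to keyFile")
    if not any(label in KEY_LABELS for label in key_labels):
        problems.append("keyFile: no private key block")
    if "CERTIFICATE" in key_labels:
        problems.append("keyFile: contains a certificate, keep only the key")
    return problems


def build_fullchain(leaf_pem, *chain_pems):
    """Leaf first, then the chain files in order; drops duplicates and key blocks."""
    out, seen = [], set()
    for text in (leaf_pem,) + chain_pems:
        for label, body in pem_blocks(text):
            if label == "CERTIFICATE" and body not in seen:
                seen.add(body)
                out.append(pem_encode(label, body))
    return "".join(out)


def cert_covers(hostname, sans):
    """Simplified SAN match: exact name, or a one-label wildcard like *.example.com."""
    hostname = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == hostname:
            return True
        if (san.startswith("*.") and hostname.endswith(san[1:])
                and hostname.count(".") == san.count(".")):
            return True
    return False


# Constructed sample material (placeholder bodies, not real keys or certs).
LEAF_BODY, INTER_BODY, ROOT_BODY = "MIICleaf0", "MIIDinter0", "MIIEroot0"
LEAF_PEM = pem_encode("CERTIFICATE", LEAF_BODY)
CHAIN_PEM = (pem_encode("CERTIFICATE", INTER_BODY)
             + pem_encode("CERTIFICATE", ROOT_BODY))
KEY_PEM = pem_encode("PRIVATE KEY", "MIIEvkey0")

if __name__ == "__main__":
    # A leaf-only certFile, as in the thread, is flagged.
    print(check_cert_files(LEAF_PEM, KEY_PEM))
    # Leaf + the two blocks from the CA file gives the usual three entries.
    full = build_fullchain(LEAF_PEM, CHAIN_PEM)
    print(len(pem_blocks(full)), "certificates in the assembled chain")
    print(check_cert_files(full, KEY_PEM))
    # A subdomain is not covered by a cert for the apex and www only.
    sans = ["mydomain.com", "www.mydomain.com"]
    print(cert_covers("www.mydomain.com", sans),
          cert_covers("subdomain.mydomain.com", sans))
```

After assembling the chain file, `openssl x509 -in certificate.pem -noout -subject -issuer` shows which certificate is first in the file, and `openssl s_client -connect 127.0.0.1:443 -servername MYDOMAIN.COM` run on the Docker host shows what Traefik itself presents for that SNI name. If the subject and issuer reported there differ from what the browser displays, the certificate the browser sees is being substituted somewhere between the client and Traefik rather than by Traefik.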

Try tls: {} instead of true in yaml (not on labels) (doc):

## Dynamic configuration
http:
  routers:
    Router-1:
      rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
      service: service-id
      # will terminate the TLS request
      tls: {}

(Probably same for entrypoint)

Update: seems you enable TLS twice, on entrypoint and on router. Pick one, I think global entrypoint makes more sense, avoids repetition.
