Hi Folks
I'm trying to implement an internal Public Key Infrastructure (PKI) where:
- Traefik serves as a TLS-terminating reverse proxy that provides a publicly accessible HTTPS endpoint (stepca.ozspeed.xyz) using Let's Encrypt wildcard certificates
- step-ca operates as an internal certificate authority running on 127.0.0.1:8443, issuing short-lived certificates for infrastructure services and SSH authentication
- End-to-end TLS security is maintained through mutual TLS (mTLS) authentication between Traefik and step-ca
I am having trouble getting Traefik to load a `serversTransport` configuration from a file provider. I have a `step-ca` service running on `127.0.0.1:8443` and I want to use a custom root CA to verify the connection.
Problem
Traefik is not loading the `serversTransport` configuration from my dynamic configuration file. The output of `curl -s http://127.0.0.1:8080/api/rawdata | jq ".http.serversTransports"` is always `null`.
Environment
- Traefik Version: 3.5.1
- OS: (proxmox lxc) Debian GNU/Linux - Version: 12
- Proxmox host Linux version 6.14.8-2-pve Debian 14.2.0-19
Configuration
**`/etc/traefik/traefik.yaml` (Static Configuration)**
```yaml
providers:
  file:
    directory: "/etc/traefik/conf.d/"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"
  traefik:
    address: "127.0.0.1:8080"

api:
  dashboard: true
  insecure: true

log:
  filePath: "/var/log/traefik/traefik.log"
  format: "json"
  level: "DEBUG"

accessLog:
  filePath: "/var/log/traefik/traefik-access.log"
  format: "json"
  filters:
    statusCodes: ["200", "400-599"]
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: "drop"
      names:
        User-Agent: "keep"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "simon@xyz123.foo"
      storage: "/etc/traefik/ssl/acme.json"
      dnsChallenge:
        provider: "godaddy"
        delayBeforeCheck: "30s"
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```
**`/etc/traefik/conf.d/stepca.yml` (Dynamic Configuration)**
```yaml
http:
  routers:
    stepca-router:
      rule: "Host(`stepca.ozspeed.xyz`)"
      service: "stepca-svc"
      entryPoints: ["websecure"]
      tls: {}

  services:
    stepca-svc:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8443"
        serversTransport: "stepca-transport"

  serversTransports:
    stepca-transport:
      serverName: "stepca.ozspeed.xyz"
      rootCAs:
        - "/etc/traefik/certs/step-root.crt"
```
Troubleshooting Steps Taken:
1. Verified that the `step-ca` service is running and responding correctly.
2. Verified that the `step-root.crt` file exists and has the correct permissions.
3. Confirmed that the file provider is working by creating a simple test configuration file, which was loaded correctly.
4. Tried separating the `serversTransport` into its own file.
5. Tried adding a deliberate syntax error to the dynamic configuration file, but no errors were logged.
6. Confirmed that there are no conflicting configurations in the static `traefik.yaml` file.

The `serversTransport` is properly nested under the `http` key in the dynamic configuration file, and the service correctly references it using `serversTransport: "stepca-transport"`. The fact that our test router loads correctly but the `serversTransport` does not suggests that the file provider is working, but there may be a specific issue with how `serversTransports` are processed or loaded. No matter what I try, the `serversTransport` is never loaded. I am at a loss as to what to try next. Any help would be greatly appreciated.
Thanks!
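An offline pre-flight check for this kind of dynamic configuration, added here as an example; it is not the poster's code and not part of Traefik. It takes the parsed YAML as a plain dict and flags the things that leave a `serversTransport` silently unused or weaker than intended: the block sitting at top level instead of under `http`, a `loadBalancer.serversTransport` name that does not resolve, an `https://` backend with no transport at all (the default transport only trusts system roots, so a step-ca leaf would fail), a missing `rootCAs` or `serverName`, and `insecureSkipVerify` being switched on. `SAMPLE_CONFIG` and `BAD_CONFIG` are constructed in the script from the post's values; loading a real file assumes PyYAML is installed.

```python
"""Sanity checks for a Traefik v3 dynamic configuration (added example).

Not the poster's code and not part of Traefik. Run with a path to check a
real file (needs PyYAML), or with no arguments to check the built-in samples.
"""
import os
import sys

# Constructed sample: the services/serversTransports blocks from the post.
SAMPLE_CONFIG = {
    "http": {
        "services": {
            "stepca-svc": {
                "loadBalancer": {
                    "servers": [{"url": "https://127.0.0.1:8443"}],
                    "serversTransport": "stepca-transport",
                }
            }
        },
        "serversTransports": {
            "stepca-transport": {
                "serverName": "stepca.ozspeed.xyz",
                "rootCAs": ["/etc/traefik/certs/step-root.crt"],
            }
        },
    }
}

# Constructed broken variant: transport placed at top level instead of under
# http, and certificate verification switched off.
BAD_CONFIG = {
    "http": {
        "services": {
            "stepca-svc": {
                "loadBalancer": {
                    "servers": [{"url": "https://127.0.0.1:8443"}],
                    "serversTransport": "stepca-transport",
                }
            }
        }
    },
    "serversTransports": {"stepca-transport": {"insecureSkipVerify": True}},
}


def load_dynamic_config(path):
    """Parse a YAML dynamic configuration file (PyYAML assumed)."""
    import yaml  # imported lazily so the checks themselves run without it

    with open(path) as fh:
        return yaml.safe_load(fh) or {}


def check_transports(cfg, check_files=True):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    http = cfg.get("http") or {}
    transports = http.get("serversTransports") or {}

    if "serversTransports" in cfg and "serversTransports" not in http:
        findings.append("serversTransports is at top level; for HTTP services "
                        "Traefik reads http.serversTransports")

    for name, svc in (http.get("services") or {}).items():
        lb = (svc or {}).get("loadBalancer") or {}
        ref = lb.get("serversTransport")
        urls = [s.get("url", "") for s in lb.get("servers") or []]
        if any(u.startswith("https://") for u in urls) and not ref:
            findings.append(f"service {name}: https backend without serversTransport "
                            "(default transport trusts system roots only)")
        if ref and ref not in transports:
            findings.append(f"service {name}: serversTransport '{ref}' is "
                            "not defined under http.serversTransports")

    # Review misplaced transports too, so their settings are still inspected.
    all_transports = dict(cfg.get("serversTransports") or {})
    all_transports.update(transports)
    for name, t in all_transports.items():
        t = t or {}
        if t.get("insecureSkipVerify"):
            findings.append(f"transport {name}: insecureSkipVerify is set, "
                            "backend certificate is not verified")
        if not t.get("rootCAs"):
            findings.append(f"transport {name}: no rootCAs, a private CA such "
                            "as step-ca will fail verification")
        if not t.get("serverName"):
            findings.append(f"transport {name}: no serverName, SNI falls back "
                            "to the backend URL host")
        if check_files:
            for p in t.get("rootCAs") or []:
                if p.lstrip().startswith("-----BEGIN"):
                    continue  # inline PEM rather than a file path
                if not os.path.isfile(p):
                    findings.append(f"transport {name}: rootCAs file {p} not found")
                    continue
                with open(p, "rb") as fh:
                    head = fh.read(64)
                if b"-----BEGIN CERTIFICATE-----" not in head:
                    findings.append(f"transport {name}: {p} is not a PEM certificate")
    return findings


if __name__ == "__main__":
    real_file = len(sys.argv) > 1
    cfg = load_dynamic_config(sys.argv[1]) if real_file else BAD_CONFIG
    for finding in check_transports(cfg, check_files=real_file):
        print("WARN", finding)
```

Running it as `python3 check_transports.py /etc/traefik/conf.d/stepca.yml` on the post's file should print nothing, which narrows the problem to the running instance rather than the file; the `BAD_CONFIG` sample shows what the same file looks like when the transport block has drifted out from under `http`.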