Transient ERR_CERT_AUTHORITY_INVALID browser issue


In vain I have been trying to debug an issue that exists between browser TLS connections to traefik.

I have a wildcard cert which is self-signed and the issuer CA that was used to sign the cert is available to Chrome (viewed in Windows via certmgr).

When I browse to an endpoint with the wildcard self-signed cert, I receive an ERR_CERT_AUTHORITY_INVALID message. Inspecting the cert reveals that the 'Issued by' field is populated with the same details as the 'Issued to' field, i.e. contains the CN of the 'Issued to'. So under those circumstances I can understand why the error is raised, as it does not see the cert as being signed by my CA.

But the cert is signed by my CA, as if I connect to the traefik instance using openssl s_client and inspect the TLS output I see that the issuer is the correct root CA used to sign the certificate. All other details regarding the certificates are identical.

The default cert is configured within traefik and for both connections I can see from the debug logs that the default cert is served. I can provide further redacted config extracts if necessary.

I have tested this with Chrome 84.0.4147.125 and Internet Explorer 11. Unfortunately I don't have the ability to test with any other browser. I am using the docker image of traefik, v2.2.

I can't see any issues with the certificate or traefik configuration, so I am reaching out to this forum to see if anyone has had a similar experience or can provide further advice? Thanks.

This is confusing!

Are you also setting the -servername option with openssl s_client?

Do the access logs show the expected router being used?

Yes, I am setting the -servername option as well, which makes no difference to the certificate returned.

However, on further investigation I am not convinced that this is a traefik issue as I have tried the same certificate with HAProxy and see identical results. This might be a (very strange) infrastructure or certificate issue.
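
One way to check which certificate each client actually received, as an added example that is not part of the original thread: it classifies a PEM file as self-signed (issuer equals subject), signed by a given root, or neither, and prints a fingerprint so two captures can be compared. The fixtures are constructed at run time; the names `Example Root CA` and `*.example.test` and the functions `make_fixtures`, `cert_fp` and `classify_cert` are placeholders.

```shell
#!/usr/bin/env bash
# Added example. All certificates are constructed at run time; the names
# (Example Root CA, *.example.test) and function names are placeholders.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed fixtures: a root CA, a wildcard leaf signed by it, and a
# self-signed certificate that carries the same CN as the leaf.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/leaf.csr" -CA "$workdir/ca.pem" \
    -CAkey "$workdir/ca.key" -set_serial 1 -days 1 \
    -out "$workdir/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
    -keyout "$workdir/self.key" -out "$workdir/self.pem" 2>/dev/null
}

# SHA-256 fingerprint: two clients got the same certificate only if this matches.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# classify_cert CERT_PEM CA_PEM -> self-signed | ca-signed | unknown-issuer
classify_cert() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  if [ "$subject" = "$issuer" ]; then
    echo "self-signed"        # 'Issued by' equals 'Issued to'
  elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "ca-signed"          # chains to the supplied root
  else
    echo "unknown-issuer"
  fi
}

make_fixtures
for f in leaf.pem self.pem; do
  printf '%s  %s  %s\n' "$f" "$(classify_cert "$workdir/$f" "$workdir/ca.pem")" \
    "$(cert_fp "$workdir/$f")"
done
```

To apply it to a real case, export the certificate the browser displays and save the one printed by openssl s_client as PEM files, then pass each to `classify_cert` together with the root CA file and compare the `cert_fp` values.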