Hello!
Running Traefik in local Docker. Running multiple services. Certificate passes one service but when I add another:
tls: failed to verify certificate: x509: certificate is valid for 0.0.0.0, not 172.18.0.3
I think I’m setting the init incorrectly.
labels:
  - traefik.enable=true
  - traefik.http.routers.portainer.rule=Host(`main.portainer.test.org`)
  - traefik.http.routers.portainer.entrypoints=websecure
  - traefik.http.services.portainer.loadbalancer.server.port=9443
  - traefik.http.routers.portainer.service=portainer
  - traefik.http.routers.portainer.tls=true
  - traefik.http.routers.portainer.tls.certresolver=stepca
  - traefik.http.services.portainer.loadbalancer.server.scheme=https
  - traefik.http.serversTransports.portainer.insecureSkipVerify=true
Above is for Portainer.
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: stepca
        domain:
          main: "https://ca.test.org:9001"
certificatesResolvers:
  stepca:
    acme:
      email: admin@test.org
      storage: "/acme.json"
      caServer: "https://ca.test.org:9001/acme/acme/directory"
      certificatesDuration: 24
      tlsChallenge: true
      httpChallenge:
        entryPoint: web
Above is for my Traefik config.
I can also include my step-ca ca.json if needed.
{
  "root": "/home/step/certs/root_ca.crt",
  "federatedRoots": null,
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": "0.0.0.0:9001",
  "insecureAddress": "",
  "dnsNames": [
    "step-ca.test.org",
    "ca.test.org",
    "0.0.0.0",
    "192.168.1.10",
    "172.18.0.2"
  ],
I added it anyways. I’m guessing it has to do with dnsNames but do I have to include every Docker IP address???
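The error in the first post comes from Go's x509 hostname check: when the target is an IP address, only IP SANs in the certificate are consulted, so a DNS name in the cert never satisfies a connection to 172.18.0.3. The following is an added example (not from the thread, Traefik or step-ca) that re-implements that matching rule in Python over constructed SAN lists taken from the ca.json above; it assumes step-ca issues the IP literals in dnsNames as IP SANs, which is how Go classifies them.

```python
import ipaddress

# Constructed sample: the SAN entries from the thread's ca.json, split the way
# Go's verifier sees them (hostnames as DNS SANs, IP literals as IP SANs).
SAMPLE_DNS_SANS = ["step-ca.test.org", "ca.test.org"]
SAMPLE_IP_SANS = ["0.0.0.0", "192.168.1.10", "172.18.0.2"]


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-SAN match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def verify_host(target: str, dns_sans, ip_sans):
    """Return (ok, detail) for a target against a certificate's SANs.

    Mirrors the shape of Go's x509 HostnameError: an IP target is accepted
    only by an IP SAN, a hostname only by a DNS SAN.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in ip_sans):
            return True, f"certificate is valid for {target}"
        if not ip_sans:
            return False, "certificate is not valid for any IP addresses"
        return False, f"certificate is valid for {', '.join(ip_sans)}, not {target}"

    if any(_dns_matches(p, target) for p in dns_sans):
        return True, f"certificate is valid for {target}"
    if not dns_sans:
        return False, "certificate is not valid for any names"
    return False, f"certificate is valid for {', '.join(dns_sans)}, not {target}"


if __name__ == "__main__":
    # The container address Traefik dialed in the thread is absent from the SANs.
    for host in ("172.18.0.3", "172.18.0.2", "ca.test.org", "portainer"):
        print(host, "->", verify_host(host, SAMPLE_DNS_SANS, SAMPLE_IP_SANS)[1])
```

Because Traefik dials the backend by its container IP, adding DNS names to the CA's own certificate cannot fix this; the backend's certificate would need that IP as a SAN, which is why the replies point to insecureSkipVerify on a serversTransport or to plain HTTP inside the Docker network.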
Three main issues:
1. tls is only a dynamic config root element (doc), so it should go into a separate dynamic config file, loaded via providers.file in static config.
2. You create a serversTransport with insecureSkipVerify in labels, but you don't assign it to the target service.
3. But dynamic serversTransport can only be created in a dynamic config file (doc). It cannot be created via Docker labels (reference, issue). Or set it globally in static config (doc).
You could use http internally:
.portainer.loadbalancer.server.port=9000
This worked, thanks!
My main concern would be if I am using HTTPS on a service, Traefik is not using the correct certificate. Would insecureSkipVerify help this?
The issue is that target services create custom certs without a trust-chain, so Traefik does not trust them. Use insecureSkipVerify to tell Traefik to accept the untrusted certs when connecting internally.
Understood!
I added the file provider and the dynamic config:
# allow self-signed certificates for proxied web services
serversTransports:
  insecureTransport:
    insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: "/etc/traefik/insecuretransport.yaml"

volumes:
  - /var/run/docker.sock:/var/run/docker.sock
  - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
  - ./config/insecuretransport.yaml:/etc/traefik/insecuretransport.yaml:ro
  - ./certs/root.crt:/certs/root.crt:ro
Added the label:
  - traefik.http.services.portainer.loadbalancer.serverstransport=insecureTransport@file
And it worked! I appreciate it. I’ll still be using 9000 because it’s easier but just for anyone else that is working on this in the future.