Unable to configure a https service using a custom CA file

Hi there,

I am trying to get https working towards service backend. But no matter how I provide the CA certificate, I cannot get it working. I get a 500 internal server error.

Only if I switch on 'insecureSkipVerify' does it do its job. I also tried to put in the certificate directly as a base64-coded string. Traefik does not complain about the config, but it's just not working as expected.

Here is the extract from my dynamic config (using dynamic directory provider):

```yaml
http:
  routers:
    mydemo:
      entryPoints:
        - https
      middlewares:
        - forwardedprotohttpsheader
      service:
        mydemo_service
      rule: Host(`{{ mydemo_fqdn }}`) && Path(`/mydemo/foo`)
      tls: {}
  middlewares:
    forwardedprotohttpsheader:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Port: "443"
  services:
    mydemo_service:
      loadBalancer:
        serversTransport: mydemoTransport
        servers:
          - url: https://{{ mydemo_ip }}
  serversTransports:
    mydemoTransport:
      # insecureSkipVerify: true
      rootCAs:
        - /etc/ssl/mydemoCA.crt
```

Any idea what's wrong with it?

Hello @odawid,

Thanks for your interest in Traefik,

> I am trying to get https working towards service backend. But no matter how I provide the CA certificate, I cannot get it working. I get a 500 internal server error.

Could you provide some logs? (in debug mode if that is feasible)

> Only if I switch on 'insecureSkipVerify' does it do its job. I also tried to put in the certificate directly as a base64-coded string. Traefik does not complain about the config, but it's just not working as expected.

As explained in the documentation, the root certificate must be provided either as a file path (accessible to Traefik) or as a plain PEM string (not base64 encoded).

Maybe the problem is related to certificate validation. Since the server URL contains an IP address, the validation process will check that this IP is present as a SAN in the certificate. If your certificate only contains a domain name as a SAN, then the ServerName option should be used to specify that name (it is the value used for validation).

Hope this helps!

1 Like
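To make the two points in the reply above concrete (a rootCAs entry must be PEM, not bare base64; and a backend cert whose only SAN is a DNS name fails validation when the client connects by IP unless the expected server name is supplied), here is an added, self-contained example. It is not Traefik's code and not from this thread; it uses Go's standard crypto/x509 package, which is the library a Go TLS client such as Traefik relies on for chain and hostname checks. The CA, the backend certificate, the name `mydemo.example.internal` and the IP `10.0.0.5` are all constructed in-process for the demonstration. The same unknown-authority outcome is the one reported further down in this thread as `x509: certificate signed by unknown authority`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BackendName is the hypothetical DNS SAN of the constructed backend certificate.
const BackendName = "mydemo.example.internal"

// Scenario is constructed test material: a throw-away root CA and a backend
// leaf certificate whose only SAN is a DNS name (deliberately no IP SAN).
type Scenario struct {
	CAPEM    string            // what a rootCAs file or plain-string entry must contain
	CABase64 string            // base64 of the DER only: not a valid rootCAs value
	Leaf     *x509.Certificate // the backend's certificate, issued by the CA
}

// newCert generates a P-256 key and issues tmpl; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, der, nil
}

// NewScenario builds the CA and the DNS-only backend certificate.
func NewScenario() (*Scenario, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-root-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, caDER, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "backend"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{BackendName}, // the only SAN: no IPAddresses set
	}
	leaf, _, _, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &Scenario{CAPEM: string(caPEM), CABase64: base64.StdEncoding.EncodeToString(caDER), Leaf: leaf}, nil
}

// LoadRootCAs consumes a rootCAs value the way a PEM pool does: ok is false
// when no PEM block was found, which is what happens with bare base64 DER.
func LoadRootCAs(text string) (*x509.CertPool, bool) {
	pool := x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM([]byte(text))
}

// EmptyRoots is a pool with no trusted CA, i.e. "rootCAs not provided".
func EmptyRoots() *x509.CertPool { return x509.NewCertPool() }

// Outcome runs the chain check plus the server-name (DNS or IP SAN) check a
// TLS client performs, and classifies the result.
func Outcome(leaf *x509.Certificate, roots *x509.CertPool, serverName string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	var unknown x509.UnknownAuthorityError
	var mismatch x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "certificate signed by unknown authority"
	case errors.As(err, &mismatch):
		return "server name mismatch"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	pool, ok := LoadRootCAs(s.CAPEM)
	_, badOK := LoadRootCAs(s.CABase64)
	fmt.Println("PEM rootCAs loads:", ok, "| bare base64 loads:", badOK)
	fmt.Println("no CA, correct name:     ", Outcome(s.Leaf, EmptyRoots(), BackendName))
	fmt.Println("CA, connect by IP:       ", Outcome(s.Leaf, pool, "10.0.0.5"))
	fmt.Println("CA, serverName set:      ", Outcome(s.Leaf, pool, BackendName))
}
```

The third and fourth lines of output are the two configurations from the thread: `url: https://<ip>` with a DNS-only certificate fails the name check even though the CA is trusted, and supplying the certificate's DNS name as the expected server name is what makes the same chain validate.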

Hi Kevin,
I am also facing the same issue; my configuration file is:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: name1
  namespace: namesapce1

spec:
  rootCAsSecrets:
    - myca
  insecureSkipVerify: false

---
apiVersion: v1
kind: Secret
metadata:
  name: myca
  namespace: namesapce1

data:
  ca.crt: <base64-encoded certificate, removed from the post>
```

And the exception/error message I can see in the Traefik log is:

```
time="2022-12-13T09:43:39Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"
```

The certificate above is the keystore certificate of my backend server.
Can you please let me know what could be the issue?

Can you please format your code? Use </> button or 3 backticks before and after.

Formatted it, thanks.