Unable to configure a https service using a custom CA file

Hi there,

I am trying to get https working towards a service backend. But no matter how I provide the CA certificate, I cannot get it working. I get a 500 internal server error.

Only if I switch on 'insecureSkipVerify' it does its job. I also tried to put in the certificate directly as a base64 coded string. Traefik does not complain about the config, but it's just not working as expected.

Here is the extract from my dynamic config (using dynamic directory provider):

http:
  routers:
    mydemo:
      entryPoints:
        - https
      middlewares:
        - forwardedprotohttpsheader
      service:
        mydemo_service
      rule: Host(`{{ mydemo_fqdn }}`) && Path(`/mydemo/foo`)
      tls: {}
  middlewares:
    forwardedprotohttpsheader:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Port: "443"
  services:
    mydemo_service:
      loadBalancer:
        serversTransport: mydemoTransport
        servers:
          - url: https://{{ mydemo_ip }}
  serversTransports:
    mydemoTransport:
      # insecureSkipVerify: true
      rootCAs:
        - /etc/ssl/mydemoCA.crt

Any idea what's wrong with it?

Hello @odawid,

Thanks for your interest in Traefik,

> I am trying to get https working towards a service backend. But no matter how I provide the CA certificate, I cannot get it working. I get a 500 internal server error.

Could you provide some logs? (in debug mode if that is feasible)

> Only if I switch on 'insecureSkipVerify' it does its job. I also tried to put in the certificate directly as a base64 coded string. Traefik does not complain about the config, but it's just not working as expected.

As explained in the documentation, the root certificate must be provided as a file path (accessible to Traefik) or as a plain string (not base64 encoded).

Maybe the problem is related to the certificate validation. As the server URL contains an IP, the validation process will check that this IP is available as a SAN in the certificate. If your certificate contains only a domain as a SAN, then the ServerName option should be used to specify its value (used for the validation).

Hope this helps!