Unable to use own certificate

Hello,

I'm trying to use a wildcard SSL certificate instead of the Traefik default cert, but I see the error logs below in the container. Please help with this.

Thanks

[root@manager ingress]# docker logs a75df542351a | grep error
time="2021-12-05T18:25:43Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-12-05T18:25:43Z" level=error msg="Unable to append certificate /root/ingress/certs/tls.crt to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-12-05T18:25:43Z" level=error msg="Error during the build of the default TLS configuration: TLS store default not found" entryPointName=websecure
time="2021-12-05T18:25:43Z" level=error msg="Error during the build of the default TLS configuration: TLS store default not found" entryPointName=traefik
time="2021-12-05T18:25:43Z" level=error msg="Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-12-05T18:25:43Z" level=error msg="Unable to append certificate /root/ingress/certs/tls.crt to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2021-12-05T18:25:43Z" level=error msg="Error during the build of the default TLS configuration: TLS store default not found" entryPointName=websecure
time="2021-12-05T18:25:43Z" level=error msg="Error during the build of the default TLS configuration: TLS store default not found" entryPointName=traefik

docker-compose.yml

version: "3.9"

services:

  traefik:
    image: "traefik:latest"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.websecure.address=:443"
      - "--providers.file.directory=/certs/"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/root/ingress/certs/:/certs/"
    networks:
      - traefik
    deploy:
      placement:
        constraints: [node.role == manager]

networks:
  traefik:

certs.yml

[root@manager ingress]# cat certs/certs.yml
tls:
  certificates:
    - certFile: "/root/ingress/certs/tls.crt"
      keyFile: "/root/ingress/certs/tls.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/root/ingress/certs/tls.crt"
        keyFile: "/root/ingress/certs/tls.key"

certs

[root@manager ingress]# ll certs/
total 12
-rw-r--r-- 1 root root  288 Dec  5 23:55 certs.yml
-rw-r--r-- 1 root root 2427 Dec  4 14:51 tls.crt
-rw-r--r-- 1 root root 1704 Dec  4 14:51 tls.key

It doesn't find the certs when the container is up.
Try changing the location like this:

tls:
  certificates:
    - certFile: "/certs/tls.crt"
      keyFile: "/certs/tls.key"

Thanks,

I already changed that, and now I can see our SSL certs, but I see some errors in the container logs like below:

[root@manager proxy]# docker logs 208fdb744389 | grep error
time="2021-12-06T07:35:32Z" level=debug msg="http: TLS handshake error from 10.0.0.2:52254: remote error: tls: unknown certificate"
time="2021-12-06T07:35:40Z" level=debug msg="http: TLS handshake error from 10.0.0.2:52256: remote error: tls: unknown certificate"
time="2021-12-06T08:46:37Z" level=debug msg="http: TLS handshake error from 10.0.0.2:52926: remote error: tls: unknown certificate"

Try commenting out all the lines of the stores block in certs.yml:

tls:
  certificates:
    - certFile: /certs/tls.crt
      keyFile: /certs/tls.key
      #stores:
      #  - default
  #stores:
  #  default:
  #    defaultCertificate:
  #      certFile: "/root/ingress/certs/tls.crt"
  #      keyFile: "/root/ingress/certs/tls.key"

Diego

I think your static configuration is incomplete; try adding ...

command:
  - "--log.level=DEBUG"
  - "--api.insecure=true"
  - "--providers.docker=true"
  - "--entrypoints.websecure.address=:443"
  - "--providers.file.directory=/certs/"

  - "--providers.docker.exposedbydefault=true"
  - "--providers.docker.network=traefik"  # check your traefik network
  - "--providers.docker.swarmmode=true"   # by default this is false

Check all options of the Docker provider --> CLI - Traefik

PS: I prefer to pass static and dynamic configuration in files instead of the CLI (easier to see).

Thanks, I added the static configuration but I still see the same unknown certificate error. I also tested a Host rule for the nginx service with TLS labels; the rule works, but it takes more time to reach the nginx welcome page.

time="2021-12-06T18:47:02Z" level=debug msg="Serving default certificate for request: "nginx.example.com""
time="2021-12-06T18:47:02Z" level=debug msg="http: TLS handshake error from 10.0.0.2:51934: remote error: tls: unknown certificate"
time="2021-12-06T18:47:02Z" level=debug msg="Serving default certificate for request: "nginx.example.com""
time="2021-12-06T18:47:02Z" level=debug msg="http: TLS handshake error from 10.0.0.2:51935: remote error: tls: unknown certificate"
time="2021-12-06T18:47:48Z" level=debug msg="Serving default certificate for request: "nginx.example.com""
time="2021-12-06T18:47:48Z" level=debug msg="http: TLS handshake error from 10.0.0.2:51940: remote error: tls: unknown certificate"

I'm also using my own certificates in all my Traefik services, so please double-check that your TLS files (crt and key) are fine (no extra spaces or anything like that).

If the TLS files look fine, it looks like a networking issue when 'traefik' tries to resolve the key pair. Can you post here how you created the traefik network?

Check that your traefik network has the attributes "driver --> overlay" and "scope --> swarm".

Thanks, and sorry for the late reply.

The certificate is provided by GoDaddy; I verified that the certs are fine. I also found out why it takes so long to reach the nginx welcome page: that was my fault. I had saved many DNS entries with the same name and different IPs, so it was trying to connect to old entries.

For the network part, I created it the same way, with the overlay driver and swarm scope.

So now I have only one problem: unknown certificate and bad certificate errors in the container logs.

time="2021-12-11T12:46:59Z" level=debug msg="http: TLS handshake error from 10.0.0.2:57826: remote error: tls: unknown certificate"
time="2021-12-11T12:46:59Z" level=debug msg="http: TLS handshake error from 10.0.0.2:57827: remote error: tls: unknown certificate"
time="2021-12-11T12:50:29Z" level=debug msg="http: TLS handshake error from 10.0.0.2:57912: remote error: tls: bad certificate"
time="2021-12-11T12:50:29Z" level=debug msg="http: TLS handshake error from 10.0.0.2:57913: remote error: tls: bad certificate"
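The checks below are an added example in Go (the language Traefik is written in); they are not part of this thread and not Traefik's own code. They cover two points raised above. First, the error in the opening post: Traefik's certFile/keyFile options accept either a file path or the PEM text itself, so a host path that does not exist inside the container is read as literal content, and the standard-library loader then reports missing PEM data rather than a missing file; the same tls.X509KeyPair call reproduces that message. Second, the later "unknown certificate" and "bad certificate" lines: these are alerts sent by the connecting client, not errors raised by Traefik, so along with the "double-check your tls files" advice it is worth checking that the leaf actually covers the SNI host (a miss is what produces "Serving default certificate for request") and that tls.crt ships the intermediate certificate, because a client can only build a trust path from what the server sends. The CA hierarchy, key pairs, hostnames under example.com and the function names (LoadKeyPair, CheckChain, BuildFixture) are constructed for the example; the real GoDaddy chain is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadKeyPair is the standard-library call Traefik makes to build a TLS store;
// a path string passed as the content reproduces the thread's first error.
func LoadKeyPair(certPEM, keyPEM []byte) (tls.Certificate, error) {
	return tls.X509KeyPair(certPEM, keyPEM)
}

// CheckChain loads the pair, checks that the leaf covers the SNI host, then
// builds a path to a trusted root using only what is in certPEM, as a client would.
func CheckChain(certPEM, keyPEM []byte, host string, roots *x509.CertPool) error {
	kp, err := LoadKeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(kp.Certificate[0])
	if err != nil {
		return err
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return fmt.Errorf("SNI %q not covered by certificate: %w", host, err)
	}
	sent := x509.NewCertPool() // intermediates the server actually sends
	sent.AppendCertsFromPEM(certPEM)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: sent}); err != nil {
		return fmt.Errorf("chain in tls.crt is incomplete, clients will reject it: %w", err)
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with signer (self-signed when parent == tmpl) and returns
// the parsed certificate together with its PEM encoding.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildFixture constructs a root -> intermediate -> wildcard leaf hierarchy (a
// stand-in for a CA-issued chain) and returns root pool, leaf, intermediate and key PEM.
func BuildFixture() (roots *x509.CertPool, leafPEM, interPEM, keyPEM []byte) {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
		if ca {
			c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
		}
		return c
	}
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	interPub, interKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leafPub, leafKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	rootTmpl := tmpl("Example Root CA", 1, true)
	root, _ := issue(rootTmpl, rootTmpl, rootPub, rootKey)
	inter, interPEM := issue(tmpl("Example Intermediate CA", 2, true), root, interPub, rootKey)
	leafTmpl := tmpl("*.example.com", 3, false) // constructed wildcard server cert
	leafTmpl.DNSNames = []string{"*.example.com", "example.com"}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, leafPEM = issue(leafTmpl, inter, leafPub, interKey)
	keyDER, err := x509.MarshalPKCS8PrivateKey(leafKey)
	check(err)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return roots, leafPEM, interPEM, keyPEM
}

func main() {
	roots, leafPEM, interPEM, keyPEM := BuildFixture()
	_, err := LoadKeyPair([]byte("/root/ingress/certs/tls.crt"), []byte("/root/ingress/certs/tls.key"))
	fmt.Println("path passed as content:", err)
	fmt.Println("leaf only:", CheckChain(leafPEM, keyPEM, "nginx.example.com", roots))
	full := append(append([]byte{}, leafPEM...), interPEM...) // tls.crt = leaf + intermediate
	fmt.Println("leaf+intermediate:", CheckChain(full, keyPEM, "nginx.example.com", roots))
	fmt.Println("two labels under wildcard:", CheckChain(full, keyPEM, "a.b.example.com", roots))
}
```

To apply this to a real deployment, read tls.crt and tls.key from the paths mounted inside the container and pass the system root pool (x509.SystemCertPool) as roots; a leaf-only tls.crt will fail the path-building step exactly as the constructed case does, and a wildcard for *.example.com will cover nginx.example.com but not a name with two labels below the domain.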