Untrusted Letsencrypt certificate

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for portainer.domain.com. The certificate is only valid for 68c1344d8bb84d189065866e670d9720.8f18d9a466c9c40b362248d51f9800bb.traefik.default.

Snippet from Traefik compose:

      - --log.level=DEBUG
      - --api.insecure
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.traefik-tlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.traefik-tlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.traefik-tlschallenge.acme.email=user@email.com
      - --certificatesresolvers.traefik-tlschallenge.acme.storage=/letsencrypt/acme.json

This happens with all Traefik traffic. Any ideas why this does not produce good certificates?


It's because you are using LE staging:

Root Certificate

The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

That makes sense, can't believe I didn't see that. I have commented out the staging line, but the certificates are still invalid. Does something need refreshing or some TTL to expire?

You have to remove your current /letsencrypt/acme.json.

@ldez but why does the error say that it's using the default Traefik cert? It should in any case use the LE one, even if staging?

Maybe because the resolver is not set on the router.

With partial information, I can provide only a partial answer.

Removed the acme.json file and with each refresh I now get valid certificates. Thanks for the help.
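
The reason the file had to go, as an added example that is not part of the original thread: Traefik keeps using the account and certificates already stored in /letsencrypt/acme.json, so entries created against staging outlive the removal of the caserver line. The check below assumes the Traefik v2 acme.json layout (one key per resolver, holding Account.Registration.uri and a Certificates list); the sample data and the prod-example resolver are constructed.

```python
import json
import sys
from urllib.parse import urlparse

# Staging CA host, taken from the caserver flag in the compose snippet above.
STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"


def staging_entries(acme_json_text):
    """Map resolver name -> domains, for resolvers registered with staging.

    Assumed layout (Traefik v2 acme.json): one top-level key per resolver,
    holding Account.Registration.uri and a Certificates list.
    """
    if not acme_json_text.strip():
        return {}  # storage file exists but nothing has been issued yet
    stale = {}
    for resolver, data in json.loads(acme_json_text).items():
        data = data or {}
        registration = (data.get("Account") or {}).get("Registration") or {}
        if urlparse(registration.get("uri") or "").hostname != STAGING_HOST:
            continue  # account lives on another CA endpoint, leave it alone
        domains = []
        for cert in data.get("Certificates") or []:  # null until first issuance
            names = cert.get("domain") or {}
            domains.append(names.get("main", "?"))
            domains.extend(names.get("sans") or [])
        stale[resolver] = domains
    return stale


# Constructed sample, not real storage: keys and certificate bodies are omitted.
SAMPLE = json.dumps({
    "traefik-tlschallenge": {
        "Account": {"Registration": {
            "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0"}},
        "Certificates": [{"domain": {"main": "portainer.domain.com"}}],
    },
    "prod-example": {  # hypothetical second resolver on the production CA
        "Account": {"Registration": {
            "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"}},
        "Certificates": [{"domain": {"main": "app.example.test"}}],
    },
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for resolver, domains in staging_entries(text).items():
        print(f"{resolver}: staging account, certificates to reissue: {domains}")
```

Run it with the path to a copy of the storage file as the only argument; any resolver it lists still has staging material that has to be cleared before production certificates are requested.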

Somewhat related, I feel. I have added a new service today, with all the correct labels, but Traefik doesn't deal with it correctly. At the time Traefik picked it up, there was no DNS, which is why it initially failed, but now DNS has updated and there is nothing new in Traefik. Is there a step I'm missing after adding a domain?


Just in case someone has the same problem (no DNS at the time of testing the website, I forgot to set the CNAME after the traefik rules...), it helped to restart traefik for me (in my case the container).