Untrusted Letsencrypt certificate

n1md4 · November 4, 2019, 12:27pm

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for portainer.domain.com. The certificate is only valid for 68c1344d8bb84d189065866e670d9720.8f18d9a466c9c40b362248d51f9800bb.traefik.default.

Snippet from Traefik compose:

command:
      - --log.level=DEBUG
      - --api.insecure
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false      
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.traefik-tlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.traefik-tlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.traefik-tlschallenge.acme.email=user@email.com
      - --certificatesresolvers.traefik-tlschallenge.acme.storage=/letsencrypt/acme.json

This happens with all Traefik traffic. Any ideas why this does not produce good certificates?

ldez · November 4, 2019, 2:36pm

Hello,

It's because you are using LE staging:

Root Certificate

The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

n1md4 · November 4, 2019, 3:03pm

That makes sense, can't believe I didn't see that.I have commented out the staging line, but the certificates are still invalid. Does something need refreshing or some TTL to expire?

ldez · November 4, 2019, 6:05pm

you have to remove your current /letsencrypt/acme.json

zespri · November 5, 2019, 2:43am

@ldez but why the error says that it's using default traefik cert? It should in any case use the LE one, even if staging?

ldez · November 5, 2019, 2:45am

Maybe because the resolver is not set on the router.

With partial information, I can provide only partial answer.

n1md4 · November 5, 2019, 9:22am

Removed the acme.json file and with each refresh I now get valid certificates. Thanks for the help.

n1md4 · November 6, 2019, 5:03pm

Somewhat related I feel. I have added a new service today, with all the correct labels, but traefik doesn't deal with it correctly. At the time traefik picked it up, there was no DNS; which is why it initially failed, but now DNS has updated but there is nothing new in traefik. Is there a step I'm missing after adding a domain?

ypa · August 25, 2020, 8:12pm

Hello,

Just in case someone has the same problem (no DNS at the time of testing the website, I forgot to set the CNAME after the traefik rules...), it helped to restart traefik for me (in my case the container).

Regards

Topic		Replies	Views
How to make Traefik trust my company CA (for letsencrypt cert generation) Traefik v2 (latest) letsencrypt-acme	4	2152	February 16, 2021
Traefik does not provide a valid certificate on my website Traefik v2 (latest) docker , letsencrypt-acme , cli	6	3092	August 8, 2022
LetsEncrypt ACME error connection refused Traefik v2 (latest) letsencrypt-acme	9	10409	July 14, 2021
Problem with LetsEncrypt certificate generation Traefik v2 (latest) letsencrypt-acme	1	1336	September 15, 2021
Can't get a valid certificate using Route53 Traefik v2 (latest) docker , letsencrypt-acme , cli	0	988	September 1, 2022

Untrusted Letsencrypt certificate

Root Certificate

Related Topics