Use Traefik with self-signed certificate

Hi,

I am new to Traefik, so possibly I am asking a very silly question. But anyway...
I want to create a single server with Traefik as reverse proxy which uses a self-signed certificate. I patched my hosts file with "127.0.0.1 -> traefik.cicd.frickeldave". When I try to connect to this URL (to open the dashboard), I get the following message in the Traefik log:

TLS handshake error from 172.31.0.1:56500: remote error: tls: unknown certificate

In the browser I get a "404 page not found". Here are my configuration files:

docker-compose

traefik:
  build:
    dockerfile: Dockerfile
    context: ./traefik
  container_name: traefik
  image: docker.cicd.frickeldave/traefik:2.3.3-20201119
  restart: always
  hostname: traefik
  ports:
    - 80:80
    - 443:443
    - 8080:8080
  environment:
    - TFK_ADMIN_USER=admin
    - TFK_ADMIN_PWD=somethingsecret
    - CRT_VALIDITY=3650
    - CRT_C=DE
    - CRT_S=BAVARIAN
    - CRT_L=HOERGERTSHAUSEN
    - CRT_OU=cicd
    - CRT_CN=traefik.cicd.frickeldave
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - traefik-data:/home/appuser/data
  networks:
    - backend
    - frontend
  command:
    - "--global.checknewversion=false"
    - "--global.sendAnonymousUsage=true"
    - "--api=true"
    - "--api.dashboard=true"
    - "--api.debug=true"
    - "--log=true"
    - "--log.level=DEBUG"
    - "--ping=true"
    - "--ping.entryPoint=ping"
    - "--entrypoints.frontend.address=:80"
    - "--entrypoints.frontendssl.address=:443"
    - "--entrypoints.ping.address=:8080"
    - "--providers.docker=true"
    - "--providers.docker.watch=true"
    - "--providers.docker.endpoint=unix:///var/run/docker.sock"
    - "--providers.docker.exposedbydefault=false"
    - "--providers.file.filename=/home/appuser/data/config/tls.yml"
    - "--providers.file.watch=true"
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik.rule=Host(`traefik.cicd.frickeldave`)"
    - "traefik.http.routers.traefik.entrypoints=frontend"
    - "traefik.http.routers.traefik.service=api@internal"
    - "traefik.http.routers.traefik.middlewares=traefik-auth"
    - "traefik.http.middlewares.traefik-auth.basicauth.users=username:hashed-password"

tls.yml

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /home/appuser/data/certificates/cer.crt
        keyFile: /home/appuser/data/certificates/key.key
  certificates:
    - certFile: /home/appuser/data/certificates/cer.crt
      keyFile: /home/appuser/data/certificates/key.key
      stores:
        -default

The certificate is created in the Docker container before Traefik starts. The command for that is:

openssl req -x509 -newkey rsa:${CRT_LENGTH} -keyout /home/appuser/data/certificates/key.key -out /home/appuser/data/certificates/cer.crt -days $CRT_VALIDITY -nodes -subj "$SSLSUBJECT"

In the log I also get the following message (I don't know if that is related to my error):

traefik    | time="2020-11-25T12:33:14Z" level=debug msg="Adding certificate for domain(s) traefik.cicd.frickeldave"
traefik    | time="2020-11-25T12:33:14Z" level=debug msg="No default certificate, generating one"

Any idea what I am doing wrong?

Regards

Dave

Hello @Frickeldave and thanks for your interest in Traefik.

I tried your Docker file with valid certificates and I didn't get the "No default certificate" log. Could you send us your complete logs (from the beginning)?

Hi @jspdown,

sorry for my very late response and thank you for the invested time. Here we have the full log output:

Attaching to traefik
traefik    | first start, set initialstart variable to 1
traefik    | Check if its initial start
traefik    | initialstart variable is set to 1
traefik    | First start. Create initial certificates
traefik    | Check certificate directory
traefik    | createcerts: Directory already exist, skip....
traefik    | Create a self signed certificate with a validity of 3650 days
traefik    | Subject is "/C=DE/ST=BAVARIAN/L=HOERGERTSHAUSEN/O=cicd/CN=traefik.cicd.frickeldave"
traefik    | Generating a RSA private key
traefik    | .................................................................................................................................................................................................................................++++
traefik    | ...................................++++
traefik    | writing new private key to '/home/appuser/data/certificates/key.key'
traefik    | -----
traefik    | success
traefik    | use password from compose-file
traefik    | Adding password for user 
traefik    | Starting traefik
traefik    | = '/home/appuser/app/traefik' is not a Traefik command: assuming shell execution.
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Configuration loaded from flags."
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Traefik version 2.3.3 built on 2020-11-19T17:43:21Z"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Static configuration loaded {\"global\":{},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"frontend\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"frontendssl\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}},\"ping\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000},\"file\":{\"watch\":true,\"filename\":\"/home/appuser/data/config/tls.yml\"}},\"api\":{\"dashboard\":true,\"debug\":true},\"ping\":{\"entryPoint\":\"ping\",\"terminatingStatusCode\":503},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
traefik    | time="2020-12-02T18:32:23Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Start TCP Server" entryPointName=frontend
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Start TCP Server" entryPointName=ping
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Starting provider *file.Provider {\"watch\":true,\"filename\":\"/home/appuser/data/config/tls.yml\"}"
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Starting provider *traefik.Provider {}"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Start TCP Server" entryPointName=frontendssl
traefik    | time="2020-12-02T18:32:23Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{\"stores\":{\"default\":{}}}}" providerName=file
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"ping\":{\"entryPoints\":[\"ping\"],\"service\":\"ping@internal\",\"rule\":\"PathPrefix(`/ping`)\",\"priority\":2147483647}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{},\"ping\":{}}},\"tcp\":{},\"tls\":{}}" providerName=internal
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Adding certificate for domain(s) traefik.cicd.frickeldave"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Provider connection established with docker 19.03.13 (API 1.40)" providerName=docker
traefik    | time="2020-12-02T18:32:23Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"frontend\"],\"middlewares\":[\"traefik-auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.cicd.frickeldave`)\"}},\"services\":{\"traefik-cicd\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.28.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"traefik-auth\":{\"basicAuth\":{\"users\":[\"username:hashed-password\"]}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Adding certificate for domain(s) traefik.cicd.frickeldave"
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Added outgoing tracing middleware ping@internal" entryPointName=ping routerName=ping@internal middlewareName=tracing middlewareType=TracingForwarder
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=ping
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Adding certificate for domain(s) traefik.cicd.frickeldave"
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="No default certificate, generating one"
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Added outgoing tracing middleware ping@internal" routerName=ping@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=ping
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Creating middleware" entryPointName=ping middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=traefik@docker middlewareType=TracingForwarder middlewareName=tracing entryPointName=frontend
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Creating middleware" entryPointName=frontend middlewareName=traefik-auth@docker middlewareType=BasicAuth routerName=traefik@docker
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Adding tracing to middleware" entryPointName=frontend routerName=traefik@docker middlewareName=traefik-auth@docker
traefik    | time="2020-12-02T18:32:24Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=frontend middlewareName=traefik-internal-recovery

Regards

Dave

Some additional information regarding this issue for further analysis:

The full commandline of my openssl command is:
openssl req -x509 -newkey rsa:2048 -keyout /home/appuser/data/certificates/key.key -out /home/appuser/data/certificates/cer.crt -days 3560 -nodes -subj "/C=DE/ST=Bavarian/L=Muenich/O=cicd/CN=cicd.frickeldave"

When I try to curl from within the container, I get the following message:

$ curl https://localhost
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
/ $ curl https://localhost --insecure
404 page not found

On some sites I found that I have to set the permissions to 600 for the key file and 644 for the crt file. But that doesn't change anything.

When running netstat -tulpn in the container I see that "someone" is listening on the defined ports:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:42261        0.0.0.0:*               LISTEN      -
tcp        0      0 :::443                  :::*                    LISTEN      -
tcp        0      0 :::8080                 :::*                    LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      -
udp        0      0 127.0.0.11:51405        0.0.0.0:*                           -

I didn't see it at first, but there's a typo in your tls.yml file:

certificates:
    - certFile: /home/appuser/data/certificates/cer.crt
      keyFile: /home/appuser/data/certificates/key.key
      stores:
        - default

"- default" instead of "-default". I tried it and it solves the "No default certificate, generating one" message.

Then, regarding the 404 you get when you curl https://localhost --insecure, it is perfectly fine with your configuration. Your frontendssl entrypoint is not specified in "traefik.http.routers.traefik.entrypoints=frontend" and therefore nothing is exposed on port 443.
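As an added example (not from this thread and not Traefik's own code), a small Python lint that catches the two problems diagnosed above before the container is started: a YAML list item written as "-default", which YAML reads as a plain scalar string rather than a list entry (so the certificate is never attached to the store), and a router whose entrypoints label omits the entrypoint bound to :443. The fragments below are constructed copies of the poster's configuration; TLS_ENTRYPOINTS is assumed from the compose file's "--entrypoints.frontendssl.address=:443".

```python
"""Constructed checker for the two misconfigurations discussed in this thread."""
import re

# Constructed copy of the poster's tls.yml, including the '-default' typo.
TLS_YML_BROKEN = """\
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /home/appuser/data/certificates/cer.crt
        keyFile: /home/appuser/data/certificates/key.key
  certificates:
    - certFile: /home/appuser/data/certificates/cer.crt
      keyFile: /home/appuser/data/certificates/key.key
      stores:
        -default
"""

# Constructed copy of the router labels from the compose file.
ROUTER_LABELS = [
    "traefik.http.routers.traefik.rule=Host(`traefik.cicd.frickeldave`)",
    "traefik.http.routers.traefik.entrypoints=frontend",
    "traefik.http.routers.traefik.service=api@internal",
]

# Assumed: the entrypoints that terminate TLS (the one bound to :443 here).
TLS_ENTRYPOINTS = {"frontendssl"}


def yaml_dash_typos(text):
    """Return (line_no, text) for list-looking lines with no space after the dash.

    YAML treats '-default' as a scalar, so 'stores:' ends up holding the string
    '-default' instead of the list ['default'] and no store is matched.
    A line like '---' (document marker) is deliberately not flagged.
    """
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if re.match(r"^\s*-[^\s-]", line)]


def routers_missing_tls_entrypoint(labels, tls_entrypoints):
    """Return router names whose entrypoints label names none of the TLS entrypoints."""
    eps = {}
    for label in labels:
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.entrypoints=(.*)$", label)
        if m:
            eps[m.group(1)] = {e.strip() for e in m.group(2).split(",")}
    return sorted(name for name, found in eps.items() if not found & tls_entrypoints)


if __name__ == "__main__":
    print("YAML dash typos:", yaml_dash_typos(TLS_YML_BROKEN))
    print("Routers without a TLS entrypoint:",
          routers_missing_tls_entrypoint(ROUTER_LABELS, TLS_ENTRYPOINTS))
```

Adding frontendssl to the entrypoints label exposes the router on :443; in Traefik v2 the router additionally needs TLS enabled (the traefik.http.routers.<name>.tls=true label) for that entrypoint to actually serve the certificate from the store.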

@jspdown That's it. Saved my day. Thank you very much.
