Using Self-Signed certs on v3.4

Complete newbie here, not just to Traefik and reverse proxies but also to the idea of running one’s own CA. I have a freshly minted key and cert pair that I am ready to use, just having a few problems with Traefik. My problem is that Traefik is still using the default TLS certificate (as per my browser saying so). Here’s the boilerplate stuff:

docker-compose.yml

networks:
  frontend:
    external: true
    name: frontend

services:
  traefik:
    container_name: traefik
    image: traefik:v3.4
    restart: unless-stopped 
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      # So that traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # Point traefik to the config file and make it read only
      - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
      # Certs
      - ./certs:/certs:rw
    networks:
      - frontend

traefik.yaml

global:
  sendAnonymousUsage: false
log:
  level: DEBUG
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/opt/docker-compose/traefik/config/tls.yaml"

tls.yaml

tls:
  stores:
    default:
      defaultCertificate:
          certFile: /opt/docker-compose/traefik/certs/search.lan.cert
          keyFile:  /opt/docker-compose/traefik/certs/search.lan.key

Help would be awesome, thanks in advance!

You need to tell the entrypoint to enable TLS globally (doc) or enable it on the router.

entryPoints:
  websecure:
    address: ':443'
    http:
      tls: {}

Hmm, didn't seem to work. I'm getting this error in the logs, but have not specified opnsense anywhere - I am using an OPNsense CA feature for the certs. Is this information encoded into the cert itself?

ERR github.com/traefik/traefik/v3/cmd/traefik/traefik.go:383 > Router uses a nonexistent certificate resolver certificateResolver=opnsense routerName=searx-https@docker

It seems you have some labels on your containers that want to use an "opnsense" certResolver, which would need to be defined in Traefik static config.

I would remove TLS from the routers and configure it globally, either with custom TLS or with Let's Encrypt; check the simple Traefik example.
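
The mismatch behind the logged error can be checked before Traefik starts. The following is an added example, not code from the thread or from the Traefik project: it scans container labels for `traefik.http.routers.<name>.tls.certresolver` and reports any resolver name that is not declared under `certificatesResolvers` in the static configuration. The container names, the `whoami` router and the already-parsed static config dict are constructed sample data; `undefined_resolvers` is a hypothetical helper name.

```python
import re

# Traefik router label that carries a certificate resolver name; label keys
# are matched case-insensitively here.
RESOLVER_LABEL = re.compile(
    r"^traefik\.http\.routers\.([^.]+)\.tls\.certresolver$", re.IGNORECASE
)


def undefined_resolvers(containers, static_config):
    """Return sorted (container, router, resolver) tuples whose resolver is
    not declared under certificatesResolvers in the static configuration."""
    defined = set((static_config.get("certificatesResolvers") or {}).keys())
    findings = []
    for container, labels in containers.items():
        for key, value in labels.items():
            match = RESOLVER_LABEL.match(key.strip())
            if match and value.strip() not in defined:
                findings.append((container, match.group(1), value.strip()))
    return sorted(findings)


# Constructed sample data: labels as `docker inspect` would report them for two
# hypothetical containers, and a static config (already parsed into a dict)
# that, like the traefik.yaml in the thread, declares no resolvers.
SAMPLE_CONTAINERS = {
    "searx": {
        "traefik.enable": "true",
        "traefik.http.routers.searx-https.rule": "Host(`search.lan`)",
        "traefik.http.routers.searx-https.entrypoints": "websecure",
        "traefik.http.routers.searx-https.tls.certresolver": "opnsense",
    },
    "whoami": {
        "traefik.enable": "true",
        "traefik.http.routers.whoami.rule": "Host(`whoami.lan`)",
        "traefik.http.routers.whoami.tls": "true",
    },
}
SAMPLE_STATIC = {"entryPoints": {"websecure": {"address": ":443"}}}

if __name__ == "__main__":
    for container, router, resolver in undefined_resolvers(
        SAMPLE_CONTAINERS, SAMPLE_STATIC
    ):
        print(f"{container}: router {router} uses undefined resolver {resolver!r}")
```

A router that only sets `tls=true`, like the constructed `whoami` one, is not flagged, because it does not ask for a resolver and is served from the TLS store instead.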