Why isn't Traefik serving my SSL certificate, and why does it use a self-signed one instead?

Hello everyone,

I am stuck on a small but annoying point and cannot figure out where I made the mistake.

When I open my URL (gitlab.example.org) I get a certificate warning, because Traefik serves a self-signed certificate.

This is the docker-compose.yml I am using for Traefik:

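# Traefik reverse proxy (docker-compose). TLS terminates here; the
# certificates come from the file provider directory mounted below.
version: "3.3"

services:
  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:
      # api.insecure=true serves the dashboard/API on :8080 without any
      # authentication. Port 8080 is not published under `ports`, but every
      # container attached to the `web` network can still reach it. Prefer
      # the dashboard behind an authenticated router, or drop this flag.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are routed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Entrypoint-level redirect: every request on :80 is sent to :443
      # before any router is evaluated.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # Dynamic configuration (the TLS certificate list) is read from here.
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./config.yml:/etc/traefik/dynamic_conf/conf.yml:ro"
      # Traefik only reads the certificate and key; mount them read-only so
      # the proxy cannot overwrite or replace them.
      - "./certs/:/certs/:ro"
      # The `:ro` flag does not restrict Docker API calls made through the
      # socket; anyone who can reach this container can drive the host's
      # Docker daemon. Keep the container's attack surface minimal.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - web
    restart: unless-stopped

networks:
  web:
    driver: bridge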

The config.yml contains:

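# Traefik dynamic configuration (mounted as /etc/traefik/dynamic_conf/conf.yml).
tls:
  certificates:
    # Traefik selects a certificate by matching the client's SNI hostname
    # against the SAN/CN entries of the certificates listed here. When no
    # entry matches, it falls back to the store's default certificate,
    # which is a generated self-signed one unless set explicitly.
    - certFile: /certs/cert_custom.crt
      keyFile: /certs/cert_custom.key
  stores:
    default:
      # Use the custom certificate as the fallback as well, so a host that
      # is not covered by the certificate's SAN entries no longer receives
      # the built-in self-signed certificate.
      defaultCertificate:
        certFile: /certs/cert_custom.crt
        keyFile: /certs/cert_custom.key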
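# GitLab stack (docker-compose). TLS is terminated by Traefik on the external
# `traefik_web` network; GitLab itself only listens on plain HTTP :80.
version: '3'

services:
  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    container_name: gitlab
    restart: unless-stopped
    hostname: 'gitlab.example.org'
    # Omnibus settings (Ruby, evaluated at container start):
    # - nginx listens on plain :80 and leaves the HTTPS redirect to the proxy.
    # - external_url is http:// here although clients reach GitLab over
    #   https; GitLab's documented setup for upstream TLS termination uses
    #   an https:// external_url together with nginx['listen_https'] = false.
    #   TODO confirm which is intended before changing it.
    # - The database password is inline; prefer a Docker secret or an env
    #   file that is not committed to version control.
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.example.org'
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['redirect_http_to_https'] = false
        nginx['web_set_headers'] = {
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }

        gitlab_rails['db_adapter'] = "postgresql"
        gitlab_rails['db_database'] = "gitlab"
        gitlab_rails['db_username'] = "postgres"
        gitlab_rails['db_password'] = "<...>"
        gitlab_rails['db_host'] = "gitlab_database"
    ports:
      # Only SSH is published directly; HTTP traffic reaches GitLab via Traefik.
      - "2222:22"
    networks:
      - traefik_web
      - default
    volumes:
      - gitlab-config:/etc/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-data:/var/opt/gitlab
      - gitlab-certs:/certs
    labels:
      - "traefik.enable=true"
      # Traefik must talk to this container over the network they share.
      - "traefik.docker.network=traefik_web"
      # Router on the plain-HTTP entrypoint whose only job is the redirect.
      # If the `web` entrypoint already redirects at entrypoint level in the
      # Traefik configuration, this router is never reached and can be dropped.
      - "traefik.http.routers.gitlab.entrypoints=web"
      - "traefik.http.routers.gitlab.rule=Host(`gitlab.example.org`)"
      - "traefik.http.middlewares.gitlab-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gitlab.middlewares=gitlab-https-redirect"
      # HTTPS router: TLS is enabled, the certificate comes from Traefik's
      # dynamic configuration, and traffic is forwarded to GitLab's :80.
      - "traefik.http.routers.gitlab-secure.entrypoints=websecure"
      - "traefik.http.routers.gitlab-secure.rule=Host(`gitlab.example.org`)"
      - "traefik.http.routers.gitlab-secure.tls=true"
      - "traefik.http.routers.gitlab-secure.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"

  database:
    image: postgres:12-alpine
    container_name: gitlab_database
    restart: unless-stopped
    # Internal network only; the database is not attached to the proxy network.
    networks:
      - default
    environment:
      POSTGRES_PASSWORD: "<...>"
      POSTGRES_DB: gitlab
    volumes:
      - gitlab-postgres-data:/var/lib/postgresql/data

volumes:
  gitlab-postgres-data:
  gitlab-config:
  gitlab-logs:
  gitlab-certs:
  gitlab-data:

networks:
  traefik_web:
    external: true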

Any idea what I am doing wrong?

Hello @ahoiHGF

Does the domain name match the certificate's SAN? If it does, the matching certificate should be presented instead of the default (built-in) one.

Hi, @jakubhajek:
Are wildcard SANs valid? I am running into similar issues right now with an *.example.com cert.