I have traefik set up correctly for :80 and am trying to configure it to work correctly for :443.
I have validated that the routing is good by testing with http through :443, and that works no problem, so the next step is setting up https. I have set up a certFile and keyFile that the logs show are being picked up correctly. However, when it comes to actually using https it fails with "SSL peer has no certificate for the requested DNS name", even though the logs show that the certificate would in fact be correct for the url.
All I can think of is that traefik doesn't handle deep subdomains?
The certificate is issued for *.app.site.com and the url accessed is client.app.site.com (obviously the specifics have been anonymized, but that is the scheme in use).
Is there any inherent issue? I'm absolutely lost as to what else could possibly be wrong since everything I check works correctly outside of traefik refusing to use the certificate.
I tried adding an explicit tls to the entrypoint as per the docs (Traefik EntryPoints Documentation - Traefik) as you suggested, but still no luck, so here are the files. Obviously the certs are in the cert directory as per config.
Anonymized so as not to leak the name of my company/product, but other than the url and the specific name of the network these are copy-pasted; backend config omitted for brevity.
```yaml
## STATIC CONFIG (restart traefik to update)

# shows you a log msg if a newer image tag can be used
global:
  checkNewVersion: true

# log default is ERROR, but WARN is more helpful
log:
  level: DEBUG
  # level: INFO

# enable dashboard on 8080 with NO AUTH
api:
  insecure: true
  dashboard: true

# enable ping so the `traefik healthcheck` works
ping: {}

# auto-proxy containers if they have proper labels
# and also use this file for dynamic config (tls)
providers:
  docker:
    exposedByDefault: false
    watch: true
  file:
    fileName: /etc/traefik/traefik.yaml
    watch: true

# listen on 80/443, and redirect all 80 to 443 via 301
entryPoints:
  web:
    address: :80
    # comment out these lines if you don't want to redirect everything
    # http:
    #   redirections:
    #     entryPoint:
    #       to: websecure
    #       scheme: https
    #       permanent: true
  websecure:
    address: :443
    http:
      tls:
        domain:
          main: client.app.site.com

## DYNAMIC CONFIG
tls:
  certificates:
    - certFile: /certs/wild-app.site.com.crt
      keyFile: /certs/wild-app.site.com.key
  # when troubleshooting certs, enable this so traefik doesn't use
  # its own self-signed. By default if it can't find a matching
  # cert, it'll just create its own which will cause cert warnings
  # in browser and can be confusing to troubleshoot
  options:
    default:
      sniStrict: true
```
The logs show `Add certificate for domain(s) *.app.site.com`, so it is recognizing it correctly but refuses to serve it.
```yaml
tls:
  certificates:
    - certFile: /certs/wild-app.site.com.crt
      keyFile: /certs/wild-app.site.com.key
  # when troubleshooting certs, enable this so traefik doesn't use
  # its own self-signed. By default if it can't find a matching
  # cert, it'll just create its own which will cause cert warnings
  # in browser and can be confusing to troubleshoot
  options:
    default:
      sniStrict: true
```
Updated the compose to add file loading for /etc/traefik-tls.yaml; the logs show it's being loaded correctly.
Changed the websecure:http:tls in place to `tls: {}` as suggested, but still nothing.
It's really making no sense to me why it's not working.
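A quick check for the "deep subdomains" question above, as an added example that is neither the poster's configuration nor Traefik's own code: TLS clients and Traefik's SNI lookup both treat a wildcard SAN as covering exactly one DNS label, so `*.app.site.com` does cover `client.app.site.com` (but not `app.site.com` or `a.client.app.site.com`). The script parses the quoted "Add certificate for domain(s)" debug line out of a constructed sample log and reports which loaded SANs cover a requested server name; the log lines are constructed, not captured from a real instance.

```python
import re

# Constructed sample of the debug line quoted in the thread, written in
# Traefik's logfmt style. Not a real captured log.
SAMPLE_LOG = [
    'time="2024-01-01T00:00:00Z" level=debug msg="Add certificate for domain(s) *.app.site.com"',
    'time="2024-01-01T00:00:01Z" level=debug msg="No default certificate, generating one"',
]

_ADD_CERT = re.compile(r'Add certificate for domain\(s\) ([^"]+)')


def certificate_domains(log_lines):
    """Collect every SAN Traefik reports loading; multi-SAN certs are logged comma-separated."""
    domains = []
    for line in log_lines:
        m = _ADD_CERT.search(line)
        if m:
            domains.extend(d.strip() for d in m.group(1).split(","))
    return domains


def san_matches(pattern, hostname):
    """RFC 6125 style matching: a leading '*' label covers exactly one DNS label.

    Only a whole leftmost '*' label is treated as a wildcard (the form CAs
    issue); partial wildcards such as 'cl*.app.site.com' are compared literally.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # different label count: wildcard never spans labels
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def diagnose(log_lines, sni_hostname):
    """Return (covered, matching_sans) for the server name a client would send in SNI.

    With sniStrict enabled, a name that no loaded SAN covers is refused
    rather than answered with the generated default certificate.
    """
    sans = certificate_domains(log_lines)
    matching = [s for s in sans if san_matches(s, sni_hostname)]
    return bool(matching), matching


if __name__ == "__main__":
    for host in ("client.app.site.com", "app.site.com", "a.client.app.site.com"):
        covered, sans = diagnose(SAMPLE_LOG, host)
        print(f"{host:24} covered={covered} by={sans}")
```

If the requested name is reported as covered here but the handshake still fails, the mismatch is between what the browser sends in SNI and the entrypoint/router TLS configuration rather than the certificate itself.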