user1853417

Reputation: 481

Traefik entrypoints and default certificate

Question 1

https://docs.traefik.io/configuration/entrypoints/#default-certificate seems to indicate that if I do not specify any certFile or keyFile, a self-signed certificate will be generated by Traefik, and used instead.

There can only be one defaultCertificate set per entrypoint. Use a single set of square brackets [ ], instead of the two needed for normal certificates. If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.

However, when I try this and enter https://localhost/whoami I get an SSL error from Chrome (ERR_SSL_PROTOCOL_ERROR). Logs also show level=error msg="failed to load X509 key pair: tls: failed to find any PEM data in certificate input". Have I misunderstood the configuration in that documentation?

This is the code I have to test this.

test.yml

version: '3.6'
services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/etc/traefik/traefik.toml
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.port=8080"
        - "traefik.frontend.rule=PathPrefixStrip:/traefik"
    networks:
      - traefiknet
  whoami:
    image: emilevauge/whoami
    deploy:
      labels:
        - "traefik.port=80"
        - "traefik.frontend.rule=PathPrefixStrip:/whoami"
    networks:
      - traefiknet
networks:
  traefiknet:

traefik.toml

logLevel = "DEBUG"

defaultEntryPoints = ["http", "https"]

[api]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [entryPoints.https.tls.defaultCertificate]

[docker]
  endpoint = "unix:///var/run/docker.sock"
  watch = true
  swarmMode = true
  network = "test_traefiknet"

Start with:

docker stack deploy -c test.yml test

Question 2

Note that I also tried doing what it says on this page: https://docs.traefik.io/configuration/entrypoints/#static-certificates

If an empty TLS configuration is provided, default self-signed certificates are generated.

However, that also did not work. My question, however, is: what is the difference between this configuration and the configuration shown in question 1 in the toml file?

Upvotes: 2

Views: 9999

Answers (1)

user1853417

Reputation: 481

I found out the answer. I needed to remove [entryPoints.https.tls.defaultCertificate]. Unfortunately I did not find the documentation very clear in this regard.

Upvotes: 2
