Andrey Kurnikovs

Reputation: 427

Your connection is not private (this certificate can't be verified up to a trusted verification authority)

I'm having a hard time setting up Traefik's Let's Encrypt automated certificates for my site. It keeps popping up the error message "Your connection is not private". When I check the certificate, it looks like the one shown in the screenshot.

Is this feature broken in Traefik? How can I make it work? Am I doing something wrong?

Here's my traefik.toml file:

```toml
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:$apr1$yhytIYv.$p0hPOLpt/NE9aAr7c1HsV1"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
email = "[email protected]"
storage = "acme.json"
onDemand = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
```

Also, I'm starting the container this way:

```bash
docker network create proxy
docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $PWD/traefik.toml:/traefik.toml \
  -v $PWD/acme.json:/acme.json \
  -p 80:80 \
  -p 443:443 \
  -l traefik.frontend.rule=Host:monitor.btcsha.com \
  -l traefik.port=8080 \
  --network proxy \
  --name traefik \
  traefik:1.7-alpine --docker
```

Upvotes: 1

Views: 2816

Answers (2)

Andrey Kurnikovs

Reputation: 427

Ok, I somehow made it work. I think the issue was that I had to remove the old acme.json file. Then, when I created a new one, I forgot to run `chmod 600 acme.json`.

And yes, ldez was right with `caServer = "https://acme-v02.api.letsencrypt.org/directory"`.

Now it works. So for future reference, here is my traefik.toml:

```toml
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:$apr1$yhytIYv.$p0hPOLpt/NE9aAr7c1HsV1"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
email = "[email protected]"
storage = "acme.json"
onDemand = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
```

... and I start Docker with the following command:

```bash
docker network create proxy
docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $PWD/traefik.toml:/traefik.toml \
  -v $PWD/acme.json:/acme.json \
  -p 80:80 \
  -p 443:443 \
  -l traefik.frontend.rule=Host:monitor.btcsha.com \
  -l traefik.port=8080 \
  --network proxy \
  --name traefik \
  traefik:1.7-alpine --docker
```

Upvotes: 2

ldez

Reputation: 3130

You are using the Let's Encrypt staging CA (`caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"`), so the root certificate is not valid and this is the expected behavior.

Please read https://letsencrypt.org/docs/staging-environment/

To get real certificates, you need to use the Let's Encrypt production endpoint (`caServer = "https://acme-v02.api.letsencrypt.org/directory"`), which is the default in Traefik.

Upvotes: 0
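As an added example that is not from the question or either answer: a small Python preflight check for the two problems discussed in the answers above (a `caServer` pointing at the staging CA, and an `acme.json` whose mode is not 600), plus the HTTP-01 requirement that the challenge entry point listens on port 80. The TOML sample is constructed from the question's config, and the tiny parser is an assumption that only handles Traefik 1.x's flat `key = "value"` lines.

```python
import os, re, stat, tempfile

# Constructed sample modelled on the question's original traefik.toml (Traefik 1.x layout).
SAMPLE_TOML = """\
[entryPoints]
  [entryPoints.http]
  address = ":80"
[acme]
storage = "acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
"""
STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

def toml_value(text, section, key):
    """Minimal lookup of key = "value" inside [section]; enough for Traefik 1.x TOML."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == f"[{section}]"
            continue
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if in_section and m and m.group(1) == key:
            return m.group(2)
    return None

def check_acme_config(toml_text, acme_json_path):
    """Return findings that explain a browser warning or a rejected acme.json."""
    findings = []
    if STAGING_HOST in (toml_value(toml_text, "acme", "caServer") or ""):
        findings.append("caServer is the staging CA: browsers do not trust its root")
    ep = toml_value(toml_text, "acme.httpChallenge", "entryPoint")
    addr = toml_value(toml_text, f"entryPoints.{ep}", "address") if ep else None
    if addr != ":80":
        findings.append(f"httpChallenge entryPoint {ep!r} is on {addr!r}; HTTP-01 needs port 80")
    if os.path.exists(acme_json_path):
        mode = stat.S_IMODE(os.stat(acme_json_path).st_mode)
        if mode != 0o600:
            findings.append(f"acme.json mode is {mode:o}; Traefik 1.x rejects anything but 600")
    return findings

def demo(mode, toml_text=SAMPLE_TOML):
    # Throwaway acme.json with the requested mode, so the check runs offline.
    with tempfile.NamedTemporaryFile(suffix=".json") as f:
        os.chmod(f.name, mode)
        return check_acme_config(toml_text, f.name)
```

Point `check_acme_config` at your real `traefik.toml` text and `acme.json` path to run the same checks against a live deployment.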
