Just

Reputation: 31

Docker setup with Traefik reverse proxy - NET:ERR_CERT_AUTHORITY_INVALID on one domain despite identical setup and config of another domain that works

I have a Docker setup with Traefik as the reverse proxy. I have one NGINX container serving a static page. Two domains (example-A.com and example-B.de) are supposed to expose that same static page. While example-A.com works properly as expected, example-B.de gets a NET:ERR_CERT_AUTHORITY_INVALID error.

example-A.com is registered with Google domains. Its A-record with name "@" points to my Docker host's IP address.

example-B.de is registered with another domain registrar. Its A-record points to my Docker host's IP address (i.e. the identical IP as for example-A.com). I can't configure name "@" with this registrar, I can only set the A record and the target IP.

My traefik.toml is:

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":8080"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:xxxxxxxxx"]
  [entryPoints.http]
    address = ":80"
      [entryPoints.http.redirect]
        entryPoint = "https"
  [entryPoints.https]
    address = ":443"
      [entryPoints.https.tls]

[api]
entrypoint="dashboard"

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

[docker]
domain = "my-main-domain.net"
watch = true
network = "traefik"

My docker-compose.yml is:

version: "3"

services:
  my-web:
    image: nginx:alpine
    container_name: my-web
    volumes:
    - /home/my-directory:/usr/share/nginx/html:ro
    networks:
    - traefik
    labels:
    - traefik.enable=true
    - traefik.frontend.rule=Host:example-B.de,example-A.com
    restart: always
  jupyter:
    [config here... with "traefik.frontend.rule=Host:subdomain1.my-main-domain.net"... remainder of config]
  ghost:
    [config here... with "traefik.frontend.rule=Host:subdomain2.my-main-domain.net"... remainder of config]

networks:
  traefik:
    external: true

The strange behavior is that example-A.com works as expected (HTTP and HTTPS) while example-B.de fails with NET:ERR_CERT_AUTHORITY_INVALID (HTTPS; HTTP is routed to HTTPS, i.e. same error) despite the exact same setup in docker-compose.yml within the same container on the same Docker host (see traefik.frontend.rule) and running under the same traefik.toml.

Another strange behavior: I get above NET:ERR_CERT_AUTHORITY_INVALID error on my cell phone (Chrome). On my computer (Chrome) it shows "404 page not found" (from Traefik) and "Not secure" in the URL bar with details "TRAEFIK DEFAULT CERT - Self-signed Root Certificate - This certificate has not been signed by a third party".

The other two docker services in my docker-compose.yml (jupyter and ghost) are running as expected.

I restarted traefik, and did a docker run down & up on docker-compose.yml.

The only difference I can spot is the different domain registrar and the difference in DNS A records as explained above.

The issue seems to be related to SSL, however to my (limited) knowledge, the domain registrar has nothing to do with the SSL certs. Also, the DNS setup does not seem to be the issue here as the browser resolves the domain properly, however then shows the error instead of the page.

Is someone able to spot an issue in my setup or configs and can point me to a fix or how to investigate further?

Upvotes: 1

Views: 4568
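The "TRAEFIK DEFAULT CERT" shown in the browser means Traefik fell back to its built-in self-signed certificate because it has no ACME certificate stored for that hostname. A quick way to confirm that before touching DNS is to inspect the acme.json file referenced by storage = "acme.json" and compare the hostnames it holds against the ones in the Host: rule. The script below is an added example, not part of the question; it embeds a constructed acme.json in the layout Traefik 1.x uses (a top-level "Certificates" list whose entries carry "Domain": {"Main", "SANs"}, "Certificate" and "Key"), with placeholder bodies instead of real PEM data and a placeholder account e-mail.

```python
import base64
import json

# Constructed sample, not a real acme.json. Layout follows Traefik 1.x:
# "Certificates" is a list of {"Domain": {"Main", "SANs"}, "Certificate", "Key"},
# where Certificate/Key are base64-encoded PEM. Bodies here are placeholders.
_PLACEHOLDER_CERT = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
).decode()
_PLACEHOLDER_KEY = base64.b64encode(b"PLACEHOLDER-PRIVATE-KEY").decode()

SAMPLE_ACME_JSON = json.dumps({
    "Account": {"Email": "acme-account@example.invalid"},  # placeholder address
    "Certificates": [
        {"Domain": {"Main": "example-A.com", "SANs": None},
         "Certificate": _PLACEHOLDER_CERT, "Key": _PLACEHOLDER_KEY},
        {"Domain": {"Main": "subdomain1.my-main-domain.net",
                    "SANs": ["subdomain2.my-main-domain.net"]},
         "Certificate": _PLACEHOLDER_CERT, "Key": _PLACEHOLDER_KEY},
        # An entry whose challenge never completed: no certificate body stored.
        {"Domain": {"Main": "pending.example.invalid", "SANs": None},
         "Certificate": "", "Key": ""},
    ],
    "HTTPChallenges": {},
})


def stored_hostnames(acme_json_text):
    """Return the set of hostnames (lower-cased) for which acme.json holds a usable certificate."""
    data = json.loads(acme_json_text)
    names = set()
    for entry in data.get("Certificates") or []:
        # An entry without a certificate body cannot be served; skip it so it
        # shows up as "missing" rather than hiding the problem.
        if not entry.get("Certificate") or not entry.get("Key"):
            continue
        domain = entry.get("Domain") or {}
        main = domain.get("Main")
        if main:
            names.add(main.lower())
        for san in domain.get("SANs") or []:
            names.add(san.lower())
    return names


def missing_certificates(acme_json_text, wanted_hosts):
    """Hostnames from the Traefik Host: rule that have no stored certificate.

    DNS names are case-insensitive, so comparison is done on lower-cased forms.
    Any name returned here will be served with TRAEFIK DEFAULT CERT.
    """
    have = stored_hostnames(acme_json_text)
    return sorted({h.lower() for h in wanted_hosts} - have)


def missing_certificates_from_file(path, wanted_hosts):
    """Same check against a real acme.json on disk (the file Traefik writes as storage)."""
    with open(path, "r", encoding="utf-8") as fh:
        return missing_certificates(fh.read(), wanted_hosts)


if __name__ == "__main__":
    # Hostnames taken from the traefik.frontend.rule labels in the question.
    hosts = ["example-B.de", "example-A.com",
             "subdomain1.my-main-domain.net", "subdomain2.my-main-domain.net"]
    for host in missing_certificates(SAMPLE_ACME_JSON, hosts):
        print(f"no certificate stored for {host}: Traefik will serve its default self-signed cert")
```

If the hostname that fails in the browser is the one reported as missing, the problem is on the ACME side (challenge or CA policy), not in the Host: rule or the NGINX container; Traefik's log around the time of the failed order will carry the CA's error message.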

Answers (1)

Just

Reputation: 31

As @codinghaus pointed out in his comment, the solution is to add a CAA record to the domain at the domain registrar. I added the property tag "issue" with value "letsencrypt.org". Then I restarted traefik as well as my docker-compose.yml.

Upvotes: 2
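For readers wondering what the CAA record actually controls: under RFC 8659 a CA must, before issuing, walk from the requested hostname up through its parents and honour the first non-empty CAA set it finds; an "issue" value naming the CA permits issuance, an "issue" value of ";" forbids all issuance, and no CAA record anywhere means any CA may issue. A lookup that fails outright (SERVFAIL rather than an empty answer) is treated by Let's Encrypt as a reason not to issue, which is why a registrar's DNS behaviour can matter even when the A record resolves fine. The evaluation logic below is an added example with a constructed zone, not code from the question, the answer, or Traefik; the record "0 issue \"letsencrypt.org\"" it produces is the one the answer describes adding.

```python
from dataclasses import dataclass

# Bit 7 of the CAA flags byte marks a property as issuer-critical (RFC 8659 section 4.1).
ISSUER_CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def caa_rdata(record):
    """Zone-file presentation of a CAA record, e.g. the one the answer added."""
    return f'{record.flags} {record.tag} "{record.value}"'


# Constructed zone data (hostname -> CAA records). An empty list means the name
# has no CAA records; names absent from the dict are treated the same way.
ZONE = {
    "example-b.de": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.example": [CAARecord(0, "issue", ";")],                 # forbids every CA
    "parent.example": [CAARecord(0, "issue", "digicert.com"),
                       CAARecord(0, "issuewild", "letsencrypt.org")],
    "child.parent.example": [],                                      # inherits from parent
    "strict.example": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],  # critical, unknown tag
}


def relevant_caa_set(hostname, zone):
    """RFC 8659 section 3: the first name on the path to the root with a non-empty CAA set wins."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, list(records)
    return None, []


def issuer_domain(value):
    """The issuer-domain-name part of an issue/issuewild value (parameters follow ';')."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(hostname, ca_domain, zone, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain wanting to issue for hostname."""
    owner, records = relevant_caa_set(hostname, zone)
    if not records:
        return True, "no CAA records on the name or any parent; issuance is not restricted"
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical CAA property {r.tag!r} at {owner} is not understood"
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in records if r.tag.lower() == tag]
    if wildcard and not props:
        # issuewild absent: the issue properties govern wildcard issuance too.
        tag = "issue"
        props = [r for r in records if r.tag.lower() == tag]
    if not props:
        return True, f"no {tag} property at {owner}; issuance is not restricted"
    allowed = {issuer_domain(r.value) for r in props}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag} at {owner}"
    listed = sorted(a or "<no CA>" for a in allowed)
    return False, f"{tag} at {owner} permits only {listed}"


if __name__ == "__main__":
    print(caa_rdata(ZONE["example-b.de"][0]))
    for name in ("example-b.de", "www.example-b.de", "child.parent.example", "strict.example"):
        print(name, may_issue(name, "letsencrypt.org", ZONE))
```

Note that adding the record restricts issuance to the listed CA for the whole subtree unless a child name publishes its own CAA set, so any other CA used for a subdomain needs its own "issue" entry.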
