
Cert is not accepted by Traefik

Open kruscho opened this issue 3 months ago • 0 comments

Environment

  • Operating system (including version): Ubuntu 24.04.3 LTS
  • mkcert version (from mkcert -version): 1.4.4
  • Server (where the certificate is loaded): Docker/Traefik
  • Client (e.g. browser, CLI tool, or script): Firefox Snap 142.0.1

What you did

After installing mkcert, I started with `mkcert -install` and generated some certs with `sudo mkcert -cert-file /opt/containers/traefik/certs/svcinternal-cert.pem -key-file /opt/containers/traefik/certs/svcinternal-cert-key.pem *.homebox.lan`. After that, I installed Docker and Traefik with the following files:

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
  level: DEBUG

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/dynamic.yml"
    watch: true

and a dynamic.yml

tls:
  certificates:
  - certFile: /etc/certs/svcinternal-cert.pem
    keyFile: /etc/certs/svcinternal-cert-key.pem

http:
  middlewares:
    # secHeaders@file
    # - Set Sameorigin
    # - Set HSTS
    # - enforce HTTPS
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000

and configured the compose like this

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    environment:
      - LEGO_EXPERIMENTAL_CNAME_SUPPORT=true
    labels:
      - "traefik.enable=true"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.rule=Host(`traefik.homebox.lan`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.service=api@internal"
      # note: this attaches secHeaders@file to a router named "traefik"; the router defined above is named "api"
      - "traefik.http.routers.traefik.middlewares=secHeaders@file"

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/dynamic.yml:/dynamic.yml:ro
      - ./certs:/etc/certs:ro
      - ./log:/var/log
    networks:
      - proxy

networks:
  proxy:
    external: true

What went wrong

As soon as I try to reach the URL (this also happens with other URLs), the certificate is only accepted as a self-signed certificate. I also got the following info by running Traefik in the foreground rather than as a daemon:

remote error: tls: unknown certificate authority

I can also see that the mkcert development CA is present in Firefox's certificate manager. If I ignore the warning and trust the self-signed certificate, the Traefik dashboard (or the other services) can be accessed.

kruscho avatar Sep 08 '25 19:09 kruscho
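Two facts worth keeping in mind when reading the report above. First, `remote error: tls: unknown certificate authority` is Go's wording for an alert the *client* sent: Firefox looked at the chain Traefik served and did not find a trusted issuer for it. Second, mkcert keeps its CA in a per-user directory (`mkcert -CAROOT`), so `mkcert -install` as a normal user and `sudo mkcert ...` without `CAROOT` set can operate on two different CAs, and Traefik also falls back to its own built-in certificate (issuer `TRAEFIK DEFAULT CERT`) when it cannot match the requested name. The script below is an added example, not code from the issue, mkcert or Traefik: it shows the check a practitioner would run before anything else, namely whether the leaf in `-cert-file` actually verifies against the `rootCA.pem` that was installed. All paths, CA names and the leaf are constructed in a temporary directory to simulate two CAROOTs; nothing touches the real mkcert store, and the live `served_issuer` helper is defined but not run, since it needs the proxy.

```shell
#!/bin/sh
# Added example (not from the issue): does a leaf certificate chain to the CA in a
# given mkcert CAROOT? Two constructed CAROOT directories stand in for the invoking
# user's and root's; a leaf for *.homebox.lan is issued from one of them, as mkcert would.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CA gets explicit CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed stand-in for a mkcert CAROOT: rootCA.pem + rootCA-key.pem in a directory.
make_ca() {  # $1 = CAROOT dir, $2 = CA common name
    mkdir -p "$1"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=mkcert development CA/CN=$2" \
        -keyout "$1/rootCA-key.pem" -out "$1/rootCA.pem" >/dev/null 2>&1
}

# Constructed stand-in for `mkcert -cert-file C -key-file K '*.homebox.lan'`:
# issue a leaf with SAN *.homebox.lan from the CA in CAROOT $1.
make_leaf() {  # $1 = CAROOT dir, $2 = cert-file, $3 = key-file
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=*.homebox.lan" -keyout "$3" -out "$WORK/leaf.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:*.homebox.lan\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -days 30 -extfile "$WORK/leaf.ext" \
        -CA "$1/rootCA.pem" -CAkey "$1/rootCA-key.pem" -CAcreateserial \
        -out "$2" >/dev/null 2>&1
}

# The check: does the leaf verify against this CAROOT's rootCA.pem?
# Exit 0 means a browser that trusts that rootCA.pem accepts the chain; non-zero means
# it rejects it with unknown_ca, which Traefik logs as
# "remote error: tls: unknown certificate authority".
chains_to_caroot() {  # $1 = CAROOT dir, $2 = cert-file
    openssl verify -CAfile "$1/rootCA.pem" "$2" >/dev/null 2>&1
}

# Issuer DN of a certificate file, for eyeballing which CA signed it.
issuer_of() {  # $1 = cert-file
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Live variant against a running proxy (not run here: needs the network). Prints the
# issuer of the chain Traefik serves for that SNI; "TRAEFIK DEFAULT CERT" means the
# built-in fallback certificate was served, not the one from dynamic.yml.
served_issuer() {  # $1 = hostname (SNI), $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer | sed 's/^issuer=//'
}

USER_CAROOT="$WORK/home/user/.local/share/mkcert"   # constructed: what `mkcert -install` trusted
ROOT_CAROOT="$WORK/root/.local/share/mkcert"        # constructed: what `sudo mkcert` may have used
LEAF="$WORK/svcinternal-cert.pem"

make_ca "$USER_CAROOT" "user@homebox"
make_ca "$ROOT_CAROOT" "root@homebox"
make_leaf "$ROOT_CAROOT" "$LEAF" "$WORK/svcinternal-cert-key.pem"

echo "leaf issuer:          $(issuer_of "$LEAF")"
echo "installed CA subject: $(issuer_of "$USER_CAROOT/rootCA.pem")"   # self-signed, so issuer == subject
if chains_to_caroot "$USER_CAROOT" "$LEAF"; then
    echo "OK: leaf chains to the installed mkcert CA"
else
    echo "MISMATCH: leaf was signed by a different CA than the installed one; browsers will reject it"
fi
```

Against a real setup, replace the two constructed directories with the output of `mkcert -CAROOT` run as the user who ran `mkcert -install` and as root, and point `$LEAF` at the file mounted into `/etc/certs`; if the leaf only verifies against root's CAROOT, either regenerate it without sudo or run mkcert with `CAROOT` pointing at the installed CA. Running `served_issuer traefik.homebox.lan 443` from the host then tells you whether Traefik is serving that file at all or its default certificate.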