Cert is not accepted by Traefik #646

@kruscho

Description

Environment

  • Operating system (including version): Ubuntu 24.04.3 LTS
  • mkcert version (from mkcert -version): 1.4.4
  • Server (where the certificate is loaded): Docker/Traefik
  • Client (e.g. browser, CLI tool, or script): Firefox Snap 142.0.1

What you did

After installing mkcert, I started with mkcert -install and generated some certs with sudo mkcert -cert-file /opt/containers/traefik/certs/svcinternal-cert.pem -key-file /opt/containers/traefik/certs/svcinternal-cert-key.pem *.homebox.lan.
After that, I installed Docker and Traefik with the following files.

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
  level: DEBUG

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/dynamic.yml"
    watch: true

and a dynamic.yml

tls:
  certificates:
  - certFile: /etc/certs/svcinternal-cert.pem
    keyFile: /etc/certs/svcinternal-cert-key.pem

http:
  middlewares:
    # secHeaders@file
    # - Set Sameorigin
    # - Set HSTS
    # - enforce HTTPS
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000

and configured the compose like this

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    environment:
      - LEGO_EXPERIMENTAL_CNAME_SUPPORT=true
    labels:
      - "traefik.enable=true"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.rule=Host(`traefik.homebox.lan`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.service=api@internal"
      # the middleware label must name the same router ("api") as the labels above
      - "traefik.http.routers.api.middlewares=secHeaders@file"

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/dynamic.yml:/dynamic.yml:ro
      - ./certs:/etc/certs:ro
      - ./log:/var/log
    networks:
      - proxy

networks:
  proxy:
    external: true

What went wrong

As soon as I try to reach the URL (this also happens with other URLs), the certificate is only accepted as a self-signed certificate. I also got the following output by running Traefik without daemon mode:

remote error: tls: unknown certificate authority

I can also see that the mkcert development CA is present in Firefox's certificate manager. If I ignore the warning and trust the self-signed certificate, the Traefik dashboard (and other services) can be accessed.
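The check a practitioner would run next, as an added example that is not part of this issue, of mkcert or of Traefik: "tls: unknown certificate authority" is what a TLS client reports when it cannot build a chain from the served leaf certificate to a CA in its own trust store, and having a CA with a similar display name in the store is not enough; the leaf's issuer must be exactly that CA. The script below reproduces the situation offline with openssl. It creates two throwaway CAs whose subjects follow mkcert's naming pattern (organization "mkcert development CA", CN "mkcert user@host"), signs a leaf for *.homebox.lan with only one of them, and verifies the chain against each. All names, paths and both CAs are constructed for the demonstration. One common way to end up in this state with mkcert is generating the server certificate under sudo, where mkcert's CAROOT is root's rather than the desktop user's that `mkcert -install` populated; whether that applies to this report is not established by the thread.

```shell
#!/bin/sh
# Added example, not mkcert's or Traefik's code: reproduce the
# "unknown certificate authority" failure offline with two throwaway
# CAs. The leaf is signed by one CA; a client that trusts only the
# other one rejects it. All names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = output path prefix, $2 = CN for the subject.
# The O/CN layout mirrors what mkcert writes into rootCA.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=mkcert development CA/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Leaf certificate signed by a CA. $1 = output prefix, $2 = CA prefix,
# $3 = DNS name (wildcards allowed), placed in the SAN extension.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$1.ext"
  openssl x509 -req -days 1 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# What a browser does: chain the leaf to a CA it trusts and match the
# host name. $1 = leaf pem, $2 = the single CA pem the client trusts,
# $3 = host name being visited. Prints "trusted" or "untrusted".
check_chain() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Issuer DN of a certificate: the field to compare with the subject of
# the rootCA.pem that is actually installed in the client.
issuer_of() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# Subject DN of a certificate (used for the trusted CA).
subject_of() {
  openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'
}

# Constructed scenario: the CA the client trusts is not the CA that
# signed the leaf, although both carry mkcert-style names.
make_ca   "$WORK/ca-installed" "mkcert user@homebox"
make_ca   "$WORK/ca-other"     "mkcert root@homebox"
make_leaf "$WORK/svcinternal-cert" "$WORK/ca-other" "*.homebox.lan"

echo "leaf issuer:            $(issuer_of "$WORK/svcinternal-cert.pem")"
echo "trusted CA subject:     $(subject_of "$WORK/ca-installed.pem")"
echo "chain vs installed CA:  $(check_chain "$WORK/svcinternal-cert.pem" "$WORK/ca-installed.pem" traefik.homebox.lan)"
echo "chain vs signing CA:    $(check_chain "$WORK/svcinternal-cert.pem" "$WORK/ca-other.pem" traefik.homebox.lan)"
```

To apply the same check to the real setup, compare the output of `mkcert -CAROOT` with `sudo mkcert -CAROOT`, then run `openssl verify -CAfile "$(mkcert -CAROOT)/rootCA.pem" svcinternal-cert.pem` as the desktop user: if the issuer printed by `openssl x509 -noout -issuer -in svcinternal-cert.pem` does not equal the subject of the rootCA.pem that Firefox imported, the browser is right to refuse the certificate, and the fix is to sign the leaf with the CA that is installed (or install the CA that signed it) rather than to add an exception.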
