Traefik ssl containers - '500 Internal Server Error' caused by: x509: certificate is valid

Time:08-27

I am using traefik:v2.8.2 and containers running apache on port 80 and 443. Apache redirects port 80 requests to port 443.

Below is my traefik.yml file -

# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting

# configure entry points
entryPoints:
  web:
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"
# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately

# configure api service
api:
  dashboard: true # enable the traefik dashboard

And below is my TLS configuration

tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"

And below is my docker-compose.yml file

version: "3.8"

services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro 
      - ./certs/:/etc/traefik/certs/:ro 
      - ./static_conf.yml:/traefik.yml:ro 
      - ./conf/:/etc/traefik/conf/:ro 
    labels:
      - traefik.enable=true 
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure 
      - traefik.http.routers.traefik.rule=Host(`knandan.app`) 
      - traefik.http.routers.traefik.tls=true 
      - traefik.http.routers.traefik.service=api@internal 
      - traefik.http.services.traefik.loadbalancer.server.port=8080

  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true

When I run docker-compose up I can see the traefik dashboard. But when I open api.knandan.app I get an Internal Server Error.

After checking the logs I came to know that some SSL verification is failing. Below is the error -

time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2" 

I noticed that traefik is running my container on the container IP, not on the hostname.

level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure

Can someone please help me resolve this issue? Thanks in advance.

Below is my apache configuration - which is running behind the traefik to run the Laravel application

  1. 000-default.conf

     apache redirect configuration

  2. 000-default-ssl.conf

     apache ssl configuration

CodePudding user response:

Traefik is probably using a default auto-signed certificate; I guess that with a custom certificate, a wildcard certificate is not supported.

So try to add a default certificate in your configuration file:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/knandan-cert.pem
        keyFile: /etc/traefik/certs/knandan-key.pem # key file name as given in the question's tls configuration

Here is a useful link

Also, you should check whether the directory indicated in the apiapp volumes is correct: if apiapp is an Ubuntu-based image, it should be /etc/ssl/certs and not /etc/ssl/crt.

CodePudding user response:

Don't use an underscore in the container name. The container name will then be used as a host name, which is not valid.
