Is there a way to import a company root CA in traefik?

I have a docker swarm with traefik running in it and I want to be able to serve Grafana in https which is currently in http.

I've tried with the following traefik compose configuration:

version: "3.6"

services:

  traefik:
    image: traefik
    command:
      - --defaultentrypoints=http,https
      - --docker
      - --docker.swarmMode
      - --docker.exposedByDefault=false
      - --docker.domain=sdb.it
      - --docker.watch
      - --entryPoints=Name:http Address::80
      - --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt TLS:/etc/ssl/certs/sonarqube.crt,/etc/ssl/certs/sonarqube.key;/etc/ssl/certs/sdbit-grafana.pem,/etc/ssl/certs/sdbit-grafana.key
      - --rootcas=/etc/ssl/certs/rootca.crt
      - --insecureskipverify
      - --logLevel=DEBUG
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    secrets:
      - source: sdbit-sonarqube-docker.sdb.it.crt
        target: /etc/ssl/certs/sonarqube.crt
        mode: 644
      - source: sdbit-sonarqube-docker.sdb.it.key
        target: /etc/ssl/certs/sonarqube.key
        mode: 644
      - source: sdbit-grafana.sdb.it.pem
        target: /etc/ssl/certs/sdbit-grafana.pem
        mode: 644
      - source: sdbit-grafana.sdb.it.key
        target: /etc/ssl/certs/sdbit-grafana.key
        mode: 644
      - source: sdb-root-ca.crt
        target: /etc/ssl/certs/rootca.crt
        mode: 644
    deploy:
      placement:
        constraints:
          - node.role == manager

volumes:
  certificates:
    external: true
networks:
  traefik:
    external: true
secrets:
  sdbit-sonarqube-docker.sdb.it.crt:
    external: true
  sdbit-sonarqube-docker.sdb.it.key:
    external: true
  sdbit-grafana.sdb.it.pem:
    external: true
  sdbit-grafana.sdb.it.key:
    external: true
  sdb-root-ca.crt:
    external: true

and these labels on grafana:

  grafana:
    image: maven-repo.sdb.it:18080/grafana/grafana:6.0.1
    user: "104"
    depends_on:
      - prometheus
    ports:
      - 3000:3000
    volumes:
      - grafana_data:/var/lib/grafana
    configs:
      - source: grafana_custom_ldap
        target: /etc/grafana/custom_ldap.toml
    environment:
        .....
    labels:
        traefik.docker.network: traefik
        traefik.enable: "true"
        traefik.frontend.rule: Host:sdbit-grafana.sdb.it
        traefik.frontend.redirect.entryPoint: https
        traefik.domain: sdb.it
        traefik.port: 3000
    networks:
      - back-tier
      - front-tier
      - traefik
    restart: always
    deploy:
      placement:
        constraints:
          - node.role==worker

When traefik starts up it shows no errors in logs, but as soon as I try to point my browser to sdbit-grafana.sdb.it in traefik logs I can see:

time="2019-03-27T14:11:35Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:45240: remote error: tls: unknown certificate authority",

The certificate I'm trying to make work is taken from a company CA, and the pem file contains the root certificate.

As you can see from the compose file I tried to use the rootcas, the clientCA in https endpoint and also the insecureskipverify.

Any ideas?



Solution 1:[1]

I don't know where you found the lines defining entrypoints in traefik (- --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt) but the entrypoints documentation says otherwise. I personally use

      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.metrics.address=:8080
      - --entrypoints.web.http.redirections.entrypoint.to=:443
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true

Concerning the certificates, as per this doc, there should be a dynamic configuration file. I set it up using a volume and the following:

      - --providers.file.directory=/etc/traefik/conf.d/
      - --providers.file.watch=true

and adding a tls.yml file inside this conf.d directory with the following content:

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key

Your use case could also use the power of the default cert definition:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

I also suggest you try Let's Encrypt certificates with auto renewal, for it is simpler and at least as secure.

As a side note, I suggest you hide the domain in your question using http://example.com/

Hope this helps.
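Before pointing `certFile`/`keyFile` at a certificate issued by an internal CA, it is worth confirming that the bundle chains to that root and that the key belongs to it. The script below is an added example, not part of the original answer; it assumes the `openssl` CLI is installed, and the function names, file names and sample PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: sh check_cert.sh ROOT_CA CERT_BUNDLE KEY
# With no arguments it runs on a throwaway PKI constructed below.

# Returns 0 if the first cert in CERT_BUNDLE chains to ROOT_CA and KEY matches it.
check_cert() {
  ca=$1; bundle=$2; key=$3
  # 1. Chain: the leaf is the first cert in the bundle; any further certs in the
  #    bundle are offered as untrusted intermediates.
  openssl verify -CAfile "$ca" -untrusted "$bundle" "$bundle" >/dev/null 2>&1 \
    || { echo "chain does not verify against $ca"; return 1; }
  # 2. Key pair: compare digests of the public key from the cert and from the key.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 2; }
  echo "ok"
}

# Constructed sample data: a root CA, a leaf it signs, and an unrelated root.
make_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=grafana.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

if [ "$#" -eq 3 ]; then
  check_cert "$@"
else
  tmp=$(mktemp -d) && make_sample "$tmp"
  check_cert "$tmp/root.crt" "$tmp/leaf.crt" "$tmp/leaf.key"           # prints ok
  check_cert "$tmp/other.crt" "$tmp/leaf.crt" "$tmp/leaf.key" || true  # wrong root
  check_cert "$tmp/root.crt" "$tmp/leaf.crt" "$tmp/other.key" || true  # wrong key
  rm -rf "$tmp"
fi
```

A passing check only covers the server side: a client reports `unknown certificate authority` when the issuing root is not in its own trust store, so the company root also has to be installed on the machines that browse to the site.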

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Corentin Jacquet