[GH-ISSUE #646] Cert is not accepted by Traefik #345

Open
opened 2026-02-25 22:33:08 +03:00 by kerem · 0 comments

Originally created by @kruscho on GitHub (Sep 8, 2025).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/646

Environment

  • Operating system (including version): Ubuntu 24.04.3 LTS
  • mkcert version (from mkcert -version): 1.4.4
  • Server (where the certificate is loaded): Docker/Traefik
  • Client (e.g. browser, CLI tool, or script): Firefox Snap 142.0.1

What you did

After installing mkcert, I started by running mkcert -install and generated some certs with sudo mkcert -cert-file /opt/containers/traefik/certs/svcinternal-cert.pem -key-file /opt/containers/traefik/certs/svcinternal-cert-key.pem *.homebox.lan.
After that, I installed docker and traefik with the following files

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
  level: DEBUG

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/dynamic.yml"
    watch: true

and a dynamic.yml

tls:
  certificates:
  - certFile: /etc/certs/svcinternal-cert.pem
    keyFile: /etc/certs/svcinternal-cert-key.pem

http:
  middlewares:
    # secHeaders@file
    # - Set Sameorigin
    # - Set HSTS
    # - enforce HTTPS
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000

and configured the compose like this

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    environment:
      - LEGO_EXPERIMENTAL_CNAME_SUPPORT=true
    labels:
      - "traefik.enable=true"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.rule=Host(`traefik.homebox.lan`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=secHeaders@file"

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/dynamic.yml:/dynamic.yml:ro
      - ./certs:/etc/certs:ro
      - ./log:/var/log
    networks:
      - proxy

networks:
  proxy:
    external: true

What went wrong

As soon as I try to reach the URL (this also happens with other URLs), the certificate is only accepted as a self-signed certificate. I also got the following message by running traefik without the daemon:

remote error: tls: unknown certificate authority

I can also see that the mkcert development CA is available in Firefox's certificate manager. If I ignore the warning and trust the self-signed certificate, the traefik dashboard (or other services) can be accessed.
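An added check, not part of the original report and not code from mkcert or Traefik: a small Go program that builds a constructed CA and leaf (stand-ins for the mkcert root and the *.homebox.lan certificate) and classifies what a client trusting only that CA would see, separating a genuinely self-signed served certificate (what the browser warning above points to) from one issued by a different CA and from a wildcard/hostname mismatch. The function names and certificate names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a constructed test certificate: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose validates a served certificate as a client trusting only trustedCA would, and names
// the failure class hidden behind a bare "unknown certificate authority" alert. A signature that
// verifies under the certificate's own public key means nobody else issued it (self-signed).
func Diagnose(served, trustedCA *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := served.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err == nil { return "ok" }
	selfSigned := served.CheckSignature(served.SignatureAlgorithm, served.RawTBSCertificate, served.Signature) == nil
	switch err.(type) {
	case x509.HostnameError: // e.g. the *.homebox.lan wildcard does not cover the bare apex name
		return "hostname-mismatch"
	case x509.UnknownAuthorityError: // not issued by any root the client trusts
		if selfSigned {
			return "self-signed"
		}
		return "unknown-authority"
	}
	return "other: " + err.Error()
}
```

On the real setup the same distinction can be drawn from the chain the server actually sends (openssl s_client -showcerts) checked against the rootCA.pem in the directory printed by mkcert -CAROOT: a self-signed leaf there means Traefik never loaded the mkcert certificate for that name.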
