Traefik ssl containers - '500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.x.x.x


I am using traefik:v2.8.2 and containers running Apache on ports 80 and 443. Apache redirects port 80 requests to port 443.

Below is my traefik.yml file -

# configure logs
log:
  level: DEBUG # Set to 'DEBUG' for troubleshooting
# configure entry points
entryPoints:
  web: # entry point name missing from the paste; "web" is assumed
    address: ":80"
    http:
      redirections: # http to https redirection
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
  postgres:
    address: ":5432"
# configure providers
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # connection to the docker daemon
    exposedByDefault: false # ignore containers without label 'traefik.enable=true'
  file:
    directory: "/etc/traefik/conf" # directory for dynamic traefik configuration files
    watch: true # changes are processed immediately
# configure api service
api:
  dashboard: true # enable the traefik dashboard

and below is my tls configuration

tls:
  certificates:
    - certFile: "/etc/traefik/certs/knandan-cert.pem"
      keyFile: "/etc/traefik/certs/knandan-key.pem"

And below is my docker-compose.yml file

version: "3.8"
services:
  traefik:
    networks:
      - d_local
    image: traefik:v2.8.2
    container_name: "d_traefik"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - --serverstransport.insecureskipverify=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro 
      - ./certs/:/etc/traefik/certs/:ro 
      - ./static_conf.yml:/traefik.yml:ro 
      - ./conf/:/etc/traefik/conf/:ro 
    labels:
      - traefik.enable=true 
      - traefik.docker.network=d_local
      - traefik.http.routers.traefik.entrypoints=websecure 
      - traefik.http.routers.traefik.rule=Host(`knandan.app`) 
      - traefik.http.routers.traefik.tls=true 
      - traefik.http.routers.traefik.service=api@internal 
      - traefik.http.services.traefik.loadbalancer.server.port=8080
  d_apiapp:
    build:
      context: apiapp
      dockerfile: .docker/Dockerfile
    container_name: apiapp
    restart: unless-stopped
    image: apiapp
    domainname: api.knandan.app
    ports:
      - "8080:80"
    networks:
      - d_local
    volumes:
      - "./apiapp:/srv/app"
      - "./certs:/etc/ssl/crt"
    labels:
      - traefik.enable=true
      - traefik.http.routers.apiapp.entrypoints=websecure
      - traefik.http.routers.apiapp.rule=Host(`api.knandan.app`)
      - traefik.http.routers.apiapp.tls=true
      - traefik.http.services.apiapp.loadbalancer.server.port=443
      - traefik.http.services.apiapp.loadbalancer.server.scheme=https
networks:
  d_local:
    external: true

When I run docker-compose up I can see the traefik dashboard. But when I open api.knandan.app I get an Internal Server Error.

After checking the logs I came to know that some ssl verification is failing, below is the error -

time="2022-08-18T07:04:09Z" level=debug msg="'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, ::1, not 172.18.0.2" 

I noticed that traefik is running my container on the container IP, not on the hostname:

level=debug msg="Creating server 0 https://172.18.0.2:443" routerName=apiapp@docker serverName=0 serviceName=apiapp entryPointName=websecure

Can someone please help me resolve this issue? Thanks in advance.

Below is my apache configuration - which is running behind the traefik to run the Laravel application

  • 000-default.conf

  • 000-default-ssl.conf

    Did you try removing ports for the d_apiapp service? You are exposing the container on the host network; it seems Traefik reaches the api container using Docker networks and you should not need to expose it. Did you try to add the hostname keyword to your app container? – Lety Aug 20, 2022 at 13:00

    Hi @Lety, thanks for your comment, but I don't think exposing the container on the host network will affect Traefik in any way. I still tried it but got the same error. I also tried adding the hostname, but no result. – Keshari Nandan Aug 20, 2022 at 15:49

    There are both the image and build keywords. From the docker-compose manual: "When service definition do include both Image attribute and a Build section, Compose implementation can’t guarantee a pulled image is strictly equivalent to building the same image from sources. Without any explicit user directives, Compose implementation with Build support MUST first try to pull Image, then build from source if image was not found on registry." Maybe you are using a wrong image? You should choose only one of them. – Lety Aug 20, 2022 at 16:19

    Sorry, I'm trying to help, but I did not find any wrong directive. Only I did not see the Encrypt certificate support for Traefik. How do you generate the SSL certificate? Did you see your service in the Traefik admin dashboard? – Lety Aug 20, 2022 at 18:31

    Hi Lety, thanks. I generated the SSL certificate using mkcert (github.com/FiloSottile/mkcert). I can see the service in the Traefik admin dashboard. I do see the request is going to the container, but the request is being rejected due to the SSL error. As per the log, the request goes from Traefik to the container IP, and there the certificate becomes invalid because the certificate is for the domain, not the IP address. – Keshari Nandan Aug 21, 2022 at 12:32

    Probably Traefik is using a default auto-signed certificate; I guess that wildcard certificates are not supported with a custom certificate.

    So try to add default certificate in your configuration file:

    tls:
      stores:
        default:
          defaultCertificate:
            certFile: /etc/traefik/certs/knandan-cert.pem
            keyFile: /etc/traefik/certs/knandan-key.pem # key file name as given in the question's tls configuration

    Here is a useful link

    Also you should check if the directory indicated in the apiapp volumes is correct: if apiapp is an Ubuntu-based image it should be /etc/ssl/certs and not /etc/ssl/crt.
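The x509 error in the question's log can be reproduced outside Traefik with Go's `crypto/x509`, which is where that message comes from. This is an added example, not code from the question or the answer: it builds a constructed self-signed certificate with the IP SANs named in the log (the `api.knandan.app` DNS SAN is an assumption based on the asker's comment) and checks it against the container IP Traefik dialed and against the hostname.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// backendCert self-signs a throwaway certificate (constructed sample) with the given SANs.
func backendCert(ips []net.IP, dns []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  ips,
		DNSNames:     dns,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkName runs the SAN check a TLS client applies to the name or IP it dials.
func checkName(cert *x509.Certificate, target string) string {
	if err := cert.VerifyHostname(target); err != nil {
		return err.Error()
	}
	return "ok"
}

func main() {
	// IP SANs copied from the error in the question; the DNS SAN is assumed.
	cert, err := backendCert([]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, []string{"api.knandan.app"})
	if err != nil {
		panic(err)
	}
	for _, target := range []string{"172.18.0.2", "api.knandan.app"} {
		fmt.Printf("%-16s -> %s\n", target, checkName(cert, target))
	}
}
```

The passing case corresponds to a Traefik `serversTransport` with `serverName` set to a DNS name in the backend certificate and `rootCAs` pointing at the mkcert CA, which keeps backend verification on instead of relying on `insecureSkipVerify`.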
