serversTransport.rootCAs not being honored #9732

Closed
2 tasks done
rwjack opened this issue Feb 21, 2023 · 2 comments

Comments


rwjack commented Feb 21, 2023

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Trying to configure TLS on my backends by following this guide:

https://doc.traefik.io/traefik/routing/overview/#rootcas

I'm running traefik on debian 11 with systemd.

I have modified the static configuration file /etc/traefik/traefik.yml with the following, and yes, the traefik user can read the file. Logs don't show anything interesting.

serversTransport:
  rootCAs:
    - /etc/traefik/certs/self-signed-ca.pem

I keep getting 500 Internal Server Error on all my HTTPS backends. HTTP ones work regularly.

I'm using a single service for my backend; I just changed the url: http -> https. The 500 was coming from traefik 100%; I can curl the service directly.
Nothing is even reaching the backend service, the request fails when it reaches traefik. (I checked the backend service logs)

It seems that the rootCAs rule is not honored for some reason, because when setting:

serversTransport:
  insecureSkipVerify: true

Everything works as it should, except the above flag is not production approved.

Any thoughts? This seems like a bug...

What did you see instead?

My Desktop -> Traefik
[screenshot not available]

Traefik -> backend service:

$ nc -vz backend-https-host 443
backend-https-host [ip redacted] 443 (?) open

What version of Traefik are you using?

Version: 2.9.5
Codename: banon
Go version: go1.19.3
Built: 2022-11-17T15:04:26Z
OS/Arch: linux/amd64

What is your environment & configuration?

config.yml:

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

http:
  routers:
    redacted:
      rule: Host(`sub.domain.tld`)
      entryPoints:
        - web-secure
      middlewares:
        - security-headers
      service: service1
      tls:
        certResolver: le
        domains:
          - main: "sub.domain.tld"

  services:
    service1:
      loadBalancer:
        servers:
          - url: https://backend-host:443

  middlewares:
    security-headers:
      headers:
        referrerPolicy: same-origin
        forceSTSHeader: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        contentTypeNosniff: true
        browserXssFilter: true
        customRequestHeaders:
          X-Forwarded-Proto: https
        frameDeny: true

traefik.yml:

providers:
  file:
    filename: /etc/traefik/config.yml
    watch: true

serversTransport:
  rootCAs:
    - /etc/traefik/certs/self-signedCA.pem # also in system trust store and readable by traefik user
  insecureSkipVerify: false

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
          permanent: true

  web-secure:
    address: :443

certificatesResolvers:
  le:
...
redacted
...

If applicable, please paste the log output in DEBUG level

No response

mpl (Collaborator) commented Feb 21, 2023

Hello @rwjack ,

Can you please show us the logs, with DEBUG level activated?

rwjack (Author) commented Feb 22, 2023

It seems I missed something in the debug logs: I was using an incorrect SAN...
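The thread resolves as a SAN mismatch rather than rootCAs being ignored, and the two failures look identical from the browser (a 500 from the proxy) but differ in the proxy's debug log. The Go program below is an added example, not Traefik's code and not the reporter's configuration: it builds an in-memory self-signed CA and a server certificate whose only SAN is `backend-host`, then runs the same verification a TLS client performs. With the CA in the trust pool and the dialed name matching, verification passes; with the CA trusted but the dialed name `backend-https-host`, it fails with a hostname error (the reporter's situation); with a matching name but an empty trust pool, it fails with an unknown-authority error (what "rootCAs not honored" would actually look like). The host names, CA subject and helper names are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed, in-memory root CA pool and a leaf certificate
// issued by that CA. Nothing here touches disk or the system trust store.
type testPKI struct {
	roots *x509.CertPool
	leaf  *x509.Certificate
}

// newTestPKI creates a self-signed CA and a server certificate whose SAN list
// is exactly dnsNames (hypothetical names, constructed for this example).
func newTestPKI(dnsNames []string) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example self-signed CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     dnsNames, // the SANs a TLS client compares against the dialed host
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &testPKI{roots: roots, leaf: leaf}, nil
}

// verifyBackend performs the two checks a TLS client runs on a server
// certificate: chain building against the configured roots (what rootCAs
// supplies) and SAN matching against the host that was dialed. It returns a
// short label so the two failure modes can be told apart.
func verifyBackend(leaf *x509.Certificate, roots *x509.CertPool, dialedHost string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   dialedHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostnameErr x509.HostnameError
	var authorityErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostnameErr):
		return "hostname-mismatch" // roots were fine; the dialed name is not in the SAN list
	case errors.As(err, &authorityErr):
		return "unknown-authority" // the CA really is missing from the trust pool
	default:
		return "other: " + err.Error()
	}
}

func main() {
	pki, err := newTestPKI([]string{"backend-host"})
	if err != nil {
		panic(err)
	}
	fmt.Println("matching SAN, CA trusted:   ", verifyBackend(pki.leaf, pki.roots, "backend-host"))
	fmt.Println("wrong SAN, CA trusted:      ", verifyBackend(pki.leaf, pki.roots, "backend-https-host"))
	fmt.Println("matching SAN, CA not loaded:", verifyBackend(pki.leaf, x509.NewCertPool(), "backend-host"))
}
```

When reading a Go-based proxy's debug log, the two underlying error texts are the quickest way to tell the cases apart: a SAN problem reads "x509: certificate is valid for backend-host, not backend-https-host", while a genuinely missing root reads "x509: certificate signed by unknown authority". Only the second would point at the rootCAs setting; the first is fixed on the backend certificate (or by dialing the name it was issued for), not by insecureSkipVerify.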


4 participants