ROCKET_TLS server as backend: BadCertificate #11223

@DaCHack

Description

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

  • Set up traefik as reverse proxy to vaultwarden container (using a ROCKET_TLS server internally listening on port 80 but expecting HTTPS)
  • Set up vaultwarden to use the internal SSL service with a letsencrypt certificate
  • Configured traefik to use its own letsencrypt certificate for the frontend and forward to port 80 of vaultwarden with - "traefik.http.services.vaultwarden.loadbalancer.server.scheme=https"

Expected to see vaultwarden functional when using https://internal.domain.com.

What did you see instead?

BadCertificate error on service-side (vaultwarden logs):

```text
[rocket_http::tls::listener][WARN] tls handshake with X.X.X.X:59756 failed: received fatal alert: BadCertificate
```

Seems to be an issue with how traefik handles vaultwarden's certificate, as other clients work fine when directly connecting to vaultwarden's port 80 via the docker network.

  • "--serverstransport.rootcas=/vault-ca.crt" does not seem to help, even though with this file including the root CA and certificate of the service the expectation would be that the server's certificate is accepted without further checking (which is not possible since traefik addresses the service via its IP and not its domain).

What version of Traefik are you using?

3.1.6

What is your environment & configuration?

```yaml
services:

  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      #- "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=XXXX"
      - "--certificatesresolvers.letsencrypt.acme.email=XXXX"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--serverstransport.rootcas=/vault-ca.crt"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - "XXXX_API_KEY=XXXX"
    volumes:
      - "/opt/appdata/traefik/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/opt/appdata/acme-lego-cron/certificates/test.test.com.crt:/vault-ca.crt"
    networks:
      - default
      - vaultwarden_default

networks:
  vaultwarden_default:
    external: true
```

```yaml
services:

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: "vaultwarden"
    restart: unless-stopped
    environment:
      ROCKET_TLS: '{certs="/ssl/XXX.pem",key="/ssl/XXX.key"}'
      #TODO: Replace with credentials file
      ADMIN_TOKEN: 'XXX'
    volumes:
      - /opt/appdata/acme-lego-cron/certificates:/ssl/
      - /opt/appdata/vaultwarden:/data/
    ports:
      - 8001:80/tcp
    healthcheck:
      disable: true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`test.test.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      - "traefik.http.services.vaultwarden.loadbalancer.server.scheme=https"
```

If applicable, please paste the log output in DEBUG level

```text
2024-10-25T09:14:11Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 7793ba43b45bb1b0
2024-10-25T09:14:11Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:100 > 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs"
```
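As an added example (not part of the issue and not Traefik's code), this Go program reproduces the backend verification Traefik's Go TLS client performs: a constructed certificate carrying only a DNS SAN verifies when the dialed name is the hostname and fails with the exact `doesn't contain any IP SANs` error from the DEBUG log when dialed by IP. The hostname `test.test.com` and IP `172.20.0.2` are taken from the issue; the `ips` parameter is an assumption that goes beyond the issue's setup so the IP-SAN variant can be tried too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a constructed self-signed server certificate with the given SANs.
func makeCert(dnsName string, ips ...net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{dnsName},
		IPAddresses:           ips, // a Let's Encrypt cert like vaultwarden's has none
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs runs the check Go's TLS client (hence Traefik) does: chain validation, then a name check on what was dialed.
func verifyAs(cert *x509.Certificate, dialed string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the backend certificate itself, as rootcas does here
	_, err := cert.Verify(x509.VerifyOptions{DNSName: dialed, Roots: roots})
	return err
}

func main() {
	cert, _ := makeCert("test.test.com")
	fmt.Println("by IP:  ", verifyAs(cert, "172.20.0.2"))    // ... doesn't contain any IP SANs
	fmt.Println("by name:", verifyAs(cert, "test.test.com")) // <nil>
}
```

Traefik dials the container by IP address, so this check can only pass if the backend certificate carries an IP SAN or Traefik is told which hostname to verify against (the dynamic serversTransport `serverName` option); trusting the certificate via rootcas does not skip the name check.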
