0

I have a docker-compose with severall apps, and traefik to do the routing and handle SSL/TSL certificates.

I changed DNS supplier from Google to OVH, and then it didn't work. I thought I just had to renew the certificates but restarting traefik after deleting and recreating acme.json file, but it didn't work.

Problem is, I have this error on my webpage : ERR_SSL_KEY_USAGE_INCOMPATIBLE

When I look into the certificate from the browser tools, I get this : TRAEFIK DEFAULT CERT

I tried with a curl, just in case this is cached :

curl -vI https://subdomain.mydomain.fr

  • Trying :443...
  • Connected to subdomain.mydomain.fr () port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, unknown CA (560):
  • SSL certificate problem: self signed certificate
  • Closing connection 0 curl: (60) SSL certificate problem: self signed certificate More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

So I started looking into every possibility, but I'm stuck.

Here's my docker-compose.yml file :

version: '3.9'

services:
  traefik:
    image: traefik:3.3.5
    container_name: traefik
    command: [--logLevel=DEBUG, --configFile=/traefik.yml]
    restart: always
    environment:
      - "TZ=Europe/Paris"
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=######"
      - "OVH_APPLICATION_SECRET=######"
      - "OVH_CONSUMER_KEY=######"
    networks:
      - traefik_public
      - elastic
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/user/infrastructure-master/traefik/config/traefik.toml:/traefik.toml
      - /home/user/infrastructure-master/traefik/config/letsencrypt:/letsencrypt
      - traefik_log:/var/log/traefik/
    labels:
      - "traefik.enable=true"

  my-app:
    image: registry.gitlab.####
    container_name: my-app
    depends_on:
      mq-messaging:
        condition: service_started
    environment:
      - ####
    networks:
      - traefik_public
      - artemis_messaging
      - logstash
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 10s
        order: stop-first
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-app.rule=Host(`subdomain.domain.fr`)"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.my-app.entrypoints=websecure"
      - "traefik.http.routers.my-app.tls.certresolver=my_prod_certs"
      - "traefik.http.services.my-app.loadbalancer.server.port=8091"

  mq-messaging:
    image: apache/activemq-artemis:2.31.2-alpine
    container_name: mq-messaging
    environment:
      - ####
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mq-messaging.rule=Host(`subdomain2.domain.fr`)"
      - "traefik.http.routers.mq-messaging.entrypoints=websecure"
      - "traefik.http.routers.mq-messaging.tls.certresolver=my_prod_certs"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.services.mq-messaging.loadbalancer.server.port=8161"
    volumes:
      - ./artemis/logging.properties:/var/lib/artemis/etc/logging.properties
      - ./artemis/jolokia-access.xml:/var/lib/artemis/etc/jolokia-access.xml
      - artemis_log:/var/lib/artemis/log/
    ports:
      - 8161:8161
      - 61616:61616
    networks:
      - traefik_public
      - artemis_messaging
      - elastic
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"


  keycloak:
    image: registry.gitlab.com/####
    container_name: keycloak
    command: ["start"]  
    depends_on:
      keycloak_db:
        condition: service_healthy
    environment:
      - ####
    labels:
      - "traefik.http.routers.keycloak.rule=Host(`subdomain3.domain.fr`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls.certresolver=my_prod_certs"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      - "traefik.enable=true"
    volumes:
      - keycloak_log:/opt/jboss/keycloak/standalone/log/
    networks:
      - keycloak_db
      - traefik_public
      - elastic
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"

  keycloak_db:
    image: postgres:10.4
    container_name: keycloak_db
    command: postgres -c log_filename=keycloak_v3_db-%Y-%m-%d_%H%M%S.log -c config_file=/etc/postgresql.conf
    environment:
      - ####
    volumes:
      - keycloak_db_data:/var/lib/postgresql/data
      - postgresql_log:/var/log/postgresql
      - ./postgresql/config/postgresql.conf:/etc/postgresql.conf
    networks:
      - keycloak_db
      - elastic
    restart: always
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready" ]
      interval: 10s
      timeout: 5s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"

  print-service-operation:
    image: registry.gitlab.com/####
    environment:
      - ####
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    deploy:
      replicas: 4
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"

  print-service-reservation:
    image: registry.gitlab.com/####
    environment:
      - ####
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    deploy:
      replicas: 4
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"

  external-api-provider:
    container_name: external-api-provider
    image: registry.gitlab.com/####
    environment:
        ####
    networks:
        - traefik_public
    labels:
        - "traefik.enable=true"
        - "traefik.http.routers.external-api-provider.rule=Host(`subdomain4.domain.fr`)"
        - "traefik.http.routers.external-api-provider.entrypoints=websecure"
        - "traefik.http.routers.external-api-provider.tls.certresolver=my_prod_certs"
        - "traefik.docker.network=traefik_public"
        - "traefik.http.services.external-api-provider.loadbalancer.server.port=3000"
    logging:
        driver: "json-file"
        options:
            max-size: "10m"
            max-file: "2"
    deploy:
        resources:
            limits:
                cpus: '0.50'
                memory: 50M
            reservations:
                cpus: '0.25'
                memory: 20M

  dxfconverter_v3:
    image: registry.gitlab.com/####
    container_name: dxfConverter
    links:
      - mq-messaging
    networks:
      - artemis_messaging
      - logstash
    restart: always
    logging:
        driver: "json-file"
        options:
          max-size: "10m"
          max-file: "2"
    environment:
      - ####

networks:
  traefik_public:
    external: true
  keycloak_db:
    name: keycloak_db
  artemis_messaging:
    name: artemis_messaging
  logstash:
    name: logstash
  elastic:
    name: elastic
volumes:
  traefik_log:
    name: traefik_log
  keycloak_db_data:
    name: keycloak_db_data
  postgresql_log:
    name: postgresql_log
  artemis_log:
    name: artemis_log
  keycloak_log:
    name: keycloak_log

I have a traefik.yml configuration file like this :

accessLog:
  filePath: "/var/log/traefik/access.log"
  fields:
    defaultMode: keep
    names:
      StartUTC: drop
    headers:
      defaultMode: keep

api:
  dashboard: true

log:
  level: DEBUG

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true

certificatesResolvers:
  showyou_prod_certs:
    acme:
      email: "####"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      storage: "/letsencrypt/acme.json"
      keyType: "RSA4096"
      dnsChallenge:
        provider: ovh
        delayBeforeCheck: 60
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
        disablePropagationCheck: true

I have an acme.json file, which I deleted, and recreated with the following read/write authorizations :

-rw------- 1 user user 42896 7 avril 10:34 ../traefik/config/letsencrypt/acme.json

In this file I have entries for every subdomain I use, looking like this :

"domain": {
   "main": "subdomain.domain.fr"
 },

followed by a certificate and a key (which I guess, I shouldn't share)

I can't find any error in traefik logs, but I have a lots of these :

2025-04-09T09:09:49+02:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

and these listed as debug, but I think they're still errors :

2025-04-09T09:12:25+02:00 DBG log/log.go:245 > http: TLS handshake error from 77.111.247.41:47137: remote error: tls: unknown certificate 2025-04-09T09:12:25+02:00 DBG log/log.go:245 > http: TLS handshake error from 77.111.247.41:52251: remote error: tls: unknown certificate

Any help would be much appreciated, I can provide you with more informations if you name it.

Improve this question
1
  • It seems the defined certResolver in traefik.yml does not match certresolver=my_prod_certs Commented Apr 15 at 16:25

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.