Traefik: Self-Signed SSL Certificate error loading

Hey everyone,
I am currently setting up Traefik as a load balancer / reverse proxy on NixOS-unstable.
Everything is working fine until I try to load a self-signed cert.pem and key.pem in the data directory of Traefik.

Input:

Configuration:

  services.traefik = {
    enable = true;
    dynamicConfigOptions = {
      http.middlewares.prefix-strip.stripprefixregex.regex = "/[^/]+";
      http = {
        services = {
          rtl.loadBalancer.servers = [ { url = "http://169.254.1.29:3000/"; } ];
          spark.loadBalancer.servers = [ { url = "http://169.254.1.17:9737/"; } ];
        };
        routers = {
          rtl = {
            rule = "PathPrefix(`/rtl`,`/rtl/`)";
            entryPoints = [ "websecure" ];
            service = "rtl";
            tls = true;
          };
          spark = {
            rule = "PathPrefix(`/spark`,`/spark/`)";
            entryPoints = [ "websecure" ];
            middlewares = "prefix-strip";
            service = "spark";
            tls = true;
          };
        };
      };
      tcp = {
        services = {
          electrs.loadBalancer.servers = [ { address = "169.254.1.16:50001"; } ];
        };
        routers = {
          electrs = {
            rule = "HostSNI(`*`)";
            entryPoints = [ "electrs" ];
            service = "electrs";
            tls = true;
          };
        };
      };
      tls = {
        certificates = {
          certFile = "/var/lib/traefik/cert.pem";
          keyFile = "/var/lib/traefik/key.pem";
        };
      };
    };
    staticConfigOptions = {
      accessLog = {};
      entryPoints = {
        web = {
          address = ":80";
          http.redirections.entrypoint = {
            to = "websecure";
            scheme = "https";
          };
        };
        websecure.address = ":443";
        electrs.address = ":50002";
      };
    };
  };

Certificate

Generated a new cert.pem and key.pem pair in /var/lib/traefik/ via:

openssl req -x509 -newkey rsa:4096 -keyout /var/lib/traefik/key.pem -out /var/lib/traefik/cert.pem -sha256 -days 365 -nodes

Expected Output

The cert gets loaded and works

Actual Output

time="2022-10-26T22:10:42+02:00" level=error msg="Unable to append certificate  to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
time="2022-10-26T22:10:42+02:00" level=error msg="Unable to append certificate  to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default

Thanks for your help

I could be wrong, but I believe that openssl command just creates a CSR and not a cert. So you’ll need to sign (or self-sign) the CSR to generate an actual cert file.

Yeah, I tried to sign a cert with the CA cert and use that, but it yields the same result …
The faulty line seems to be traefik/certificate.go at a002ccfce3af7b64f6f9525338d4830f260b509e (traefik/traefik on GitHub).
But I have no idea what went wrong or how to satisfy tls.X509KeyPair.
Will read up further on that.
Thanks for your help though!

I FOUND IT! It was such a stupid mistake, but very subtle:

The certificates section requires a list of maps instead of a map.
That said, Traefik's way of logging messages is so confusing it is beyond me.
Thanks for your help

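For readers landing here from the same error message, the corrected shape of the `tls.certificates` option, as an added example and not the original poster's configuration: Traefik's dynamic configuration takes `certificates` as a list of entries, so on NixOS the value must be a list of attribute sets, not a single attribute set. The file paths are the ones from the thread; the optional `stores` field is Traefik's documented per-certificate store selector and is not part of the thread.

```nix
# Added example: corrected `tls.certificates` for services.traefik.dynamicConfigOptions.
#
# The map form used in the thread renders to YAML like
#   tls:
#     certificates:
#       certFile: /var/lib/traefik/cert.pem
#       keyFile: /var/lib/traefik/key.pem
# which is not a list, so no (certFile, keyFile) pair reaches Traefik's loader.
#
# The list form below renders to
#   tls:
#     certificates:
#       - certFile: /var/lib/traefik/cert.pem
#         keyFile: /var/lib/traefik/key.pem
# which is what the file provider expects.
{
  services.traefik.dynamicConfigOptions.tls = {
    certificates = [
      {
        certFile = "/var/lib/traefik/cert.pem";
        keyFile = "/var/lib/traefik/key.pem";
        # Optional (Traefik's documented field, not from the thread): the TLS
        # store this pair belongs to; "default" is the only store Traefik v2 uses.
        stores = [ "default" ];
      }
    ];
  };
}
```

Before changing the Nix side, it is worth confirming the files themselves are what Traefik expects: `openssl x509 -in /var/lib/traefik/cert.pem -noout -subject -dates` should print the certificate's subject and validity, and the Traefik service user must be able to read both files. If that check passes and the "failed to find any PEM data" error persists, the problem is in the configuration shape rather than the certificate, which is exactly what this thread ended up finding.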