How to trust custom CAs with traefik

NethServer Version: 8
Module: traefik 3.0.2

Hi,

I’m running my own CA for my apps to request certificates from. Unfortunately, I can’t find a way to add the CA’s root certificate to the traefik container and therefore the ACME process fails in NethServer 8. Here is what I’ve tried:

First try, not working:
My Root CA Certificate has been added to the server’s cert pool of trusted CAs and I can curl/wget the directory without any error.
I’ve added the following lines to /home/traefik1/.config/state/environment:
LEGO_CA_SYSTEM_CERT_POOL=true
LEGO_CA_CERTIFICATES=/home/traefik1/.config/state/ca-certificates/lab-ca-2025-root-ca.pem
LEGO_CA_SERVERNAME=lab-ca.fritz.box

Second try, also not working:
I’ve added the following lines to /home/traefik1/.config/state/traefik.yml
certificatesResolvers:
  acmeServer:
    acme:
      caSystemCertPool: true
      caServerName: "lab-ca.fritz.box"
      caCertificates:
        - /home/traefik1/.config/state/ca-certificates/lab-ca-2025-root-ca.pem

Third try, working but not permanently:
runagent -m traefik1
podman exec -ti traefik sh
Download / copy certificate to /usr/local/share/ca-certificates
update-ca-certificates

Fourth try, unfortunately not working:
I’ve tried to run the commands above every time the traefik container is started. Therefore I’ve edited /home/traefik1/.config/systemd/user/traefik.service and added
--volume=./ca-certificates:/usr/local/share/ca-certificates:z \ to ExecStart and
ExecStartPost=-runagent write-hosts && runagent -m traefik1 && /usr/bin/podman exec -ti traefik update-ca-certificates

Do you have any idea what else I could try or what mistakes I’ve made? Thanks a lot.

It should work permanently when adding the cert to the NS8 host instead of the container, see also Request / Upload TLS-Certificate - #11 by mrmarkuz

You can also look at this discussion

Furthermore, a recently added feature can ease the implementation. It is relevant for setting LEGO_* vars and it has been discussed here:


Thanks for the link, but as mentioned above, I already did this. The host can access the directory without any problems:
[root@rocky9 ~]# wget -O - https://lab-ca.fritz.box/directory
--2025-03-31 11:44:22-- https://lab-ca.fritz.box/directory
Resolving lab-ca.fritz.box (lab-ca.fritz.box)... 10.10.20.116
Connecting to lab-ca.fritz.box (lab-ca.fritz.box)|10.10.20.116|:443... connected.
HTTP request sent, awaiting response... 200 OK

Thanks for the two links, I’ll look into it. Strangely, search didn’t bring them up when I was looking for a solution.

Thanks for all the links, unfortunately none of the proposed solutions worked. Strange but I don’t know why.
What actually worked was a small change in traefik.service. I mount a folder with my CA certs with
--volume=./ca-certificates:/usr/local/share/ca-certificates:z
and added a second ExecStartPost line:
ExecStartPost=-runagent write-hosts
ExecStartPost=-podman exec -ti traefik update-ca-certificates
I didn’t expect this syntax, to be honest.
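As an added example (not from this thread or from NethServer), a small POSIX shell check to run against a root CA file before copying it into the folder that gets mounted at /usr/local/share/ca-certificates; it assumes openssl 1.1.1 or newer on PATH, and that update-ca-certificates in the traefik image follows the Debian rule of only reading files named *.crt from that directory.

```shell
#!/bin/sh
# Sanity-check a root CA file before it is dropped into the mounted
# ca-certificates folder. Prints one reason per failed check and
# returns 0 only if every check passes.
check_ca_file() {
    f="$1"
    rc=0

    # Debian-style update-ca-certificates (assumed to hold for the traefik
    # image as well) only picks up *.crt files; a .pem copy is silently ignored.
    case "$f" in
        *.crt) ;;
        *) echo "$f: name must end in .crt for update-ca-certificates"; rc=1 ;;
    esac

    # Must parse as a PEM X.509 certificate at all.
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "$f: not a PEM X.509 certificate"
        return 1
    fi

    # A root is self-signed: issuer and subject must be identical. An
    # intermediate here would not make lego trust the chain.
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ]; then
        echo "$f: issuer differs from subject; not a self-signed root"
        rc=1
    fi

    # Trust stores only treat the file as a CA if basicConstraints says CA:TRUE.
    if ! openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null \
            | grep -q 'CA:TRUE'; then
        echo "$f: basicConstraints does not assert CA:TRUE"
        rc=1
    fi

    # Go's TLS stack (which lego uses) also checks the root's validity period.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$f: certificate has expired"
        rc=1
    fi

    return $rc
}

# Usage: check_ca_file ./ca-certificates/lab-ca-2025-root-ca.crt
```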