traefik 2.0 vs insecure SSL certificates

Guess I should quickly explain why someone would want to mess with bad SSL certificates. I mean, it sounds insecure as hell and you are right if you’re shaking your head. But sadly there are applications unable to deliver good certificates or exchange them. Best example is Ubnt and their controller for their software. They still don’t make it easy to exchange the bad certificates.

As that controller runs in a docker container here, it’s pretty logical to do a certificate replacement by proxying the web interface through Traefik. I mean, it’s GA Version is 2.0 – so what could possibly go wrong? Here’s the compose passage:

image: linuxserver/unifi-controller
restart: unless-stopped
- "3478:3478/udp"
- "10001:10001/udp"
- "6789:6789"
- "8080:8080"
- "8880:8880"
- "8443:8443"
- "8843:8843"
- traefik_proxy
- "traefik.enable=true"
- "traefik.http.routers.unifi.rule=Host(`${UNIFI_HOSTNAME}`)"
- "traefik.http.routers.unifi.entrypoints=http"
- "traefik.http.middlewares.unifi.redirectscheme.scheme=https"

- "traefik.http.routers.unifi-secure.rule=Host(`${UNIFI_HOSTNAME}`)"
- "traefik.http.routers.unifi-secure.entryPoints=https"
- "traefik.http.routers.unifi-secure.tls=true"
- ""
- ""

- TZ="Europe/Vienna"
- type: volume
source: unifi_data
target: /config
nocopy: true

And now this is where stuff breaks: traefik 2.0 seems to have a problem ignoring SSL certificates validity. As a temp. workaround you may want to jump the new 2.1 train which is available as release candidate. Looking through the bug list on Github, this issue was reported quite a while ago.

The matching error message as seen in the debug log:

‘500 Internal Server Error’ caused by: x509: cannot validate certificate for because it doesn’t contain any IP SANs


Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.