DST Root CA X3 issues with Traefik V1 and Consul in K8s

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: develop.dis-apeer.com

I ran this command:

It produced this output:

My web server is (include version): Traefik 1.7.24

The operating system my web server runs on is (include version): Alpine Linux v3.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

So I am running a Traefik V1 reverse proxy + Consul (for KV storage) from a stable Helm chart in a K8s cluster.
I am wondering whether there is any possibility to make Traefik not use "DST Root CA X3" as the trusted CA cert.
Anyone else using this tooling?

Welcome to the community!

I am not sure how to apply this in the Helm chart, but it is clear that Traefik supports the option. The example stanza within the documentation is even the applicable chain name for your desired scenario:
https://doc.traefik.io/traefik/https/acme/#preferredchain


Would be awesome if this would be possible in Traefik V1, but unfortunately this documentation refers to V2.

@ipczapeer

I believe you're going to have to wait for this issue to be closed: "ACME cannot select preferred chain in v1.7 which generates broken certificates (expired root CA in chain)" (Issue #8480, traefik/traefik on GitHub), by this PR: "acme: add support of preferredchain in Traefik v1" by ldez (Pull Request #8482, traefik/traefik on GitHub).

