Traefik v2 certificate NET::ERR_CERT_AUTHORITY_INVALID

rp346 · October 1, 2019, 5:59pm

I have setup Traefik v2 in EKS and configure certificate resolver with following config

[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "admin@rablighting.com"
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage = "/etc/traefik/storage/acme.json"
      [certificatesResolvers.letsencrypt.acme.dnsChallenge]
        provider = "route53"
        delayBeforeCheck = 0
        resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

Traefik container were able to get the certificate, which I verified by checking the contents of /etc/traefik/storage/acme.json.

But when I try to open HTTPS dashboard URL I get NET::ERR_CERT_AUTHORITY_INVALID error message in all browsers (Chrome, Safari, Firefox)

NET::ERR_CERT_AUTHORITY_INVALID
Subject: dev.lightcloud.ca
Issuer: Untrusted CA
Expires on: Dec 30, 2019
Current date: Oct 1, 2019

This Traefik environment running on AWS eks (v1.3) with traefik:v2.0
I am on Macbook (macOS : 10.13.6) with admin privileges & Chrome (Version 77.0.3865.90)

JuergenAuer · October 1, 2019, 6:21pm

Hi @rp346

please answer the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

rp346 · October 1, 2019, 6:43pm

Updated with more details.

JuergenAuer · October 1, 2019, 6:55pm

Hi @rp346

checking your domain via https://check-your-website.server-daten.de/?q=dev.lightcloud.ca that's

rp346:

But when I try to open HTTPS dashboard URL I get NET::ERR_CERT_AUTHORITY_INVALID error message in all browsers (Chrome, Safari, Firefox)
NET::ERR_CERT_AUTHORITY_INVALID
Subject: dev.lightcloud.ca
Issuer: Untrusted CA
Expires on: Dec 30, 2019
Current date: Oct 1, 2019

the expected result.

Your certificate is 90 days "valid"

CN=dev.lightcloud.ca
	01.10.2019
	30.12.2019
expires in 90 days	*.dev.lightcloud.ca, dev.lightcloud.ca - 2 entries

but you use the test system

so your certificate is from

CN=Fake LE Intermediate X1
	24.05.2016
	24.05.2036
expires in 6080 days

That's not a trusted certificate.

Change the caServer to the productive url

https://acme-v02.api.letsencrypt.org/directory

system · October 31, 2019, 8:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
X509 error while generating Let's Encrypt certificate with Traefik Help	13	4098	July 21, 2021
Can't Use Certbot w/Traefik Help	2	2656	April 8, 2019
Traefik 1.7 as loadbalancer / ingress dns-01 / acme challenge not working Help	6	1954	November 7, 2021
Only being issued with cert with example.org Help	28	2401	March 14, 2021
Traefik and Cloudflare ACME Help	6	2833	July 16, 2023

Traefik v2 certificate NET::ERR_CERT_AUTHORITY_INVALID

Related topics