TLS configuration being ignored

I have built a network of 3 service web, api and authentication. When I call function on the api or auth services that dont need authorization. However the moment I call one that requires authorization I get a certificate error saying it is untrusted.

I have google around and found the deamon.json file under my user directory in one called .docker. When I change this file to set the tlsCert, tlsCacert and the tlsKey they do show up in the setting of the docker desktop. However even after the restart running docker tlsverify ps errors as I can find a file, this file is not the one I configured. If i rename my pem file it goes on to the next file but again not one mention in my config. I have double check my json is correct even checked it is valid using jsonlint.

I have looked at every other reason as to why my docker is ignore my tls setting but I am at a loss.

Can anybody help me out with this?

Damion

What service is giving you what exact error? Is it in a web browser, using curl or are you seeing the error in logs?

How is authorization configured and handled? You use mTLS?

The web service will not start as it cant authorise the call to the authentication service. The authentication service works fine when I call an anonymous function but the moment I call one that requires authentication I get “The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot”.

Everywhere I have read instructs me to change the deamon.json to add
“tls”: true,
“tlscacert”: “C:\path\to\your\certificate.crt”,
“tlscert”: “C:\path\to\your\cert.crt”,
“tlskey”: “C:\path\to\your\key.key”

However the docker service will not restart with the “tls”: entry. I have even tried tlsverify but that also causes the service not to restart. With out these entries I cant start the docker service but the certificates are being ignored

Potentially there are 3 TLS certs involved: the one Traefik is serving to the client/browser, the one to the auth service when using ForwardAuth inside Traefik and the one to your target service within Traefik.

None of those have anything to do with daemon.json.

1 Like