Pydio Cells docker + traefik: bad certificate

The exact error is

2022-09-25T13:52:38.829Z        DEBUG           http: TLS handshake error from 172.28.0.2:47478: remote error: tls: bad certificate

The docker-compose.yml :

version: "3.7"
services:
  mysql:
    image: mysql:8
    container_name: mysql
    restart: unless-stopped
    volumes:
      - ./mysql_data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=cells
      - MYSQL_USER=${MYSQL_USER_LOGIN}
      - MYSQL_PASSWORD=${MYSQL_USER_PWD}
    command:
      - mysqld
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_unicode_ci

  cells:
    image: pydio/cells:latest
    container_name: cells
    restart: unless-stopped
    expose:
      - 443
    volumes:
      - ./cache:/var/cells
      - ./data:/data
      - ./install-conf.yml:/pydio/config/install.yml:ro
    environment:
      - CELLS_INSTALL_YAML=/pydio/config/install.yml
      - CELLS_LOG=debug
      - CELLS_WORKING_DIR=/var/cells
      - CELLS_DATA=/data
      - CELLS_BIND=0.0.0.0:443
      - CELLS_EXTERNAL=https://${FQDN}
      - CELLS_ENABLE_METRICS=false
      - CELLS_ADMIN_PWD=${CELLS_ADMIN_PWD}
      - MYSQL_USER_LOGIN=${MYSQL_USER_LOGIN}
      - MYSQL_USER_PWD=${MYSQL_USER_PWD}
    labels:
      - traefik.enable=true
      - traefik.http.services.cells.loadbalancer.server.scheme=https
      - traefik.http.routers.cells.rule=Host(`${FQDN}`)
      - traefik.http.routers.cells.entrypoints=websecure
      - traefik.http.routers.cells.tls=true
      - traefik.http.routers.cells.tls.certresolver=production
    depends_on:
      - mysql

networks:
  default:
    external: true
    name: proxy

pydio cells logs (I replaced my domain name with FQDN):
https://pastebin.com/raw/XFV4T4RU

So when I start up the docker-compose, https://FQDN gives me ‘Internal Server Error’

The logs tell me it’s a certificate issue. I know for a fact that it’s not a problem with the certificate that Traefik uses, I have ~15 other services running just fine with it.
I don’t really know what to do now.
Any suggestion on making this certificate work?

Hello and welcome to the forum.

The problem is that the self-signed certificate generated by Cells for the traffic between Traefik and Cells is not accepted by Traefik.

You have 3 choices:

  • you skip validation of the Cells cert in Traefik
  • you perform TLS termination in Traefik and use plain http between Cells and Traefik
  • you provide Cells with a cert that is accepted by Traefik

so if I understand correctly, this certificate is only used for TLS within the internal network behind Traefik?
I think I could go without it. How could I modify my configuration to fix it?

so if I understand correctly, this certificate is only used for TLS within the internal network behind Traefik?

Yes, TLS for the “outside world” is provided by Traefik. You only need TLS from your reverse proxy to Cells if you use the Cells Sync Client.

I think I could go without it. How could I modify my configuration to fix it?

What about reading the doc? :slight_smile:
https://pydio.com/en/docs/kb/deployment/running-cells-container-behind-traefik-reverse-proxy

let us know if something is not clear enough or outdated.

Happy file sharing

Thank you for your help. I have to tell you that I am well aware of this documentation and you can be sure that I have read several times every single forum thread here about traefik and I have also seen every bit of documentation available.
Because the docker-compose.yml at that link does not work, I went a step further and found a more recent version of it on github. You will find that the github version is slightly different, specifically the part with:

  - CELLS_INSTALL_YAML=/pydio/config/install.yml
  - CELLS_BIND=0.0.0.0:443

Now, neither docker-compose.yml works for me: I get the same certificate error. I forgot that the internal TLS certificate is necessary for the sync function, in that case I need to make it work.
It’s hard for me to say if something is outdated but it feels to me like I’m missing a small piece of the puzzle.
Which steps would you take to provide Cells with a certificate that is accepted by Traefik?
I didn’t find documentation on it, only about the certificate from traefik to the internet

Hello

And we thank you for this :), it’s good to hear

Have you tried to skip verification of Cells certificate at the Traefik server level, typically by adding

 - --serverstransport.insecureskipverify=true

in the command section of the Traefik container?

This tells Traefik to not try to validate the certificate that is exposed by the Cells service (in the config you’ve shown, cells is exposing a self-signed dynamically generated cert).
This is OK if your services (Traefik, Cells, your other servers) communicate via a reasonably secured private network.
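As an added example (not from this thread, nor from the Pydio or Traefik documentation), here is how the two certificate-related choices from the list above can be expressed in a Traefik dynamic configuration file, scoped to the Cells backend only rather than via the global `--serverstransport.insecureskipverify=true` flag, so the other ~15 services keep full certificate verification. It assumes Traefik v2.4 or later, a file provider watching the directory `/etc/traefik/dynamic/`, and a CA file `/etc/traefik/certs/cells-ca.pem` (all three are assumed values, not from the thread).

```yaml
# /etc/traefik/dynamic/cells.yml  (assumed path, loaded by Traefik's file provider;
# enable it on the Traefik container with
#   --providers.file.directory=/etc/traefik/dynamic --providers.file.watch=true)
# Added example, not part of the original thread. Traefik v2.4+ syntax.
http:
  serversTransports:

    # Choice 1 from the thread, but scoped: only the Cells backend skips
    # verification. Every other service behind Traefik is still verified,
    # which is the main drawback of the global insecureskipverify flag.
    cells-skipverify:
      insecureSkipVerify: true

    # Choice 3 from the thread: Cells serves a certificate issued by a private
    # CA, and Traefik verifies the backend against that CA instead of skipping
    # checks. serverName must match a SAN in the certificate Cells presents.
    cells-trusted:
      serverName: cells
      rootCAs:
        - /etc/traefik/certs/cells-ca.pem   # assumed path, mounted read-only

# Bind one transport to the cells service in docker-compose.yml. "@file" is the
# provider that loaded the transport definition above. Pick exactly one:
#
#   labels:
#     - traefik.http.services.cells.loadbalancer.serverstransport=cells-trusted@file
#     # or, while a trusted certificate is not yet in place:
#     - traefik.http.services.cells.loadbalancer.serverstransport=cells-skipverify@file
```

Switching from `cells-skipverify` to `cells-trusted` later requires no change to the Traefik container itself, only a new label on the cells service and the CA file on disk.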

ah thanks, that works for me. I incorrectly assumed that insecureskipverify=true would make the connections insecure but if you tell me that it’s only in the docker bridge network shared by Traefik and Cells then it’s acceptable. I’m usually very reluctant to changing the Traefik config as it could affect my other services.
Thank you very much for your patience and help.