@hivelogic2018
Created August 17, 2025 13:43
How to make and force Teleport to use the trusted certificates from Traefik?

To make Teleport use the trusted certificates Traefik already holds, configure Teleport's proxy to serve the certificate that Traefik's ACME resolver obtained from Let's Encrypt. Traefik can then verify Teleport's certificate like any other publicly issued one, which fixes the 500 Internal Server Error Traefik returns when the TLS handshake to the backend fails, without disabling verification through insecureSkipVerify.

This process involves four main steps:

  1. Extract the certificates: Traefik keeps the certificates its ACME resolver obtained in /var/traefik/certs/cloudflare-acme.json inside the Traefik container; with the compose file below, that is ./certs/cloudflare-acme.json on the host. Pull the certificate and private key covering the Teleport hostname out of that file and write them as PEM files. This is a manual step unless you automate it.
  2. Create a shared volume: Give the Traefik and Teleport containers a common host path where the extracted files live.
  3. Update Teleport's configuration: Point the proxy_service section of teleport.yaml at the extracted certificate and key instead of the self-signed certificate Teleport generates on first start.
  4. Restart the services: Recreate both containers so the new volume and configuration take effect. Repeat step 1 and restart Teleport after each Let's Encrypt renewal (the certificates are valid for 90 days), or automate that.

Step 1: Extract the Certificate and Key

The cloudflare-acme.json file is a JSON object keyed by resolver name. Each resolver holds a Certificates array, and each element carries a domain object (main plus sans) together with certificate and key fields, both base64-encoded PEM. Find the element whose names cover your Teleport hostname (for teleport.zingastay.com that is the entry for zingastay.com with *.zingastay.com in its sans) and base64-decode those two fields.

The usual shortcut is traefik-certs-dumper, which does this for every certificate in the file. If you cannot run extra tools, copy the two values by hand and base64-decode them into teleport.crt and teleport.key. The decoded output must start with -----BEGIN CERTIFICATE----- and a -----BEGIN ... PRIVATE KEY----- line respectively; that PEM form is what Teleport's https_keypairs expects, so no further conversion is needed.
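The extraction in Step 1, as an added example that is not part of the original gist and not Traefik's or Teleport's own tooling. It assumes the acme.json layout described above (resolver name, Certificates array, domain/certificate/key fields with base64-encoded PEM), uses only the standard library, and writes the key with mode 0600 so it is never world-readable on the shared volume. The embedded acme.json and its PEM bodies are constructed placeholders, not real keys.

```python
"""Dump the Let's Encrypt certificate and key that Traefik's ACME resolver
saved in acme.json into the PEM files Teleport's proxy_service expects.

Added example (standard library only), not Traefik's or Teleport's own tooling.
Assumed acme.json layout:
  {"<resolver>": {"Account": {...},
                  "Certificates": [{"domain": {"main": "...", "sans": [...]},
                                    "certificate": "<base64 PEM>",
                                    "key": "<base64 PEM>", ...}]}}
"""
import base64
import json
import os
import stat
import tempfile

# Constructed stand-in for cloudflare-acme.json. Real entries carry full
# Let's Encrypt PEM bodies; the bodies here are placeholders, not real keys.
FAKE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = b"-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({
    "cloudflare": {
        "Account": {"Email": "admin@zingastay.com"},
        "Certificates": [{
            "domain": {"main": "zingastay.com", "sans": ["*.zingastay.com"]},
            "certificate": base64.b64encode(FAKE_CERT_PEM).decode("ascii"),
            "key": base64.b64encode(FAKE_KEY_PEM).decode("ascii"),
            "Store": "default",
        }],
    }
})


def covers(san, hostname):
    """True if SAN entry `san` matches `hostname`. A wildcard matches exactly
    one DNS label: *.zingastay.com covers teleport.zingastay.com but neither
    zingastay.com itself nor a.b.zingastay.com."""
    if san.startswith("*."):
        label, sep, rest = hostname.partition(".")
        return sep == "." and label != "" and rest == san[2:]
    return san == hostname


def find_entry(acme, resolver, hostname):
    """Return the Certificates entry under `resolver` whose names cover hostname."""
    for entry in acme.get(resolver, {}).get("Certificates") or []:
        dom = entry.get("domain", {})
        names = [dom.get("main", "")] + list(dom.get("sans") or [])
        if any(covers(n, hostname) for n in names):
            return entry
    raise LookupError(f"no certificate for {hostname} under resolver {resolver!r}")


def decode_pem(field_b64, label):
    """Base64-decode an acme.json field and check it is PEM of the expected kind."""
    pem = base64.b64decode(field_b64)
    first_line = pem.split(b"\n", 1)[0]
    if not first_line.startswith(b"-----BEGIN ") or label not in first_line:
        raise ValueError(f"decoded field is not a PEM {label.decode()}: {first_line!r}")
    return pem


def write_pem(path, data, mode):
    """Create `path` with `mode` from the first byte so the key is never
    world-readable, then chmod in case the process umask was looser."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    return path


def dump_for_teleport(acme_path, resolver, hostname, out_dir):
    """Write teleport.crt (0644) and teleport.key (0600) into out_dir."""
    with open(acme_path, "rb") as fh:
        acme = json.load(fh)
    entry = find_entry(acme, resolver, hostname)
    cert = decode_pem(entry["certificate"], b"CERTIFICATE")
    key = decode_pem(entry["key"], b"PRIVATE KEY")
    return {
        "main": entry["domain"]["main"],
        "cert": write_pem(os.path.join(out_dir, "teleport.crt"), cert, 0o644),
        "key": write_pem(os.path.join(out_dir, "teleport.key"), key, 0o600),
    }


def demo():
    """Run the dump against the constructed acme.json in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        acme_path = os.path.join(tmp, "cloudflare-acme.json")
        with open(acme_path, "w") as fh:
            fh.write(SAMPLE_ACME_JSON)
        out = dump_for_teleport(acme_path, "cloudflare", "teleport.zingastay.com", tmp)
        with open(out["cert"], "rb") as fh:
            cert_ok = fh.read() == FAKE_CERT_PEM
        with open(out["key"], "rb") as fh:
            key_ok = fh.read() == FAKE_KEY_PEM
        key_mode = stat.S_IMODE(os.stat(out["key"]).st_mode)
        return {"main": out["main"], "cert_ok": cert_ok, "key_ok": key_ok, "key_mode": key_mode}


if __name__ == "__main__":
    print(demo())
```

Against the real file you would call dump_for_teleport("./certs/cloudflare-acme.json", "cloudflare", "teleport.zingastay.com", "./shared-certs") on the host; the resolver name is assumed to be cloudflare from the file name, so adjust it if your certificatesResolvers entry is named differently. Run it again after each renewal, since Traefik updates acme.json but nothing copies the new files into the shared directory.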


Step 2: Configure a Shared Certificate Volume

In your traefik-compose.yaml and teleport-compose.yaml, define a named volume or a host path that both containers mount. The simplest way is a host path, mounted read-only in the Teleport container since it only needs to read the files.

traefik-compose.yaml:

services:
  traefik:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/:/etc/traefik/:ro
      - ./certs/:/var/traefik/certs/:rw
      # This is the new shared volume. You can choose any path.
      - ./shared-certs/:/shared-certs:rw

teleport-compose.yaml:

services:
  teleport:
    volumes:
      - /etc/teleport:/etc/teleport
      # Mount the same volume as Traefik
      - ./shared-certs/:/shared-certs:ro

After updating these files, place teleport.crt and teleport.key in ./shared-certs/ on the host. The key file is the private key for zingastay.com, so make it readable only by the user Teleport runs as (chmod 600), and keep ./shared-certs/ out of any backup or repository that is not protected at least as well as the ACME file itself.


Step 3: Modify Teleport's teleport.yaml

Now update teleport.yaml so the proxy serves the new certificate and key.

In the proxy_service block, add an https_keypairs entry pointing at the mounted files, make sure public_addr is a hostname the certificate covers, and set web_listen_addr to the port Traefik forwards to. The version key belongs at the top level of the file, not inside the teleport: block.

version: v2
teleport:
  # ...
proxy_service:
  # Where the proxy listens inside the container; Traefik forwards to this port
  web_listen_addr: 0.0.0.0:3080
  # The Let's Encrypt certificate and key extracted from Traefik's acme.json
  https_keypairs:
    - cert_file: /shared-certs/teleport.crt
      key_file: /shared-certs/teleport.key
  # Must be a name the certificate covers (here via the *.zingastay.com wildcard)
  public_addr:
    - teleport.zingastay.com:443
  # ...

Step 4: Restart the Containers

Finally, recreate both containers so the new volume mounts and configuration are picked up. The two services live in separate compose files, so pass each file explicitly:

docker compose -f traefik-compose.yaml up -d traefik
docker compose -f teleport-compose.yaml up -d teleport

Because docker compose up only recreates a container whose definition changed, use docker compose -f teleport-compose.yaml restart teleport after refreshing the certificate files later, so the proxy loads the new keypair.

Teleport now presents a certificate that chains to a public CA, so you can remove serversTransport: insecureSkipVerify: true from your Traefik configuration. Two checks before you do: the name Traefik uses to reach Teleport must be one the certificate covers, so either point the service URL at teleport.zingastay.com or set serverName on the serversTransport to that hostname (otherwise Traefik verifies the certificate against the container name, the handshake fails, and the 500 comes back); and the extracted files must be refreshed after every Let's Encrypt renewal, since Traefik renews its copy in acme.json but nothing updates ./shared-certs/ automatically.
