From 9163f919c8b237363e12eee3aa9ed8c688a2ba72 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 11 Apr 2026 11:45:02 +0200
Subject: [PATCH] fix: move TLS default cert config to Traefik dynamic config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Traefik v3 ignores tls.stores.default in the static config, causing it to serve its auto-generated fallback cert instead of the platform cert. Moving the default certificate store to the dynamic config (file provider) fixes this — Traefik now serves the correct cert and also picks up cert rotations without a restart.

This was the root cause of OIDC PKIX failures: the server imported the CA into its JVM truststore, but Traefik was serving a different cert entirely.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/traefik-dynamic.yml | 7 +++++++
 traefik.yml | 6 ------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/docker/traefik-dynamic.yml b/docker/traefik-dynamic.yml
index a153f68..d20cd3e 100644
--- a/docker/traefik-dynamic.yml
+++ b/docker/traefik-dynamic.yml
@@ -15,3 +15,10 @@ http:
 regex: "^(https?://[^/]+)/?$"
 replacement: "${1}/platform/"
 permanent: false
+
+tls:
+ stores:
+ default:
+ defaultCertificate:
+ certFile: /etc/traefik/certs/cert.pem
+ keyFile: /etc/traefik/certs/key.pem
diff --git a/traefik.yml b/traefik.yml
index 27df844..ee265b1 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -22,9 +22,3 @@ providers:
 file:
 filename: /etc/traefik/dynamic.yml
 
-tls:
- stores:
- default:
- defaultCertificate:
- certFile: /etc/traefik/certs/cert.pem
- keyFile: /etc/traefik/certs/key.pem
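Review bot: The reason the added `tls.stores` block lives in docker/traefik-dynamic.yml rather than traefik.yml is recorded only in the commit message, so a later cleanup could move it back into the static config and silently reintroduce the fallback-certificate problem. Add a comment above the new `tls:` key, e.g. `# Must stay in the dynamic (file-provider) config: Traefik v3 ignores tls.stores in the static config and serves its auto-generated fallback cert instead.` Also note that if either file under /etc/traefik/certs/ is missing or unreadable when the dynamic config is loaded, Traefik presumably falls back to that same generated certificate rather than refusing to start, so the PKIX symptom described in the message can return with no config change; a startup or readiness check that the served leaf certificate matches cert.pem would make that failure visible. Whether rotations are picked up without a restart depends on the file provider's watch behaviour for the mounted dynamic.yml and the cert files, which neither hunk shows.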