Comments (9)
Hi @Daniel-dev22, thanks for your contribution :). This is an interesting proposal, let's see what the community thinks about it, and depending on the feedback, we might implement an enhancement in the future.
from traefik.
Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.
from traefik.
Can you share your mTLS configuration? Are you requiring and verifying the certificate?
mTLS works for me but doesn't prompt in the browser. I have Traefik communicating to another host running Traefik and passing mTLS, and it works. But if I try to go to that endpoint in the browser it doesn't prompt, so I get the certificate verify failed error in the browser.
from traefik.
Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.
Can you share your MTLs configuration? Are you requiring and verifying the certificate?
MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.
This part of the configuration looks like this:
# tls.options (and the http section below) are dynamic configuration (file provider);
# entryPoints is static configuration.
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
    cert:
      minVersion: VersionTLS12
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        caFiles:
          # the intermediate (device) CA that issued the client certificates
          - /etc/traefik/cert/device.ca.crt

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls:
        options: cert          # refers to the "cert" TLS option above
        certresolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
      middlewares:
        - gzip

http:
  routers:
    foo:
      rule: Host(`example.com`)
      entryPoints: https
      service: foo
  services:
    foo:
      loadBalancer:
        servers:
          - url: "http://server-foo:80"
It works fine on Chrome and other mobile browsers:
from traefik.
Not sure how I could have it set up incorrectly. This works where one Traefik instance successfully communicates to the server side over mTLS. So I would assume that if that works but the browser doesn't prompt, it's set up partially correctly? What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the CA certificate inside the ca.pem and that's it.
My server side has:
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: le
        domain:
          main: domain.net
  options:
    mtls-tunnel:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - /etc/traefik/mtls/ca.pem
        clientAuthType: RequireAndVerifyClientCert
Client side has:
http:
  # client certificates for upstream mTLS are configured on a serversTransport
  serversTransports:
    mtls:
      certificates:
        - certFile: /etc/traefik/mtls/client.pem
          keyFile: /etc/traefik/mtls/client-key.pem
from traefik.
Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt
device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
from traefik.
I think that's probably the difference. I don't have a device.ca, I just have client.crt. Is the device.ca something you added to the Traefik config, or the actual client certificate store?
Curious why this works for me with Cloudflare, and I never added anything to the device certificate store other than the client certificate.
Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that: I didn't add the Traefik client cert to my device certificate store. Going to convert it to a p12 for Android and try that.
from traefik.
Yep, that was it. Just added the client key and client cert into a p12 and installed it on the client, and it works now. I'm getting a prompt. Thank you for the sanity check @Scribing, this can be closed now.
from traefik.
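The two things the thread turns on are (a) whether the file in caFiles is the CA that actually issued the client certificate (the root.ca -> device.ca -> client.crt chain above) and (b) getting the client certificate, with its key, into the device's store as a .p12. The script below is an added example, not code from this thread or from the Traefik project: it builds such a chain with openssl, shows which CA file makes the leaf verify the way Traefik's caFiles would, and bundles the leaf plus key into a PKCS#12. It assumes openssl is on PATH; the subjects, file names and the "changeit" passphrase are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Traefik project.
# Builds root.ca -> device.ca -> client.crt, checks which CA file accepts the
# leaf the way Traefik's caFiles would, and makes a .p12 for a phone/browser.
# Subjects, file names and the "changeit" passphrase are made up here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

mkcert_chain() {
  # Root CA: self-signed, constrained to signing certificates and CRLs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key \
    -extfile root.ext -out root.crt 2>/dev/null
  # Intermediate "device CA" signed by the root; pathlen:0 stops it from
  # issuing further CAs. This is the file that belongs in caFiles.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Device CA" \
    -keyout device.ca.key -out device.ca.csr 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in device.ca.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out device.ca.crt 2>/dev/null
  # Leaf for one user/device. Go (and so Traefik) requires the clientAuth
  # extended key usage on a client certificate, so set it explicitly.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in client.csr -CA device.ca.crt -CAkey device.ca.key \
    -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null
}

# verify_leaf CAFILE LEAF [CHAIN]: does CAFILE (what you would put in caFiles)
# accept LEAF, optionally with CHAIN as the extra certs the client presents?
# Go treats every cert in the pool as a trust anchor, even a non-self-signed
# intermediate; openssl needs -partial_chain to behave the same way.
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -partial_chain -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Sanity check that the CA in caFiles is really the one that signed the leaf.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# What the thread ended up doing for Android: leaf + key in one .p12.
# Including the intermediate lets the browser present the whole chain, so the
# server can verify even when caFiles holds only the root.
make_p12() {
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile device.ca.crt \
    -name alice -passout pass:changeit -out client.p12 2>/dev/null
}
p12_cert_count() {
  openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

mkcert_chain
printf 'leaf issuer: %s\ndevice CA  : %s\n' "$(issuer_of client.crt)" "$(subject_of device.ca.crt)"
verify_leaf device.ca.crt client.crt && echo "caFiles=device.ca.crt, leaf only        : OK"
verify_leaf root.crt client.crt || echo "caFiles=root.crt,      leaf only        : FAIL (the verify error the browser hits)"
verify_leaf root.crt client.crt device.ca.crt && echo "caFiles=root.crt,      leaf+intermediate: OK"
make_p12 && echo "client.p12 holds $(p12_cert_count) certificates"
```

The failing case is the one from the thread: caFiles holds only the root, the browser sends only the leaf, and the handshake ends in certificate verify failed. Either put device.ca.crt in caFiles (the first comment's advice) or ship the intermediate inside the .p12 so the client presents it. The browser only prompts when it has an installed certificate whose issuer matches a CA name the server advertises in its request, which is why nothing happened until the .p12 was imported. On OpenSSL 3 the .p12 is written with modern PBES2 encryption; if an older device refuses to import it, openssl pkcs12 -export -legacy writes the older encoding.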
👏
from traefik.