Comments (8)
Update.
It seems there is a routing problem when using the websecure endpoint.
I tried to test the certificate itself. Therefore I switched from IngressRoute to IngressRouteTCP to be able to use TLS passthrough. But it appeared that routing doesn't work when I try to use an IP address: HostSNI(`10.1.0.71`).
If I use HostSNI(`*`) and TLS passthrough, then communication works and my certificate is OK. Here is the working manifest:
```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-nginx-ingressroute
  namespace: test
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: HostSNI(`*`)
      services:
        - name: test-nginx
          port: 443
  tls:
    passthrough: true
```
So, the problem still persists. As I understand, Traefik doesn't route https traffic correctly with IngressRoute.
Ah, I can't use an IP address with HostSNI. But at least I see that the certificate is fine and routing works for http traffic and when using HostSNI(`*`).
IngressRoute, however, can't match the certificate for some reason, even though the IP address in the routing configuration matches the IP SANs in the certificate.
Hello @ostapkostyk,
Thanks for reaching out!
To keep the repository focused, we ask that all questions be asked in the community forum. It is pretty active, so you might find that your question has already been answered there. If not, you can ask and get help from other community members pretty quickly.
Hello nmengin,
Sorry if I didn't understand something or missed something, but my intention wasn't to post a question here, rather to point out that Traefik doesn't work correctly.
I asked in the community, got no answer, then I investigated further and now, to the best of my knowledge, I assume that Traefik just doesn't work correctly.
If you see that this is not a bug but rather my configuration is wrong, could you point me to where I'm wrong?
To my understanding, Traefik doesn't match the TLS certificate in case I use IP SANs in the certificate and a Host rule in the IngressRoute.
Hello @ostapkostyk,
Let's reopen the issue; maybe we were mistaken at first in understanding that it was a question about TLS configuration.
> So, the problem still persists. As I understand, Traefik doesn't route https traffic correctly with IngressRoute
The problem you are facing is not related to HTTP: the TLS termination happens before the request is sent, and the IngressRoute is not the cause.
> Serving default certificate for request: ""
This error log states that the default certificate is served because of an empty server name in the client hello.
The client doesn't provide the serverName and no matching certificate can be found.
What is the use case you are trying to achieve? Could you please elaborate?
As of now, the certificate lookup is based only on the serverName, but looking for a certificate matching the local address IP would not fit in your case, if the IP in the Host matcher of the IngressRoute is the service one.
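The SNI-only lookup described in the reply above, reproduced as an added Go example (not Traefik's own code): a local TLS server picks its certificate purely from the ClientHello ServerName and falls back to a default certificate otherwise, which is why a certificate carrying only an IP SAN is never selected. The DNS name nginx.example.test and the certificates are constructed test data; the 10.1.0.71 IP SAN is the address from this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throw-away in-memory certificate (constructed test data) with the given SANs.
func selfSigned(cn string, dns []string, ips []net.IP) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: dns, IPAddresses: ips}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ServedCN runs one in-memory handshake against a server whose certificate lookup is SNI-only,
// as described in the thread, and returns the CN of the leaf certificate the client received.
// serverName is what the client asks for; an IP literal is stripped from SNI (RFC 6066), so the
// server then sees an empty name, exactly like the `request: ""` log line in the thread.
func ServedCN(serverName string) (string, error) {
	svc := selfSigned("service", []string{"nginx.example.test"}, []net.IP{net.ParseIP("10.1.0.71")})
	def := selfSigned("TRAEFIK DEFAULT CERT", nil, nil) // stand-in for Traefik's built-in default
	srvCfg := &tls.Config{SessionTicketsDisabled: true} // no post-handshake writes over the pipe
	srvCfg.GetCertificate = func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == "nginx.example.test" {
			return &svc, nil
		}
		return &def, nil // empty or unknown SNI: the certificate's IP SAN is never consulted
	}
	cliConn, srvConn := net.Pipe()
	go func() { // server side
		tls.Server(srvConn, srvCfg).Handshake()
		srvConn.Close()
	}()
	defer cliConn.Close()
	// InsecureSkipVerify only so the self-signed test certificate is accepted; SNI is unaffected.
	c := tls.Client(cliConn, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling ServedCN("10.1.0.71") returns the default CN just like ServedCN(""), because Go's client, like browsers and openssl s_client connecting to an address, sends no SNI for an IP literal.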
I thought I was the only one experiencing this issue. I've been burnt out from trying different configurations, and I keep coming to the same conclusion.
In my case, I can successfully issue a certificate, but only for the Traefik Dashboard using secretName through a certificate in the Traefik namespace, pulled from a production Let's Encrypt cluster issuer.
However, all other services deployed with an IngressRoute don't get issued a certificate, despite having a valid and successfully issued certificate for the hostname and namespace from ACME.
In the Traefik Dashboard, I can see that my test Nginx server has a websecure entry point with a TLS certificate from Let's Encrypt.
But when I run `openssl s_client -connect nginx.local.lab.tech:443`, it indicates that the certificate is self-signed and not from Let's Encrypt.
I tested this with both staging and production ACME servers.
My Environment:
- RKE2 with IPVS
- MetalLB
- Cert Manager using Let's Encrypt with DNS-01 challenge from Cloudflare
- Traefik 3.0.1
Hello @rtribotte,
> As of now, the certificate lookup is based only on the serverName
Thanks, this explains the behavior quite clearly.
My use case:
We have a k3s cluster on bare metal. I'd like to expose some services only within the local network (administration services). For non-technical reasons there is no DNS service in the network and I can't set it up (no access). Therefore certificates are issued with IP addresses as IP SANs, but unfortunately Traefik can't match them.
Technical configuration:
I use Vault from HashiCorp as PKI and Cert-Manager to manage certificates. Just for testing I deployed a simple nginx web server and try to route traffic with Traefik's IngressRoute.
What I tried:
- route traffic without TLS: works
- route traffic with TLS from Traefik (without TLS between Traefik and nginx): doesn't work due to the default certificate from Traefik
- encrypt traffic from nginx and use TLS passthrough mode in Traefik: doesn't work for an individual service and I don't want to set this flag globally
- use the default TLSStore from Traefik: it works and currently is my workaround. I just can't manage certificates individually for each service (don't need it now)
The IP address in the IngressRoute for matching is from the host network, it's not an IP from the kubernetes environment. Actually, this IP comes from the MetalLB load-balancer.
Thank you for your interest in this issue! If you need manifests, I'll be happy to provide them on request.