
Comments (8)

ostapkostyk commented on June 24, 2024

Update.

Seems there is routing problem when using websecure endpoint.

I tried to test the certificate itself. Therefore I switched from IngressRoute to IngressRouteTCP to be able to use TLS passthrough. But it appeared that routing doesn't work when I try to use an IP address: HostSNI(`10.1.0.71`).

If I use HostSNI(`*`) and TLS passthrough, then communication works and my certificate is OK. Here is the working manifest:

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-nginx-ingressroute
  namespace: test
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: HostSNI(`*`)
      services:
        - name: test-nginx
          port: 443
  tls:
    passthrough: true

So, the problem still persists. As I understand it, Traefik doesn't route HTTPS traffic correctly with IngressRoute.

from traefik.

ostapkostyk commented on June 24, 2024

Ah, I can't use an IP address with HostSNI. But at least I see that the certificate is fine and routing works for HTTP traffic and when using HostSNI(`*`).
IngressRoute, however, can't match the certificate for some reason, even though the IP address in the routing configuration matches the IP SANs in the certificate.


nmengin commented on June 24, 2024

Hello @ostapkostyk,

Thanks for reaching out!
To keep the repository focused, we ask that all questions be asked in the community forum. It is pretty active, so you might find that your question has already been answered there. If not, you can ask and get help from other community members pretty quickly.


ostapkostyk commented on June 24, 2024

Hello nmengin,

Sorry if I didn't understand something or missed something, but my intention wasn't to post a question here, rather to point out that Traefik doesn't work correctly.
I asked in the community forum and got no answer, then I investigated further, and now, to the best of my knowledge, I assume that Traefik just doesn't work correctly.

If you see that this is not a bug but rather my configuration is wrong, could you point me where I'm wrong?

To my understanding, Traefik doesn't match the TLS certificate in case I use IP SANs in the certificate and a Host rule in the IngressRoute.


rtribotte commented on June 24, 2024

Hello @ostapkostyk,

Let's reopen the issue; maybe we were mistaken at first in understanding that it was a question about TLS configuration.

> So, the problem still persists. As I understand, Traefik doesn't route https traffic correctly with IngressRoute

The problem you are facing is not related to HTTP: the TLS termination happens before the request is sent, and the IngressRoute is not the cause.

> Serving default certificate for request: ""

This error log states that the default certificate is served because of an empty server name in the client hello.
The client doesn't provide the serverName and no matching certificate can be found.

What is the use case you are trying to achieve? Could you please elaborate?
As of now, the certificate lookup is based only on the serverName, but looking for a certificate matching the local address IP would not fit in your case, if the IP in the Host matcher of the IngressRoute is the service one.

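The following is an added illustration, not part of the thread and not Traefik's code. It models the behaviour rtribotte describes: certificate selection is keyed on the server_name (SNI) carried in the ClientHello, and a client that dials an IP literal (ostapkostyk's `https://10.1.0.71`) sends no server_name extension at all, because RFC 6066 only permits DNS host names there, so the lookup sees "" and returns the default certificate no matter what IP SANs any certificate carries. The ClientHello bytes are constructed test data, the certificate values are placeholder strings, and the wildcard fallback in `select_certificate` is an assumption about how a Traefik-like store behaves rather than something stated in the thread.

```python
"""Model of SNI-only certificate selection (added example; not Traefik code)."""
import struct
from typing import Dict, Optional

SERVER_NAME_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (test data only).

    server_name=None reproduces what a client does when it dials a bare IP
    address: RFC 6066 allows only DNS host names in SNI, so nothing is sent.
    The random field and session id are zero-filled for simplicity.
    """
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
    hello = b"\x03\x03" + bytes(32)                  # legacy_version, random
    hello += b"\x00"                                 # session_id length 0
    hello += struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
    hello += b"\x01\x00"                             # compression_methods: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(record: bytes) -> str:
    """Return the SNI host_name from a ClientHello record, or "" when absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                              # skip version and random
    pos += 1 + hello[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hello[pos]                                     # compression_methods
    if pos >= len(hello):
        return ""                                             # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SERVER_NAME_EXT:
            continue
        lpos = 2                                              # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if name_type == 0:
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return ""


def select_certificate(sni: str, store: Dict[str, str], default: str) -> str:
    """Name-only lookup modelled on the maintainer's description.

    Keys of `store` are the DNS names (or *.parent wildcards) a certificate
    covers; values are placeholder labels. IP SANs are not consulted at all,
    so an empty SNI, or an IP literal, always yields the default certificate.
    The wildcard step is an assumption about a Traefik-like store.
    """
    if not sni:
        return default
    host = sni.lower().rstrip(".")
    if host in store:
        return store[host]
    parent = ".".join(host.split(".")[1:])
    if parent and "*." + parent in store:
        return store["*." + parent]
    return default


def served_certificate(record: bytes, store: Dict[str, str], default: str) -> str:
    """Full path: ClientHello bytes -> SNI -> chosen certificate label."""
    return select_certificate(parse_client_hello_sni(record), store, default)


if __name__ == "__main__":
    # Constructed store: one cert-manager certificate keyed by the host name
    # from this thread. An IP-SAN-only certificate would have no DNS key here,
    # which is exactly why it can never be chosen by this kind of lookup.
    store = {"nginx.local.lab.tech": "cert-manager certificate"}
    default = "TRAEFIK DEFAULT CERT"
    for name in ("nginx.local.lab.tech", None):
        rec = build_client_hello(name)
        print(f"SNI={parse_client_hello_sni(rec)!r:>22} -> {served_certificate(rec, store, default)}")
```

A quick check against a live endpoint is `openssl s_client -connect 10.1.0.71:443` with no `-servername` (empty SNI, which should reproduce the `Serving default certificate for request: ""` log line) versus `openssl s_client -connect 10.1.0.71:443 -servername nginx.local.lab.tech`, which makes the proxy look up that name. If the second call returns the expected certificate, the router and the certificate are fine and only the name-based lookup is in play.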

Edcursion-DavidN commented on June 24, 2024

I thought I was the only one experiencing this issue. I've been burnt out from trying different configurations, and I keep coming to the same conclusion.

In my case, I can successfully issue a certificate, but only for the Traefik dashboard, using secretName with a Certificate in the Traefik namespace, pulled from a production Let's Encrypt ClusterIssuer.

However, all other services deployed with an IngressRoute don't get issued a certificate, despite having a valid and successfully issued certificate for the hostname and namespace from ACME.

In the Traefik dashboard, I can see that my test nginx server has a websecure entry point with a TLS certificate from Let's Encrypt.

But when I run openssl s_client -connect nginx.local.lab.tech:443, it indicates that the certificate is self-signed and not from Let's Encrypt.

I tested this with both staging and production ACME servers.

My Environment:

  • RKE2 with IPVS
  • MetalLB
  • Cert Manager using Let's Encrypt with DNS-01 challenge from Cloudflare
  • Traefik 3.0.1


ostapkostyk commented on June 24, 2024

Hello @rtribotte,

> As of now, the certificate lookup is based only on the serverName

Thanks, this explains the behavior quite clearly.

My use case:
We have a k3s cluster on bare metal. I'd like to expose some services only within the local network (administration services). For non-technical reasons there is no DNS service in the network and I can't set one up (no access). Therefore certificates are issued with IP addresses as IP SANs, but unfortunately Traefik can't match them.

Technical configuration:
I use HashiCorp Vault as the PKI and cert-manager to manage certificates. Just for testing I deployed a simple nginx web server and tried to route traffic with Traefik's IngressRoute.

What I tried:

  • route traffic without TLS: works
  • route traffic with TLS terminated by Traefik (without TLS between Traefik and nginx): doesn't work, due to the default certificate from Traefik
  • encrypt traffic from nginx and use TLS passthrough mode in Traefik: doesn't work for an individual service, and I don't want to set this flag globally
  • use the default TLSStore from Traefik: it works and is currently my workaround. I just can't manage certificates individually for each service (I don't need that now)

The IP address used for matching in the IngressRoute is from the host network; it's not an IP from the Kubernetes environment. Actually, this IP comes from the MetalLB load balancer.

Thank you for your interest in this issue! If you need manifests, I'll be happy to provide them on request.
