ACME tries to get a certificate for all domains

I have a private certificate which I use for the internal network. If I don't set any ACME config in traefik it works perfectly fine, but when I add ACME configuration for a different domain (the company's public one) it tries to get certificates for both domains.

Working configuration without ACME:

  traefik.toml: |
    # traefik.toml
    logLevel = "WARNING"
    defaultEntryPoints = ["http","https","internalhttp", "internalhttps"]
    InsecureSkipVerify = true
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [entryPoints.internalhttp]
      address = ":6969"
      [entryPoints.internalhttps]
      address = ":6943"
      [entryPoints.internalhttps.tls]
      [[entryPoints.internalhttps.tls.certificates]]
      certFile = "/certs/internal.xyz.crt"
      keyFile = "/certs/internal.xyz.key"

Configuration with ACME for a public domain:

  traefik.toml: |
    # traefik.toml
    logLevel = "WARNING"
    defaultEntryPoints = ["http","https","internalhttp", "internalhttps"]
    InsecureSkipVerify = true
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]
      [entryPoints.internalhttp]
      address = ":6969"
      [entryPoints.internalhttps]
      address = ":6943"
      [entryPoints.internalhttps.tls]
      [[entryPoints.internalhttps.tls.certificates]]
      certFile = "/certs/internal.xyz.crt"
      keyFile = "/certs/internal.xyz.key"
    [acme]
    email = "info@public.io"
    storage = "traefik/acme/account"
    entryPoint = "https"
    onHostRule = true
    caServer = "https://acme-v02.api.letsencrypt.org/directory"
    [acme.httpChallenge]
      entryPoint = "http"
    [[acme.domains]]
      main = "public.io"

I can see the following error:

time="2019-08-06T10:11:35Z" level=error msg="Error getting ACME certificates [traefik.internal.xyz] : cannot obtain certificates: acme: Error -> One or more domains had a problem:\n[traefik.internal.xyz] acme: error: 400 :: urn:ietf:params:acme:error:connection :: unknownHost :: No valid IP addresses found for traefik.internal.xyz, url: \n"

I can also see this error:

time="2019-08-06T10:52:09Z" level=error msg="Cannot unmarshall private key []"
time="2019-08-06T10:52:09Z" level=error msg="Error building ACME client &{Email: Registration:<nil> PrivateKey:[] KeyType: DomainsCertificate:{Certs:[] lock:{w:{state:0 sema:0} writerSem:0 readerSem:0 readerCount:0 readerWait:0}} ChallengeCerts:map[] HTTPChallenge:map[]}: private key was nil"

Then the internal endpoints stop working.

I am using traefik v1.7.12

This means that all frontends are wired to all entrypoints.

Any frontend that is wired to the https entrypoint will request an acme certificate.

You may have to play around with your default entrypoints, and perhaps override the ones you want with entrypoint labels.

Second:

You have configured your storage to pull from a KV store, but you have provided no configuration that such a store exists.

Is this intended? If not, that is why the private key can't be found...because one doesn't exist.
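The wiring described in this answer can be checked before restarting Traefik. The script below is an added example written for this thread, not Traefik code and not from any participant: it models the v1.7 rule (a frontend without an entry-point annotation is wired to defaultEntryPoints; with onHostRule = true, every frontend wired to acme.entryPoint gets an order for its Host rule), and the ingress hosts and annotations are constructed.

```python
"""Model of which hosts Traefik v1.7 would request ACME certificates for.

Added example, not Traefik's own code. Assumed rule (from the thread):
- a frontend is wired to the entry points in its frontend-entry-points
  annotation, otherwise to defaultEntryPoints;
- with acme.onHostRule = true, every frontend wired to acme.entryPoint
  triggers an ACME order for its host.
"""

FRONTEND_ENTRYPOINTS = "traefik.ingress.kubernetes.io/frontend-entry-points"


def frontend_entrypoints(annotations, default_entrypoints):
    """Entry points a frontend is wired to: the annotation wins, else the defaults."""
    raw = annotations.get(FRONTEND_ENTRYPOINTS)
    if raw is None:
        return list(default_entrypoints)
    # Traefik accepts a comma-separated list; surrounding spaces are tolerated.
    return [ep.strip() for ep in raw.split(",") if ep.strip()]


def acme_hosts(config, ingresses):
    """Hosts for which Traefik would ask the ACME CA for a certificate."""
    acme = config.get("acme")
    if not acme or not acme.get("onHostRule"):
        return []
    hosts = []
    for ing in ingresses:
        eps = frontend_entrypoints(ing.get("annotations", {}), config["defaultEntryPoints"])
        if acme["entryPoint"] in eps:
            hosts.extend(h for h in ing["hosts"] if h not in hosts)
    return hosts


def leaked_internal_hosts(config, ingresses, internal_suffix=".internal.xyz"):
    """Internal hosts that would be sent to the public CA (the error from the thread)."""
    return [h for h in acme_hosts(config, ingresses) if h.endswith(internal_suffix)]


# Constructed sample: the thread's defaultEntryPoints next to the narrowed version.
CONFIG_BAD = {"defaultEntryPoints": ["http", "https", "internalhttp", "internalhttps"],
              "acme": {"entryPoint": "https", "onHostRule": True}}
CONFIG_FIXED = {"defaultEntryPoints": ["internalhttp", "internalhttps"],
                "acme": {"entryPoint": "https", "onHostRule": True}}
INGRESSES = [
    {"hosts": ["traefik.internal.xyz"], "annotations": {}},  # no annotation -> defaults
    {"hosts": ["app.internal.xyz"],
     "annotations": {FRONTEND_ENTRYPOINTS: "internalhttp, internalhttps"}},
    {"hosts": ["public.io"], "annotations": {FRONTEND_ENTRYPOINTS: "http,https"}},
]
```

Running leaked_internal_hosts over CONFIG_BAD reports the unannotated internal host; over CONFIG_FIXED only public.io is ordered, because https is no longer a default for every frontend.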

Thanks for the answer @daniel.tomcej. Related to the first thing:
Ok, I can change the defaultEntryPoints, although I always use:

traefik.ingress.kubernetes.io/frontend-entry-points: "internalhttp, internalhttps"

in each ingress.

The second, related to the storage, is intended: I use consul as the KV store, and what I do is run a pod with the toml config shown above and the command `traefik storeconfig`, and I can see the entries in the consul store.

Do you want me to paste any other configuration?

If you are running a KV store, can you please provide the spec you use for your traefik pods?

kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: consul
          hostPath:
            path: /consul
        - name: certs
          hostPath:
            path: /certs
      containers:
      - image: traefik:v1.7.11-alpine
        name: traefik-ingress-lb
        volumeMounts:
          - mountPath: "/consul"
            name: "consul"
          - mountPath: "/certs"
            name: "certs"
        ports:
          - containerPort: 80
            hostPort: 80
          - containerPort: 8080
            hostPort: 8080
          - containerPort: 443
            hostPort: 443
          - containerPort: 6943
            hostPort: 6943
          - containerPort: 6969
            hostPort: 6969
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=DEBUG
        - --consul.endpoint=https://server.dc1.domain.xyz:8501
        - --consul.tls
        - --consul.tls.ca=/consul/domain.xyz-agent-ca.pem
        - --consul.tls.cert=/consul/dc1-client-domain.xyz-0.pem
        - --consul.tls.key=/consul/dc1-client-domain.xyz-0-key.pem
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master-node-1
                #- master-node-2
                #- master-node-3
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule

Thanks @daniel.tomcej, the problem was the defaultEntryPoints.