Bound port 443 but no TLS handshake with MQTTs and k3s

Hi all

I have a k3s setup that either works with HTTP on port 80 and HTTPS on port 443 and then routes everything internally correctly, but with no MQTTS accessible from the outside.

Or a setup with k3s where there is no TLS handshake on port 443, but on 8443 for HTTPS and correct TLS termination on port 8887 for MQTTS.

When I tried to bind 443 with traefik 2.10 directly it would fail with "traefik.go:80: command traefik error: error while building entryPoint websecure: error preparing server: error opening listener: listen tcp :443: bind: permission denied".

How can I get both HTTPS and MQTTS to play nicely side by side?
There are multiple MQTT brokers that are chosen with HostSNI( DomainABC ).
I am using this helm chart config:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    logs:
      level: INFO
      #level: DEBUG
      access:
        enabled: true
    persistence:
      enabled: true
      path: /certs
      size: 128Mi

    # bind directly to the outside world
    hostNetwork: true

    additionalArguments:
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --entrypoints.websecure.http.tls.domains[0].main=example.net
      - --entrypoints.websecure.http.tls.domains[0].sans=*.example.net,*.sub.example.net
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=namecheap
      - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers[0]=1.1.1.1
      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers[1]=8.8.8.8
      - --certificatesresolvers.myresolver.acme.storage=/certs/acme.json

    # add extra ports
    ports:
      mqtts:
        port: 8883
        expose: true
        exposedPort: 8883
        protocol: TCP
    # adding this does not work (permission denied for some reason)
    #  websecure:
    #    port: 8443
    #    expose: true
    #    exposedPort: 8443
    #    protocol: TCP