CA certificate from secret is not served

sl1288 · June 11, 2022, 12:20am

I did create an secret with cert-manager which contains the server certificate and the ca certificate.

apiVersion: v1
data:
  ca.crt: LS0tLS...
  tls.crt: LS0tLS...
  tls.key: LS0tLS...
kind: Secret

After adding an IngressRoute with secretName set, I call "openssl s_client" to fetch the certificates from the https port.

What did you see instead?

"openssl s_client" only shows the "tls.crt" certificate, the "ca.crt" certificate is missing.

What version of Traefik are you using?

rancher/mirrored-library-traefik:2.6.2

What is your environment & configuration?

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-manager-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-certificate
  namespace: web-namespace
spec:
  commonName: kunde.tld
  duration: 8760h
  dnsNames:
    - kunde.tld
  secretName: web-certificate
  issuerRef:
    name: cert-manager-issuer
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web
  namespace: web-namespace
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`kunde.tld`)
      kind: Rule
      services:
        - name: backend
          port: 80
  tls:
    secretName: web-certificate

rtribotte · June 15, 2022, 12:11pm

Hello @sl1288,

The ingressRoute supports only Kubernetes secrets to be referenced in the TLS section.
In the example IngressRoute you provided, you have referenced a CRD Certificate from CertManager.

sl1288 · June 15, 2022, 5:52pm

The name of the secret is also "web-certificate" and the normal certificate from that secret is used correctly only the ca certificate is not used.

Is it a problem to use the same name for different "kind" of objects ?

rtribotte · June 16, 2022, 8:07am

Is it a problem to use the same name for different "kind" of objects ?

No, this is not the issue, this is allowed.

Thus, in the resources definitions, you have shared, I see no Kubernetes Secret with the name web-certificate.
Can you share the full Traefik debug logs?

sl1288 · June 19, 2022, 3:54pm

YAML Config

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZNekNDQXh1Z0F3SUJBZ0lVWVJnRDZSV0xreVF1VS9zNXo1UTdURUtaNHBrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0RURUxNQWtHQTFVRUF3d0NRMEV3SGhjTk1qSXdOakU1TVRVeE9ERTFXaGNOTkRJd05qRTBNVFV4T0RFMQpXakFOTVFzd0NRWURWUVFEREFKRFFUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCCkFOUEl2K3pWbTdpZjJyZU9MN3A3aWk2NEc0Q1VmM0V6dS8zWUNOcUlGOTF6VFNyajJ5c0dLbWZDeDVpSkVHbEIKRHJBUlNaMVRYT2hHRTg0em1aQlVNRUdBTExRWGd6OEJyMTJHckdlcWN4cVhpYmcyWEQrNmx2Nm85NERhejljQQpFNkVQMmtoYTFtTlZZLzY1Zis2QzE1blV3aCt3dk5UcEtyL2poOUZ3VlpXK1JIYXhBZCtKZ3VyQXQrOFBIVmV5Cm1JTE9QRzAzTmtpa0ZPdkhicGhxK1NZWXBDYlR3VG00d25LM3FRNUpCSFlHZDU4aUNmNW9OOG9WMnZkY2RsNm4Kc21EQk81SlFWY0FFQmpCWmlsR2l2VThaZEwvb1R0aUhmUmEwVWRMSEtldzZkTCtWcnJTd1h5NHBNUTVVbkdZbwpLclVnb3FKcWcvYTRQM0ovL3JpNWRCdDlGazNuN0RQWUpLRlgraU4rRjVVcCtDUmhhbzd3TC9ZQkJFUWJQaCtRCmZtZkNPdjI0VUtFZUxyREV4NHFCWlJJZS9tYkdmR3JBalQxQmtuWkE3MDM0V1V0VVZ0Ui9CcFJwNllvQndPOGYKWVE2MFZzZDFwVkZURDR5RXNlalhicGlpUEdiZlM5Q3JrbXVFQTBQei9UcjZwZXlyVjZ6Y1ZvSTlhOXJiN1RJLwp6MHVGeTlQUkdoZzdqb3ZNcTVWV25uWnlsall4UktyZjZyZjlDdXpnVTJmeXVWWXJLSFdXeW1LMGpOcnRjWlQ2Cjh5QThBZEI4Z2R3SWFEWWgwVnl4dU5meHpSYW5PNHdaT1d1SFV3cFk2UUN6YjRtOThhWXRRcUlWTW5RTE1lV0QKMkc5WmYwMjRTaUEwK05HMkVLd3pmalhlMVhKSUpVR1FsaWcwejdHYWZKK3hBZ01CQUFHamdZb3dnWWN3SFFZRApWUjBPQkJZRUZBRk4xdHBXTjBkY1JCMWdFSFdScXNTaWQzcDBNRWdHQTFVZEl3UkJNRCtBRkFGTjF0cFdOMGRjClJCMWdFSFdScXNTaWQzcDBvUkdrRHpBTk1Rc3dDUVlEVlFRRERBSkRRWUlVWVJnRDZSV0xreVF1VS9zNXo1UTcKVEVLWjRwa3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QUxCZ05WSFE4RUJBTUNBUVl3RFFZSktvWklodmNOQVFFTApCUUFEZ2dJQkFFamN5M1R3TmJqUFEzODc1VjUrVTFLSjV0WFFiM3ZxU2VRQ2QrRDlaR1F6VmtKT1pjYVhBbHI5CjFCcE9INUlRN3ROSzMvR3lxS3hEbkh3czI1eE1mMmI5djBPbXhtUFRRZVJXMG1PdDlPckZCZHBEZjZKOUpDZVoKTjhISUErRlA1ZllVWUlpY2JhQm9nT2R6ejdiRFRVTHpmQ044UmZLK1hHUFZxQ3BuS0NGUVBpV1QxOTljZ092ZQpGMTFteVprcVZVQUxFTTlsR0JvYm9hek9rNFRLVENGaStvTEc0N25xZ0o5eWsrVDBIYS9NRHhjSXJRTE4wZXFqCnhEU0hqRWNyVmpTZVhxZE16d3Y4ME1JMXh5MEJsYU93R2NTLzJVaytOcDJSUkViY05SUEtBTXFSZjBybEEzRkQKUmtaWlV6RXRrUDJrOUxzNnhYRE80a0VTazhRa2taaDFEVVJqaEN1UDVkRXc4VXdkNEd3b3hEc2ZoZ0NCYkxKYwpTVWpxZlBJN3d0VThFNDNzTGNKNEtEeUdjRXNLQkFhOTZzRmJBVmV0MEFGU2Y2dWtUWlMwYWFmaGJ6cVcwMmNJCnV0anowUEE1OURjQUE2Y1J3azJGWkg5eVVqZmFFUkY2ZGY3WjUwVit6dGcxYnl4UmwxQzYvanRTalZnWXowRGQKY0Jic01UNWRtQUJrbnBTRjRzQXJ6Y1JKV09SaEZleXZvSDJ4c2tNWXBTd0NSdDlnYkpSUjgwamFZOHJuNzdiZAo0OW5DTExDei9JVlp1KzY2cGZxd3hPRUhBVkJQaW51czcxU0tHT3U2blpFREMveTd6eVc0ZTIvTThkaDFaQndrCm1uY09DRlRDaG8xQnZKcWdsN1dJa0d1LzRDb2VmMnZFak1OelFQMm9CZDZUZUZmSnIxbDYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVBekNDQWV1Z0F3SUJBZ0lSQUxnM2dqOWVYK3RFcG5SNXMydVp4cjR3RFFZSktvWklodmNOQVFFTEJRQXcKRFRFTE1Ba0dBMVVFQXd3Q1EwRXdIaGNOTWpJd05qRTVNVFV5TkRJM1doY05Nak13TmpFNU1UVXlOREkzV2pBVQpNUkl3RUFZRFZRUURFd2xyZFc1a1pTNTBiR1F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUN2K2hLdm5mQmQ0cGRDeFQ0RThweEhwTUJuYWs3NmpWazlDc0wySWNIdG56a3dYbmJsRjlHZWI3MEgKeDhJak90OVBxMUJPV2cvOWJKU2J2blFFaDdkbEZUbURnb2RyQTFqRmxGUkFGcGM2dTgvaTh6S0ltUzREOENrcgpQd1dyZmliVllJdHhHNDNPUTV3WWNLU0JlM2xWTlVIQ3JKREFibGJPWnJmRHpzUGRSUjFsVkJRTExzWEZCbUpUCmVYQm14cEMycFBXK2wyaUVMZXZIVnBvemUzRnIzRDVIaVZUTjdvQXU4Q2QvRG1RSXN6Q0RDeVc4Z0N1QW4zalkKTHhwSVZUZ05iWUM0UG9wWlR6dU9yTTVTcFJaUmcxSlRMM3ZJMDhMT0xISGR6YWtSQkdVQXAyMnNMMktQRFBSTwpCUndKV3VLWmMxdGpkREwxNmdSdllZYUlKeGxqQWdNQkFBR2pWekJWTUE0R0ExVWREd0VCL3dRRUF3SUZvREFNCkJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkFGTjF0cFdOMGRjUkIxZ0VIV1Jxc1NpZDNwME1CUUcKQTFVZEVRUU5NQXVDQ1d0MWJtUmxMblJzWkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQTB0UkphaDIrZHpLbQp1R2d5R1ZGT010M05YWlphZHdDWjluSmZSYzVuMDFDRmYwNzY0WkRmWnhTcUMrMzE3NnowSHpxTmJwaTF1a0Z1CmZmbGV0cUpEWnZRYXFKVnhEaW1lMVg4Y1dzdyswUXF3QkxzY2orRm4zWEtPbVRhNmlOZ3dnRW9YaVYvb0RRM3UKLzdabmdOUTI5N3U0OExPUVJrRjd2K2RudXQvT0l0NC9FRERZVGliclFTMGc4elliNEVvNlAyVzZXeUNsK1VqSQpEUHZ3aEZYZ1ZleWthd2ttRmoxTWVuSWorcWFZU3lBWEhKeUxvVXNIMExJVXo1YkRIaHYzT0ppS2RJOGhOMHU0CmRTeUJ1NHF4b2pBb0RjcXB0Yzd3bVp1cXlDOUVWWC81b1cyRlBkalpqejVrYnNvWlp6SG8zQWVJaVdWdFdrYW0KdnZZUmUzUVhYTVVyNk53RDRoWmJXcmdBWFB2SGV1ME16N2FJd09MVEZoSW9wNEJvdUIzWmhPbURvak1oTjVqMApkZDMwczkvdVNQTmsxay9oYlBqblpkUEJySXlqci9aN3lZMFRYUTE4OTkvS1lhS2VmMFRuc3hxWjZaV0hoVEhpClJNMC9hb1ZiSE1BaWowY3FuVzNaQi9EczlzVlkyR3ExazB2Qkx3T1M5T2VoczN0NVUrRVZJTjUrbllHdVhHNEIKREE2R3FCSUNMejM3ZEdjbWRFTGRHMmJOZ3RvbG5nMFFPeU1mSERaNFdxV3pWT0JJRTEzNDBKbmhtc2pGU1QzdAppRm1hVlJZM1RkWWhwQTliZk5WWUhOUk5FQmxHb3NtekdYZkN6ak5vanh5T0lFbER6d0ZxU0pGNE0xbmw0L1FGCjRBVkJraWtyWmJsVldDa1lURnRqTFkrckxRTGVIU0k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBci9vU3I1M3dYZUtYUXNVK0JQS2NSNlRBWjJwTytvMVpQUXJDOWlIQjdaODVNRjUyCjVSZlJubSs5QjhmQ0l6cmZUNnRRVGxvUC9XeVVtNzUwQkllM1pSVTVnNEtIYXdOWXhaUlVRQmFYT3J2UDR2TXkKaUprdUEvQXBLejhGcTM0bTFXQ0xjUnVOemtPY0dIQ2tnWHQ1VlRWQndxeVF3RzVXem1hM3c4N0QzVVVkWlZRVQpDeTdGeFFaaVUzbHdac2FRdHFUMXZwZG9oQzNyeDFhYU0zdHhhOXcrUjRsVXplNkFMdkFuZnc1a0NMTXdnd3NsCnZJQXJnSjk0MkM4YVNGVTREVzJBdUQ2S1dVODdqcXpPVXFVV1VZTlNVeTk3eU5QQ3ppeHgzYzJwRVFSbEFLZHQKckM5aWp3ejBUZ1VjQ1ZyaW1YTmJZM1F5OWVvRWIyR0dpQ2NaWXdJREFRQUJBb0lCQVFDa0grUzdtOThwZ1FLNApTSU9lVTdQRDhmbHN1aTZzNlpXNEk4aFBqSTUxRTVKZjlVcUlRaDNEMmMwQWE2TTUvbGQxMDM1VGhSWHlzd2txCjlJYjZEcVhTQmVpZEtla291bmRaMXd4NHRWa1ljei9oR0JjaVpWTVFZelhTV3JYc0N2MG05eU0yTzQrWE4yRm4KUGU5L3Yrd2F0MC84dzd0QmJlZFNHMlQ2bjJYM2dFZVJsdnVycEl3K1VsZzdMYTFkQ3lFNnI4OUI4SzR0dGpNVwp3Qi9qcVVwSkFTMG9FREQ0ZXN1VHJpdUF3aGhEcVdLVUljM09QSmp2Qkxla3c1QU1QTW0zU0FxdjRBQ0hUUHhQCkxNN3dPM0ZaYlpDeVBQc1h3M0lsenJ4czVqcHhtSEFNRHdjS09XZnNYc0V0WFM1dVRXcXlrU2ZiV21FSVR2eDgKVThTMXQrTXhBb0dCQU9xZlpjK2RZb292MjYwV290YnpFRWZoWHgrRElQcDgxSVdOWmFpTFVZaTgwcFM5NHpoWQpvSUZkUDZsODdValVxWmQ2Ukx6eU1rN2NhdDYwM0V5V3gvWXVqbFJVR0FZQkRzNWExYVdQbUF1clJ1Z0FzSkFVCnR0VC9oMEtUZDJ4d0Znd3RnaGNDV1ZLT0ljVEtFblhQeXRtcDRiV1VFUWd4aC9TUWVxTVFEMmpyQW9HQkFNQUMKd1RlVXNZSUJRV0dIVUlqZENGWDhMR0JsYThoZlU1bHg2WlFMcmpxMnpoaU9LWkdGbkZEZnNqSXlWb3RjdFFYZQpZQ0hENmxPb054SUdmcU9HM3FnYUdGS1RlWitNN2YySXRQNjNOSFI4MWRLdXJsd2tvZ3FGWGg4THEweWRzODhXClNhejBFMkRWaFdpQUorelA0V2l2SHMvUDdDZlVDTmt2OEpha092TnBBb0dBREI1Sml1eXRIMGdUaDZBb3J3T0UKN3NHRVFVTnJtNlNBOFpqNUREaU44SXNZTVZpUmVPS1MvN3VLUXozUm43WmtRQSt2cHphM1JIMThBNTdCMWk3ZgppeWFpY1ZhYW13ekk3LzJmRlZzU1ZsLzFYSnhVZ2t5Zm1PYk4zTEZ6TktXaGJlV1gxNHBtaEs0VXJtNWxmN0pJCjN1ODRXa0dZazV6RFVlMTRlQjJuUGhzQ2dZQm1qNUloWEIxTXNkcjRlMHk3TGtWTG1IMGpxRWpnS0hzQkZXV00KbklpZCtCTXg3bzJwbTFLWnFFTUlxUGF0VGdHcmR0S21kbjF0M2dZOGJKZXNSVmdkTm9NVGFJNm9lS0NPc2p6cgphWFJ0WEZqaVJrZ0FFOWt5QVhiNjRrTEhrOXo5bW93VUEvTnQzOTk0cUN1clJJYkVZZlgxVHJ4M3NieGdOa2t1ClRkN25NUUtCZ0JQeUpMZUdmdmVGT3JESUUvNElXL3hmSlNiNldYdlhWbUp1MWErYWR0dWVWaFRiaE12R1RTRVYKQjA2MG0yUlB1RUNEaFF6UE93VkdvOEErVWIwekE1SUxNMXdFTEwxNVlMQzN3Q3dZaTg4UzlvbUEzMXB5OHRLYQpEWlBwODlJWlZqbDk1dkhVSk1iOTJnbXhOTjJJRVRVMmJ1RHlxVExoTStRcVJmZHJuSVN5Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: kunde.tld
    cert-manager.io/certificate-name: web-certificate
    cert-manager.io/common-name: kunde.tld
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: cert-manager-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2022-06-19T15:24:27Z"
  name: web-certificate-secret
  namespace: namespace
  resourceVersion: "3152"
  uid: 81cd6ec1-779d-4a75-9959-6e5546983e99
type: kubernetes.io/tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web
  namespace: namespace
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`kunde.tld`)
      kind: Rule
      services:
        - name: web-server
          port: 80
  tls:
    secretName: web-certificate-secret

openssl s_client

openssl.exe s_client -connect kunde.tld:443 -servername kunde.tld
CONNECTED(000001D0)
depth=0 CN = kunde.tld
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kunde.tld
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=kunde.tld
   i:/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEAzCCAeugAwIBAgIRALg3gj9eX+tEpnR5s2uZxr4wDQYJKoZIhvcNAQELBQAw
DTELMAkGA1UEAwwCQ0EwHhcNMjIwNjE5MTUyNDI3WhcNMjMwNjE5MTUyNDI3WjAU
MRIwEAYDVQQDEwlrdW5kZS50bGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCv+hKvnfBd4pdCxT4E8pxHpMBnak76jVk9CsL2IcHtnzkwXnblF9Geb70H
x8IjOt9Pq1BOWg/9bJSbvnQEh7dlFTmDgodrA1jFlFRAFpc6u8/i8zKImS4D8Ckr
PwWrfibVYItxG43OQ5wYcKSBe3lVNUHCrJDAblbOZrfDzsPdRR1lVBQLLsXFBmJT
eXBmxpC2pPW+l2iELevHVpoze3Fr3D5HiVTN7oAu8Cd/DmQIszCDCyW8gCuAn3jY
LxpIVTgNbYC4PopZTzuOrM5SpRZRg1JTL3vI08LOLHHdzakRBGUAp22sL2KPDPRO
BRwJWuKZc1tjdDL16gRvYYaIJxljAgMBAAGjVzBVMA4GA1UdDwEB/wQEAwIFoDAM
BgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFAFN1tpWN0dcRB1gEHWRqsSid3p0MBQG
A1UdEQQNMAuCCWt1bmRlLnRsZDANBgkqhkiG9w0BAQsFAAOCAgEA0tRJah2+dzKm
uGgyGVFOMt3NXZZadwCZ9nJfRc5n01CFf0764ZDfZxSqC+3176z0HzqNbpi1ukFu
ffletqJDZvQaqJVxDime1X8cWsw+0QqwBLscj+Fn3XKOmTa6iNgwgEoXiV/oDQ3u
/7ZngNQ297u48LOQRkF7v+dnut/OIt4/EDDYTibrQS0g8zYb4Eo6P2W6WyCl+UjI
DPvwhFXgVeykawkmFj1MenIj+qaYSyAXHJyLoUsH0LIUz5bDHhv3OJiKdI8hN0u4
dSyBu4qxojAoDcqptc7wmZuqyC9EVX/5oW2FPdjZjz5kbsoZZzHo3AeIiWVtWkam
vvYRe3QXXMUr6NwD4hZbWrgAXPvHeu0Mz7aIwOLTFhIop4BouB3ZhOmDojMhN5j0
dd30s9/uSPNk1k/hbPjnZdPBrIyjr/Z7yY0TXQ1899/KYaKef0TnsxqZ6ZWHhTHi
RM0/aoVbHMAij0cqnW3ZB/Ds9sVY2Gq1k0vBLwOS9Oehs3t5U+EVIN5+nYGuXG4B
DA6GqBICLz37dGcmdELdG2bNgtolng0QOyMfHDZ4WqWzVOBIE1340JnhmsjFST3t
iFmaVRY3TdYhpA9bfNVYHNRNEBlGosmzGXfCzjNojxyOIElDzwFqSJF4M1nl4/QF
4AVBkikrZblVWCkYTFtjLY+rLQLeHSI=
-----END CERTIFICATE-----
subject=/CN=kunde.tld
issuer=/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

Debug Logs

time="2022-06-19T15:22:50Z" level=info msg="Configuration loaded from flags."
time="2022-06-19T15:22:50Z" level=info msg="Traefik version 2.7.0 built on 2022-05-24T17:07:05Z"
time="2022-06-19T15:22:50Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"metrics\":{\"address\":\":9100/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"traefik\":{\"address\":\":9000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":8000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":8443/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{}},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"kubernetesIngress\":{\"ingressEndpoint\":{\"publishedService\":\"kube-system/traefik\"}},\"kubernetesCRD\":{}},\"api\":{\"dashboard\":true},\"metrics\":{\"prometheus\":{\"buckets\":[0.1,0.3,1.2,5],\"addEntryPointsLabels\":true,\"addServicesLabels\":true,\"entryPoint\":\"metrics\"}},\"ping\":{\"entryPoint\":\"traefik\",\"terminatingStatusCode\":503},\"log\":{\"level\":\"debug\",\"format\":\"common\"},\"pilot\":{\"dashboard\":true}}"
...
time="2022-06-19T15:23:09Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:23:09Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Service" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Service" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=error msg="Error configuring TLS: secret namespace/web-certificate-secret does not exist" namespace=namespace providerName=kubernetescrd ingress=web
time="2022-06-19T15:24:26Z" level=error msg="subset not found for namespace/web-server" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1alpha1.IngressRoute" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="Error configuring TLS: secret namespace/web-certificate-secret does not exist" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" namespace=namespace providerName=kubernetescrd ingress=web
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"kube-system-traefik-dashboard-d012b7f875133eeab4e5\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/dashboard`) || PathPrefix(`/api`)\"}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" providerName=kubernetescrd ingress=web namespace=namespace
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=debug msg="No store is defined to add the certificate MIIEAzCCAeugAwIBAgIRALg3gj9eX+tEpnR5s2uZxr4wDQYJKo, it will be added to the default store."
time="2022-06-19T15:24:27Z" level=debug msg="Adding certificate for domain(s) kunde.tld"
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" entryPointName=metrics middlewareName=tracing middlewareType=TracingForwarder routerName=prometheus@internal
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=metrics middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware ping@internal" routerName=ping@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd middlewareName=tracing middlewareType=TracingForwarder
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Metrics middlewareName=metrics-entrypoint entryPointName=traefik
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=websecure middlewareName=metrics-entrypoint
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=traefik
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"kube-system-traefik-dashboard-d012b7f875133eeab4e5\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/dashboard`) || PathPrefix(`/api`)\"},\"namespace-web-8bb1e5490bca8946f993\":{\"entryPoints\":[\"web\",\"websecure\"],\"service\":\"namespace-web-8bb1e5490bca8946f993\",\"rule\":\"Host(`kunde.tld`)\",\"tls\":{}}},\"services\":{\"namespace-web-8bb1e5490bca8946f993\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.42.0.24:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-06-19T15:24:33Z" level=debug msg="No store is defined to add the certificate MIIEAzCCAeugAwIBAgIRALg3gj9eX+tEpnR5s2uZxr4wDQYJKo, it will be added to the default store."
time="2022-06-19T15:24:33Z" level=debug msg="Adding certificate for domain(s) kunde.tld"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal middlewareName=tracing
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" routerName=prometheus@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Metrics middlewareName=metrics-entrypoint
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=pipelining middlewareType=Pipelining
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=metrics-service
time="2022-06-19T15:24:33Z" level=debug msg="Creating load-balancer" routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Creating server 0 http://10.42.0.24:80" entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 serverName=0
time="2022-06-19T15:24:33Z" level=debug msg="child http://10.42.0.24:80 now UP"
time="2022-06-19T15:24:33Z" level=debug msg="Propagating new UP status"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware namespace-web-8bb1e5490bca8946f993" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" serviceName=namespace-web-8bb1e5490bca8946f993 entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd middlewareName=pipelining middlewareType=Pipelining
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=metrics-service middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:33Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993
time="2022-06-19T15:24:33Z" level=debug msg="Creating server 0 http://10.42.0.24:80" entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 serverName=0
time="2022-06-19T15:24:33Z" level=debug msg="child http://10.42.0.24:80 now UP"
time="2022-06-19T15:24:33Z" level=debug msg="Propagating new UP status"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware namespace-web-8bb1e5490bca8946f993" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery entryPointName=websecure middlewareType=Recovery
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=traefik
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Adding route for kunde.tld with TLS options default" entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Adding route for kunde.tld with TLS options default" entryPointName=websecure
time="2022-06-19T15:24:35Z" level=debug msg="http: TLS handshake error from 10.42.0.1:23150: remote error: tls: unknown certificate"
time="2022-06-19T15:24:35Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:24:35Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:37Z" level=debug msg="http: TLS handshake error from 10.42.0.1:56995: remote error: tls: unknown certificate"
time="2022-06-19T15:24:37Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Sec-Ch-Ua\":[\"\\\" Not A;Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"102\\\", \\\"Google Chrome\\\";v=\\\"102\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\"],\"X-Forwarded-Host\":[\"kunde.tld\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik-74b6bc66c6-xb8cf\"],\"X-Real-Ip\":[\"10.42.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"kunde.tld\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.0.1:17592\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2022-06-19T15:24:37Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Sec-Ch-Ua\":[\"\\\" Not A;Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"102\\\", \\\"Google Chrome\\\";v=\\\"102\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\"],\"X-Forwarded-Host\":[\"kunde.tld\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik-74b6bc66c6-xb8cf\"],\"X-Real-Ip\":[\"10.42.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"kunde.tld\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.0.1:17592\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://10.42.0.24:80"
time="2022-06-19T15:24:37Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Sec-Ch-Ua\":[\"\\\" Not A;Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"102\\\", \\\"Google Chrome\\\";v=\\\"102\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\"],\"X-Forwarded-Host\":[\"kunde.tld\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik-74b6bc66c6-xb8cf\"],\"X-Real-Ip\":[\"10.42.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"kunde.tld\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.0.1:17592\",\"RequestURI\":\"/\",\"TLS\":null}"

rtribotte · June 20, 2022, 8:38am

Hello @sl1288,

I overlooked a bit what was the use case you wanted to achieve here.
It seems that you want to configure a CA cert for Traefik as a server, to do so you need to leverage the TLSOption resource.
It will allow you to configure the CA for client authentication.

sl1288 · June 20, 2022, 9:14am

I want traefik to send the whole certificate chain to the browser tls.crt + ca.crt.
Or do I need to concat all certificates to the tls.crt file in the secret ?

rtribotte · June 20, 2022, 9:19am

Traefik will not concatenate the cert with the ca to serve a chain, it will only serve the cert.
So depending on your use case, you should probably concatenate the chain yourself and provide it in the Kubernetes Secret under the key tls.crt.

Topic		Replies	Views
Traefik's default TLS certificate instead of one from secret Traefik v3 (latest) kubernetes-ingress	1	317	June 27, 2024
TLS Cert from secret Traefik v2 file , kubernetes-ingress	3	2455	December 16, 2022
IngressRoute with "secretName" field still serves with default certificate Traefik v2 kubernetes-crd	18	4782	January 9, 2020
IngressRoute not serving cert from secret Traefik v2 kubernetes-crd , kubernetes-ingress , letsencrypt-acme	0	406	March 4, 2021
Traefik seems to not obtaining the SSL certificate that is supposed to acquire Traefik v2 kubernetes-ingress	0	516	September 29, 2023

CA certificate from secret is not served

What did you see instead?

What version of Traefik are you using?

What is your environment & configuration?

Related topics