CA certificate from secret is not served

I did create a secret with cert-manager which contains the server certificate and the CA certificate.

apiVersion: v1
data:
  ca.crt: LS0tLS...
  tls.crt: LS0tLS...
  tls.key: LS0tLS...
kind: Secret

After adding an IngressRoute with secretName set, I call "openssl s_client" to fetch the certificates from the https port.

What did you see instead?

"openssl s_client" only shows the "tls.crt" certificate, the "ca.crt" certificate is missing.

What version of Traefik are you using?

rancher/mirrored-library-traefik:2.6.2

What is your environment & configuration?

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-manager-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-certificate
  namespace: web-namespace
spec:
  commonName: kunde.tld
  duration: 8760h
  dnsNames:
    - kunde.tld
  secretName: web-certificate
  issuerRef:
    name: cert-manager-issuer
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web
  namespace: web-namespace
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`kunde.tld`)
      kind: Rule
      services:
        - name: backend
          port: 80
  tls:
    secretName: web-certificate

Hello @sl1288,

The ingressRoute supports only Kubernetes secrets to be referenced in the TLS section.
In the example IngressRoute you provided, you have referenced a CRD Certificate from CertManager.

The name of the secret is also "web-certificate", and the normal certificate from that secret is used correctly; only the ca certificate is not used.

Is it a problem to use the same name for different "kind" of objects?

Is it a problem to use the same name for different "kind" of objects?

No, this is not the issue, this is allowed.

Thus, in the resource definitions you have shared, I see no Kubernetes Secret with the name web-certificate.
Can you share the full Traefik debug logs?

YAML Config
apiVersion: v1
data:
  ca.crt: ...
  tls.crt: ...
  tls.key: ...
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: kunde.tld
    cert-manager.io/certificate-name: web-certificate
    cert-manager.io/common-name: kunde.tld
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: cert-manager-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2022-06-19T15:24:27Z"
  name: web-certificate-secret
  namespace: namespace
  resourceVersion: "3152"
  uid: 81cd6ec1-779d-4a75-9959-6e5546983e99
type: kubernetes.io/tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web
  namespace: namespace
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`kunde.tld`)
      kind: Rule
      services:
        - name: web-server
          port: 80
  tls:
    secretName: web-certificate-secret

openssl s_client
openssl.exe s_client -connect kunde.tld:443 -servername kunde.tld
CONNECTED(000001D0)
depth=0 CN = kunde.tld
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kunde.tld
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=kunde.tld
   i:/CN=CA
---
Server certificate
subject=/CN=kunde.tld
issuer=/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

Debug Logs
time="2022-06-19T15:22:50Z" level=info msg="Configuration loaded from flags."
time="2022-06-19T15:22:50Z" level=info msg="Traefik version 2.7.0 built on 2022-05-24T17:07:05Z"
time="2022-06-19T15:22:50Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"metrics\":{\"address\":\":9100/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"traefik\":{\"address\":\":9000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":8000/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":8443/tcp\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{}},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"kubernetesIngress\":{\"ingressEndpoint\":{\"publishedService\":\"kube-system/traefik\"}},\"kubernetesCRD\":{}},\"api\":{\"dashboard\":true},\"metrics\":{\"prometheus\":{\"buckets\":[0.1,0.3,1.2,5],\"addEntryPointsLabels\":true,\"addServicesLabels\":true,\"entryPoint\":\"metrics\"}},\"ping\":{\"entryPoint\":\"traefik\",\"terminatingStatusCode\":503},\"log\":{\"level\":\"debug\",\"format\":\"common\"},\"pilot\":{\"dashboard\":true}}"
...
time="2022-06-19T15:23:09Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:23:09Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Service" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Service" providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:26Z" level=error msg="Error configuring TLS: secret namespace/web-certificate-secret does not exist" namespace=namespace providerName=kubernetescrd ingress=web
time="2022-06-19T15:24:26Z" level=error msg="subset not found for namespace/web-server" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:26Z" level=debug msg="Skipping Kubernetes event kind *v1alpha1.IngressRoute" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="Error configuring TLS: secret namespace/web-certificate-secret does not exist" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" namespace=namespace providerName=kubernetescrd ingress=web
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" ingress=web namespace=namespace providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"kube-system-traefik-dashboard-d012b7f875133eeab4e5\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/dashboard`) || PathPrefix(`/api`)\"}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=error msg="subset not found for namespace/web-server" providerName=kubernetescrd ingress=web namespace=namespace
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetescrd
time="2022-06-19T15:24:27Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret" providerName=kubernetes
time="2022-06-19T15:24:27Z" level=debug msg="No store is defined to add the certificate MIIEAzCCAeugAwIBAgIRALg3gj9eX+tEpnR5s2uZxr4wDQYJKo, it will be added to the default store."
time="2022-06-19T15:24:27Z" level=debug msg="Adding certificate for domain(s) kunde.tld"
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" entryPointName=metrics middlewareName=tracing middlewareType=TracingForwarder routerName=prometheus@internal
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=metrics middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware ping@internal" routerName=ping@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2022-06-19T15:24:27Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd middlewareName=tracing middlewareType=TracingForwarder
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Metrics middlewareName=metrics-entrypoint entryPointName=traefik
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=websecure middlewareName=metrics-entrypoint
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=traefik
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:27Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"kube-system-traefik-dashboard-d012b7f875133eeab4e5\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/dashboard`) || PathPrefix(`/api`)\"},\"namespace-web-8bb1e5490bca8946f993\":{\"entryPoints\":[\"web\",\"websecure\"],\"service\":\"namespace-web-8bb1e5490bca8946f993\",\"rule\":\"Host(`kunde.tld`)\",\"tls\":{}}},\"services\":{\"namespace-web-8bb1e5490bca8946f993\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.42.0.24:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="No default certificate, generating one" tlsStoreName=default
time="2022-06-19T15:24:33Z" level=debug msg="No store is defined to add the certificate MIIEAzCCAeugAwIBAgIRALg3gj9eX+tEpnR5s2uZxr4wDQYJKo, it will be added to the default store."
time="2022-06-19T15:24:33Z" level=debug msg="Adding certificate for domain(s) kunde.tld"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware ping@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=ping@internal middlewareName=tracing
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=kube-system-traefik-dashboard-d012b7f875133eeab4e5@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware prometheus@internal" routerName=prometheus@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Metrics middlewareName=metrics-entrypoint
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=metrics middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=pipelining middlewareType=Pipelining
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareType=Metrics entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=metrics-service
time="2022-06-19T15:24:33Z" level=debug msg="Creating load-balancer" routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Creating server 0 http://10.42.0.24:80" entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 serverName=0
time="2022-06-19T15:24:33Z" level=debug msg="child http://10.42.0.24:80 now UP"
time="2022-06-19T15:24:33Z" level=debug msg="Propagating new UP status"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware namespace-web-8bb1e5490bca8946f993" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=namespace-web-8bb1e5490bca8946f993@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" serviceName=namespace-web-8bb1e5490bca8946f993 entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd middlewareName=pipelining middlewareType=Pipelining
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 middlewareName=metrics-service middlewareType=Metrics entryPointName=websecure
time="2022-06-19T15:24:33Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993
time="2022-06-19T15:24:33Z" level=debug msg="Creating server 0 http://10.42.0.24:80" entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd serviceName=namespace-web-8bb1e5490bca8946f993 serverName=0
time="2022-06-19T15:24:33Z" level=debug msg="child http://10.42.0.24:80 now UP"
time="2022-06-19T15:24:33Z" level=debug msg="Propagating new UP status"
time="2022-06-19T15:24:33Z" level=debug msg="Added outgoing tracing middleware namespace-web-8bb1e5490bca8946f993" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=websecure-namespace-web-8bb1e5490bca8946f993@kubernetescrd
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery entryPointName=websecure middlewareType=Recovery
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=traefik
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=metrics-entrypoint middlewareType=Metrics
time="2022-06-19T15:24:33Z" level=debug msg="Creating middleware" middlewareName=metrics-entrypoint middlewareType=Metrics entryPointName=metrics
time="2022-06-19T15:24:33Z" level=debug msg="Adding route for kunde.tld with TLS options default" entryPointName=web
time="2022-06-19T15:24:33Z" level=debug msg="Adding route for kunde.tld with TLS options default" entryPointName=websecure
time="2022-06-19T15:24:35Z" level=debug msg="http: TLS handshake error from 10.42.0.1:23150: remote error: tls: unknown certificate"
time="2022-06-19T15:24:35Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2022-06-19T15:24:35Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetes
time="2022-06-19T15:24:37Z" level=debug msg="http: TLS handshake error from 10.42.0.1:56995: remote error: tls: unknown certificate"

Hello @sl1288,

I somewhat overlooked the use case you wanted to achieve here.
It seems that you want to configure a CA cert for Traefik as a server; to do so, you need to leverage the TLSOption resource.
It will allow you to configure the CA for client authentication.

I want Traefik to send the whole certificate chain to the browser: tls.crt + ca.crt.
Or do I need to concat all certificates to the tls.crt file in the secret?

Traefik will not concatenate the cert with the ca to serve a chain, it will only serve the cert.
So depending on your use case, you should probably concatenate the chain yourself and provide it in the Kubernetes Secret under the key tls.crt.
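
An added example (not code from Traefik, cert-manager or the thread participants) of why the content of tls.crt matters: it generalizes the thread's two-certificate case to a constructed root, intermediate and leaf for kunde.tld, and validates three served bundles with Go's crypto/x509 the way a TLS client would. The helper names issue, parseBundle, verifyAsClient and scenarios are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a constructed test certificate; parent == nil means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// parseBundle returns every CERTIFICATE block of a PEM bundle, in order.
func parseBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE block in bundle")
	}
	return certs, nil
}

// verifyAsClient: first served cert is the leaf, the rest only help path building; trust comes from `trusted`.
func verifyAsClient(served []byte, host string, trusted ...*x509.Certificate) error {
	chain, err := parseBundle(served)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range trusted {
		opts.Roots.AddCert(c)
	}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err = chain[0].Verify(opts)
	return err
}

// scenarios runs three handshakes on a constructed root -> intermediate -> leaf PKI.
func scenarios() (leafOnly, withIntermediate, rootSentUntrusted error) {
	root, rootKey, rootPEM := issue("CA", true, nil, nil)
	inter, interKey, interPEM := issue("Intermediate CA", true, root, rootKey)
	_, _, leafPEM := issue("kunde.tld", false, inter, interKey)
	chain := append(append([]byte{}, leafPEM...), interPEM...) // concatenated tls.crt
	return verifyAsClient(leafPEM, "kunde.tld", root), // intermediate missing
		verifyAsClient(chain, "kunde.tld", root), // path completes
		verifyAsClient(append(chain, rootPEM...), "kunde.tld") // root sent, not trusted
}

func main() {
	fmt.Println(scenarios())
}
```

Only the concatenated leaf plus intermediate bundle verifies; sending the root as well does not help a client that lacks it in its trust store.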