Cert validation error when using Service Fabric configuration provider

mike · September 28, 2019, 4:11am

Originally, I used the following backends:

[backends]
  [backends.api]
    [backends.api.servers.endpoint]
    url = "https://Api:11443"

The DNS name Api resolves to several web servers, and those servers are signed with a self signed cert. Now, we're switching over to the Service Fabric provider. This provider automatically configures the backend pool:

So, now Traefik knows all the IP addresses of the VMs running that service and doesn't need DNS. The problem is, those servers use an SSL cert signed for "Api", not the IP address. We we make a request, we get the error:

DEBU[2019-09-27T20:22:07-07:00] '500 Internal Server Error' caused by: x509: cannot validate certificate for 10.111.12.8 because it doesn't contain any IP SANs

Is there any way around this, or can we disable the cert validation while still validating the root CA and using HTTPS? Here's my Traefik config:

debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":81"

[api]
entrypoint="dashboard"

[entryPoints.dashboard]
  address = ":8443"

[serviceFabric]

clusterManagementUrl = "https://localhost:19080"
apiVersion = "3.0"
refreshSeconds = 10

[serviceFabric.tls]
  cert = "C:/Users/rdpadmin/TraefikTest/sf.crt"
  key = "C:/Users/rdpadmin/TraefikTest/sf.key"
  insecureSkipVerify = true

[tls.options]
  [tls.options.default]
    [tls.options.default.clientAuth]
      clientAuthType = "RequireAnyClientCert"

mike · September 28, 2019, 4:19am

Ok I believe I figured this one out as well.

The insecureSkipVerify = true under the [serviceFabric.tls] is used to ignore cert validation when connecting to the local service fabric endpoint (since we're connecting to it using localhost, and not its signed host name). I need to add another insecureSkipVerify = true at the top of the file, which will indicate backend certs are not validated. The entire config file is now:

debug = true
logLevel = "DEBUG"
insecureSkipVerify = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":81"

[api]
entrypoint="dashboard"

[entryPoints.dashboard]
  address = ":8443"

[serviceFabric]

clusterManagementUrl = "https://localhost:19080"
apiVersion = "3.0"
refreshSeconds = 10

[serviceFabric.tls]
  cert = "C:/Users/rdpadmin/TraefikTest/sf.crt"
  key = "C:/Users/rdpadmin/TraefikTest/sf.key"
  insecureSkipVerify = true

[tls.options]
  [tls.options.default]
    [tls.options.default.clientAuth]
      clientAuthType = "RequireAnyClientCert"

If there's a better approach for this scenario, I'd love to hear it.

Topic		Replies	Views
Traefik internal backend certificates validation Traefik v2 kubernetes-crd	3	969	November 3, 2020
Trying to get Service Fabric configuration provider working Traefik v1 service-fabric	3	1661	May 21, 2020
Tls pass through in service Fabric Traefik v2 tcp	0	320	September 24, 2019
Running Traefik behind a reverse proxy: specify the DNS name presented by the self-signed TRAEFIK DEFAULT CERT Traefik v2 middleware	2	953	October 12, 2020
ServiceFabric, Healtchecks, SNI and IP SANs Traefik v1 service-fabric	0	443	October 5, 2020

Cert validation error when using Service Fabric configuration provider

Related topics