Certificate resolver

Hello

I am using Traefik as a Kubernetes ingress controller. The static configuration is given through command line arguments.

I want to properly use the cert resolver. As a first step I use the acme staging server.

Here is the static configuration given:

```yaml
- "--certificatesresolvers.myresolver.acme.email={{ my_email }}"
- "--certificatesresolvers.myresolver.acme.storage=acme.json"
- "--certificatesresolvers.myresolver.acme.tlschallenge"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
```

Then I referenced this resolver in the configuration of my IngressRoute like this:

```yaml
tls:
  certResolver: myresolver
  domains:
    - main: "{{ my_domain }}"
```

With this, when I visit https://{{ my_domain }} I expect to have the connection secured using a certificate generated for {{ my_domain }}, untrusted because it comes from the Let's Encrypt staging server.

Though when I display the certificate being used I can see Traefik's default cert.

What am I doing wrong?

Thanks

What does your router rule look like?
Is the certResolver defined on the entrypoint or on the router?

https://doc.traefik.io/traefik/routing/entrypoints/#tls
https://doc.traefik.io/traefik/https/acme/#configuration-examples

Thank you for your quick answer.

It is defined at the router level:

```yaml
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-ui
spec:
  routes:
    - kind: Rule
      match: Host(`{{ my_domain }}`)
      priority: 1000
      services:
        - name: traefik-ui
          port: 80
  tls:
    certResolver: myresolver
    domains:
      - main: "{{ my_domain }}"
```

First I'd recommend checking with the tool https://letsdebug.net/ using TLS-ALPN-01 to make sure there are no issues connecting to the container from Let's Encrypt.

Add `--log.level=DEBUG` to Traefik and see if anything interesting turns up.

From my (very) limited knowledge of k8s, the configuration looks okay from the snippets you've provided.

I saw the following error message with debug mode:

```
http: TLS handshake error from 10.233.70.0:50727: remote error: tls: bad certificate
```

After digging further I understood the problem was the ability to use the acme.json file with 600 permissions.
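Added example, not from this thread or from the Traefik project: a small Python check for the two conditions the thread turned on. It refuses an `acme.json` that is readable by group or others (Traefik rejects such a storage file, which is why the default certificate kept being served), and then verifies that the named resolver already holds a certificate for the domain. The file layout mirrors Traefik v2's `acme.json` (resolver name as top-level key, `Account` and `Certificates` underneath); the resolver name, domain, e-mail and PEM contents in the sample are constructed placeholders.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed stand-in for the base64-encoded PEM Traefik keeps in acme.json.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"


def sample_acme_json(resolver="myresolver", domain="example.test"):
    """Minimal structure shaped like Traefik v2's acme.json (constructed values)."""
    return {
        resolver: {
            "Account": {"Email": "admin@example.test", "Registration": {"uri": "placeholder"}},
            "Certificates": [{
                "domain": {"main": domain},
                "certificate": base64.b64encode(FAKE_PEM.encode()).decode(),
                "key": base64.b64encode(b"placeholder key").decode(),
                "Store": "default",
            }],
        }
    }


def write_sample(mode, **kwargs):
    """Write the sample storage to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix="-acme.json")
    with os.fdopen(fd, "w") as f:
        json.dump(sample_acme_json(**kwargs), f)
    os.chmod(path, mode)
    return path


def check_acme_storage(path, resolver, domain):
    """Return (ok, findings) for a Traefik acme.json storage file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set: Traefik refuses the file, use 600
        findings.append(f"{path}: mode {mode:o} is too open, Traefik needs 600")
        return False, findings
    with open(path) as f:
        data = json.load(f)
    entry = data.get(resolver)
    if not entry:
        findings.append(f"resolver {resolver!r} not present in storage")
        return False, findings
    for cert in entry.get("Certificates") or []:
        names = [cert["domain"].get("main")] + list(cert["domain"].get("sans") or [])
        if domain in names:
            pem = base64.b64decode(cert["certificate"]).decode()
            if "BEGIN CERTIFICATE" not in pem:
                findings.append(f"stored certificate for {domain!r} is not PEM")
                return False, findings
            return True, findings
    findings.append(f"no certificate for {domain!r} yet; Traefik serves its default cert")
    return False, findings
```

Run it against the real storage file with the resolver name from the static configuration and the `main` domain from the IngressRoute; a permission finding means Traefik never loaded the file at all.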
