CN=TRAEFIK DEFAULT CERT despite certificates correctly generating

Traefik Traefik v2
, ,
1

I've been trying to figure this out for the last 10 days, but I can't fix this for some reason.
Traefik correctly generates certificates through let's encrypt but never applies them to the router.
I get an output .json file with all the correct certificates inside and I get no errors at all in the logs.

Docker Run:

docker run --user 0 --name traefik --restart=unless-stopped -e CF_API_EMAIL=myemail -e CF_API_KEY=key -d -p 8080:8080 -p 80:80 -p 443:443 \
-v /mnt/POOL2/Data/Traefik/Data/:/etc/traefik/ \
traefik:latest

traefik.yaml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  web:
    address: :80

  websecure:
    address: :443
    http:
      tls:
        certResolver: maincert

api:
  insecure: true
  dashboard: true


ping:

  entryPoint: traefik


providers:
  file:
    directory: "/etc/traefik/config"
    watch: true

log:
  filePath: "/etc/traefik/log.log"
  format: log
  level: DEBUG

certificatesResolvers:
  maincert:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory #temporary measure to not trigger rate-limiting
      email: "myemail@myemail.com"
      storage: "/etc/traefik/TLS/maincert.json"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 120
        resolvers:
        - "1.1.1.1:53"
        - "1.0.0.1:53"

experimental:
  plugins:
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.2.7"

Sample of my Public-Routers.yaml file under /etc/traefik/config/:

http:
  routers:
    Router0:
      entryPoints:
        - web
        - websecure
      middlewares:

      service: archlinuxmirror
      rule: Host(`dl.ptse.host`) && PathPrefix(`/archlinux`)
      tls:
        certResolver: maincert

    Router1:
      entryPoints:
        - web
        - websecure
      middlewares:

      service: dlpage
      rule: Host(`dl.ptse.host`) && PathPrefix(`/file`)
      tls:
        certResolver: maincert

    Router2:
      entryPoints:
        - web
        - websecure
      middlewares:

      service: specs
      rule: Host(`specs.ptse.host`) && PathPrefix(`/`)
      tls:
        certResolver: maincert

Switching from my 1st Traefik instance (Kubernetes over TrueNAS SCALE, the one I'm trying to replace) to this one causes this

image
image972×823 64.6 KB

What can I do ?

2

You enable TLS in routers listening to web/http and websecure/https. That’s rather unusual.

Check and compare to simple Traefik example.

Traefik static config in traefik.yml or command and dynamic config in file or labels is mostly interchangeable.

3

I enabled web/http for testing purposes, but I did try leaving only websecure/https. The reason for this is because leaving websecure only enabled HSTS so I couldn't test if the routing to the service was correct. Enabling web/http disabled HSTS and I was able to confirm that the routing was correct, I just forgot to disable it after the fact.

Using websecure/https only gives me the same result.

Also the example you sent me is harder for me to correctly understand because it is a docker-compose example and I do not understand docker-compose well, hence why I use docker run and .yaml files.

4

Enable Traefik debug log (doc) and check after restart if router with domain is recognized and what happens with the cert.

5

My loglevel is set to debug. I just uploaded my logfile to my download server:
https://dl.ptse.host/file/log.log

6

You redacted whole lines because it included email? How about just replacing the email?

Update config like that:

http:
  routers:
    Router0:
      entryPoints:
        - websecure
      service: archlinuxmirror
      rule: Host(`dl.ptse.host`) && PathPrefix(`/archlinux`)

In routers don’t use entrypoint web, remove TLS as that is declared already in entrypoint.

Declare TLS globally on web entrypoint:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
7

Thanks, I'll try this right now

8

I have switched back to the non-staging env of let's encrypt and reset the certificates. One line caught my attention:

time="2024-01-29T07:05:13Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default

I'm still getting CN=TRAEFIK DEFAULT CERT despite seeing certificates being correctly generated inside maincert.json.

9

I tried specifying a default certificate using the following config:

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: maincert
        domain:
          main: "ptse.host"

and I get this:

time="2024-01-29T07:25:50Z" level=error msg="Error while creating certificate store: unable to find certificate for domains \"ptse.host\": falling back to the internal generated certificate" tlsStoreName=default
10

Share your updated Traefik static and dynamic config,

Don't leave out whole lines in the log. Replace domain, email and auth only.

11

Alright, give me a moment to prepare this.

12

Static:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443
    http:
      tls:
        certResolver: maincert

api:
  insecure: true
  dashboard: true


ping:

  entryPoint: traefik


providers:
  file:
    directory: "/etc/traefik/config"
    watch: true

log:
  filePath: "/etc/traefik/log.log"
  format: log
  level: DEBUG

certificatesResolvers:
  maincert:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: "EMAIL"
      storage: "/etc/traefik/TLS/maincert.json"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 120
        resolvers:
        - "1.1.1.1:53"
        - "1.0.0.1:53"


experimental:
  plugins:
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.2.7"

Dynamic (Public-Routers.yaml sample):

#public routers
http:
  routers:
    Router0:
      entryPoints:
        - websecure
      middlewares:

      service: archlinuxmirror
      rule: Host("dl.ptse.host") && PathPrefix("/archlinux")

    Router1:
      entryPoints:
        - websecure
      middlewares:

      service: dlpage
      rule: Host("dl.ptse.host") && PathPrefix("/file")

    Router2:
      entryPoints:
        - websecure
      middlewares:

      service: specs
      rule: Host("specs.ptse.host") && PathPrefix("/")

    Router3:
      entryPoints:
        - websecure
      middlewares:

      service: staging
      rule: Host("staging.ptse.host") && PathPrefix("/")

TLS.yaml (dynamic):

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: maincert
        domain:
          main: "ptse.host"

Full log: https://dl.ptse.host/file/temp/log-log.log

13

If you use Traefik LetsEncrypt, then you don’t need tls.yml.

14

I'll remove this file then

15

You need to use backticks:

Host(`dl.ptse.host`) && PathPrefix(`/`)
16

According to the documentation, both can be used. Traefik still detects this line in the config. I don't think that is relevant to the main issue.

17

I forgot what the issue was :joy: The download from https://dl.ptse.host/ works in the browser without a problem, so it must have a valid TLS cert.

18

It works because I'm running it on my old TrueNAS server which uses Kubernetes. The goal is to make Traefik work on my new server which uses Docker run + .yaml config so I can get rid of the old server as I'm converting my TrueNAS servers to Archlinux.

Basically all the Traffic is going through server #1, which works.
But I'm trying to upgrade Server #1 from TrueNAS to Arch, which will require me to reconfig.

So I took Server #2, which is already running arch, to test a new config for Traefik. This is the instance that does not apply certificates. If I disable the 80 / 443 port foward on server 1 and enable server 2's I get CN=TRAEFIK DEFAULT CERT along with a HSTS error.

19

Not sure why you provided one hour of logs :smile:

In general it seems to work, you got a cert:

msg="Adding certificate for domain(s) dl.ptse.host"

No ACME certificate generation required for domains [\"dl.ptse.host\"]."
[because you already have one]

There is only one domain you have been trying too hard:

domains \"archive.ptse.host\": unable to generate a certificate for the domains [archive.ptse.host]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: archive.ptse.host, retry after 2024-01-29T11:36:13Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/"

With your Live system in between and you switching back and forth, there are too many things that can break.

I would start new with a fresh minimal Traefik setup and a simple whoami service, run it externally on ports 8080 and 8443, with dnsChallenge you don’t need ports 80+443.

Sorry, I can only provide a minimal setup in compose command and with labels (link). But you could try to run this with your dnsChallenge.

20

I don't see how it can break, it's simply redirecting to another server instead of the first one (basically you disable the port foward on the first to enable the second) so the second server redirects the traffic to the exact same services.

run it externally on ports 8080 and 8443

Did you meant 8080 and 443 ?