Help: Traefik on DigitalOcean Kubernetes cluster using Helm

emiljj · August 21, 2019, 9:18am

Hi everybody,
thank you for looking at this, since I have been fighting with this setup for several days now, and could really use a breakthrough

I am having difficulty with setting up Traefik as the Ingress on my DigitalOcean managed Kubernetes cluster using Helm and the official traefik chart to install. When deployed the services are available at the domain, BUT the certificate is read as self-signed and therefore invalid. Several restarts of the traefik pod does not seem to have any effect.

I started out with the seemingly simple tutorial here but want to use Let's Encrypt for SSL certificates.

Thereby it looks like the moving-parts for me is the custom values.yaml override file and the helm command to install/update traefik. Here is what I currently have:

accessLogs:
  enabled: true
dashboard:
  enabled: true
  domain: traefik.mydomain.com
debug:
  enabled: true

rbac:
  enabled: true
ssl:
  enabled: true        # Enables SSL
  enforced: true       # Redirects HTTP to HTTPS
acme:
  enabled: true             # Enables Let's Encrypt certificates
  onHostRule: true
  logging: true
  acmelogging: true
  staging: true             # Use Lets Encrypt staging area for this example. For production purposes set this to false
  email: me@mydomain.com # Email address that Let's Encrypt uses to notify about certificate expiry etc.

##  challengeType: http-01
##  entryPoint: https
##  httpChallenge:
##    entryPoint: http
  challengeType: "dns-01"   
  dnsProvider:              
    name:  digitalocean     # This is why you need your domain to be under Digital Ocean control
    digitalocean:
      DO_AUTH_TOKEN: "my DO API key"
  domains:
    enabled: true
    domainsList:
      - main: "api.dev.mydomain.com" # Name of the domain that belongs to this certificate
      - sans:
          - "login.dev.mydomain.com"
          - "words.dev.mydomain.com"

And I am installing the chart with the following command:

helm upgrade traefik -f ..\..\traefik\values.yaml stable/traefik --set acme.dnsProvider.digitalocean.DO_AUTH_TOKEN="my-DO-API-key-again-to-later-avoid-having-in-file" --tls --tls-ca-cert ..\//\
helm-tiller\cluster\ca.cert.pem --tls-cert ..\..\helm-tiller\cluster\helm.cert.pem --tls-key ..\..\helm-tiller\cluster\helm.key.pem --namespace kube-system --install --recreate-pods

Additionally the traefik ServiceAccount has clusteradmin privileges so it can act in all namespaces.

This is the output of the kubectl -n kube-system logs traefik-xxxxx-xxx (own domain replaced to mydomain):

{"level":"info","msg":"Using TOML configuration file /config/traefik.toml","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback.","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Traefik version v1.7.12 built on 2019-05-29_07:35:02PM","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":{\"format\":\"common\",\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"keep\"}}},\"TraefikLogsFile\":\"\",\"TraefikLog\":{\"format\":\"json\"},\"Tracing\":null,\"LogLevel\":\"\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":[{\"CertFile\":\"/ssl/tls.crt\",\"KeyFile\":\"/ssl/tls.key\"}],\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false},\"DefaultCertificate\":{\"CertFile\":\"/ssl/tls.crt\",\"KeyFile\":\"/ssl/tls.key\"},\"SniStrict\":false},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"traefik\":{\"Address\":\":8080\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":{\"Email\":\"me@mydomain.com\",\"Domains\":[{\"Main\":\"api.dev.mydomain.com\",\"SANs\":[\"login.dev.mydomain.com\",\"words.dev.mydomain.com\"]}],\"Storage\":\"/acme/acme.json\",\"StorageFile\":\"\",\"OnDemand\":false,\"OnHostRule\":true,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"DNSChallenge\":{\"Provider\":\"digitalocean\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"DNSProvider\":\"\",\"DelayDontCheckDNS\":0,\"ACMELogging\":true,\"OverrideCertificates\":false,\"TLSConfig\":null},\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"KeepTrailingSlash\":false,\"Web\":null,\"Docker\":null,\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null},\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":{\"EntryPoint\":\"traefik\",\"Dashboard\":true,\"Debug\":true,\"CurrentConfigurations\":null,\"Statistics\":null},\"Metrics\":null,\"Ping\":{\"EntryPoint\":\"http\"},\"HostResolver\":null}","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Setting Acme Certificate store from Entrypoint: https","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) *.example.com","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Preparing server traefik \u0026{Address::8080 TLS:\u003cnil\u003e Redirect:\u003cnil\u003e Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:false ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc0005b2a80} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Preparing server http \u0026{Address::80 TLS:\u003cnil\u003e Redirect:\u003cnil\u003e Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:true ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc0005b2a20} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Preparing server https \u0026{Address::443 TLS:0xc0003beab0 Redirect:\u003cnil\u003e Auth:\u003cnil\u003e WhitelistSourceRange:[] WhiteList:\u003cnil\u003e Compress:true ProxyProtocol:\u003cnil\u003e ForwardedHeaders:0xc0005b2a40} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) *.example.com","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting provider configuration.ProviderAggregator {}","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting server on :8080","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting server on :80","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting server on :443","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Starting provider *acme.Provider {\"Email\":\"me@mydomain.com\",\"ACMELogging\":true,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/acme/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"digitalocean\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":[{\"Main\":\"api.dev.mydomain.com\",\"SANs\":[\"login.dev.mydomain.com\",\"words.dev.mydomain.com\"]}],\"Store\":{}}","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Testing certificate renew...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Using Ingress label selector: \"\"","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"ingress label selector is: \"\"","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Creating in-cluster Provider client","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"api.dev.mydomain.com\" \"login.dev.mydomain.com\" \"words.dev.mydomain.com\"]...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"api.dev.mydomain.com\" \"login.dev.mydomain.com\" \"words.dev.mydomain.com\"].","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Configuration received from provider ACME: {}","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) *.example.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) api.dev.mydomain.com,login.dev.mydomain.com,words.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :80","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :443","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :8080","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1beta1.Ingress","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Configuration received from provider kubernetes: {\"backends\":{\"api.dev.mydomain.com/api/v1/words\":{\"servers\":{\"mydomain-words-774769777b-n8bp8\":{\"url\":\"http://10.244.1.146:5002\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"login.dev.mydomain.com/\":{\"servers\":{\"mydomain-login-c67948c64-fklwb\":{\"url\":\"http://10.244.1.41:5000\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"traefik.mydomain.com\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"words.dev.mydomain.com/\":{\"servers\":{\"mydomain-words-774769777b-n8bp8\":{\"url\":\"http://10.244.1.146:5002\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"api.dev.mydomain.com/api/v1/words\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"api.dev.mydomain.com/api/v1/words\",\"routes\":{\"/api/v1/words\":{\"rule\":\"PathPrefix:/api/v1/words;ReplacePathRegex: ^/api/v1/words(.*) $1\"},\"api.dev.mydomain.com\":{\"rule\":\"Host:api.dev.mydomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"login.dev.mydomain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"login.dev.mydomain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"login.dev.mydomain.com\":{\"rule\":\"Host:login.dev.mydomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"traefik.mydomain.com\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"traefik.mydomain.com\",\"routes\":{\"traefik.mydomain.com\":{\"rule\":\"Host:traefik.mydomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null},\"words.dev.mydomain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"words.dev.mydomain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"words.dev.mydomain.com\":{\"rule\":\"Host:words.dev.mydomain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) *.example.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend api.dev.mydomain.com/api/v1/words to entryPoint http","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend api.dev.mydomain.com/api/v1/words","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend api.dev.mydomain.com/api/v1/words","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-words-774769777b-n8bp8 at http://10.244.1.146:5002 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route /api/v1/words PathPrefix:/api/v1/words;ReplacePathRegex: ^/api/v1/words(.*) $1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route api.dev.mydomain.com Host:api.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend api.dev.mydomain.com/api/v1/words to entryPoint https","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend api.dev.mydomain.com/api/v1/words","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend api.dev.mydomain.com/api/v1/words","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-words-774769777b-n8bp8 at http://10.244.1.146:5002 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route api.dev.mydomain.com Host:api.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route /api/v1/words PathPrefix:/api/v1/words;ReplacePathRegex: ^/api/v1/words(.*) $1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend login.dev.mydomain.com/ to entryPoint http","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend login.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend login.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-login-c67948c64-fklwb at http://10.244.1.41:5000 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route / PathPrefix:/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route login.dev.mydomain.com Host:login.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend login.dev.mydomain.com/ to entryPoint https","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend login.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend login.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-login-c67948c64-fklwb at http://10.244.1.41:5000 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route / PathPrefix:/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route login.dev.mydomain.com Host:login.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend traefik.mydomain.com to entryPoint http","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route traefik.mydomain.com Host:traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend traefik.mydomain.com to entryPoint https","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route traefik.mydomain.com Host:traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend words.dev.mydomain.com/ to entryPoint http","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend words.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend words.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-words-774769777b-n8bp8 at http://10.244.1.146:5002 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route / PathPrefix:/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route words.dev.mydomain.com Host:words.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Wiring frontend words.dev.mydomain.com/ to entryPoint https","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating backend words.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding TLSClientHeaders middleware for frontend words.dev.mydomain.com/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating load-balancer wrr","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating server mydomain-words-774769777b-n8bp8 at http://10.244.1.146:5002 with weight 1","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route / PathPrefix:/","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Creating route words.dev.mydomain.com Host:words.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) traefik.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Adding certificate for domain(s) api.dev.mydomain.com,login.dev.mydomain.com,words.dev.mydomain.com","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :8080","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :80","time":"2019-08-21T09:07:23Z"}
{"level":"info","msg":"Server configuration reloaded on :443","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No domain parsed in rule \"PathPrefix:/\" in provider ACME","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Try to challenge certificate for domain [words.dev.mydomain.com] founded in Host rule","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No domain parsed in rule \"PathPrefix:/api/v1/words;ReplacePathRegex: ^/api/v1/words(.*) $1\" in provider ACME","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Try to challenge certificate for domain [api.dev.mydomain.com] founded in Host rule","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"words.dev.mydomain.com\"]...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No domain parsed in rule \"PathPrefix:/\" in provider ACME","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Try to challenge certificate for domain [login.dev.mydomain.com] founded in Host rule","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"words.dev.mydomain.com\"].","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Try to challenge certificate for domain [traefik.mydomain.com] founded in Host rule","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"traefik.mydomain.com\"]...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"traefik.mydomain.com\"].","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"api.dev.mydomain.com\"]...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"api.dev.mydomain.com\"].","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Looking for provided certificate(s) to validate [\"login.dev.mydomain.com\"]...","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"No ACME certificate generation required for domains [\"login.dev.mydomain.com\"].","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Secret","time":"2019-08-21T09:07:23Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Endpoints","time":"2019-08-21T09:07:24Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Endpoints","time":"2019-08-21T09:07:24Z"}

A couple of Ingress objects have been created, here is one which is reachable (but shows invalid certificate):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: login-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: login.dev.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: login-svc
          servicePort: http

Thank you very much for your time and any insights or help you can provide. Also please request further information if needed.

emiljj · August 23, 2019, 7:12am

SOLVED: After many days of tinkering i finally found the issue which was causing none of the challenge types. I am using DigitalOcean as my DNS (as shown in the values.yaml), but had a Droplet there with a name similar to my domain. Apparently DigitalOcean automatically creates PTR records for droplet names which match a domain controlled by their DNS. When I had renamed this droplet to something different a clean installation of Traefik worked.

Topic		Replies	Views
How to setup HTTPS using helm? Traefik v1 kubernetes-helm	1	737	November 13, 2022
HTTP works, but HTTPs does not Traefik v1 kubernetes-helm , letsencrypt-acme	5	913	May 27, 2020
Traefik SSL Let's Encrypty in Kubernetes Ingress Traefik v1 kubernetes-helm , kubernetes-ingress , letsencrypt-acme	2	1283	September 25, 2019
Can't get Traefik v2 to generate HTTPS Certificate with Let's Encrypt http-challenge Traefik v2 kubernetes-ingress , letsencrypt-acme	4	4570	February 17, 2020
TLS with traefik and Kubernetes Traefik v2 kubernetes-crd	0	781	January 3, 2024

Help: Traefik on DigitalOcean Kubernetes cluster using Helm

Related topics