I have an IngressRoute that is referencing a cert that I have updated as the previous one had expired. I've restarted Traefik multiple times and it will serve the correct one for a bit, but it still randomly reverts back to serving the old expired cert, and sometimes restarting serves the new one again. This is a manually provided cert, not Let's Encrypt.
I see the following line once in the logs, but it never repeats, so I'm not sure if it's just a temporary error while the pod loads or not.
time="2023-10-03T19:13:21Z" level=error msg="Error configuring TLS: secret application/wildcard-tls does not exist" namespace=application providerName=kubernetescrd ingress=applicant
This secret DOES exist however! The Traefik Service/ClusterRole/ClusterRoleBinding all also appear to be correct as far as I can see.
Can anyone offer any advice? This is still an issue for us.
Hi @bnason, thanks for your interest in Traefik!
Could you please share your configuration?
Thanks in advance!
If you are running k8s, I would expect a lot more configs.
- kind: Rule
- name: project
- name: http
- name: project
> kubectl --namespace project describe service project
IP Families: <none>
Port: http 80/TCP
Session Affinity: None
> kubectl --namespace project get secret wildcard-tls -o json | jq -r '.data["tls.crt"]' | base64 --decode | openssl x509 -enddate -noout
notAfter=Feb 24 20:37:49 2024 GMT
Anything else I need to provide?
Your log says
And the other files use
Did you see How Traefik is Storing and Serving TLS Certificates?
Did you confirm that you have only the latest cert in your K8s secrets and that you do not reference the old cert somewhere?
Sorry, that was an error in obfuscating the texts at different times, both namespaces are the same.
Does this mean that Traefik can potentially use a cert OTHER than the one directly referenced in the
The cert referenced in my IngressRoute is definitely the latest one. I believe I've updated the cert everywhere else in my cluster, but it's a bit disconcerting if it's using a cert other than the one I explicitly told it to.
For each incoming connection, Traefik is serving the "best" matching TLS certificate for the provided server name.
If Traefik still finds the old cert, it will prefer the old cert over the new one.
The best way to make sure that Traefik is using the new cert is to remove the old cert completely from the cluster.
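The answer above says that Traefik picks the best-matching certificate for the requested server name from everything it has loaded, so a leftover copy of the old certificate anywhere in the cluster can win over the one the IngressRoute names. The script below is an added example (not from the thread or the Traefik project) that does the two checks this implies: inventory every kubernetes.io/tls secret in every namespace with its SHA-256 fingerprint and expiry, so stale copies of the same wildcard cert stand out, and compare the fingerprint stored in a given secret with the leaf certificate the ingress actually presents for a server name. It assumes kubectl with cluster-wide read access to secrets, jq and openssl on the path; the namespace, secret and host names in the usage note are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the original thread. Assumes kubectl, jq and openssl.
set -euo pipefail

# Summarise the first PEM certificate on stdin as one tab-separated line:
# SHA-256 fingerprint, then the notAfter date as openssl prints it.
cert_summary() {
  local pem fp end
  pem=$(cat)
  fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
  printf '%s\t%s\n' "$fp" "$end"
}

# Exit 0 if the certificate on stdin stays valid for at least N more seconds
# (default 0, i.e. "not expired right now"); exit 1 otherwise.
cert_is_valid() {
  openssl x509 -noout -checkend "${1:-0}" >/dev/null
}

# One line per TLS secret in the cluster: namespace/name, fingerprint, expiry.
# Sorting the output on the fingerprint column groups duplicate copies of the
# same certificate; an older notAfter under the same subject is a stale copy.
list_tls_secrets() {
  kubectl get secrets --all-namespaces --field-selector type=kubernetes.io/tls -o json \
    | jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name)\t\(.data["tls.crt"])"' \
    | while IFS=$'\t' read -r name crt; do
        printf '%s\t%s\n' "$name" "$(printf '%s' "$crt" | base64 -d | cert_summary)"
      done
}

# SHA-256 fingerprint of the leaf certificate the endpoint presents for an SNI
# name. The host is where the Traefik entrypoint is reachable; the SNI is the
# name the IngressRoute route matches.
served_fingerprint() {
  local host=$1 sni=${2:-$1} port=${3:-443}
  openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the certificate stored in ns/secret with the one served for an SNI name.
# Returns 1 on mismatch, which is exactly the symptom described in the thread.
verify_secret_is_served() {
  local ns=$1 secret=$2 host=$3 sni=$4 want got
  want=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
           | base64 -d | cert_summary | cut -f1)
  got=$(served_fingerprint "$host" "$sni")
  if [ "$want" = "$got" ]; then
    echo "OK: $sni is served from $ns/$secret ($got)"
  else
    echo "MISMATCH: $sni served $got but $ns/$secret holds $want" >&2
    return 1
  fi
}
```

Typical use, with hypothetical names: `list_tls_secrets | sort -t $'\t' -k2` to spot every secret that still holds the expired certificate, then `verify_secret_is_served project wildcard-tls traefik.example.internal app.example.internal` after each Traefik restart to catch the moment it flips back to the old one. Any secret whose fingerprint matches the expired certificate has to be deleted or replaced, not just left unreferenced, before the IngressRoute's cert will be served consistently.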