I have the following configuration:
traefik.toml
## static configuration
[global]
checkNewVersion = true
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[providers]
[providers.kubernetesCRD]
[providers.file]
directory = "/etc/traefik/providers/"
watch = true
[providers.kubernetesIngress]
ingressClass = "traefik-cert-manager"
[log]
level = "INFO"
[accessLog]
[api]
insecure = true
dashboard = true
debug = true
[metrics]
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
addEntryPointsLabels = true
addServicesLabels = true
entryPoint = "web"
[ping]
[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = "admin@domain.com"
caServer = "https://acme-v02.api.letsencrypt.org/directory"
storage = "/etc/traefik/storage/acme.json"
[certificatesResolvers.default.acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = 0
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
Providing a default certificate for *.domain.com:
dynamic.toml
## dynamic configuration
[[tls.certificates]]
certFile = "/certs/tls.crt"
keyFile = "/certs/tls.key"
stores = ["default"]
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/certs/tls.crt"
keyFile = "/certs/tls.key"
cert-manager is deployed to get subdomain wildcard certificates like *.dev.domain.com, *.qa.domain.com, etc. and store them in secrets dev-cert, qa-cert, which are configured in the IngressRoute.
IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-external-secure
  namespace: qa
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`qa.domain.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: qa-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured-restricted
  namespace: qa
spec:
  chain:
    middlewares:
      - name: permited-ips
      - name: https-redirect
When I open https://qa.domain.com in a browser I get the *.domain.com certificate, not the subdomain wildcard cert *.qa.domain.com which is present in the secret qa-cert.
What is wrong here?
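An added check (not part of the post above, and not Traefik's own code) for which certificate a TLS terminator should pick for a given SNI host. Under the RFC 6125 wildcard rule a name like `*.qa.domain.com` covers exactly one extra label, so it matches `app.qa.domain.com` but not `qa.domain.com`; the certificate store, cert names and SAN lists below are constructed to mirror the post's setup.

```python
"""Check whether a certificate's names cover a requested TLS host.

Implements the wildcard rule from RFC 6125 section 6.4.3: a leading "*."
matches exactly one DNS label, so "*.qa.domain.com" covers
"app.qa.domain.com" but neither "qa.domain.com" nor "a.b.qa.domain.com".
"""


def name_matches(pattern: str, host: str) -> bool:
    """Return True if a single certificate name (SAN) covers host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # Wildcard: host must end with the suffix and have exactly one
    # additional leading label (no dots in it).
    suffix = pattern[1:]  # e.g. ".qa.domain.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(sans: list[str], host: str) -> bool:
    """True if any SAN on the certificate covers host."""
    return any(name_matches(san, host) for san in sans)


def select_cert(store: dict[str, list[str]], default: str, host: str) -> str:
    """Pick the first cert whose SANs cover the SNI host, else the default.

    Mirrors how a TLS terminator chooses a certificate by SNI; store entries
    are constructed examples (cert name -> SAN list), not real certificates.
    """
    for name, sans in store.items():
        if cert_covers(sans, host):
            return name
    return default


# Constructed store mirroring the post: per-environment wildcard certs
# issued by cert-manager plus the *.domain.com default certificate.
STORE = {
    "qa-cert": ["*.qa.domain.com"],
    "dev-cert": ["*.dev.domain.com"],
    "default": ["*.domain.com"],
}

if __name__ == "__main__":
    for host in ("qa.domain.com", "app.qa.domain.com", "a.b.qa.domain.com"):
        print(host, "->", select_cert(STORE, "default", host))
```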