Pre-defined client certificate to backend request

Hello, I have one client for which I need to authenticate the connection with an already generated client certificate.

How can I insert it while I make requests to their backend?

The certificate is signed by their CA on the backend (their side).

But I was wondering how I can insert the .pfx file and use it to authenticate that connection to the client's backend?

Regards,

You can load mTLS and TLS certs in a dynamic config file (doc), which you load via providers.file in static config.

If I import from the tls.certificates part, will they be forwarded to the load balancer backend and act like a client certificate?

If you need to use custom TLS between Traefik and your target service, check this doc.

When using a TCP router, you can tell Traefik to forward the TLS-encrypted request with tls.passthrough. But then Traefik and the target service both need the certs to decrypt. If Traefik doesn’t have the cert, you can only use rule=HostSNI(`*`).

Thanks, here is what I'm trying, but I'm not getting any responses, just a 421 error.

[http.routers.test-1]
  rule = "Host(`domain.com`)"
  entryPoints = ["web2"]
  service = "test-1"

[http.services]
  [http.services.test-1]
    [http.services.test-1.loadBalancer]
      serversTransport = "test-1"
      [[http.services.test-1.loadBalancer.servers]]
        url = "https://thehostwhoisrequiringclientcertificate"

[http.serversTransports.test-1]
  insecureSkipVerify = true
  [[http.serversTransports.test-1.certificates]]
    certFile = "/etc/nginx/ssl/client-cert/domain.crt"
    keyFile = "/etc/nginx/ssl/client-cert/domain.rsa"
  [http.serversTransports.test-1.forwardingTimeouts]
    responseHeaderTimeout = "40s"
    dialTimeout = "40s"

[[tls.certificates]]
  certFile = "/opt/zero-downtime/config/ssls/cert.pem"
  keyFile = "/opt/zero-downtime/config/ssls/certkey.pem"

Here is the error that I'm getting:

Enable access log in JSON format to see where the error is coming from. OriginStatus is the code coming from the target service.

I have been adding this:

[tls.options]
  [tls.options.test-1]
    sniStrict = false

And

[http.services.test-1]
  [http.services.test-1.loadBalancer]
    passHostHeader = false

Then I added this:

[http.middlewares.test-1.headers.customrequestheaders]
    Host = "remotedomain that i'm connecting (client backend)"

But now I'm receiving a new error:

level=debug msg="'502 Bad Gateway' caused by: local error: tls: no renegotiation"

And after I disable insecureSkipVerify = true,

I'm getting:

500 Internal Server Error' caused by: tls: failed to verify certificate: x509: certificate signed by unknown authority

Thanks!
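The two practical gaps in the thread are how to get from the .pfx bundle to the separate cert/key files a serversTransport takes, and how to replace insecureSkipVerify with a pinned CA once "certificate signed by unknown authority" shows up. The following script is an added example written for this thread; it is not code from the thread or from Traefik. It relies only on the openssl CLI. The file names, the service name "test-1", the backend URL and the password "secret" are assumptions, and the .pfx it checks itself against is constructed in make_fixture_pfx.

```shell
#!/bin/sh
# Added example (not from the thread or from Traefik): turn a partner-issued .pfx
# into the PEM files a Traefik serversTransport expects, sanity-check them, and
# write a dynamic config that pins the partner CA instead of insecureSkipVerify.
# Assumptions: file names, the "test-1" name, the backend URL; the fixture is constructed.
set -eu

WORK="$(mktemp -d)"

# Constructed fixture: a throwaway CA plus a client cert it signs, bundled into
# client.pfx (password "secret") the way a partner would hand one over.
make_fixture_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/O=Example/CN=traefik-client" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.pem" -passout pass:secret -out "$WORK/client.pfx"
  echo "$WORK/client.pfx"
}

# pfx_to_pem <bundle.pfx> <password> <outdir>
# Splits the bundle into client-cert.pem (leaf only), client-key.pem (unencrypted
# PKCS#8, since Traefik cannot prompt for a passphrase) and ca.pem (issuer chain).
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/client-cert.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes  -out "$out/client-key.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.pem"
  chmod 600 "$out/client-key.pem"   # the key is a credential; not world-readable
}

# cert_key_match <cert.pem> <key.pem>: succeeds if the key belongs to the cert
# (same public key on both sides), which catches a mixed-up certFile/keyFile pair.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# chain_ok <ca.pem> <cert.pem>: succeeds if the CA extracted from the bundle really
# issued the client cert, i.e. the bundle is internally consistent.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_dynamic_config <outdir> <backend_url>
# Emits Traefik dynamic TOML: the client cert/key are presented to the backend
# (mTLS) and the partner CA is pinned via rootCAs, so the backend's certificate
# verifies without insecureSkipVerify.
write_dynamic_config() {
  out=$1; backend=$2
  cat >"$out/dynamic.toml" <<EOF
[http.services.test-1.loadBalancer]
  serversTransport = "test-1"
  [[http.services.test-1.loadBalancer.servers]]
    url = "$backend"

[http.serversTransports.test-1]
  rootCAs = ["$out/ca.pem"]
  [[http.serversTransports.test-1.certificates]]
    certFile = "$out/client-cert.pem"
    keyFile = "$out/client-key.pem"
EOF
  echo "$out/dynamic.toml"
}

# Stand-alone use: ./pfx-to-traefik.sh client.pfx 'password' ./out https://partner.example
if [ $# -ge 3 ]; then
  pfx_to_pem "$1" "$2" "$3"
  cert_key_match "$3/client-cert.pem" "$3/client-key.pem"
  chain_ok "$3/ca.pem" "$3/client-cert.pem"
  write_dynamic_config "$3" "${4:-https://backend.example}"
fi
```

rootCAs only helps when the backend's server certificate chains to the CA shipped in the bundle, which the wget output above suggests (the issuer shown is the partner's own root). The "local error: tls: no renegotiation" message is a different problem: it is generated by the Go TLS client that Traefik is built on, which refuses server-initiated renegotiation, so a backend that only asks for the client certificate through a TLS renegotiation after the initial handshake cannot be reached this way no matter how the certificates are configured.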

502 happens when the target IP can’t be reached, usually when using Docker and not both are on the same Docker network.

The target backend isn't hosted on the same network; it's on an external network, which is working fine with Postman (by inserting the client certificate).

Go into the Traefik container and try a wget to the target.

[root@serv1]# wget https://externalbackendtogetconnected/
--2023-12-15 08:17:23--  https://externalbackendtogetconnected/
Resolving externalbackendtogetconnected (externalbackendtogetconnected)... x.x.x.x
Connecting to externalbackendtogetconnected (externalbackendtogetconnected)|x.x.x.x|:443... connected.
ERROR: cannot verify externalbackendtogetconnected's certificate, issued by ‘/O=Company1/CN=Company1 - RSP2 Root CI1’:
  Self-signed certificate encountered.
To connect to externalbackendtogetconnected insecurely, use `--no-check-certificate'.
[root@serv1]# wget https://externalbackendtogetconnected/ --no-check-certificate
--2023-12-15 08:17:32--  https://externalbackendtogetconnected/
Resolving externalbackendtogetconnected (externalbackendtogetconnected)... x.x.x.x
Connecting to externalbackendtogetconnected (externalbackendtogetconnected)|x.x.x.x|:443... connected.
WARNING: cannot verify externalbackendtogetconnected's certificate, issued by ‘/O=Company1/CN=Company1 - RSP2 Root CI1’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 403 Forbidden
2023-12-15 08:17:33 ERROR 403: Forbidden.

There seem to be 3 options:

  1. Use Traefik insecureSkipVerify on the Traefik service definition to ignore the unknown cert
  2. Set a custom client cert on the Traefik service definition
  3. Use a TCP router and pass plain TCP traffic with tls.passthrough in the service

Thanks bluepuma,

Actually:

  1. I have tried this option and I'm getting:
     level=debug msg="'502 Bad Gateway' caused by: local error: tls: no renegotiation"
  2. I'm already forwarding the cert via the transports section.

Thanks, I will try that.

Tried the third option, however it cannot offer any connectivity because it's listening on the https port.