redirectScheme Middleware not redirecting

I have the following IngressRoute & Middleware definitions. http://qa.domain.com works in Chrome, Safari, MS Edge. But in Firefox I get 404 page not found. Again, https://qa.domain.com works in all browsers.

Middleware

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-external
  namespace: qa
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`qa.domain.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: qa-cert

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured-restricted
  namespace: qa
spec:
  chain:
    middlewares:
    - name: https-redirect
    - name: permited-ips

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: qa
spec:
  redirectScheme:
    scheme: https
    permanent: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: permited-ips
  namespace: qa
spec:
  ipWhiteList:
    sourceRange:
    - x.x.x.x/32 

---

In Python with the requests lib I get 404 page not found with http

import requests

# Python 3 syntax; the original used the Python 2 print statement
url = 'https://qa.domain.com/#/login'
values = {'username': 'xyz',
          'password': 'abc'}
r = requests.post(url, data=values)
print(r.content)

& with https I get

requests.exceptions.SSLError: HTTPSConnectionPool(host='qa.domain.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

I am using cert-manager to get letsencrypt certificates. Confirmed I have a valid certificate stored in secret qa-cert

Using traefik: 2.3.6

What am I missing here?

Hello rp346,

I understand that you are able to reach it via HTTP but you are facing the issue with HTTPS.

Please have a look at the documentation for IngressRoute and see the section secrets [10] that refers to Kubernetes secrets, especially TLS-Secrets.

Thank you,

Hi @jakubhajek

I have configured tls as per documentation

  tls:
    secretName: qa-cert

It's working in Chrome/Safari. But not working in Firefox & the Python requests lib.

hi @rp346

Can you please validate your SSL certificate using one of the existing online SSL checkers just to make sure that the given cert is correct?
I assume that something is wrong with the certificate and that's why it works correctly with selected browsers/tools.

Perhaps, the intermediate certificates are missing in the server certificate chain.

I have validated the cert stored in secret qa-cert using an online tool (Certificate Checker - Verify and Decode Intermediate Certificates | KeyCDN Tools) & it has the correct cert. I see two certificates in secret qa-cert (tls.crt)

  1. *.qa.domain.com
  2. Let's Encrypt
Let's Encrypt
{
    "name": "\/C=US\/O=Let's Encrypt\/CN=R3",
    "subject": {
        "C": "US",
        "O": "Let's Encrypt",
        "CN": "R3"
    },
    "hash": "8d33f237",
    "issuer": {
        "O": "Digital Signature Trust Co.",
        "CN": "DST Root CA X3"
    },
    "version": 2,
    "serialNumber": "***********",
    "serialNumberHex": "************",
    "validFrom": "201007192140Z",
    "validTo": "210929192140Z",
    "validFrom_time_t": 1602098500,
    "validTo_time_t": 1632943300,
    "signatureTypeSN": "RSA-SHA256",
    "signatureTypeLN": "sha256WithRSAEncryption",
    "signatureTypeNID": 668,
    "purposes": {
        "1": [
            true,
            true,
            "sslclient"
        ],
        "2": [
            true,
            true,
            "sslserver"
        ],
        "3": [
            false,
            true,
            "nssslserver"
        ],
        "4": [
            false,
            false,
            "smimesign"
        ],
        "5": [
            false,
            false,
            "smimeencrypt"
        ],
        "6": [
            true,
            true,
            "crlsign"
        ],
        "7": [
            true,
            true,
            "any"
        ],
        "8": [
            true,
            true,
            "ocsphelper"
        ],
        "9": [
            false,
            true,
            "timestampsign"
        ]
    },
    "extensions": {
        "basicConstraints": "CA:TRUE, pathlen:0",
        "keyUsage": "Digital Signature, Certificate Sign, CRL Sign",
        "authorityInfoAccess": "CA Issuers - URI:http:\/\/apps.identrust.com\/roots\/dstrootcax3.p7c\n",
        "authorityKeyIdentifier": "keyid:***********\n",
        "certificatePolicies": "Policy: 2.23.140.1.2.1\nPolicy: 1.3.6.1.4.1.44947.1.1.1\n  CPS: http:\/\/cps.root-x1.letsencrypt.org\n",
        "crlDistributionPoints": "\nFull Name:\n  URI:http:\/\/crl.identrust.com\/*****.crl\n",
        "subjectKeyIdentifier": "***********",
        "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication"
    }
}

I think if secret qa-cert had wrong cert it would have failed for Chrome, Safari, MS Edge, not just Firefox.
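The back-and-forth above about intermediate certificates (and the `unable to get local issuer certificate` error quoted from Python earlier in the thread) is easier to reason about with a self-contained reproduction. The following Go program is an added example, not code from the thread or from Traefik; it generates a throwaway root, intermediate and leaf for `qa.domain.com` in memory (constructed, not real Let's Encrypt certificates) and verifies the leaf the way a TLS client would under three conditions: full chain served and root trusted, intermediate missing from the served bundle (what a `tls.crt` holding only the leaf looks like to a client), and complete chain served but root absent from the client's trust store. The function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki holds a constructed three-tier chain: root -> intermediate -> leaf.
// Nothing here is a real certificate; everything is generated on each run.
type pki struct {
	root, inter, leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a CA or end-entity certificate template valid for one day.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues a certificate from tpl, signed by parent's key, and parses it back.
func sign(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildPKI() pki {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTpl := template(1, "Constructed Root CA", true)
	root := sign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed
	interTpl := template(2, "Constructed Intermediate", true)
	interTpl.MaxPathLen, interTpl.MaxPathLenZero = 0, true // "CA:TRUE, pathlen:0", as in the R3 dump above
	inter := sign(interTpl, root, &interKey.PublicKey, rootKey)
	leaf := sign(template(3, "qa.domain.com", false), inter, &leafKey.PublicKey, interKey)
	return pki{root: root, inter: inter, leaf: leaf}
}

// verifyServed does what a client does after the handshake: it takes the certificates
// the server sent (leaf first, then intermediates), trusts only roots, and looks for a
// chain from the leaf to a trusted root that is valid for host.
func verifyServed(served, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range served[1:] {
		interPool.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err
}

// CheckFullChain: server sends leaf + intermediate, client trusts the root -> nil.
func CheckFullChain() error {
	p := buildPKI()
	return verifyServed([]*x509.Certificate{p.leaf, p.inter}, []*x509.Certificate{p.root}, "qa.domain.com")
}

// CheckMissingIntermediate: only the leaf is served, so the client cannot reach the root -> error.
func CheckMissingIntermediate() error {
	p := buildPKI()
	return verifyServed([]*x509.Certificate{p.leaf}, []*x509.Certificate{p.root}, "qa.domain.com")
}

// CheckMissingRoot: the full chain is served but the client's trust store is empty -> error.
func CheckMissingRoot() error {
	p := buildPKI()
	return verifyServed([]*x509.Certificate{p.leaf, p.inter}, nil, "qa.domain.com")
}

func main() {
	fmt.Println("full chain, trusted root:     ", CheckFullChain())
	fmt.Println("leaf only, trusted root:      ", CheckMissingIntermediate())
	fmt.Println("full chain, root not trusted: ", CheckMissingRoot())
}
```

The last two cases both fail, which is why a client error such as the one `requests` reports does not by itself say whether the server's bundle or the client's CA store is incomplete: inspecting the served chain (for example with `openssl s_client -showcerts`) and the client's trust store separately is what tells the two apart.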

As you said it's working in the other browsers (and is also showing the correct/valid certificates there), I assume it has something to do with the browser maybe?

Maybe your https redirect is not working at all, but all the other browsers have something like "https everywhere" in place, that is automatically redirecting to https in case it exists?

Could you share the redirect and the entrypoint part of your configuration?

Makes sense, but how can I figure this out?

Here is my redirect and the entrypoint configuration.

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-external
  namespace: qa
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`qa.domain.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
      middlewares:
        - name: secured-restricted
          namespace: qa
  tls:
    secretName: qa-cert

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured-restricted
  namespace: qa
spec:
  chain:
    middlewares:
    - name: https-redirect
    - name: permited-ips

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: qa
spec:
  redirectScheme:
    scheme: https
    permanent: true

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: permited-ips
  namespace: qa
spec:
  ipWhiteList:
    sourceRange:
    - x.x.x.x/32 

After reading up on the topic of https everywhere features, I'm pretty sure it is not implemented in any browser. At least not in the way it would automatically detect if there is a https redirect possible. Extensions like "HTTPS Everywhere" build on YOU sending in rulesets for the redirects.

Your setup looks good imho. Only weird thing is, that you basically also attach the https redirect to the router on the websecure entrypoint. But I'd guess this would be ignored then. And if it wouldn't, why would Firefox be the only browser having issues?

Maybe something with caching in the browsers? Have you tried in a private window? Or deleting browser data?

Have you tried using plain old curl? Like curl -v http://qa.domain.com?

In general I do the https redirect on the entrypoint static configuration in the traefik configuration file. Maybe that is worth a try? Of course this only works in case you redirect all of your non-https traffic to https. But if you do you can find my static entrypoint config in this issue.

Another idea that came to my mind was maybe some proxy config, that you have setup in all other browser, but not in FF?

Sorry, I don't really know a solution there. Just throwing in some ideas.

@razr Thanks for the suggestion. After reading your comment I tried to search similar issue and found this which pointed me here

If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers: one with the tls section, one without.

I had completely missed this in my traefik setup. After splitting the IngressRoute into two, Firefox/curl was able to load the page with the https redirect.

app-external
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-external
  namespace: qa
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`qa.domain.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
      middlewares:
        - name: secured-restricted
app-external-secure
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-external-secure
  namespace: qa
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`qa.domain.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: qa-cert

But the Python requests lib still fails with the same error as mentioned in my main question.


Ah, interesting! Never really thought about that.

Remember, that you can now remove the redirect from your -secure ingress route, as it does not do anything anymore. Not sure if it hurts if it stays though.

Also your non-secure router now does not hit the application with any traffic anymore. To reflect this, there is the noop@internal service you could use here.

And in case you are exclusively using https connections you can also globally define the https redirect in your static configuration (see here EntryPoints - Traefik | Site | v2.4). That way you can get rid of the non-secure ingress route entirely!

Glad that I could help ...in some way :smiley: