RequireAndVerifyClientCert and ACME TLS-ALPN-01

Korijn · September 15, 2022, 12:47pm

I'm trying to set up an ingress that requires both:

Lets Encrypt certificate acquired via TLS-ALPN-01 challenge
Client certificates for incoming requests

I'm under the impression that Traefik is denying the TLS-ALPN-01 requests incoming from LE, because they aren't supplying a client certificate. Is that possible?

kevinpollet · September 15, 2022, 3:29pm

Hello @Korijn and thanks for your interest in Traefik,

I'm under the impression that Traefik is denying the TLS-ALPN-01 requests incoming from LE, because they aren't supplying a client certificate. Is that possible?

You are right, when ACME is making the TLS challenge request the defined TLSOption applies. This means that the client certificate will be requested during this challenge request.

Using HTTP or DNS challenges should help to solve this issue, check out the following documentation: Traefik Let's Encrypt Documentation - Traefik

Hope this helps!

Korijn · September 15, 2022, 5:48pm

Thanks for responding so quickly. I'm also on a .dev domain (so HSTS) so HTTP-01 challenge is also not feasible. DNS challenge it is, I guess!

system · September 18, 2022, 5:49pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik v2 with ACME DNS-01 Challenge Traefik v2 docker , letsencrypt-acme	0	1665	May 19, 2020
Traefik fails to obtain letsencrypt certificate with dns-01 challenge Traefik v1 kubernetes-ingress , letsencrypt-acme	5	2783	July 25, 2019
Traefik Letsencrypt TLSChallenge - Documentation Incomplete? Traefik v2 letsencrypt-acme	12	1369	February 24, 2024
Let'sEncrypt Certificate HTTP ACME challenge issue Traefik v2 kubernetes-ingress	0	373	June 13, 2020
Delay ACME TLS-ALPN-01 challenge Traefik v2 kubernetes-ingress , letsencrypt-acme	5	361	September 13, 2024

RequireAndVerifyClientCert and ACME TLS-ALPN-01

Related topics