Self Signed certificate in Traefik 2.10, AKS

Hello everyone, I'm having trouble getting the SSL self-signed certificate to work. When I go to my web page it says that it doesn't have any certificate.

I'm deploying Traefik with Helm on Azure Kubernetes Services.

This is my ingress yaml of the microservice:


```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: httpbin-http-route
  namespace: $NAMESPACE
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`$HOST`)
    middlewares:
    - name: http-redirect-https
      namespace: $NAMESPACE
    services:
    - kind: Service
      name: $NAME_SERVICE
      namespace: $NAMESPACE
      port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: httpbin-https-route
  namespace: $NAMESPACE
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`$HOST`)
    middlewares:
    - name: http-redirect-https
      namespace: $NAMESPACE
    services:
    - kind: Service
      name: $NAME_SERVICE
      namespace: $NAMESPACE
      port: 80
  tls:
    secretName: $CERTIFICATE
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: http-redirect-https
  namespace: $NAMESPACE
spec:
  redirectScheme:
    scheme: https
    permanent: true
---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: $NAMESPACE
  name: services-ingress-md-sp
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`$HOST`) && Path(`/serv/sesion`)
      kind: Rule
      middlewares:
        - name: services-ingress-md-sp
      services:
        - name: sesion-service
          port: 80
    - match: Host(`$HOST`) && Path(`/serv/backend`)
      kind: Rule
      middlewares:
        - name: services-ingress-md-sp
      services:
        - name: backend-service
          port: 80
    - match: Host(`$HOST`) && Path(`/backoffice-service`)
      kind: Rule
      middlewares:
        - name: services-ingress-md-sp
      services:
        - name: backoffice-service
          port: 80
    - match: Host(`$HOST`) && Path(`/backoffice`)
      kind: Rule
      middlewares:
        - name: services-ingress-md-sp
      services:
        - name: openbit-backoffice-service
          port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: $NAMESPACE
  name: services-ingress-md-sp
spec:
  stripPrefix:
    prefixes:
      - /serv/sesion
      - /serv/backend
      - /backoffice-service
      - /backoffice
```

And this is the code in 1.7 that was working:

```yaml
# # Ingress--------------------
# apiVersion: networking.k8s.io/v1beta1
# kind: Ingress
# metadata:
#   namespace: $NAMESPACE
#   name: $NAME_INGRESS_SERVICE
#   annotations:
#     kubernetes.io/ingress.class: traefik
#     traefik.ingress.kubernetes.io/redirect-entry-point: https
#     traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
# spec:
#   rules:
#   - host: $HOST
#     http:
#       paths:
#       - path: /serv/sesion
#         backend:
#           serviceName: sesion-service
#           servicePort: http
#       - path: /serv/backend
#         backend:
#           serviceName: backend-service
#           servicePort: http
#       - path: /serv/backoffice
#         backend:
#           serviceName: backoffice-service
#           servicePort: http
#       - path: /backoffice
#         backend:
#           serviceName: openbit-backoffice-service
#           servicePort: http
#   - host: $HOST
#     http:
#       paths:
#       - path: /serv/sesion
#         backend:
#           serviceName: sesion-service
#           servicePort: http
#       - path: /serv/backend
#         backend:
#           serviceName: backend-service
#           servicePort: http
#       - path: /serv/backoffice
#         backend:
#           serviceName: backoffice-service
#           servicePort: http
#       - path: /backoffice
#         backend:
#           serviceName: openbit-backoffice-service
#           servicePort: http

# ---
# apiVersion: networking.k8s.io/v1beta1
# kind: Ingress
# metadata:
#   name: $NAME_INGRESS
#   namespace: $NAMESPACE
#   annotations:
#     kubernetes.io/ingress.class: traefik
#     #traefik.ingress.kubernetes.io/auth-type: "basic"
#     traefik.ingress.kubernetes.io/redirect-entry-point: https
#     #traefik.ingress.kubernetes.io/auth-secret: "mysecret"
#     #traefik.ingress.kubernetes.io/priority: "$PRIORITY"
# spec:
#   tls:
#    - secretName: $CERTIFICATE
#   rules:
#   - host: $HOST
#     http:
#       paths:
#       - backend:
#           serviceName: $NAME_SERVICE
#           servicePort: http
#   - host: $HOST
#     http:
#       paths:
#       - backend:
#           serviceName: $NAME_SERVICE
#           servicePort: http
############# tls test #########3
```

I am creating the certificate with OpenSSL:

```
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout tls.key -out xls.crt -subj "/CN=BLABLABLA" -days 365

kubectl create secret tls certname --key=tls.key --cert=xls.crt -n develop
```

I don't see any error in the Traefik pod.
Am I missing something? Thanks in advance.

Use 3 backticks in front and after code. It improves readability and in YAML every space matters.

I just uploaded a few screenshots, thanks!

Here is an image for you:
IMG_9363

which results in

```
code
  with correct spacing
```

which is readable on every device :smiley:

Done it! I didn't know that! Thanks!

Did you read this Traefik blog post (link)?

We don’t use k8s, so I know little about the k8s config. To me it seems strange that you have an ingress on websecure that uses http-to-https middlewares.

Yes, I even tried doing this without the middleware part, but I got the same result:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`whoami.local`)
    services:
    - name: whoami
      port: 80
  tls:
    secretName: whoami-secret
```

Did you create the secret in k8s?

```
kubectl create secret generic whoami-secret --from-file=tls.crt=./server.crt --from-file=tls.key=./server.key --namespace dev
secret/whoami-secret created
```

Enable and check Traefik debug log.

Finally I was able to make it work; for some unknown reason it is not working with these commands:

```
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout tls.key -out xls.crt -subj "/CN=blablabla" -days 365
kubectl create secret tls certificate-bitcow --key=tls.key --cert=xls.crt -n qa
```

I tried again with the one with the whoami app that you sent me in that post and it's working. Weird, it works great on 1.7.
Thanks a lot!
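
Added example, not part of the thread: offline checks to run on a certificate and key before creating the TLS secret, confirming that the two belong together and that the certificate carries a DNS SAN for the routed host. `whoami.local` is the host from the thread; the function names are hypothetical, and the thread does not establish that either check was the cause of the problem.

```shell
#!/usr/bin/env bash
# Added example: offline checks on a cert/key pair before it goes into a
# Kubernetes TLS secret. File layout and function names are hypothetical.
set -euo pipefail

# Self-signed pair with the host in the SAN as well as the CN
# (rsa:2048 only to keep the sample run fast).
make_cert() {  # make_cert <host> <dir>
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -keyout "$2/tls.key" -out "$2/tls.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Digest of the public key as seen from the certificate and from the key.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# True only when both files parse and carry the same public key.
pair_matches() {  # pair_matches <crt> <key>
  local c k
  c=$(cert_pub_hash "$1") && k=$(key_pub_hash "$2") && [ "$c" = "$k" ]
}

# True only when a DNS SAN equals the host exactly (wildcards not expanded).
san_covers() {  # san_covers <crt> <host>
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr -d ' ' | tr ',' '\n' | grep -xF "DNS:$2" >/dev/null
}

check_pair() {  # check_pair <crt> <key> <host>
  local rc=0
  pair_matches "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
  san_covers "$1" "$3"   || { echo "FAIL: no DNS SAN for $3"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: pair matches, SAN covers $3"
  return "$rc"
}

# Constructed sample run; whoami.local is the host used in the thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_cert whoami.local "$tmp"
check_pair "$tmp/tls.crt" "$tmp/tls.key" whoami.local
```

To run the same checks on what the cluster holds, extract the files first, for example `kubectl get secret <name> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt`, using the namespace of the IngressRoute that references the secret.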
