Setting TLS using crd, self signed certs

AlexTM · October 22, 2019, 7:23pm

Is there a way to generate a self signed certs on a dynamic basis that would have the CN of the HostSNI record?

Something like:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingress-database-tls
spec:
  entryPoints:
    - db
  routes:
  - match: HostSNI(`{{INGRESS_DOMAIN}}`)
    kind: Rule
    priority: 1
    services:
    - name: database-service
      port: 1433
  tls: {}

daniel.tomcej · October 22, 2019, 7:29pm

@AlexTM,

For most situations, to use self-signed certificates, your client would have to skip certificate validation, which includes the name check.

For this reason, having this automated from within traefik would not be very useful.

However, you can use a tool like pebble or boulder to create custom certificates with your own CA, dynamically:

AlexTM · October 22, 2019, 7:35pm

Yes appreciate this is probably not a standard use case. However Traefik already happily generates self signed certs if no details are provided and tls is requested. Would is be feasible to extend the self signing to include the host name?

Topic		Replies	Views
Self Signed Certificate Generation example for a development environment Traefik v2 kubernetes-ingress	2	1274	March 25, 2021
KubernetesCRD config for Cert-Manager Traefik v2 kubernetes-crd , kubernetes-ingress , letsencrypt-acme	10	2674	October 1, 2022
Unable to create TLS cert with IngressRouteTCP Traefik v2 kubernetes-ingress	2	693	October 10, 2022
IngressRoute to use default certificate for certain host Traefik v2 kubernetes-crd	1	2058	November 28, 2019
Traefik - Custom TLS certificate Traefik v2 kubernetes-ingress	4	330	July 19, 2024

Setting TLS using crd, self signed certs

Related topics