Setting up ldaps with Traefik

Hello community,
I am trying to set up ldaps using traefik (v3.2.0) and letsencrypt. I am using a single traefik.yaml file and a directory with dynamic configuration yaml files. Previously I was somehow able to set it up successfully (maybe on version 3.1.0, I honestly forgot), but now I am trying to set it up again and it is not working. According to my understanding of the debug log and the traefik log, there is something wrong with how traefik is handling the TLS. The ldap is running unencrypted on port 389 in a container which is accessible to the container running traefik. What I am trying to accomplish is to encrypt the traffic going out from traefik.

My traefik.yaml file:

providers:
  file:
    directory: /home/user1/traefik-3.1.0/config
    watch: true

entryPoints:
  ldap:
    address: ":8006"
  web:
    address: ":80"
    http:
      redirections:
          entryPoint:
            to: web-secure
            scheme: https
            permanent: true
  web-secure:
    address: ":443"
  

certificatesResolvers:
  letsencrypt:
    acme:
      storage: /home/user1/traefik-3.1.0/letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

api:
  dashboard: true
  insecure: true

log:
  level: INFO

The following is my dynamic configuration file (say ldap.yaml) for the unencrypted ldap setup (which works when I try it using the public IP):

tcp:
  routers:
    ldap:
      rule: HostSNI(`*`)
      entryPoints:
        - "ldap"
      service: "ldap-service"

  services:
    ldap-service:
      loadBalancer:
        servers:
          - address: "<container_running_ldap_ip>:389"

The following is the ldap.yaml file with TLS enabled, and it is not working:

tcp:
  routers:

    ldaps:
      rule: HostSNI(`ldap.mydomain.com`)
      tls:
        certResolver: letsencrypt
      entryPoints:
        - "ldap"
      service: "ldap-service"

  services:
    ldap-service:
      loadBalancer:
        servers:
          - address: "<container_running_ldap_ip>:389"

I have noticed that when I try to access the ldap server with the TLS-enabled ldap.yaml file, and if I use level: DEBUG in the traefik.yaml file, I get the following debug information in the logs:

2024-10-29T18:45:36Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

Is there something I am missing?

Check if you have a TLS cert for ldap.mydomain.com in the acme.json file.

Usually httpChallenge only works on port 80 and tlsChallenge on port 443.

The Traefik default cert is not trusted by clients/browsers, so you would see an error on the connection attempt.

You could use rule: HostSNI(`*`) also for ldaps.

Are you sure ldap and ldaps use the same port?

Hello @bluepuma77 ,
I have checked the acme.json file and there is a cert available for it with certificate, key and store.

The TLS certificate is successfully generated for the ldap.mydomain.com because I checked it by assigning the subdomain to another web application and it is working.

I am not using a browser; rather, I am using the ldapsearch command to access the ldap server via a search query.

ldapsearch -H ldaps://ldap.mydomain.com:8006 -x -b "dc=ldap,dc=mydomain,dc=com" -v

Also, if the letsencrypt certificate is generated and present in acme.json, why is traefik using the default certificate?

As I understand traefik, using HostSNI(*), one cannot assign a TLS certificate to it. What I am trying to do is to get ldap traffic unencrypted from the container and use the letsencrypt TLS cert generated in traefik to encrypt it and then route it to public IP, which should then be accessible using ldaps.

ldap uses port 389 (which I am using here) and ldaps uses port 636. I am not using port 636 because I want the ldap to be encrypted after passing through traefik. If I use port 636 from the container in which ldap is present, then there will be no use for traefik; a simple iptables routing will do the trick. Also, all of my other subdomains' TLS certs are managed in traefik, so it is centralized. I do not want to add another TLS cert location (as long as it is possible).

@bluepuma77 I was reading this conversation and it seems that traefik uses its own certificates by default. What is the proper way to make traefik use letsencrypt instead of its own default self-signed certificates? (I still don't understand why traefik is using a self-signed certificate and not the letsencrypt one in my case above.)

ldapsearch needs to support TLS with HostSNI.

Check if the correct TLS cert is used by Traefik:

openssl s_client -connect ldap.mydomain.com:8006

@bluepuma77 The suggested command returned following output (I have truncated the domain specific stuff):

issuer=C = US, O = Let's Encrypt, CN = R11

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3612 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: E6C85149B63FA0FB9C75CAD9ECCD342F14700CBB22FC1F84129D3DC9EBA32DA0
    Session-ID-ctx: 
    Resumption PSK: 64FCBE7FE6BE8CEF1CC623CA57C7EC3A34AEBC83B245A1879FB564F11EB29802
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - ec 9c ef 30 5c 79 b6 04-a4 ca 45 16 d7 7a 36 6e   ...0\y....E..z6n
    0010 - f4 c1 93 c4 27 78 81 77-c5 00 a4 2f ce b6 d9 d9   ....'x.w.../....
    0020 - 14 ec 79 7b 82 da 91 ae-5d 8c 6a 50 a4 b6 84 0e   ..y{....].jP....
    0030 - 89 a5 fa 30 ff fc 30 94-9f 0b 3c 28 52 92 53 ec   ...0..0...<(R.S.
    0040 - 26 58 ce 1f 54 58 a5 36-71 ac 87 0c 12 11 20 00   &X..TX.6q..... .
    0050 - cc 8e 15 5d c2 3e 42 28-8d 72 c6 cf 1c 1b f2 22   ...].>B(.r....."
    0060 - 09 a3 a4 c1 c7 a7 8c fb-2d                        ........-

    Start Time: 1731569049
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

From the words Let's Encrypt, I assume that traefik is using the correct certificate.

There is one more thing I have noticed here. When I use the ldap command with the -v flag, I get the following output:

ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
tls_write: want=341, written=341
  0000:  16 03 01 01 50 01 00 01  4c 03 03 2a 66 f1 0e 5e   ....P...L..*f..^  
  0010:  44 96 f3 ad 52 7c ed 81  c9 cb 3d 6a 61 57 cf 48   D...R|....=jaW.H  
  0020:  ae ec 45 fb 56 0c 44 0e  e7 4b 2f 00 00 3a 13 02   ..E.V.D..K/..:..  
  0030:  13 03 13 01 13 04 c0 2c  cc a9 c0 ad c0 0a c0 2b   .......,.......+  
  0040:  c0 ac c0 09 c0 30 cc a8  c0 14 c0 2f c0 13 00 9d   .....0...../....  
  0050:  c0 9d 00 35 00 9c c0 9c  00 2f 00 9f cc aa c0 9f   ...5...../......  
  0060:  00 39 00 9e c0 9e 00 33  01 00 00 e9 00 05 00 05   .9.....3........  
  0070:  01 00 00 00 00 00 0a 00  16 00 14 00 17 00 18 00   ................  
  0080:  19 00 1d 00 1e 01 00 01  01 01 02 01 03 01 04 00   ................  
  0090:  0b 00 02 01 00 00 0d 00  22 00 20 04 01 08 09 08   ........". .....  
  00a0:  04 04 03 08 07 05 01 08  0a 08 05 05 03 08 08 06   ................  
  00b0:  01 08 0b 08 06 06 03 02  01 02 03 00 16 00 00 00   ................  
  00c0:  17 00 00 00 23 00 00 00  33 00 6b 00 69 00 17 00   ....#...3.k.i...  
  00d0:  41 04 0b d7 01 91 85 11  d1 bf 35 5f 3a 9d c8 0a   A.........5_:...  
  00e0:  e7 69 18 e2 02 00 80 18  ad 3a bf 00 d2 1c 4f c4   .i.......:....O.  
  00f0:  b7 c8 96 3f d3 19 1d 6b  e1 2d 21 ac d1 d2 fa 22   ...?...k.-!...."  
  0100:  3b 16 90 9f 88 b3 04 4e  50 5b aa 84 ce b1 6d 65   ;......NP[....me  
  0110:  59 0e 00 1d 00 20 08 7d  b1 d7 49 d8 b2 8e 6c ce   Y.... .}..I...l.  
  0120:  cd 13 39 48 6c dd c1 55  63 a3 0a 2e 59 07 b4 22   ..9Hl..Uc...Y.."  
  0130:  d7 39 30 93 83 46 00 2b  00 09 08 03 04 03 03 03   .90..F.+........  
  0140:  02 03 01 ff 01 00 01 00  00 2d 00 03 02 01 00 00   .........-......  
  0150:  1c 00 02 40 01                                     ...@.             
tls_read: want=5, got=5
  0000:  16 03 03 00 5a                                     ....Z             
tls_read: want=90, got=90
  0000:  02 00 00 56 03 03 cd b8  1e 5b 47 31 98 4b 03 18   ...V.....[G1.K..  
  0010:  dc 39 68 e1 27 20 42 9a  8a bc 7e e1 98 f8 91 d7   .9h.' B...~.....  
  0020:  b0 c5 05 f9 24 78 00 13  01 00 00 2e 00 2b 00 02   ....$x.......+..  
  0030:  03 04 00 33 00 24 00 1d  00 20 2a f9 d9 10 a2 32   ...3.$... *....2  
  0040:  ed 35 e2 e2 a8 8d c4 ca  e1 bd 0a 4a bc 6d 31 99   .5.........J.m1.  
  0050:  31 89 6b e2 60 09 72 77  85 17                     1.k.`.rw..        
tls_write: want=6, written=6
  0000:  14 03 03 00 01 01                                  ......            
tls_read: want=5, got=5
  0000:  14 03 03 00 01                                     .....             
tls_read: want=1, got=1
  0000:  01                                                 .                 
tls_read: want=5, got=5
  0000:  17 03 03 00 17                                     .....             
tls_read: want=23, got=23
  0000:  2c 5c 30 4c 81 bc ba 45  8f 74 de 6f eb a7 9b 46   ,\0L...E.t.o...F  
  0010:  38 56 32 43 58 93 40                               8V2CX.@           
tls_read: want=5, got=5
  0000:  17 03 03 03 80                                     .....             
tls_read: want=896, got=896
  0000:  0a be 7e ea f7 20 17 87  8a 9d 2c e4 48 ec 7c 3e   ..~.. ....,.H.|>  
  0010:  92 27 32 06 23 8e 70 30  b3 9e f0 e3 62 fa 40 a7   .'2.#.p0....b.@.  
  0020:  f6 a2 1b 4e d5 e0 df 56  55 43 97 b6 d8 f5 07 98   ...N...VUC......  
  0030:  31 5e e1 ed d3 52 f6 56  33 3e 40 0a e3 2d 8a 53   1^...R.V3>@..-.S  
  0040:  d1 52 72 88 92 a8 96 66  9b 5a 17 c4 f3 6f c0 8a   .Rr....f.Z...o..  
  0050:  4c 10 86 a2 60 9d c9 a2  76 46 1f 4e 10 1b 3f 32   L...`...vF.N..?2  
  0060:  7b 88 ac aa 87 b3 44 47  0b 87 43 05 ba 9e a5 ae   {.....DG..C.....  
  0070:  a9 eb 5d 77 3c c5 6e c6  a9 3e a6 ee 8d b3 ff f2   ..]w<.n..>......  
  0080:  e0 73 35 c6 20 b9 b4 33  27 c5 a9 8c 6a ca dc 04   .s5. ..3'...j...  
  0090:  38 3e 56 f2 fc 0a 7c 03  e2 0f df c3 f3 b4 2d 0e   8>V...|.......-.  
  00a0:  46 98 4c e9 cb 9d c4 86  16 ab 9f 1d 29 8c 58 0c   F.L.........).X.  
  00b0:  10 11 81 dd 5b 2b bb 38  40 64 d6 64 9f 9c e6 58   ....[+.8@d.d...X  
  00c0:  90 1c 73 e1 ec f7 4c 08  e3 89 81 68 5a c5 0e e6   ..s...L....hZ...  
  00d0:  35 12 3c a5 d0 40 a8 36  38 7a 66 7a d7 73 44 e9   5.<..@.68zfz.sD.  
  00e0:  23 36 d2 55 89 b9 f4 d5  75 fc 8c f3 a7 a3 39 82   #6.U....u.....9.  
  00f0:  25 c8 40 2a 02 25 3a c6  56 5c 22 da b7 32 f7 e5   %.@*.%:.V\"..2..  
  0100:  d2 4e 5f 5e ff 60 fe b4  77 32 36 f9 d4 47 cf ff   .N_^.`..w26..G..  
  0110:  12 8b 34 21 70 74 8b 13  db 7f 0d e2 f2 b7 75 34   ..4!pt........u4  
  0120:  df 52 aa 0f c6 d3 77 99  6b 5d cb 1a 2f 45 db cf   .R....w.k]../E..  
  0130:  e8 b0 b2 b6 8b 99 26 e1  ca e4 d8 3b ce 58 af 1f   ......&....;.X..  
  0140:  53 65 68 15 ae 49 09 08  1e ba 0f 76 76 8c 0f 86   Seh..I.....vv...  
  0150:  15 bf 20 78 05 7c 8c 4c  19 94 ed 38 be 6e a5 7b   .. x.|.L...8.n.{  
  0160:  5e 97 26 61 f2 4e 16 df  07 5a d5 5e 14 09 92 9c   ^.&a.N...Z.^....  
  0170:  28 00 42 26 d3 da 36 1b  7f 50 1e 35 12 bf 38 6f   (.B&..6..P.5..8o  
  0180:  14 31 d5 59 f3 f5 ee dc  e3 3c 4b f8 07 8f f2 81   .1.Y.....<K.....  
  0190:  29 4c aa 52 18 cf 45 a1  84 f1 63 18 20 fd 19 95   )L.R..E...c. ...  
  01a0:  2b b9 c4 31 cb 47 7f d1  07 7d a0 16 89 ea e0 8f   +..1.G...}......  
  01b0:  3e fe b1 8b 46 b6 e3 5b  10 d1 99 0e 6f bd 14 a4   >...F..[....o...  
  01c0:  5e dd c4 be 6c af 45 ea  60 04 df 46 75 cb b6 cd   ^...l.E.`..Fu...  
  01d0:  88 ce 07 77 db 68 29 ff  26 19 3f f0 fa 69 a3 50   ...w.h).&.?..i.P  
  01e0:  f9 05 4b 70 9f e2 0c d2  83 d6 c6 80 0e 70 34 b8   ..Kp.........p4.  
  01f0:  40 2d 74 53 00 55 2c 92  e3 50 57 a8 90 e1 fe 74   @-tS.U,..PW....t  
  0200:  81 a1 21 41 d8 2d 5a 6b  1c 2f f1 69 c1 a3 c6 8e   ..!A.-Zk./.i....  
  0210:  ac d4 fb ad e3 94 5f e9  e5 fc 74 21 54 87 88 a4   ......_...t!T...  
  0220:  28 cb 10 73 1d b0 53 cf  47 29 5f 32 e6 9a 27 be   (..s..S.G)_2..'.  
  0230:  b0 46 8e 1f 8f 1d 96 07  f8 a1 e4 38 d1 88 e4 a5   .F.........8....  
  0240:  0a ae 59 48 42 be 08 4a  31 00 b1 e6 d3 9c 91 3a   ..YHB..J1......:  
  0250:  a3 d8 86 97 4a ed 83 4b  dc c7 52 ef e3 de c0 a4   ....J..K..R.....  
  0260:  11 4f 05 6b 55 e6 e9 d9  a3 e4 e0 ec 9d e4 7f b0   .O.kU...........  
  0270:  9e 6c ee 5e 09 2d 2b a5  1b 45 73 27 43 76 55 35   .l.^.-+..Es'CvU5  
  0280:  07 df 7f 6b 49 ec ed 39  b3 3e 73 c2 fd ff 3d e7   ...kI..9.>s...=.  
  0290:  89 1b 06 e1 07 0f 26 05  e9 e2 b8 91 4a 91 cb 21   ......&.....J..!  
  02a0:  df de e3 84 a3 83 1a 70  1a dd 61 07 32 2f 1e 6c   .......p..a.2/.l  
  02b0:  45 2f 32 22 4b 87 df 64  67 dd 20 74 28 a0 fa 38   E/2"K..dg. t(..8  
  02c0:  ae db fa c2 7e 6a 92 85  e2 dc f8 c4 da df 54 56   ....~j........TV  
  02d0:  ea cb 2a 52 1f 4e 0a 78  82 67 fe e5 ad 58 d8 9e   ..*R.N.x.g...X..  
  02e0:  52 0c 01 16 54 59 22 39  e1 1b 33 0f 8d b5 fd 13   R...TY"9..3.....  
  02f0:  df b4 90 52 d8 01 b1 c8  2e ec 82 f3 a3 c8 06 a5   ...R............  
  0300:  8e 79 9f 72 12 3f e6 b7  ff 01 3c e1 f8 f4 e5 ab   .y.r.?....<.....  
  0310:  94 81 ab 51 3e 87 f0 10  e8 38 e3 2c 2a cf e9 14   ...Q>....8.,*...  
  0320:  55 53 ba bf 5a e8 1b 82  f2 cc d4 a7 fa f8 02 17   US..Z...........  
  0330:  38 81 49 06 04 9f 60 c5  62 00 88 0c fe 26 e3 42   8.I...`.b....&.B  
  0340:  67 7f 92 bd 05 96 9f 99  7a ac 91 2e a8 e6 48 75   g.......z.....Hu  
  0350:  d5 bd aa e7 b7 42 99 ab  a7 3d 3b 55 7b 52 dc e3   .....B...=;U{R..  
  0360:  9f 03 ad d9 d1 5d fc 99  2f 26 1b 6e 13 5d 2c aa   .....]../&.n.],.  
  0370:  79 ac e4 0f 19 80 05 50  12 99 e0 9f 1c 6c 81 ff   y......P.....l..  
tls_read: want=5, got=5
  0000:  17 03 03 01 19                                     .....             
tls_read: want=281, got=281
  0000:  a5 cc 0c c1 3c 2f 13 f7  44 6b 71 b4 e6 e1 76 3c   ....</..Dkq...v<  
  0010:  fa 8e 05 3a 4c e1 10 6d  5b 9a 85 ec 87 2e 7b a4   ...:L..m[.....{.  
  0020:  c1 e5 9c e6 68 04 33 3f  db cd aa 13 1d d4 20 6f   ....h.3?...... o  
  0030:  d8 40 9a 8f 19 5b d2 a2  40 2a a7 39 85 82 26 cf   .@...[..@*.9..&.  
  0040:  ed 44 94 d4 6c 7c 8c c6  54 59 08 0c 5b 57 61 35   .D..l|..TY..[Wa5  
  0050:  a7 ba c2 89 34 30 5a 95  fd 17 4e bf ad ae fa 02   ....40Z...N.....  
  0060:  fc 8f 5f 03 da a6 7c a3  ed f7 66 ff 04 ed a7 f7   .._...|...f.....  
  0070:  83 73 28 b4 39 8d 9e 93  ab f3 32 e2 a2 7c a9 aa   .s(.9.....2..|..  
  0080:  49 a8 ef 9b c4 f9 e9 a1  a5 4a 1a 15 91 4d 28 ae   I........J...M(.  
  0090:  5f 60 be bc 12 32 3a 3d  16 9a 72 68 8f 92 73 3d   _`...2:=..rh..s=  
  00a0:  da 1f 82 b3 2e 38 d9 d2  00 cd a0 30 3d 2a 03 66   .....8.....0=*.f  
  00b0:  63 34 ec 65 1d 1f 04 da  95 ca ff 17 c1 bd 60 f7   c4.e..........`.  
  00c0:  8b 9a ac ea 29 32 95 af  7f 3a 22 49 11 c9 1c 62   ....)2...:"I...b  
  00d0:  28 31 93 d8 b7 44 b1 a6  4e 3a 56 f4 b5 71 b1 7e   (1...D..N:V..q.~  
  00e0:  05 05 de e6 07 18 c3 c7  45 75 d6 bf 8e 92 db b3   ........Eu......  
  00f0:  9a 75 58 e4 2a 54 a6 ec  a1 0b 2e 9a 07 ba 06 ff   .uX.*T..........  
  0100:  85 1a 1e 2b d3 11 fa 18  fb c2 58 90 b3 39 de 87   ...+......X..9..  
  0110:  27 68 90 46 34 d2 94 86  bb                        'h.F4....         
tls_read: want=5, got=5
  0000:  17 03 03 00 35                                     ....5             
tls_read: want=53, got=53
  0000:  d6 4d 85 88 17 9f 0a 0d  32 b1 9f d2 bc e4 36 bb   .M......2.....6.  
  0010:  a6 2a d5 b7 f2 7d 1b 51  80 36 c2 82 6f 2c cd d8   .*...}.Q.6..o,..  
  0020:  20 b1 26 45 23 69 e5 8e  c2 41 a4 1a 32 48 2a 96    .&E#i...A..2H*.  
  0030:  41 ca dc c3 0d                                     A....             
tls_write: want=58, written=58
  0000:  17 03 03 00 35 84 90 85  fb 22 66 5a 61 a4 88 e2   ....5...."fZa...  
  0010:  01 e3 93 2a b5 1c 70 d2  c5 ee d3 89 07 8a d2 0e   ...*..p.........  
  0020:  4e 7c 35 d8 a6 80 d0 39  70 c0 10 46 77 2c d8 16   N|5....9p..Fw,..  
  0030:  d7 d4 e3 c5 c2 dd 8d 12  35 8b                     ........5.        
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
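The ClientHello in the dump above can be checked for the server_name (SNI) extension directly. The following is an added example, not code from this thread, from Traefik or from OpenLDAP: it parses the 341 bytes that ldapsearch wrote (transcribed from the hex column of the tls_write dump above) and, for comparison, the ClientHello that Python's own ssl module produces with and without a server name, generated offline through a MemoryBIO pair. The host name ldap.mydomain.com is only used as a label to put into SNI; nothing is contacted.

```python
import ssl
import struct

# ClientHello from the "tls_write: want=341" dump in the post above; hex column
# transcribed, offsets and ASCII column dropped.
LDAPSEARCH_CLIENT_HELLO = bytes.fromhex("""
16 03 01 01 50 01 00 01 4c 03 03 2a 66 f1 0e 5e
44 96 f3 ad 52 7c ed 81 c9 cb 3d 6a 61 57 cf 48
ae ec 45 fb 56 0c 44 0e e7 4b 2f 00 00 3a 13 02
13 03 13 01 13 04 c0 2c cc a9 c0 ad c0 0a c0 2b
c0 ac c0 09 c0 30 cc a8 c0 14 c0 2f c0 13 00 9d
c0 9d 00 35 00 9c c0 9c 00 2f 00 9f cc aa c0 9f
00 39 00 9e c0 9e 00 33 01 00 00 e9 00 05 00 05
01 00 00 00 00 00 0a 00 16 00 14 00 17 00 18 00
19 00 1d 00 1e 01 00 01 01 01 02 01 03 01 04 00
0b 00 02 01 00 00 0d 00 22 00 20 04 01 08 09 08
04 04 03 08 07 05 01 08 0a 08 05 05 03 08 08 06
01 08 0b 08 06 06 03 02 01 02 03 00 16 00 00 00
17 00 00 00 23 00 00 00 33 00 6b 00 69 00 17 00
41 04 0b d7 01 91 85 11 d1 bf 35 5f 3a 9d c8 0a
e7 69 18 e2 02 00 80 18 ad 3a bf 00 d2 1c 4f c4
b7 c8 96 3f d3 19 1d 6b e1 2d 21 ac d1 d2 fa 22
3b 16 90 9f 88 b3 04 4e 50 5b aa 84 ce b1 6d 65
59 0e 00 1d 00 20 08 7d b1 d7 49 d8 b2 8e 6c ce
cd 13 39 48 6c dd c1 55 63 a3 0a 2e 59 07 b4 22
d7 39 30 93 83 46 00 2b 00 09 08 03 04 03 03 03
02 03 01 ff 01 00 01 00 00 2d 00 03 02 01 00 00
1c 00 02 40 01
""")

EXT_SERVER_NAME = 0          # RFC 6066 SNI
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello: cipher suites, extension types in
    wire order, the SNI host name (None when absent) and supported_versions."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete handshake record carrying a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                           # legacy_version, random
    pos += 1 + hello[pos]                  # legacy_session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                  # legacy_compression_methods
    extensions, sni, versions = [], None, []
    if pos < len(hello):                   # the extensions block is optional
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == EXT_SERVER_NAME:
                # ServerNameList: u16 list length, then (type u8, u16 length, name)*
                p = 2
                while p < len(data):
                    name_type, nlen = data[p], _u16(data, p + 1)
                    if name_type == 0 and sni is None:
                        sni = data[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                versions = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
    return {"cipher_suites": suites, "extensions": extensions,
            "sni": sni, "supported_versions": versions}


def python_client_hello(server_hostname):
    """ClientHello that Python's ssl module would send, produced offline by running
    the handshake over a MemoryBIO pair and reading back what was written out.
    server_hostname=None gives a client that puts no name into SNI."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False         # wrap_bio refuses hostname checks without a name
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                               # ClientHello flushed; it now waits for a ServerHello
    return outgoing.read()


if __name__ == "__main__":
    for label, rec in [("ldapsearch (from the post)", LDAPSEARCH_CLIENT_HELLO),
                       ("python ssl, server_hostname set", python_client_hello("ldap.mydomain.com")),
                       ("python ssl, no server_hostname", python_client_hello(None))]:
        info = parse_client_hello(rec)
        print(f"{label}: {len(info['cipher_suites'])} suites, "
              f"tls1.3={0x0304 in info['supported_versions']}, sni={info['sni']!r}")
```

Run as a script, it prints one line per sample. The transcribed ldapsearch hello offers 29 cipher suites and TLS 1.3, and carries twelve extensions (status_request, supported_groups, ec_point_formats, signature_algorithms, encrypt_then_mac, extended_master_secret, session_ticket, key_share, supported_versions, renegotiation_info, psk_key_exchange_modes, record_size_limit) but no server_name. That is what Traefik's `Serving default certificate for request: ""` line records: with no SNI in the ClientHello there is nothing to match HostSNI(`ldap.mydomain.com`), so the default certificate is sent and the client rejects it. The earlier openssl s_client check passed because s_client has sent SNI by default since OpenSSL 1.1.1, so it does not reproduce what this client does; `openssl s_client -noservername -connect ldap.mydomain.com:8006` shows the certificate a client without SNI gets.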

I would interpret the result as: Traefik has a cert, HostSNI works, but your LDAP client is probably not using it. I think Traefik would also log this in the debug log.

It is possible to set a LetsEncrypt cert as the default cert; then Traefik should not provide its own default cert. Maybe that would help.

How can I set letsencrypt as the default cert in traefik? Is there a command-line option, or do I have to manually add it in the traefik.yml file?

It's all in the doc:

# Dynamic configuration

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: myresolver
        domain:
          main: example.org
          sans:
            - foo.example.org
            - bar.example.org

This needs to go into a dynamic config file, which is loaded via providers.file in the static config.