SSL breaks routing?

If I use this configuration with http, everything works OK:

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.http]
   address = ":8029"

If I change it to use HTTPS/TLS like this:

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.https]
   address = ":8029"
   [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "certs/mfx-servicefabric.crt"
      keyFile = "certs/mfx-servicefabric.key" 

The correct certificate shows up in the browser using https://myserver:8029/whatever...

But now all the routing fails... All requests return 404.

What gives? How can I troubleshoot this further?

With TLS in place the access log says "backend not found", while with http it routed OK.

Hi, there is an example here: https://docs.traefik.io/v1.7/user-guide/examples/#http-https-with-sni.

TL;DR: you have to add the https entrypoint you created to the list of default entrypoints:

# traefik.toml file
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.https]
   address = ":8029"
# (...)

By default, the top-level directive (that must be on top of the traefik.toml file to avoid issues like https://github.com/containous/traefik/issues/5163) defaultEntryPoints is only set to http.

In the example you gave below, by changing the name of the entrypoint to https, then it's not part of the default entrypoints anymore. Hence the need to add it.

Alternatively, you can define the entrypoints of a specific service by using labels/annotations. In your case it would be traefik.frontend.entryPoints=http,https (as described in https://docs.traefik.io/v1.7/configuration/backends/servicefabric/#available-labels).

Let us know the result?

Thanks for the reply. So, I am using the default entry points as you outlined in my TOML file.

# Entrypoints to be used by frontends that do not specify any entrypoint.
defaultEntryPoints = ["http", "https"]

As far as the labels go in the help doc:

traefik.frontend.entryPoints=http,https	
-Assign this frontend to entry points http and https.
-Overrides defaultEntryPoints

Doesn't seem like I need that; I'm not trying to override the defaults...

With my current config, the dashboard doesn't show http or https as an entry point and the services just outright fail on 8029...

So in the context of using the Service Fabric provider, how much of the configuration is read from the TOML file and how much is used from the provider?

I can’t ever see how it’s really configured. Are they combined? Overridden? Can I call the api to see the configuration at runtime? This is a big question that might have big implications for my configuration..

Here is my traefik.toml in its entirety:

################################################################
# Global configuration
################################################################

# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Traefik logs file
# If not defined, logs to stdout
#
# Optional
# 
[traefiklog]
filePath = "log/traefik.log"
format = "json"

# Log level
#
# Optional
# Default: "ERROR"

logLevel = "DEBUG"

# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
	 [entryPoints.https]
   address = ":8029"
   [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "certs/mfx-servicefabric.crt"
      keyFile = "certs/mfx-servicefabric.key" 
#	[entryPoints.https.tls.clientCA]
#        files = ["certs/gdroot-g2.crt"]
#        optional = false


# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]

# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath = "log/accesslog.txt"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
format = "common"

################################################################
# API definition
################################################################

[api]
  entryPoint = "dashboard"
  dashboard = true
  debug = true

################################################################
# Service Fabric provider
################################################################

# Enable Service Fabric configuration backend
[serviceFabric]

# Service Fabric Management Endpoint
clusterManagementUrl = "https://localhost:19080"
# Note: use "https://localhost:19080" if you're using a secure cluster

# Service Fabric Management Endpoint API Version
apiVersion = "3.0"

refreshSeconds = 10

# Enable TLS connection.
#
# Optional
#
[serviceFabric.tls]
  cert = "certs/localClusterCert-rte.crt"
  key = "certs/localClusterCert-rte.key"
  insecureskipverify = true

UseCertificateAuth    =  true
ClientCertFilePath    = "certs/localClusterCert-rte.crt"
ClientCertKeyFilePath = "certs/localClusterCert-rte.key"
InsecureSkipVerify    =  true


Hello @solidcloudio,

logLevel and defaultEntryPoints are not subkeys of [traefiklog].

Please try this:

 # Global configuration

debug = true
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"

[traefiklog]
filePath = "log/traefik.log"
format = "json"

So if I uncomment the logging, it breaks this entire configuration? You can easily see how I got into this state.

It never seems clear in the TOML where a section starts and ends. You are saying that everything "global" has to go at the top of the file? Once you add a key, it's enabled for that section of the doc until it finds another key?

TOML ignores whitespace, so this is correct. Everything starts with a key or a table, and only ends when another is defined.

This is correct. In Traefik v2, we created a [global] table to help prevent this sort of issue.

Please see https://docs.traefik.io/v1.7/configuration/commons/#global-configuration
for the full list of global configuration options, which must be defined at the beginning of the TOML file in order to be used.

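The TOML scoping rule from the replies above, as an added example that is not part of the original thread or Traefik's own code: a small lint that reports global keys which follow a table header and are therefore read as members of that table. The function name `misplaced_globals` and both sample files are constructed for illustration; the line-based scan assumes no multi-line strings or arrays.

```python
import re

# Global keys the replies name as misplaced. "debug" is left out on purpose:
# [api] has its own legitimate debug key. Extend from the v1.7 docs list.
GLOBAL_KEYS = {"logLevel", "defaultEntryPoints"}

TABLE_RE = re.compile(r"^\[{1,2}\s*([^\]]+?)\s*\]{1,2}\s*(#.*)?$")
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=")


def misplaced_globals(toml_text):
    """Return (line_no, key, table) for each global key that follows a table
    header and is therefore parsed as a member of that table, not the root."""
    findings = []
    current_table = None  # None means we are still at the root of the file
    for line_no, raw in enumerate(toml_text.splitlines(), start=1):
        line = raw.strip()  # indentation carries no meaning in TOML
        if not line or line.startswith("#"):
            continue
        table = TABLE_RE.match(line)
        if table:
            current_table = table.group(1)  # stays open until the next header
            continue
        key = KEY_RE.match(line)
        if key and current_table is not None and key.group(1) in GLOBAL_KEYS:
            findings.append((line_no, key.group(1), current_table))
    return findings


# Constructed sample, abbreviated from the traefik.toml posted in the thread.
BROKEN = """\
[traefiklog]
filePath = "log/traefik.log"
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints.https]
address = ":8029"
"""

# Constructed sample using the layout suggested in the reply.
FIXED = """\
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[traefiklog]
filePath = "log/traefik.log"
[entryPoints.https]
address = ":8029"
"""
```

Each finding gives the line number, the key, and the table that silently absorbed it, which is the state the posted file was in before the globals were moved to the top.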

OK, that's nice to know. It seems my frontends show up with https in the dashboard now. The https seems to work; now I guess I need to figure out my routing rules in another thread.

Thanks for the help on this one.