TCP router with TLS not working

I am trying to set up a TCP entrypoint tcp5050 with the following config in traefik.toml:

traefik.toml
  traefik.toml: |
    ## static configuration
    [global]
      checkNewVersion = true

    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.websecure]
        address = ":443"
      [entryPoints.tcp5050]
        address = ":5050"

    [providers]
      [providers.kubernetesCRD]
      [providers.file]
        directory = "/etc/traefik/providers/"
        watch = true

    [log]
      level = "INFO"

    [accessLog]

    [api]
      insecure = true
      dashboard = true
      debug = true

    [metrics]
      [metrics.prometheus]
        buckets = [0.1,0.3,1.2,5.0]
        addEntryPointsLabels = true
        addServicesLabels = true
        entryPoint = "web"

    [ping]
      entryPoint = "web"

    [tls.stores]
      [tls.stores.one]
        [tls.stores.one.logstash]
          certFile = "/certs/logstash.crt"
          keyFile  = "/certs/logstash.key"

    [[tls.certificates]]
      stores = ["one"]

    [certificatesResolvers]

      [certificatesResolvers.default]
        [certificatesResolvers.default.acme]
          email = "admin@domain.com"
          caServer = "https://acme-v02.api.letsencrypt.org/directory"
          storage = "/etc/traefik/storage/acme.json"
          [certificatesResolvers.default.acme.dnsChallenge]
            provider = "route53"
            delayBeforeCheck = 0
            resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

      [certificatesResolvers.logstash]

and the IngressRouteTCP:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: logstash-external
  namespace: kube-logging
spec:
  entryPoints:
    - tcp5050
  routes:
  - match: HostSNI(`logstash.dev.domain.com`)
    services:
    - name: logstash
      port: 5050
  tls:
    certResolver: logstash
    domains:
      - main: logstash.dev.domain.com
        # sans:
        #   - "logstash.dev.domain.com"

I have a *.dev.domain.com Let's Encrypt certificate, but for this endpoint (logstash.dev.domain.com) I want to use a self-signed certificate (logstash.crt), which I have in place in the Traefik container.

But I am not able to reach this endpoint from the public internet.
I was able to run openssl s_client -connect logstash:5050 from any container within the Kubernetes cluster, but not from outside the cluster using openssl s_client -connect logstash.dev.domain.com:5050.

When the remote rsyslogd tries to send messages to logstash.dev.domain.com it gets the following message:

Certificate 1 info: certificate valid from Wed Oct 16 15:31:08 2019 to Tue Jan 14 15:31:08 2020; Certificate public key: RSA; DN: CN=*.dev.domain.com; Issuer DN:]

I also tried creating a completely new endpoint, logstash.test.domain.com, just to avoid any certificate conflicts. With this I don't have any certificate for *.test.domain.com, just logstash.test.domain.com (new self-signed).

When I tried openssl s_client -connect logstash.test.domain.com:5050 I got:

<HOST>$ openssl s_client -connect logstash.test.domain.com:5050
CONNECTED(00000006)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=TRAEFIK DEFAULT CERT
issuer=/CN=TRAEFIK DEFAULT CERT
---
No client certificate CA names sent
---
SSL handshake has read 1448 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 03B123746C3A6E558DA363C508ED44877633793EF8443675B4875FC3F65D4E3C
    Session-ID-ctx:
    Master-Key: 7FCE0EDB3D8C333D548EE7C5F92C640A6145F1C4228510CB7CAC478BC63A4F74975E34410F926EF57AE06C6C0D94D576
    TLS session ticket:
    0000 - 65 e8 fd 4c b7 10 ef 75-17 d1 f5 c6 de 3d 05 72   e..L...u.....=.r
    0010 - cf 23 a4 46 12 7a 98 16-c9 b3 41 76 6f 63 55 91   .#.F.z....AvocU.
    0020 - f8 c3 f3 cd ff 05 78 46-57 6a 9e bb 8a 13 29 0c   ......xFWj....).
    0030 - a0 51 5b b8 84 bd 38 75-f0 9a 73 ec d4 a4 76 86   .Q[...8u..s...v.
    0040 - 87 b7 55 62 18 91 ae 7e-8b 76 75 d8 e0 fb 46 77   ..Ub...~.vu...Fw
    0050 - d0 06 53 c4 22 11 52 bc-d5 64 de 94 f5 33 00 2a   ..S.".R..d...3.*
    0060 - e7 49 db c7 f9 09 c4 40-0a e8 0c fa 8a 0b 89 5d   .I.....@.......]
    0070 - 9f d4 c2 ee 3b 24 a9 c8-                          ....;$..

    Start Time: 1572014023
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
closed

I have an AWS Network Load Balancer in front.

I'd appreciate any help here.
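Editor's note, with an added check that is not part of the original post. Two details in the s_client transcript above are worth pinning down before touching Traefik: the subject is printed as "subject=/CN=TRAEFIK DEFAULT CERT", which is the output layout of OpenSSL releases before 1.1.1, and those releases send no SNI at all unless -servername is given. A ClientHello without SNI can never match HostSNI(`logstash.dev.domain.com`), so Traefik hands the connection to the entrypoint's fallback, which serves the generated "TRAEFIK DEFAULT CERT" and answers the bytes s_client sends with the HTTP/1.1 400 seen at the end of the transcript. The NLB does not change this as long as its listener is TCP (SNI passes through untouched); a TLS listener on the NLB would instead terminate with the NLB's own certificate, and the subject seen would not be Traefik's. The script below (assumed host, port and SNI values are placeholders; the Traefik v2 behaviour it relies on is HostSNI matching on the ClientHello server name) connects with an explicit SNI and classifies the certificate that comes back, so the same test gives the same answer from inside and outside the cluster:

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report which certificate a
# Traefik TCP entrypoint serves for a given SNI.
#
# Assumptions (not in the post): host, port and SNI values are placeholders.
# Traefik v2 matches a HostSNI() TCP router on the server name in the TLS
# ClientHello; a ClientHello with no SNI cannot match it, and the connection
# then receives the entrypoint's default certificate ("TRAEFIK DEFAULT CERT").

# Extract the CN from the "subject=" line of openssl s_client output (stdin).
# Accepts both the old "subject=/C=../CN=name" and the OpenSSL 1.1.1+
# "subject=C = .., CN = name" layouts.
served_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Classify what a served CN means for a HostSNI router:
#   default - Traefik's generated fallback cert: no router/cert matched the SNI
#   matched - the CN is the SNI we asked for (or a wildcard covering it)
#   other   - some other certificate was selected (wrong store, wrong name)
classify_cn() {
  local cn=$1 sni=$2
  case "$cn" in
    "TRAEFIK DEFAULT CERT") echo default ;;
    "$sni") echo matched ;;
    \*.*)
      # wildcard: compare the part after "*." with the SNI's parent domain
      [ "${cn#\*.}" = "${sni#*.}" ] && echo matched || echo other ;;
    *) echo other ;;
  esac
}

# Connect with an explicit SNI (OpenSSL before 1.1.1 sends none unless
# -servername is given) and print host, sni, served CN and classification.
# Usage: check_sni <host> <port> <sni>
check_sni() {
  local host=$1 port=$2 sni=$3 cn
  cn=$(openssl s_client -connect "${host}:${port}" -servername "${sni}" \
         </dev/null 2>/dev/null | served_cn)
  printf 'host=%s sni=%s served_cn=%s result=%s\n' \
    "$host" "$sni" "${cn:-<none>}" "$(classify_cn "${cn:-}" "$sni")"
}

# Example invocations (placeholder names from the question; need network access):
#   check_sni logstash.dev.domain.com 5050 logstash.dev.domain.com
#   check_sni logstash.dev.domain.com 5050 logstash.test.domain.com
```

Run it from a pod in the cluster against the service and from outside against the public name; if the inside run reports "matched" and the outside run "default", the NLB listener type is the first thing to check. If both report "default", the certificate is not where Traefik v2 looks for it: in v2 the [[tls.certificates]] and [tls.stores] tables are dynamic configuration and belong in the file provider directory (here /etc/traefik/providers/), not in the static traefik.toml, only the store named "default" is consulted, and an IngressRouteTCP can instead reference a Kubernetes TLS Secret through tls.secretName rather than a certResolver.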

It looks like it is working as it is supposed to. Self-signed certs are not supposed to be accepted by default. So you can disable TLS cert checking on your rsyslogd system, but that's not recommended because it is insecure. You can also install the cert on the rsyslogd host so it trusts that cert. But you'll save yourself a lot of time and effort if you just use a cert signed by a trusted CA, like your Let's Encrypt cert.
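What the two client-side options in this answer look like in rsyslog's RainerScript, as an added example that is not from the poster, the answerer or the rsyslog documentation. Assumed: the forwarding host has the gtls netstream driver installed (the rsyslog-gnutls package on most distributions), the server's self-signed logstash.crt has been copied to /etc/rsyslog.d/logstash.crt, and its CN or SAN is logstash.dev.domain.com as in the question. The commented-out action is the insecure "disable checking" variant; the active one pins the self-signed certificate as the trust anchor and also checks the peer name, so a different certificate on the same IP and port is rejected. If GnuTLS refuses to accept a plain end-entity certificate as its own anchor, issue logstash.crt from a small private CA and point DefaultNetstreamDriverCAFile at that CA certificate instead; the action stays the same.

```conf
# Added example (not from the original thread). Assumed paths and names:
# /etc/rsyslog.d/logstash.crt is the server's self-signed certificate,
# logstash.dev.domain.com:5050 is the endpoint from the question.

global(
  DefaultNetstreamDriver="gtls"
  # A self-signed certificate is its own trust anchor: pin exactly this file.
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/logstash.crt"
)

# Weak setting ("disable TLS cert checking"): TLS is used but any certificate
# is accepted, so anyone who can intercept the path can read every log line.
# action(type="omfwd" target="logstash.dev.domain.com" port="5050" protocol="tcp"
#        StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

# Corrected setting: the peer must present a certificate that validates
# against the pinned file AND whose CN/SAN matches the permitted peer name.
action(type="omfwd" target="logstash.dev.domain.com" port="5050" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logstash.dev.domain.com")
```

With a Let's Encrypt certificate, as the answer recommends, only DefaultNetstreamDriverCAFile changes (to the system CA bundle or the Let's Encrypt chain); StreamDriverAuthMode and StreamDriverPermittedPeers should stay exactly as above, since a publicly trusted certificate for the wrong name is still the wrong server.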