Terminate Cloudflare TLS in Traefik, send self-signed client cert to Vault

I'm trying to route traffic from Cloudflare to Traefik to my Consul and Vault UIs in addition to my various services tracked by Consul. That latter part is working just fine. The former is giving me trouble. I do not want or need Traefik to generate certificates for me, I am using certificates provided by Cloudflare to handle HTTPS ingress over port 443.

I also do not want to set up additional listeners in Consul and Vault which listen on 443 and use the CloudFlare certs. All Vault and Consul instances speak to each other over https on 8200 and 8501 respectively.

I have Vault registered as a service in consul and have set tags up for the Vault service so Traefik knows how to route to the vault instances.

Where I am getting stuck is how to have Traefik terminate ingress using my provided CloudFlare TLS certs, and then route to the Vault UI using the self-signed client certs. Looking at the logs, it appears that the CloudFlare cert is getting handed off to the Vault instances, which then return an Internal Server Error.

My Vault service tags are set like so:

"traefik.http.routers.vault.rule=Host(`vault.mydomain.com`) && PathPrefix(`/ui`),
traefik.http.routers.vault.service=vault,
traefik.http.routers.vault.tls=true,
traefik.http.routers.vault.tls.domains[0].main=vault.mydomain.com,
traefik.http.routers.vault.tls.domains[0].sans=vault.service.consul,
traefik.http.services.vault.loadbalancer.server.scheme=https,
traefik.http.services.vault.loadbalancer.server.port=8200,
traefik.http.services.vault.loadbalancer.passhostheader=false"

The bottom of my traefik-dynamic.toml file looks like so:

[...other configuration...]

[tls]
  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/tls/cloudflare/cert.pem"
        keyFile  = "/tls/cloudflare/key.pem"

[[tls.certificates]]
  certFile = "/tls/vault/vault.mydomain.com.crt"
  keyFile  = "/tls/vault/vault.mydomain.com.key"

I feel like I'm missing something obvious, but I've pored over the docs several times and can't quite find the thing to link the certificates to pass to the Vault service. Since I'm not using the LetsEncrypt certificate generation, I'm not sure whether any of the domain matching magic applies here, and it's not clear whether there are any Consul tags that I'm missing (maybe middlewares?) or whether this belongs in the toml files.

Any assistance would be appreciated. Many thanks in advance!

It's been over a month since this was posted. Just trying to get eyes on it again as it seems like this should be a fairly common scenario

I could solve it with a ServersTransport; here is my config. Hope it helps.

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: vault-transport
  namespace: vault

spec:
  serverName: vault-internal
  insecureSkipVerify: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: vault-tls-option
  namespace: vault

spec:
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-ui
  namespace: vault
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.domain.com`)
      kind: Rule
      services:
        - name: vault
          port: 8200
          scheme: https
          serversTransport: vault-transport
          namespace: vault
  tls:
    options:
      name: vault-tls-option
      namespace: vault
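For the file-provider setup in the original question (TOML dynamic config plus Consul catalog tags) rather than Kubernetes CRDs, the same ServersTransport idea can be expressed in traefik-dynamic.toml. This is an added example, not config from the thread; the transport name `vault-transport`, the `serverName` value and the `/tls/vault/ca.pem` path are assumptions, and it verifies the Vault listener certificate against that CA instead of setting insecureSkipVerify.

```toml
# Added example (not from the thread): ServersTransport for the Traefik -> Vault hop.
# Traefik still terminates client TLS with the Cloudflare certificate from
# [tls.stores.default.defaultCertificate]; this table only governs the second
# hop from Traefik to the Vault listener on 8200.
[http.serversTransports.vault-transport]
  # Name Traefik expects in the Vault server certificate. Assumed here to be
  # the SAN the Vault cert was issued with (the thread mentions vault.service.consul).
  serverName = "vault.service.consul"
  # Trust the CA that signed the Vault listener certificate rather than
  # disabling verification. Path is an assumption for this example.
  rootCAs = ["/tls/vault/ca.pem"]
  # Only needed when the Vault tcp listener sets tls_require_and_verify_client_cert;
  # otherwise drop this table entirely.
  [[http.serversTransports.vault-transport.certificates]]
    certFile = "/tls/vault/traefik-client.crt"
    keyFile  = "/tls/vault/traefik-client.key"
```

The Consul service then references it with the tag `traefik.http.services.vault.loadbalancer.serverstransport=vault-transport@file`, where the `@file` suffix points Traefik at the transport defined in the file provider.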