I'm trying to route traffic from Cloudflare to Traefik to my Consul and Vault UIs in addition to my various services tracked by Consul. That latter part is working just fine. The former is giving me trouble. I do not want or need Traefik to generate certificates for me, I am using certificates provided by Cloudflare to handle HTTPS ingress over port 443.
I also do not want to set up additional listeners in Consul and Vault which listen on 443 and use the CloudFlare certs. All Vault and Consul instances speak to each other over https on 8200 and 8501 respectively.
I have Vault registered as a service in consul and have set tags up for the Vault service so Traefik knows how to route to the vault instances.
Where I am getting stuck is how to have Traefik terminate ingress using my provided CloudFlare TLS certs, and then route to the Vault UI using the self-signed client certs. Looking at the logs, it appears that the CloudFlare cert is getting handed off to the Vault instances, which then return an Internal Server Error.
My Vault service tags are set like so:
traefik.http.routers.vault.rule=Host(`vault.mydomain.com`) && PathPrefix(`/ui`)
traefik.http.routers.vault.service=vault
traefik.http.routers.vault.tls=true
traefik.http.routers.vault.tls.domains.main=vault.mydomain.com
traefik.http.routers.vault.tls.domains.sans=vault.service.consul
traefik.http.services.vault.loadbalancer.server.scheme=https
traefik.http.services.vault.loadbalancer.server.port=8200
traefik.http.services.vault.loadbalancer.passhostheader=false
The bottom of my traefik-dynamic.toml file looks like so:
[...other configuration...]

[tls]
  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/tls/cloudflare/cert.pem"
        keyFile = "/tls/cloudflare/key.pem"

[[tls.certificates]]
  certFile = "/tls/vault/vault.mydomain.com.crt"
  keyFile = "/tls/vault/vault.mydomain.com.key"
I feel like I'm missing something obvious, but I've pored over the docs several times over and can't quite find the thing to link the certificates to pass to the Vault service. Since I'm not using the LetsEncrypt certificate generation, I'm not sure whether any of the domain matching magic applies here, and it's not clear whether there are any Consul tags that I'm missing (maybe middlewares?) or whether this belongs in the toml files.
Any assistance would be appreciated. Many thanks in advance!
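An added example, not from the original post or the Traefik project, of how the two sides of this setup are configured separately in Traefik v2: the certificate Traefik presents on port 443 comes from the TLS store, while the trust Traefik applies when it dials the Vault backend over https lives on a serversTransport, and `[[tls.certificates]]` entries only affect what Traefik serves, never what it trusts upstream. Assumed: Traefik v2.4 or later, a file provider loading traefik-dynamic.toml, and the path /tls/vault/ca.pem for the CA that issued the Vault listeners' certificates.

```toml
# traefik-dynamic.toml (file provider). Added example, not the original post's config.

# Inbound side: the Cloudflare origin certificate is what clients on :443 see.
[tls]
  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/tls/cloudflare/cert.pem"
        keyFile = "/tls/cloudflare/key.pem"

# Outbound side: how Traefik verifies Vault when it connects to https://<vault>:8200.
# Trust the CA that issued the Vault listener certs rather than disabling verification.
[http.serversTransports.vault-backend]
  [http.serversTransports.vault-backend.tls]
    # Assumed path: the CA (or the self-signed cert itself) behind the Vault listeners.
    rootCAs = ["/tls/vault/ca.pem"]
    # Name verified against the backend cert and sent as SNI; matches the Consul SAN.
    serverName = "vault.service.consul"
    # insecureSkipVerify = true would also silence the handshake failure, but Traefik
    # would then forward Vault tokens to anything answering on 8200; keep it false.
    insecureSkipVerify = false
```

The Vault service in Consul then references this transport with one additional tag, `traefik.http.services.vault.loadbalancer.serverstransport=vault-backend@file`, alongside the existing scheme=https and port=8200 tags. Nothing in the router's `tls.domains` settings is involved in the backend connection; those only describe which names the inbound certificate should cover.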