TLS handshake error occurs when using Traefik Helm on EKS and CloudFront

I generated and received a TLS/SSL certificate from CloudFront.

HTTP works fine,
HTTPS results in a TLS handshake error.

```yaml
---
apiVersion: v1
kind: Service
metadata:
  namespace: test
  name: whoami
  labels:
    app: whoami
spec:
  ports:
    - port: 80
  selector:
    app: whoami
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: test
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: tlsoptions
  namespace: test
spec:
  minVersion: VersionTLS12
  cipherSuites:
    # CBC-SHA256 suites are in Go's InsecureCipherSuites list (not constant time)
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # duplicate TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 entry removed
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    # TLS 1.3 suites are not configurable in Go's crypto/tls; listing them has no effect
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    # TLS_FALLBACK_SCSV (RFC 7507) is a downgrade-signalling value, not a cipher suite,
    # so it is not a valid cipherSuites entry; removed here
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: false
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: transport
  namespace: test
spec:
  # Only affects HTTPS backends; whoami is plain HTTP on port 80, so this has no effect here
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-web
  namespace: test
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`domain.com`)
      kind: Rule
      middlewares:
        - name: headers-default@file
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-websecure
  namespace: test
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
          serversTransport: transport
  tls:
    # No secretName is set and no certificate store is referenced, so Traefik has no
    # certificate for domain.com and serves its self-signed default certificate
    # (see the "Serving default certificate" log line below)
    options:
      name: tlsoptions
      namespace: test
```
```text
time="2022-03-25T23:34:24Z" level=debug msg="Serving default certificate for request: \"domain.com\""
time="2022-03-25T23:34:24Z" level=debug msg="http: TLS handshake error from 10.11.11.240:41668: read tcp 10.11.10.41:8443->10.11.11.240:41668: read: connection reset by peer"
```

Can you tell me which one is wrong?

I finally solved it using cert-manager.

The certificate was issued via Route53 dns01.

For certificate sharing,

used

Very convenient and recommended.
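As an added example, not the original poster's manifests, this is what the cert-manager route described above looks like: a ClusterIssuer using the Route53 dns01 solver, the Certificate it issues into a Secret, and the websecure IngressRoute referencing that Secret through `tls.secretName`, the field the original `tls:` block lacked. CloudFront verifies the certificate the origin presents, so Traefik's self-signed default certificate (the "Serving default certificate" log line) is rejected and the connection reset; the issuer name, e-mail address, AWS region and secret name here are placeholders.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01               # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@domain.com             # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          route53:
            region: us-east-1           # placeholder: region of the hosted zone
            # With no accessKeyIDSecretRef/secretAccessKeySecretRef, cert-manager uses
            # the IAM role of its own pod (IRSA on EKS) to write the _acme-challenge record
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: whoami-tls
  namespace: test
spec:
  secretName: whoami-tls                # kubernetes.io/tls Secret that Traefik will read
  dnsNames:
    - domain.com                        # must match the Host() rule and CloudFront's origin domain
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-websecure
  namespace: test
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`domain.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: whoami-tls              # without this Traefik falls back to its default self-signed cert
    options:
      name: tlsoptions
      namespace: test
```

After `kubectl get certificate -n test` reports Ready, the debug log should no longer show "Serving default certificate" for domain.com.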
