Tls options for sniStrict=false in tcp router

Traefik Traefik v2
,
1

Hi, we have the following service:

  mqtt:
    image: eclipse-mosquitto:1.6.7
    container_name: mqtt
    restart: unless-stopped
    volumes:
      - /opt/mosquitto/config:/mosquitto/config
      - /opt/mosquitto/log:/mosquitto/log
      - /opt/mosquitto/data:/mosquitto/data
    ports:
      - "8883:8883"
    logging:
      options:
        max-size: 100m
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.mqtt.tls=true"
      - "traefik.tcp.routers.mqtt.rule=HostSNI(`mqtt.ourdomain.tld`)"
      - "traefik.tcp.routers.mqtt.tls.certResolver=le"
      - "treafik.tcp.routers.mqtt.service=mqtt-svc"
      - "treafik.tcp.routers.mqtt.tls.domains.main=mqtt.cold.its.be.continental.cloud"
      - "traefik.tcp.services.mqtt-svc.loadbalancer.server.port=1883"
      - "treafik.tcp.routers.mqtt.tls.options=mqtt"
      - "traefik.tls.options.mqtt.sniStrict=false"

When not using tls, everything is fine. When using tls, only newer mqtt-clients/libraries can connect, that support the HostSNI feature.

Unfortunatelly, we have to be compatible to older clients, that do not support the tls extension.

The result should be, that traefik does the tls termination and forwards all traefik, that comes in trough the mqtt-entrypoint to the mqtt-service, whilst using the letsencrypt certificate defined in HostSNI...

Our approach now was to disable the sniStrict checking, but it seems the tls.options reference above does nothing :frowning:

Anyone an idea how to achieve this?

2

I'm pretty sure the TLS options can only be set in the dynamic file provider or Kubernetes.

I only got it working with a file provider.

3

@anle did you find a solution?

PS. also setting sniStrict: false in the provider files seems to not help

4

sniStrict is false by default.

I have a similar issue where I wanted the DNS over TLS clients who do not support SNI to use the ACME cert rather than the default certificate.

Right now, with sniStrict=true, the connection attempt is rejected (correctly so).
strict SNI enabled - No certificate found for domain: \"\", closing connection"
But with sniStrict=false, the connection is allowed, but the default certificate is served due to lack of acme cert that matches the SNI which is "" (empty).

There should be a way to tell Traefik to always serve the ACME cert even if the SNI fails, similar to sniStrict=false but not to search for certs that match the empty SNI.

Edit: Found the bug for the same: Allow assuming default host if no SNI indication is given (for Let's Encrypt) · Issue #8123 · traefik/traefik (github.com)

1 Like