Hello Community,
I'm reaching out for some assistance with a perplexing issue I've encountered while setting up Traefik in a Kubernetes environment. My goal is to configure TLS certificates for my domain, but I'm stuck with a self-signed certificate problem despite several attempts to rectify it.
Here's a brief overview of my situation:
- Setup: I've deployed Traefik as a reverse proxy in my Kubernetes cluster. My domain and DNS provider is Ionos.
- Configuration: I've edited the Traefik configuration to include parameters for the ACME challenge. The configuration includes the necessary details like the ACME email, storage path, and the DNS challenge provider set to Ionos. I've also added the Ionos API key as an environment variable.
- Issue: Despite the configurations, I'm still encountering a self-signed certificate error when I try to access my domain. The Kubernetes (k8s—I'm using microk8s) commands `k get certificate -A` and `k get certificates -A` show no resources, indicating that the certificate hasn't been issued as expected.
- Logs: The Traefik logs show the initialization of the ACME provider and DNS challenge, but there's no clear indication of the certificate being issued or any errors preventing it.
- Attempts: I've tried enabling debug logs for Traefik to gain more insight, but this hasn't led to a resolution. The suggestion to try the HTTP-01 challenge was also considered, but I'm currently focused on resolving the issue with the DNS-01 challenge through Traefik.
Here is the Traefik configuration:
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: traefik
  labels:
    app: traefik
spec:
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v2.10
          args:
            - --global.checknewversion
            - --entrypoints.web.address=:80/tcp
            - --entrypoints.websecure.address=:443/tcp
            - --api.dashboard=true
            - --ping=true
            - --providers.kubernetescrd
            - --entrypoints.websecure.http.tls=true
            - --certificatesresolvers.ionosresolver.acme.email=contact@league-item-recommender.com
            - --certificatesresolvers.ionosresolver.acme.storage=/data/acme.json
            - --certificatesresolvers.ionosresolver.acme.dnschallenge=true
            - --certificatesresolvers.ionosresolver.acme.dnschallenge.provider=ionos
            - --certificatesresolvers.ionosresolver.acme.dnschallenge.delaybeforecheck=0
            - --log.level=DEBUG
          env:
            - name: IONOS_API_KEY
              value: "APIKEY.APISECRET"
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
          volumeMounts:
            - mountPath: /data
              name: data
            - mountPath: /tmp
              name: tmp
      volumes:
        - emptyDir: {}
          name: data
        - emptyDir: {}
          name: tmp
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 65532
      terminationGracePeriodSeconds: 60
```
The associated service:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
  namespace: traefik
spec:
  type: LoadBalancer
  ports:
    - targetPort: web
      port: 80
      name: web
    - targetPort: websecure
      port: 443
      name: websecure
  selector:
    app: traefik
```
The logs:
```
time="2024-01-02T22:49:53Z" level=info msg="Starting provider *acme.Provider"
time="2024-01-02T22:49:53Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"contact@domain.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/data/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"ionos\"},\"ResolverName\":\"ionosresolver\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2024-01-02T22:49:53Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" providerName=ionosresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-02T22:49:53Z" level=info msg="Testing certificate renew..." providerName=ionosresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2024-01-02T22:49:53Z" level=info msg="Starting provider *crd.Provider"
time="2024-01-02T22:49:53Z" level=debug msg="*crd.Provider provider configuration: {}"
time="2024-01-02T22:49:53Z" level=warning msg="CRDs API Group \"traefik.containo.us\" is deprecated, and its support will end starting with Traefik v3. Please use the API Group \"traefik.io\" instead." providerName=kubernetescrd
time="2024-01-02T22:49:53Z" level=warning msg="CRDs API Version \"traefik.io/v1alpha1\" will not be supported in Traefik v3 itself. However, an automatic migration path to the next version will be available." providerName=kubernetescrd
time="2024-01-02T22:49:53Z" level=info msg="label selector is: \"\"" providerName=kubernetescrd
time="2024-01-02T22:49:53Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetescrd
time="2024-01-02T22:49:53Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"ping\":{\"entryPoints\":[\"traefik\"],\"service\":\"ping@internal\",\"rule\":\"PathPrefix(`/ping`)\",\"priority\":2147483647}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{},\"ping\":{}},\"models\":{\"websecure\":{\"tls\":{}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-01-02T22:49:53Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=ionosresolver.acme
time="2024-01-02T22:49:53Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-01-02T22:49:53Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-01-02T22:49:54Z" level=debug msg="Ignoring traefik.containo.us/v1alpha1 ingress route (production/traefik-ingress-route) already listed within traefik.io/v1alpha1 API GroupVersion"
time="2024-01-02T22:49:54Z" level=error msg="kubernetes service not found: production/production-api-ping" namespace=production providerName=kubernetescrd ingress=traefik-ingress-route
time="2024-01-02T22:49:54Z" level=error msg="kubernetes service not found: production/production-api-version" ingress=traefik-ingress-route namespace=production providerName=kubernetescrd
time="2024-01-02T22:49:54Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"production-traefik-ingress-route-692f7afa85f7089d9d56\":{\"entryPoints\":[\"websecure\",\"web\"],\"service\":\"production-traefik-ingress-route-692f7afa85f7089d9d56\",\"rule\":\"Host(`registry.domain.com`) \\u0026\\u0026 PathPrefix(`/.*`)\"},\"production-traefik-ingress-route-6ff222f5332146c7eee6\":{\"entryPoints\":[\"websecure\",\"web\"],\"service\":\"production-traefik-ingress-route-6ff222f5332146c7eee6\",\"rule\":\"Host(`domain.com`) \\u0026\\u0026 Path(`/`)\"},\"production-traefik-ingress-route-9043d3531a9c1371e68a\":{\"entryPoints\":[\"websecure\",\"web\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.domain.com`) \\u0026\\u0026 PathPrefix(`/dashboard`) || Host(`traefik.domain.com`) \\u0026\\u0026 PathPrefix(`/api`)\"}},\"services\":{\"production-traefik-ingress-route-692f7afa85f7089d9d56\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.1.15.226:5000\"}],\"passHostHeader\":true}},\"production-traefik-ingress-route-6ff222f5332146c7eee6\":{\"loadBalancer\":{\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=kubernetescrd
time="2024-01-02T22:49:54Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
```
I'm wondering if anyone here has experienced a similar issue or could provide some insights into what might be going wrong. Any suggestions on how to troubleshoot this further would be greatly appreciated.
Thank you in advance for your help!
Best regards, Dayrion
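As an added example, not part of the original post: Traefik only orders an ACME certificate for a router whose tls section names a certResolver, and the routers in the log above are received with no tls section at all, so nothing is ever requested from Let's Encrypt. The IngressRoute below wires the resolver in and moves the Ionos key out of the Deployment literal; the namespace, route name and hosts are taken from the log, while the backend Service names and ports are assumed.

```yaml
# Added example, not the poster's manifest. Namespace, route name and hosts
# follow the log; the backend Service names and ports are assumed.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-ingress-route
  namespace: production
spec:
  entryPoints:
    - websecure          # TLS only; a router on "web" has nothing to terminate
  routes:
    - match: Host(`domain.com`) && Path(`/`)
      kind: Rule
      services:
        - name: production-api-version   # assumed backend Service
          port: 80
    - match: Host(`registry.domain.com`) && PathPrefix(`/`)   # PathPrefix is literal, not a regex
      kind: Rule
      services:
        - name: registry                 # assumed backend Service
          port: 5000
  tls:
    # This is what triggers the ACME order. The name must match the
    # --certificatesresolvers.<name>.* flags on the Traefik container,
    # and the certificate is requested for the Host() values above.
    certResolver: ionosresolver
---
# The DNS provider key belongs in a Secret, referenced from the Deployment
# with env[].valueFrom.secretKeyRef, rather than as a literal value.
apiVersion: v1
kind: Secret
metadata:
  name: ionos-api
  namespace: traefik
type: Opaque
stringData:
  IONOS_API_KEY: "APIKEY.APISECRET"   # placeholder, replace with the real key
```

Traefik stores the issued certificate in /data/acme.json, not as a Kubernetes Certificate resource, so `k get certificate` (a cert-manager type) stays empty even after a successful order. With /data on an emptyDir the file is lost on every pod restart and a fresh order is made each time, which counts against Let's Encrypt rate limits; a PersistentVolumeClaim keeps it.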