TLSStore not used and no error messages in the logs

Environment

  • Traefik-Version: 2.10.5
  • Kuberntes-Version: 1.27.4

Given configurations

  1. Secret: ingress-controller-traefik-cluster-cert
    apiVersion: v1
    kind: Secret
    metadata:
      name: ingress-controller-traefik-cluster-cert
      namespace: kube-system
    type: kubernetes.io/tls
    data:
      tls.crt: LS0t # ... snip
      tls.key: LS0t # ... snip
    
  2. TLSStore ingress-controller-traefik-default
    apiVersion: traefik.io/v1alpha1
    kind: TLSStore
    metadata:
      name: ingress-controller-traefik-default
      namespace: kube-system
    spec:
      defaultCertificate:
        secretName: ingress-controller-traefik-cluster-cert
      certificates:
        - secretName: ingress-controller-traefik-cluster-cert
    
  3. IngressRoute my-app-https
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: my-app-https
      namespace: kube-system
    spec:
      entryPoints:
        - https
      routes:
        - kind: Rule
          match: Host(`my-domain.com`) && PathPrefix(`/my-app`)
          services:
            - name: my-app
              port: 80
      tls:
        store:
          name: ingress-controller-traefik-default
    

Test scenario

  1. Insecure

    • Command:
      curl --insecure https://my-domain.com/my-app
      
    • Actual result:
      {"status":200,"ok":true}
      
  2. Regular

    • Command:

      curl https://my-domain.com/my-app
      
    • Actual result:

      curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - [..]
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      
    • Issuer: TRAEFIK DEFAULT CERT

My question

The target certificate is not picked-up from the secret ingress-controller-traefik-cluster-cert and I do not see any meaningful message in the logs of traefik. Also not log level debug gives me a hint so far. I only see:

time="2023-11-19T21:56:25Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=kube-system-ingress-controller-traefik-default

What I'm doing wrong?

Thanks already in advance.

Anyone can help out, here?