Do you want to request a feature or report a bug?
Bug
Did you try using a 1.7.x configuration for the version 2.0?
- [ ] Yes
- [X] No
What did you do?
We have a k8s cluster which hosts services that our customers want to address with their own domains, of which we are not able to control the DNS records, hence we want to swap out the dns in favour of the http challenge. Using Traefik 1.7.x we got a lot of errors from acme / lego, so we switched to 2.0 GA.
Our cluster contains one master and two worker nodes. Traefik is deployed as a daemon set on both worker nodes. For starters, we want to make the http challenge work for services laying behind our company intern domain. The DNS records of this Domain are managed by Cloudflare, and each subdomain points to both worker nodes. We do not use Cloudflare's SSL, SSL is only meant to be terminated by Traefik.
Example DNS records:
A swift.cloudiety.de node0IP
A swift.cloudiety.de node1IP
The swift pod in this example is a swift-nio hello world project, listening on 8080
.
We have not managed to make the http challenge work.
What did you expect to see?
A Let's Encrypt staging certificate being issued for swift.cloudiety.de
What did you see instead?
curl rejects the certificate, stating it's TRAEFIK DEFAULT CERT
, so I it's not a LE staging certificate
* Rebuilt URL to: swift.cloudiety.de/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 195.201.221.205...
* TCP_NODELAY set
* Connected to swift.cloudiety.de (195.201.221.205) port 80 (#0)
> GET / HTTP/1.1
> Host: swift.cloudiety.de
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://swift.cloudiety.de/
< Date: Wed, 18 Sep 2019 13:58:33 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
<
* Ignoring the response-body
{ [5 bytes data]
100 5 100 5 0 0 115 0 --:--:-- --:--:-- --:--:-- 116
* Connection #0 to host swift.cloudiety.de left intact
* Issue another request to this URL: 'https://swift.cloudiety.de/'
* Trying 195.201.221.205...
* TCP_NODELAY set
* Connected to swift.cloudiety.de (195.201.221.205) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [224 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [58 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [852 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Sep 18 13:58:32 2019 GMT
* expire date: Sep 17 13:58:32 2020 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f92b2800400)
> GET / HTTP/2
> Host: swift.cloudiety.de
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< content-length: 13
< date: Wed, 18 Sep 2019 13:58:33 GMT
<
{ [13 bytes data]
100 13 100 13 0 0 86 0 --:--:-- --:--:-- --:--:-- 86
* Connection #1 to host swift.cloudiety.de left intact
Hello World
Output of traefik version
: (What version of Traefik are you using?)
Version: 2.0.0
Codename: montdor
Go version: go1.13
Built: 2019-09-16T17:35:17Z
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml, provider, platform, ...)?
Traefik DaemonSet
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.0
args:
- --api.insecure
- --accesslog
- --log.level=debug
- --entrypoints.web.Address=:80
- --entrypoints.websecure.Address=:443
- --providers.kubernetescrd
- --certificatesResolvers.default.acme.httpChallenge=true
- --certificatesresolvers.default.acme.httpChallenge.entryPoint=web
- --certificatesresolvers.default.acme.email=devops@worldiety.de
- --certificatesresolvers.default.acme.storage=acme.json
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: web
containerPort: 80
hostPort: 80
- name: websecure
containerPort: 443
hostPort: 443
- name: admin
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
Traefik Service
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
ports:
- protocol: TCP
name: web
port: 80
- protocol: TCP
name: admin
port: 8080
- protocol: TCP
name: websecure
port: 443
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: whoami
IngressRoutes
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: swift-ingress-http
namespace: default
spec:
entryPoints:
- web
routes:
- kind: Rule
priority: 10
match: Host(`swift.cloudiety.de`)
middlewares:
- name: https-redirect
services:
- name: swift-nio-service
port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: swift-ingress-https
namespace: default
spec:
entryPoints:
- websecure
routes:
- kind: Rule
priority: 11
match: Host(`swift.cloudiety.de`)
middlewares:
- name: https-redirect
services:
- name: swift-nio-service
port: 8080
tls: {}
swift nio deployment
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: swift-nio-test
namespace: default
labels:
k8s-app: swift-nio-test
spec:
replicas: 2
selector:
matchLabels:
k8s-app: swift-nio-test
template:
metadata:
labels:
k8s-app: swift-nio-test
name: swift-nio-test
spec:
terminationGracePeriodSeconds: 60
containers:
- image: juka/swift-nio-test
name: swift-nio
ports:
- name: http
containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: swift-nio-service
namespace: default
spec:
selector:
k8s-app: swift-nio-test
ports:
- name: web
port: 8080
targetPort: 8080
If applicable, please paste the log output in DEBUG level (--log.level=DEBUG
switch)
Logs from Traefik instance on node 0, filtered by acme
$ kubectl logs traefik-t9dpz | grep -i acme
time="2019-09-18T12:51:21Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"kubernetesCRD\":{}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"debug\",\"format\":\"common\"},\"accessLog\":{\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"certificatesResolvers\":{\"default\":{\"acme\":{\"email\":\"devops@worldiety.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
time="2019-09-18T12:51:21Z" level=info msg="Starting provider *acme.Provider {\"email\":\"devops@worldiety.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"default\",\"store\":{},\"ChallengeStore\":{}}"
time="2019-09-18T12:51:21Z" level=info msg="Testing certificate renew..." providerName=default.acme
time="2019-09-18T12:51:21Z" level=debug msg="Configuration received from provider default.acme: {\"http\":{},\"tls\":{}}" providerName=default.acme
Logs from Traefik instance on node 1, filtered by acme
$ kubectl logs traefik-kvmnh | grep -i acme
time="2019-09-18T12:51:21Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"kubernetesCRD\":{}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"debug\",\"format\":\"common\"},\"accessLog\":{\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}}},\"certificatesResolvers\":{\"default\":{\"acme\":{\"email\":\"devops@worldiety.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
time="2019-09-18T12:51:21Z" level=info msg="Starting provider *acme.Provider {\"email\":\"devops@worldiety.de\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"default\",\"store\":{},\"ChallengeStore\":{}}"
time="2019-09-18T12:51:21Z" level=info msg="Testing certificate renew..." providerName=default.acme
time="2019-09-18T12:51:21Z" level=debug msg="Configuration received from provider default.acme: {\"http\":{},\"tls\":{}}" providerName=default.acme