Traefik default tls on kubernetes

dafzor · December 28, 2021, 2:35am

I'm trying to configure traefik on kubernetes to use my own cloudflare tls cert, however I can't seem to make it work, it will continue the self generated cert or no longer accept https connections at all.

Bellow is my applied manifests (note: Using helmoperator from flux cd):

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: traefik-public
spec:
  releaseName: traefik-public
  chart:
    spec:
      chart: traefik
      sourceRef:
        kind: HelmRepository
        name: traefik
        namespace: kube-system
  interval: 1h0m0s
  timeout: 30m
  install:
    remediation:
      retries: 3
  values:
    ingressRoute:
      dashboard:
        annotations:
          # Using ingress class makes the dashboard give 404 unless this annotation is set
          kubernetes.io/ingress.class: traefik-public
    ingressClass:
      enabled: true
      isDefaultClass: false
    providers:
      kubernetesCRD:
        enabled: true
        ingressClass: traefik-public
      kubernetesIngress:
        enabled: true
        publishedService:
          enabled: true
    globalArguments: [] # to disable anonymous usage reports
    additionalArguments:
    - "--log.level=TRACE" # to try and figure out why it doesn't work
    - "--providers.kubernetesingress.ingressclass=traefik-public"
    # Enable HTTPS redirection on web entrypoint
    - "--providers.file.filename=/config/dynamic.yml"
    - "--providers.file.watch=true"
    - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
    - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
    volumes:
    - name: cloudflare-tls
      mountPath: "/certs"
      type: secret
    - name: 'traefik-public-config'
      mountPath: "/config"
      type: configMap
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-public-config
data:
  dynamic.yml: |
    tls:
      certificates:
      - certFile: /certs/tls.crt
        keyFile: /certs/tls.key
      stores:
        default:
          defaultCertificate:
            certFile: /certs/tls.crt
            keyFile: /certs/tls.key

The errors i get:

traefik-public time="2021-12-28T02:21:35Z" level=error msg="Unable to append certificate <redacted> to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default
traefik-public time="2021-12-28T02:21:35Z" level=error msg="Error during the build of the default TLS configuration: TLS store default not found" entryPointName=websecure

I've already tried searching for a solution, double checked my cert is ok and paths are correct...

dafzor · December 28, 2021, 5:33am

After some more troubleshooting seems the issue was the cert having windows line breaks (CRLF) instead of linux line breaks (LF) making it invalid.

rtribotte · December 28, 2021, 4:37pm

Hello @dafzor,

Thanks for your interest in Traefik!

After some more troubleshooting seems the issue was the cert having windows line breaks (CRLF) instead of linux line breaks (LF) making it invalid.

If it was indeed the root cause of your issue, can you please mark this topic as resolved?

Topic		Replies	Views
Traefik v2.1 Configuration for HTTPs support with Kubernetes Ingress Traefik v2 (latest) kubernetes-ingress	0	546	January 17, 2020
Is a non-TLS Kubernetes Ingress not offered over default HTTPS anymore? Traefik v2 (latest) kubernetes-ingress	0	254	April 14, 2021
Troubleshooting HTTPS to HTTPS Kubernetes Ingress Routes Traefik v2 (latest) kubernetes-ingress	1	802	March 29, 2022
TLS issues routing to kubernetes-dashboard Traefik v2 (latest) kubernetes-ingress	4	1800	March 6, 2024
404 on all the ingresses with TLS on AKS Traefik v2 (latest) kubernetes-ingress	3	103	February 23, 2024

Traefik default tls on kubernetes

Related Topics