Traefik delivers two certificates and uses TLS 1.0

KBst · November 28, 2019, 10:30am

I have got two identical configured Traefik reverse proxys. Running on the identical Debian 10 platform.
But testing with SSL Labs SSL Server Test gives different results:

traefik version

Version: 2.0.5
Codename: montdor
Go version: go1.13.4
Built: 2019-11-14T18:11:01Z
OS/Arch: linux/amd64

Server A:

Server B: (Delivers the Let’s Encrypt cert and the TRAEFIK DEFAULT CERT and uses TLS 1.0)

Questions:

How to get rid of the additional cert?
How to debug further?

dduportal · November 28, 2019, 11:15am

Hi @KBst, you might be interested by this answer: Traefik should not serve TRAEFIK DEFAULT CERT when there is a matching custom cert · Issue #5849 · traefik/traefik · GitHub .

SSL Labs tests SNI and Non-SNI connection attempts to your server.

By default, if a non-SNI request is sent to Traefik, and it cannot find a matching certificate (with an IP SAN), it will return the default certificate, which is usually self signed.

If you are required to pass this sort of SSL test, you may need to either:

Configure a default certificate to serve when no match can be found:
EntryPoints | Traefik | v1.7

Configure Strict SNI checking so that no connection can be made without a matching certificate:
EntryPoints | Traefik | v1.7

Please check the links for Traefik v2.0:

Set a default certificate to handle requests without SNI: TLS | Traefik | v2.0
Or enable Strict SNI and refuse non SNI HTTP/TLS requests: TLS | Traefik | v2.0

KBst · November 28, 2019, 2:02pm

Or enable Strict SNI and refuse non SNI HTTP/TLS requests: https://docs.traefik.io/v2.0/https/tls/#strict-sni-checking

Thanks. I also found this discussion and tried to setup identical tls.options. But I will double check.
By the way: my options are defined in separate files in a directory where all dynamic definitions are sitting. Are they also reread when changes occur?

dduportal · November 28, 2019, 2:10pm

It should be, as the TLS options are part of the "dynamic configuration" of Traefik. The first condition is that the watch directive of the file provider must be enabled (ref. https://docs.traefik.io/v2.0/providers/file/#watch).

KBst · November 29, 2019, 11:03am

O.k. that's clear. So let me show the respective sections of my setup:

Static part

###############################################################
# File configuration backend
###############################################################
providers:
  file:
    directory: /etc/traefik/sites
    watch: true
###############################################################
# Let's Encrypt Certificates Resolver
###############################################################
certificatesResolvers:
  letsencrypt:
    acme:
      email: my.mail@ydomain>
      storage: "/etc/traefik/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}

Dynamic part

###############################################################
# server service
################################################################http:
http:
  routers:
    server:
      entryPoints:
        - websecure
      rule: "Host(`server.<mydomain>`)"
      service: server-service
      tls:
        options: withsni
        certResolver: letsencrypt

  services:
    server-service:
      loadBalancer:
        servers:
          - url: "https://192.168.1.2:443"

###############################################################
#  tls options withsni
################################################################
tls:
  options:
    withsni:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

As I metioned: identical setup only for two different domains (I generated the configuration files from one source using sed). Even with Strict SNI checking. For one of the domains traefik delivers two certificates and also provides TLS 1.0. For the other I only get one certificate and no TLS 1.0.

Using the dashboard I can't explore the active SNI settings. Is there another possibility to find the differences in effective setup?

dduportal · November 29, 2019, 11:14am

Enable debug log of traefik: you'll see what settings are applied in the debug lines.

KBst · November 29, 2019, 12:10pm

O.k. THX. I’ll try and come back with results.

Klaus

KBst · December 1, 2019, 8:17pm

Now I've got the debug output for both setups ... and really cannot find any difference
I dare to include both (rather long) log files. The first one "domain1.log" covers more routers as this is a production site. SSL-Labs test (also included) is only done with "server.domain1.de" i.e.

"Adding route for server.domain1.de with TLS options withsni" entryPointName=websecure

As expected with identical configuration files the debug log - as far as I see - doesn't show differences. But: Even with sniStrict = true the first setup:

Still delivers the second self signed cert and
Accepts TLS 1.0

domain1.log the one with errors
domain2.log

dduportal · December 4, 2019, 9:52am

Can you try to set it with the tls option default as well please? It looks like you defined a tls option block named nosni, so it is not the default behavior if a request is not caught by a router.... which certainly happens when SSLLabs tries things.

Not sure why this would work on one server, but not on the other, but worth it to try.

KBst · December 4, 2019, 6:25pm

I defined a default tls option. Shall I reference the default option in the router definition or default and withsni (and how to do that?)

KBst · December 4, 2019, 8:13pm

Just to mention the differences which I though should have no effect:

System_1 (the bad one)
- Traefik runs on Debian10, minimal install, text mode only.
- connected to /29 net / DSL modem via Sophos UTM9, port forwarding (80, 443)
System_2 (the good one)
- Traefik runs on Debian10, Gnome GUI
- connected to private network via Sophos UTM9, port forwarding (80, 443)
- connected to the outer world via DSL router, port forwarding (80, 443)

Klaus

KBst · December 4, 2019, 8:46pm

O.k. completely renamed the tls option withsni to default ... and:

the delivery of the second (self signed) cert stopped
TLS1.0 isn't supported any more.

One difference still exists: Only good server uses HTTP Strict Transport Security (HSTS).

dduportal · December 5, 2019, 2:48pm

Happy to hear it fixed the issue!

Regarding the HSTS, this is a middleware to enable: https://docs.traefik.io/v2.0/middlewares/headers/#using-security-headers .

As the middleware have to be defined on a router, I would suggest to you the following strategy: defining a "fallback" router which will take care of the behavior when no router match your requests.
For doing this, build a default http (and eventually a 2nd as http+tls) router associated to Traefik itself likewise https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d#49a5 (but in your file configuration here) and then, enable http to https redirect on the HTTP default router, and enable the hsts on all router, including the default.

Topic		Replies	Views
Traefik serves default cert for HostSNI (tls over tcp) Traefik v2 (latest) docker , letsencrypt-acme , tcp	7	1532	August 14, 2023
Multiple default certs Traefik v2 (latest) file	5	252	November 2, 2023
Traefik still serving default cert Traefik v2 (latest) docker , letsencrypt-acme , tcp	1	1217	October 27, 2022
HTTPS backend with Traefik's frontend Certificate Traefik v2 (latest) docker , tcp	0	1105	April 4, 2022
Strange behavior in multi-traefik Kubernetes cluster Traefik v2 (latest) kubernetes-crd	0	252	September 15, 2022

Traefik delivers two certificates and uses TLS 1.0

traefik version

Related Topics