Traefik delivers two certificates and uses TLS 1.0

I have got two identically configured Traefik reverse proxies, running on the identical Debian 10 platform.
But testing with the SSL Labs SSL Server Test gives different results:

traefik version

Version: 2.0.5
Codename: montdor
Go version: go1.13.4
Built: 2019-11-14T18:11:01Z
OS/Arch: linux/amd64

Server A:

Server B: (Delivers the Let’s Encrypt cert and the TRAEFIK DEFAULT CERT and uses TLS 1.0)


Questions:

  • How to get rid of the additional cert?
  • How to debug further?

Hi @KBst, you might be interested in this answer: https://github.com/containous/traefik/issues/5849#issuecomment-559166453 .

SSL Labs tests SNI and Non-SNI connection attempts to your server.

By default, if a non-SNI request is sent to Traefik and it cannot find a matching certificate (with an IP SAN), it will return the default certificate, which is usually self-signed.

If you are required to pass this sort of SSL test, you may need to either:

  1. Configure a default certificate to serve when no match can be found:
    https://docs.traefik.io/v1.7/configuration/entrypoints/#default-certificate
  2. Configure Strict SNI checking so that no connection can be made without a matching certificate:
    https://docs.traefik.io/v1.7/configuration/entrypoints/#strict-sni-checking

Please check the links for Traefik v2.0:

Thanks. I also found this discussion and tried to set up identical tls.options. But I will double check.
By the way: my options are defined in separate files in a directory where all dynamic definitions are sitting. Are they also re-read when changes occur?

It should be, as the TLS options are part of the "dynamic configuration" of Traefik. The first condition is that the watch directive of the file provider must be enabled (ref. https://docs.traefik.io/v2.0/providers/file/#watch).

O.k. that's clear. So let me show the respective sections of my setup:

  1. Static part
###############################################################
# File configuration backend
###############################################################
providers:
  file:
    directory: /etc/traefik/sites
    watch: true
###############################################################
# Let's Encrypt Certificates Resolver
###############################################################
certificatesResolvers:
  letsencrypt:
    acme:
      email: my.mail@<mydomain>
      storage: "/etc/traefik/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}
  2. Dynamic part
###############################################################
# server service
###############################################################
http:
  routers:
    server:
      entryPoints:
        - websecure
      rule: "Host(`server.<mydomain>`)"
      service: server-service
      tls:
        options: withsni
        certResolver: letsencrypt

  services:
    server-service:
      loadBalancer:
        servers:
          - url: "https://192.168.1.2:443"

###############################################################
#  tls options withsni
################################################################
tls:
  options:
    withsni:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

As I mentioned: identical setup, only for two different domains (I generated the configuration files from one source using sed). Even with Strict SNI checking. For one of the domains Traefik delivers two certificates and also provides TLS 1.0. For the other I only get one certificate and no TLS 1.0.

Using the dashboard I can't explore the active SNI settings. Is there another possibility to find the differences in effective setup?

Enable debug log of traefik: you'll see what settings are applied in the debug lines.

O.k. THX. I’ll try and come back with results.

Klaus


Now I've got the debug output for both setups ... and really cannot find any difference :hot_face:
I dare to include both (rather long) log files. The first one "domain1.log" covers more routers as this is a production site. SSL-Labs test (also included) is only done with "server.domain1.de" i.e.

"Adding route for server.domain1.de with TLS options withsni" entryPointName=websecure

As expected with identical configuration files the debug log - as far as I see - doesn't show differences. But: Even with sniStrict = true the first setup:

  1. Still delivers the second self signed cert and
  2. Accepts TLS 1.0

Can you try to set it with the tls option default as well please? It looks like you defined a tls option block named nosni, so it is not the default behavior if a request is not caught by a router.... which certainly happens when SSLLabs tries things.

Not sure why this would work on one server but not on the other, but worth a try.

I defined a default tls option. Shall I reference the default option in the router definition, or both default and withsni (and how do I do that)?

Just to mention the differences, which I thought should have no effect:

  1. System_1 (the bad one)
    • Traefik runs on Debian 10, minimal install, text mode only.
    • connected to /29 net / DSL modem via Sophos UTM9, port forwarding (80, 443)
  2. System_2 (the good one)
    • Traefik runs on Debian 10, Gnome GUI
    • connected to private network via Sophos UTM9, port forwarding (80, 443)
    • connected to the outer world via DSL router, port forwarding (80, 443)

Klaus

O.k. completely renamed the tls option withsni to default ... and:

  • the delivery of the second (self-signed) cert stopped
  • TLS 1.0 isn't supported any more.

One difference still exists: only the good server uses HTTP Strict Transport Security (HSTS).
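The two behaviours discussed in this thread (a non-SNI handshake falling through to the TRAEFIK DEFAULT CERT, as explained earlier, and the TLS 1.0 / HSTS differences reported after the rename to `default`) can be checked from any client without SSL Labs. The script below is an added example written for this thread; it is not code from the posts or from Traefik. It assumes openssl(1) 1.1.1 or newer (for `-noservername`); HOST, PORT and SERVERNAME are placeholders, and the embedded sample handshake output is constructed, not captured from the servers discussed here.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Traefik.
# Reproduces, from the client side, the checks SSL Labs performed: which leaf
# certificate is served with and without SNI, whether a TLS 1.0 handshake is
# accepted, and whether the HTTPS response carries HSTS.
# Assumes openssl(1) 1.1.1+ (-noservername). HOST/PORT/SERVERNAME are placeholders.

# Reduce `openssl s_client` text on stdin to "subject|issuer|protocol" so two
# handshakes can be compared. Pure text processing: works on saved output too.
summarize_handshake() {
    awk '
        /^subject=/      { v = $0; sub(/^subject=/, "", v); subj = v }
        /^issuer=/       { v = $0; sub(/^issuer=/, "", v); iss = v }
        /^ *Protocol *:/ { v = $0; sub(/^ *Protocol *: */, "", v); proto = v }
        END { printf "%s|%s|%s\n", subj, iss, proto }'
}

# True when the two summaries name different leaf certificates, i.e. the
# non-SNI handshake fell through to Traefik's default certificate.
served_different_certs() {  # $1 summary with SNI, $2 summary without SNI
    [ "${1%%|*}" != "${2%%|*}" ]
}

# True when an HTTP response on stdin carries a Strict-Transport-Security header.
has_hsts_header() {
    grep -qi '^strict-transport-security:'
}

# Live probes: one summary line per handshake. $1 host, $2 port, $3 server name.
probe_with_sni()    { openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null | summarize_handshake; }
probe_without_sni() { openssl s_client -connect "$1:$2" -noservername </dev/null 2>/dev/null | summarize_handshake; }

# Exit 0 only if the server completes a TLS 1.0 handshake. Caveat: the client's
# own OpenSSL must still permit TLS 1.0 (Debian 10 raises MinProtocol to 1.2 in
# openssl.cnf), otherwise this reports "rejected" regardless of the server.
accepts_tls10() { openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1; }

# Send one request over the SNI connection and look for HSTS in the response.
sends_hsts() {
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" |
        openssl s_client -quiet -connect "$1:$2" -servername "$3" 2>/dev/null |
        has_hsts_header
}

check_proxy() {  # usage: check_proxy HOST PORT SERVERNAME
    with=$(probe_with_sni "$@"); without=$(probe_without_sni "$@")
    echo "with SNI:    $with"
    echo "without SNI: $without"
    if served_different_certs "$with" "$without"; then
        echo "non-SNI clients get a different (default) certificate"
    fi
    if accepts_tls10 "$@"; then echo "TLS 1.0: accepted"; else echo "TLS 1.0: rejected"; fi
    if sends_hsts "$@"; then echo "HSTS: present"; else echo "HSTS: absent"; fi
}

# Constructed sample output (not captured from the thread's servers), shaped
# like OpenSSL 1.1.1 s_client output, mimicking the "bad" server before the fix.
SAMPLE_WITH_SNI='CONNECTED(00000003)
subject=CN = server.domain1.example
issuer=C = US, O = Example CA, CN = Example Intermediate
---
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_WITHOUT_SNI='CONNECTED(00000003)
subject=CN = TRAEFIK DEFAULT CERT
issuer=CN = TRAEFIK DEFAULT CERT
---
SSL-Session:
    Protocol  : TLSv1'

# Offline demonstration on the constructed samples; exit 0 when the non-SNI
# handshake was served a different certificate than the SNI one.
demo_offline() {
    a=$(printf '%s\n' "$SAMPLE_WITH_SNI" | summarize_handshake)
    b=$(printf '%s\n' "$SAMPLE_WITHOUT_SNI" | summarize_handshake)
    served_different_certs "$a" "$b"
}

demo_offline && echo "sample: non-SNI handshake fell through to the default certificate"
# check_proxy server.example.net 443 server.example.net   # placeholder host
```

After the rename to `default`, `check_proxy` should print the same subject on both summary lines, "TLS 1.0: rejected" and, once the headers middleware is in place, "HSTS: present". If the two subject fields still differ, the non-SNI path is not governed by the `default` TLS option, which is exactly what a router-specific options block named anything else leaves open.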


Happy to hear it fixed the issue!

Regarding HSTS, this is a middleware to enable: https://docs.traefik.io/v2.0/middlewares/headers/#using-security-headers .

As the middleware has to be defined on a router, I would suggest the following strategy: define a "fallback" router which takes care of the behavior when no router matches your requests.
To do this, build a default http router (and possibly a second one as http+tls) associated with Traefik itself, like https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d#49a5 (but in your file configuration here), then enable the http to https redirect on the HTTP default router, and enable HSTS on all routers, including the default.