Traefik does not use user-specified wildcard certificate in routers using matching Host rules

Traefik Traefik v2
1

I'm trying to move to Traefik v2 and also move certificate generation outside of Traefik. My let's encrypt certificate is correctly mounted in the Traefik container, but Traefik always uses the default generated certificate instead of the user defined one.

traefik.yml:

global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: DEBUG

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/conf
    watch: true

dynamic conf:

http:
  routers:
    test:
      rule: "Host(`subdomain.wildcard.domain.tld`)"
      entryPoints: ["web"]
      service: service-test
      middlewares: ["https_redirect"]
    test-secure:
      rule: "Host(`subdomain.wildcard.domain.tld`)"
      entryPoints: ["web-secure"]
      service: service-test
      tls: {}

  services:
    service-test:
      loadBalancer:
        servers:
          - url: "http://helloworld"

  middlewares:
    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true

tls:
  certificates:
    - certFile: /ssl/wildcard.crt
      keyFile: /ssl/wildcard.key

I can see this in traefiks log output:

time="2020-03-04T10:44:13Z" level=debug msg="No store is defined to add the certificate <...>, it will be added to the default store."
time="2020-03-04T10:44:13Z" level=debug msg="Adding certificate for domain(s) wildcard.domain.tld,*.wildcard.domain.tld"
time="2020-03-04T10:44:13Z" level=debug msg="No default certificate, generating one"

A request to the router always ends up with the default certificate:

* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Mar  4 10:44:13 2020 GMT
*  expire date: Mar  4 10:44:13 2021 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

According to the log everything seems fine with the certificate itself, so I wonder why Traefik doesn't use it based on the routers Host rule.

2

Looks reasonable to me. How are you testing ?

3

I'm using curl to do a request with the specified host:

curl -k -v --header "Host: subdomain.wildcard.domain.tld" https://192.168.173.143/

As soon as I set a default certificate, the lets encrypt certificate is used. So for some reason Traefik just doesn't decide to use the wildcard certificate by itself.

tls:
  certificates:
    - certFile: /ssl/wildcard.crt
      keyFile: /ssl/wildcard.key
  stores:
    default:
      defaultCertificate:
        certFile: /ssl/wildcard.crt
        keyFile: /ssl/wildcard.key
4

have you try to rename cert and key like that ?

tls:
  certificates:
    - certFile: /path/to/cert.crt
      keyFile: /path/to/cert.key
5

The configured paths to the certificate seem correct, otherwise Traefik shouldn't be able to detect the domains in the certificate (see log in original post) and shouldn't be able to use it as a defaultCertificate.

6

@Strayer

Use the --resolve flag for curl for this type of testing(I guess you do not have dns for it yet)

I believe traefik is deciding which certificate to use (builtin vs yours) when the ssl/tls handshake is done.

curl -k -v  https://subdomain.wildcard.domain.tld --resolve subdomain.wildcard.domain.tld:443:192.168.173.143

I just did this on traefik running with LE. And the same thing happens if I send a Host header vs using --resolve.