Traefik Hub's backend AWS Global Accelerator seems to have a self-signed cert attached to it

Hello,
Super happy about the new Traefik Hub for publishing services! I've run into an issue: the randomly generated FQDN for the service seems to work fine on https:, however the SSL chain fails if you point at that service endpoint as a CNAME from an owned domain. This should be easy to reproduce:

Digging around a bit, when I ping the FQDN of the traefik-provided DNS name, it resolves to an AWS global accelerator. Cool. That tells me Traefik is using some automation in AWS to build out the ELB endpoint in AWS. The default cert attached to this ELB should be either a LE cert, or perhaps even easier and cheaper for Traefik, just do a DNS-validated *.lbname.traefikhub.io AWS ACM certificate, and the chain will pass cleanly

Hoping for some comments from the Traefik Hub team on this. Thank you, and happy to help troubleshoot if helpful.

Bueller...? Bueller? :cricket:

Hey OMG, the engineering team has seen this and is looking into it. Someone should be back really soon...

Hello OMG, thanks for your feedback and your interest in Traefik Hub.

If I understand correctly, you want to publish a service using your own domain instead of the one generated by Traefik Hub.
Good news! The team is currently working on this feature and we'll bring it soon.

We'll keep you updated as soon as the feature is available.

Great, I’m excited to hear that! Please take a look however, because the AWS ELB endpoint is returning a self-signed Traefik cert, which could easily be resolved (I’d suggest using a free AWS ACM cert for *.{lbname}.traefikhub.io), if that were done, I would be able to point CNAMEs at the Traefik Hub provided FQDNs without issue.

Hey OMG,

I don't think that using a valid certificate instead of the current one allows you to use a CNAME.

Indeed, Traefik Hub uses the Host SNI to redirect the traffic. In your use case, it means that it uses newservice.example.com instead of shiny-new.asdfasdf.traefikhub.io. As newservice.example.com is not a domain Traefik Hub handles, you won't reach any service.
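The two-step decision described in this reply, modelled as an added example (not code from the thread, Traefik or Traefik Hub): a client derives the TLS SNI from the hostname in the URL, never from what the CNAME chain resolves to, and the edge then matches that SNI against the hostnames it knows before picking a certificate and backend. Every hostname, route, CNAME record and certificate subject below is constructed for illustration; the wildcard and default-route behaviour is a simplified model, not Traefik Hub's actual implementation.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    host: str          # hostname the edge serves for this route
    cert_subject: str  # subject name on the certificate it would present


# Constructed DNS records: the owned name is a CNAME to the Hub-provided FQDN,
# which is itself a CNAME to an accelerator name that finally resolves to an IP.
CNAME_CHAIN: Dict[str, str] = {
    "newservice.example.com": "shiny-new.asdfasdf.traefikhub.io",
    "shiny-new.asdfasdf.traefikhub.io": "accelerator.example.net",
}

# Constructed edge configuration: one known host plus a catch-all default
# route that presents a self-signed certificate (placeholder subject).
ROUTES: Dict[str, Route] = {
    "shiny-new.asdfasdf.traefikhub.io": Route(
        "shiny-new.asdfasdf.traefikhub.io", "shiny-new.asdfasdf.traefikhub.io"),
}
DEFAULT = Route("(default)", "self-signed-default")


def resolve_chain(name: str, chain: Dict[str, str]) -> List[str]:
    """Follow CNAME records to the final name; returns every name visited."""
    visited = [name]
    while name in chain:
        name = chain[name]
        if name in visited:  # guard against a CNAME loop
            break
        visited.append(name)
    return visited


def client_sni(url_host: str, chain: Dict[str, str]) -> str:
    """The SNI a standards-compliant client sends is the URL hostname.
    Resolution happens, but its result never changes the SNI value."""
    resolve_chain(url_host, chain)
    return url_host


def route_by_sni(sni: str, routes: Dict[str, Route], default: Route) -> Route:
    """Model of an SNI router: exact host, then a one-label wildcard, else default."""
    if sni in routes:
        return routes[sni]
    labels = sni.split(".")
    if len(labels) > 2:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in routes:
            return routes[wildcard]
    return default


def cert_matches_sni(cert_subject: str, sni: str) -> bool:
    """Hostname check a browser performs: exact match or single-label wildcard."""
    if cert_subject.startswith("*."):
        parts = sni.split(".", 1)
        return len(parts) == 2 and parts[1] == cert_subject[2:]
    return cert_subject == sni


def connect(url_host: str, routes: Dict[str, Route], default: Route,
            chain: Dict[str, str] = CNAME_CHAIN) -> dict:
    """Simulate one HTTPS connection and report what the client would observe."""
    sni = client_sni(url_host, chain)
    route = route_by_sni(sni, routes, default)
    return {
        "sni": sni,
        "route_host": route.host,
        "cert_subject": route.cert_subject,
        "cert_ok": cert_matches_sni(route.cert_subject, sni),
    }


if __name__ == "__main__":
    # Hub-provided FQDN: SNI matches a known route, certificate validates.
    print(connect("shiny-new.asdfasdf.traefikhub.io", ROUTES, DEFAULT))
    # Owned CNAME: SNI is the owned name, edge falls to default, cert fails.
    print(connect("newservice.example.com", ROUTES, DEFAULT))
    # A wildcard cert on the default route does not help: the SNI is still
    # newservice.example.com, which *.asdfasdf.traefikhub.io cannot cover.
    print(connect("newservice.example.com", ROUTES,
                  Route("(default)", "*.asdfasdf.traefikhub.io")))
```

Running the three scenarios shows why the CNAME alone cannot work: the only change that makes `cert_ok` true for `newservice.example.com` is adding that hostname as a route of its own, which is what a bring-your-own-domain feature amounts to.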

I see what you're saying. The ELB listener isn't listening for the host header provided by the browser when I'm providing my own FQDN, so it lands at the default on the match list. That adds up.

I'll keep an eye out for the BYO-domain feature availability in the future!
