Traefik in RKE2 cluster changes to an old certificate randomly

Hi,

We have been looking for some days for the cause of an issue related to the certificate used in our installation of Traefik in the RKE2 cluster.

We have installed Traefik as the "main" LoadBalancer for our applications deployed in the cluster. We installed it using chart 32.1.0 and configured the default certificate using the specific key in value.yaml:

tlsStore:
  default:
    certificates:
      - secretName: traefik-certificates
    defaultCertificate:
      secretName: traefik-certificates

The problem is that suddenly, every few minutes (there is no time pattern for this), the certificate switches to another, old certificate that is not valid and was configured in the past.

At that moment, we checked the values of the secret configured for the certificate ("traefik-certificates" in the previous example), and the cert and key are the valid new certificate. Because of this, we know that there is no external process changing the value of the certificate in the secret.

Has anyone had this experience? Does someone know if there is any place or resource in the cluster that stores a kind of "cache" of certificates that could be the source of the problem?

Do you use k8s cert-manager (article, doc)?

Hi @bluepuma77

Nope. The secret used as certificate (in the example "traefik-certificates") was created with:

 kubectl create secret tls traefik-certificates --cert ./certs/cert.crt --key ./certs/cert.key --namespace traefik

To clarify, the certificate is generated by an "on-premise" internal tool; we don't use automation with Let's Encrypt or anything similar.
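
Added example, not part of the thread: one way to pin down the symptom described in the first post is to compare the SHA-256 fingerprint of the leaf certificate stored in the `traefik-certificates` secret with the one the endpoint actually presents, and to log every change with a timestamp. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import json
import socket
import ssl

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

def pem_fingerprint(pem):
    """SHA-256 of the DER bytes of the first (leaf) certificate in a PEM bundle."""
    first = pem[pem.index(HEADER):pem.index(FOOTER) + len(FOOTER)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()

def secret_fingerprint(secret_json):
    """Leaf fingerprint of tls.crt from `kubectl get secret <name> -o json` output."""
    data = json.loads(secret_json)["data"]
    return pem_fingerprint(base64.b64decode(data["tls.crt"]).decode("ascii"))

def served_fingerprint(host, port=443, sni=None):
    """Leaf fingerprint of the certificate the endpoint presents right now."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # read-only probe: validation is disabled so
    ctx.verify_mode = ssl.CERT_NONE  # the old, invalid certificate is still captured
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def transitions(samples, expected):
    """samples: [(timestamp, fingerprint)]. Return each point where the served
    certificate changed, flagged with whether it matches the secret."""
    changes, last = [], None
    for ts, fp in samples:
        if fp != last:
            changes.append((ts, fp[:16], fp == expected))
            last = fp
    return changes

if __name__ == "__main__":
    # Constructed stand-ins: PEM-armoured bytes, not real certificates.
    def fake(b):
        return HEADER + "\n" + base64.b64encode(b).decode() + "\n" + FOOTER + "\n"
    secret = json.dumps({"data": {"tls.crt": base64.b64encode(fake(b"new").encode()).decode()}})
    expected = secret_fingerprint(secret)
    polled = [("10:00", pem_fingerprint(fake(b"new"))),
              ("10:05", pem_fingerprint(fake(b"old"))),
              ("10:10", pem_fingerprint(fake(b"new")))]
    for row in transitions(polled, expected):
        print(row)
```

For a live check, pass `secret_fingerprint` the output of `kubectl get secret traefik-certificates -n traefik -o json` and poll `served_fingerprint` against a hostname routed through Traefik. The timestamps of the mismatching rows can then be lined up with Traefik's logs and pod events.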