Traefik Ingress (not IngressRoute CRD) is unable to return intermediate certificate


We are using Traefik K8s Ingress and have following setup details.

NAME                           READY   STATUS    RESTARTS   AGE
pod/httpbin-644f898c86-xxxx   2/2     Running   0          2d16h
pod/httpbin-644f898c86-xxxx   2/2     Running   0          2d16h

NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/httpbin       ClusterIP   <none>        8080/TCP   61d
service/httpbin-ssl   ClusterIP      <none>        8081/TCP   61d

NAME                         TYPE                                  DATA   AGE
secret/httpbin-ssl                      2      45h

NAME                                            CLASS    HOSTS                    ADDRESS   PORTS     AGE       <none>             80        61d   <none>             80, 443   47h

Issue is with httpbin-ingress-tls. This Ingress uses secret "httpbin-ssl" to support tls requests. The httpbin-ssl secret holds the entire cert chain (wild card server cert, intermediate certs and RootCert) and keys. Can verify this with secret from kubectl get command.

While the configuration works and From browser it is fine, using openssl/curl/wget TLS calls to is failing with ERROR : Verification error: unable to verify the first certificate.

But if i pass same certificate chain these tools it works. e.g.: openssl s_client -showcerts -connect -CAfile cert_chain.pem

Not sure why Traefik is unable to send the Intermediate certs. It is self-signed cert by the way.

Any response would help us massively. Thanks.

Does anyone have any idea? Or this forum is not active anymore?

Hi @roy.susmit, thanks for your interest in Traefik!

Could you please share your full configuration and Debug logs?

Thanks for for response. Debug log didnt show any issues. However we was able to figure out the issue.

In our case : The certificate in question is a wildcard (and self signed) one (e.g, * and there were multiple apps deployed in k8s and have their ingress set such as:

Now we didn't have whole certificate chain in any of them and we tried to incorporate it into on app: httpbin and its ingress: Which was causing the issue.

Then we updated for all app and it started sending whole cert chain for httpbin and also for other apps. So we suspect Traefik was somehow sending the response from its cache or from first app ingress it encounters (because may be all are using same wildcard cert /self signed cert ??). Changing all apps make it work. Not ideal but there couldn't be any other reason. Not sure i would open a Bug for this .

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.