Traefik Ingress (not IngressRoute CRD) is unable to return intermediate certificate

roy.susmit · June 18, 2023, 8:28am

Hi,

We are using Traefik K8s Ingress and have following setup details.

NAME                           READY   STATUS    RESTARTS   AGE
pod/httpbin-644f898c86-xxxx   2/2     Running   0          2d16h
pod/httpbin-644f898c86-xxxx   2/2     Running   0          2d16h


NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/httpbin       ClusterIP   10.97.149.232   <none>        8080/TCP   61d
service/httpbin-ssl   ClusterIP   10.99.20.8      <none>        8081/TCP   61d

NAME                         TYPE                                  DATA   AGE
secret/httpbin-ssl           kubernetes.io/tls                     2      45h


NAME                                            CLASS    HOSTS                    ADDRESS   PORTS     AGE
ingress.networking.k8s.io/httpbin-ingress       <none>   httpbin.k8s.mycorp.org             80        61d
ingress.networking.k8s.io/httpbin-ingress-tls   <none>   httpbin.k8s.mycorp.org             80, 443   47h

Issue is with httpbin-ingress-tls. This Ingress uses secret "httpbin-ssl" to support tls requests. The httpbin-ssl secret holds the entire cert chain (wild card server cert, intermediate certs and RootCert) and keys. Can verify this with secret from kubectl get command.

While the configuration works and From browser it is fine, using openssl/curl/wget TLS calls to httpbin.k8s.mycorp.org is failing with ERROR : Verification error: unable to verify the first certificate.

But if i pass same certificate chain these tools it works. e.g.: openssl s_client -showcerts -connect httpbin.k8s.mycorp.org:443 -CAfile cert_chain.pem

Not sure why Traefik is unable to send the Intermediate certs. It is self-signed cert by the way.

roy.susmit · June 19, 2023, 10:10am

Any response would help us massively. Thanks.

roy.susmit · June 21, 2023, 1:01pm

Does anyone have any idea? Or this forum is not active anymore?

svx · June 22, 2023, 1:17pm

Hi @roy.susmit, thanks for your interest in Traefik!

Could you please share your full configuration and Debug logs?

roy.susmit · June 27, 2023, 8:57am

Hi,
Thanks for for response. Debug log didnt show any issues. However we was able to figure out the issue.

In our case : The certificate in question is a wildcard (and self signed) one (e.g, *.k8s.mycorp.org) and there were multiple apps deployed in k8s and have their ingress set such as:
app1.k8s.mycorp.org
app2.k8s.mycorp.org
app3.k8s.mycorp.org
..usw

Now we didn't have whole certificate chain in any of them and we tried to incorporate it into on app: httpbin and its ingress: httpbin.k8s.mycorp.org:443. Which was causing the issue.

Then we updated for all app and it started sending whole cert chain for httpbin and also for other apps. So we suspect Traefik was somehow sending the response from its cache or from first app ingress it encounters (because may be all are using same wildcard cert /self signed cert ??). Changing all apps make it work. Not ideal but there couldn't be any other reason. Not sure i would open a Bug for this .

system · June 30, 2023, 8:58am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Traefik seems to not obtaining the SSL certificate that is supposed to acquire Traefik v2 kubernetes-ingress	0	520	September 29, 2023
Unable to passthrough tls Traefik v2 kubernetes-crd , kubernetes-ingress	5	1247	February 7, 2022
How to pass-through TLS with Traefik Kubernetes Ingress? Traefik v2 kubernetes-ingress	1	2444	July 17, 2023
Hosting a HTTP-App on a custom TCP-Port with TLS Traefik v2 kubernetes-crd , kubernetes-ingress , tcp	1	1328	March 25, 2022
Unable to create TLS cert with IngressRouteTCP Traefik v2 kubernetes-ingress	2	693	October 10, 2022

Traefik Ingress (not IngressRoute CRD) is unable to return intermediate certificate

Related topics