Traefik internal backend certificates validation

I've deployed a backend configured to use https.

I've configured a Traefik route like:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-registry
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`registry.localhost`)
    services:
    - name: registry-docker-registry
      port: 5000
      scheme: https
  tls: {}

As you can see, I've set that:

  1. From the internet to Traefik, using https with the default Traefik-generated certificates.
  2. From Traefik to the backend, using https with the certificates configured on the backend.

The problem I'm facing is that:

When Traefik tries to connect to the backend using https, it's telling me:

time="2020-04-14T08:20:53Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/v2/_catalog\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"],\"X-Forwarded-Host\":[\"registry.localhost\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik-54dc69dd6f-n4zg8\"],\"X-Real-Ip\":[\"10.42.2.48\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"registry.localhost\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.48:59318\",\"RequestURI\":\"/v2/_catalog\",\"TLS\":null}"
time="2020-04-14T08:20:53Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/v2/_catalog\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"],\"X-Forwarded-Host\":[\"registry.localhost\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik-54dc69dd6f-n4zg8\"],\"X-Real-Ip\":[\"10.42.2.48\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"registry.localhost\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.48:59318\",\"RequestURI\":\"/v2/_catalog\",\"TLS\":null}" ForwardURL="https://10.42.0.122:5000"
time="2020-04-14T08:20:53Z" level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 10.42.0.122 because it doesn't contain any IP SANs" 

Basically, it's telling me that:

it cannot validate the backend certificates

Any ideas?

Hi @jeusdi,

Did you get it working?
I have the same issue connecting to kubernetes dashboard which exposes only https port.

It is good to know I am not the only one experiencing this similar issue. When I check the k8 dashboard logs I can see the following: http: TLS handshake error from 10.244.125.124:55680: remote error: tls: bad certificate.
I see the following from traefik: {"level":"debug","msg":"'500 Internal Server Error' caused by: x509: cannot validate certificate for 10.244.125.83 because it doesn't contain any IP SANs"}
Setup is k8 v1.19.2 and using the helm deployment model. I tried messing with tlsOption SNI: false but that didn't seem to work, and I don't see a way to inject a trusted CA at a global or default scope.

Looks like a potential fix was merged in https://github.com/traefik/traefik/pull/7203 and will be coming in 2.4 whenever that comes out...